
Thread: Have IE_updater.exe, crss and winlogon--Cant get into safe mode!

  1. #1
    Junior Member
    Join Date
    May 2007
    Posts
    6

    Have IE_updater.exe, crss and winlogon--Cant get into safe mode!

    I have spent some time on your site and it seems I have the above referenced infections.

    I have read all the mandatory steps mentioned to obtain help, one of which is getting into safe mode.

    I can get into the safe mode menu after hitting F8. I arrow up to safe mode and hit enter, the machine boots into Windows safe mode, a box pops up asking me if I want to work in safe mode, I click yes, and then the screen stays black. The screen says "safe mode" in white on the left and right bottom of the black screen, with an hourglass that won't go away.

    Any suggestions?

    The machine is my daughter's, who is home before finals; it is a Dell laptop with SP2.

    Thanks in advance.

  2. #2
    tashi (Member of Team Spybot)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961


    Hi there.

    If you can't get into safe mode, please go ahead and produce the HJT log for one of our helpers to analyse, if you can.

    Cheers.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    May 2007
    Posts
    6


    Thanks for your response.
    Right before I ran HJT I installed BoClean, which said it removed or shut down the IE_updater.

    Here is the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:23:36 PM, on 5/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Comodo\CBOClean\BOCORE.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\SYSTEM32\MrobeService.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\WINDOWS\system32\svehost.exe
    C:\WINDOWS\system32\drvconf.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://email.pace.edu/uwc/auth
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: load=
    F3 - REG:win.ini: run=
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
    O4 - HKLM\..\Run: [drvdiag] C:\WINDOWS\system32\drvconf.exe
    O4 - HKLM\..\Run: [BOC-423] C:\PROGRA~1\Comodo\CBOClean\BOC423.exe
    O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\cinkhbkr.dll",realset
    O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136649345947
    O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload ActiveX Control) - http://attwireless.snapfish.com/SnapfishUpload.cab
    O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://www.flipside.com/cab/WONWebLauncherControl.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
    O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\nvfwwfr.dll
    O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\ie_updater.exe (file missing)
    O23 - Service: MrobeService - OLYMPUS IMAGING CORP. - C:\WINDOWS\SYSTEM32\MrobeService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

  4. #4
    CalamityJane (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    Hi bruce48,

    Are you still needing help? If so could you please scan and post a fresh HijackThis log so I can see where you are at this point?

    I'm now subscribed to this thread so I'll get a notice when you reply here and can get to you much more quickly.

    Meanwhile, there are some backdoor trojans running on that PC, so please don't force safe mode. Here is why (technical, but important: do not attempt to use msconfig or force the machine into safe mode).
    See the first post in this topic here:
    http://www.dslreports.com/forum/remark,18150258

    Just keep the PC offline as much as possible and we'll work with you here.
    Microsoft MVP 2003-2009
    Windows-Security

  5. #5
    Junior Member
    Join Date
    May 2007
    Posts
    6


    Yes, yes indeed, I am still in need of some help.
    I am sending you this on my machine; the infected machine is a laptop that belongs to my daughter.
    I will keep the unit offline as you requested, run a fresh HJT, and send it to this machine and then to you.
    I thank you so much!
    Be right back at ya.

  6. #6
    Junior Member
    Join Date
    May 2007
    Posts
    6

    hjt log

    Hello,
    Ok here ya go.
    I did manage, on Sunday, to install BoClean, which said it took out the ie_updater:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:28:21 PM, on 5/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Comodo\CBOClean\BOCORE.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\SYSTEM32\MrobeService.exe
    C:\hjt\HijackThis.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\svchost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://email.pace.edu/uwc/auth
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
    R3 - Default URLSearchHook is missing
    F3 - REG:win.ini: load=
    F3 - REG:win.ini: run=
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
    O4 - HKLM\..\Run: [drvdiag] C:\WINDOWS\system32\drvconf.exe
    O4 - HKLM\..\Run: [BOC-423] C:\PROGRA~1\Comodo\CBOClean\BOC423.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...n/x86/client/wuweb_site.cab?1136649345947
    O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload ActiveX Control) - http://attwireless.snapfish.com/SnapfishUpload.cab
    O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://www.flipside.com/cab/WONWebLauncherControl.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} - http://download.buddylinks.net/ShellInstaller.cab
    O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\nvfwwfr.dll
    O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\ie_updater.exe (file missing)
    O23 - Service: MrobeService - OLYMPUS IMAGING CORP. - C:\WINDOWS\SYSTEM32\MrobeService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
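The triage a helper does by eye on the two logs above, written out as an added Python example (not code from this thread or from HijackThis): it parses HJT log lines and flags the entry types the helpers would look at first, namely a running process one letter off a core Windows process name (svehost.exe), a Run key loading a DLL through rundll32, an unknown Winsock LSP repeated down the chain, an SSODL entry, and a service with an unknown owner or a missing file. The sample lines are constructed from this thread's logs; the rule names and the core-process list are my assumptions.

```python
import os
import re
from collections import Counter

# Constructed sample: entries copied from the HijackThis logs in this thread, with the
# O10 entry repeated to show how the repeated LSP hops are collapsed into one finding.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\drvconf.exe
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\cinkhbkr.dll",realset
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prejqghyt.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\nvfwwfr.dll
O23 - Service: MSIEUpdater_2 (Microsoft IE Updater_2) - Unknown owner - C:\Documents and Settings\ie_updater.exe (file missing)
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
"""

# Core Windows processes that malware imitates by changing one letter (svehost vs svchost); assumed list.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}

def lookalike(path):
    """Return the core process name a path's basename imitates (one substituted character), or None."""
    base = os.path.basename(path.replace("\\", "/")).lower()
    for ref in CORE_PROCESSES:
        if len(base) == len(ref) and sum(a != b for a, b in zip(base, ref)) == 1:
            return ref
    return None

def triage(log_text):
    """Walk an HJT log and return (kind, detail) findings that deserve a human look."""
    findings, lsp_dlls = [], Counter()
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if re.match(r"[a-z]:\\", line, re.I):                     # "Running processes" entry
            ref = lookalike(line)
            if ref:
                findings.append(("lookalike-process", f"{line} (imitates {ref})"))
        elif line.startswith("O4 "):                               # Run-key autostart
            if re.search(r'rundll32\.exe\s+"?[^"]*system32\\[a-z]+\.dll', line, re.I):
                findings.append(("run-key-rundll32-loader", line))
            ref = lookalike(line.split("] ", 1)[-1])
            if ref:
                findings.append(("run-key-lookalike", f"{line} (imitates {ref})"))
        elif line.startswith("O10 ") and "Unknown file" in line:    # Winsock LSP chain
            lsp_dlls[line.split(": ", 1)[1]] += 1
        elif line.startswith("O21 "):                               # ShellServiceObjectDelayLoad
            findings.append(("ssodl-shell-extension", line))
        elif line.startswith("O23 ") and ("(file missing)" in line or "Unknown owner" in line):
            findings.append(("service-unknown-owner-or-missing", line))
    for dll, count in lsp_dlls.items():                            # one finding per DLL, not per hop
        findings.append(("unknown-winsock-lsp", f"{dll} (x{count})"))
    return findings
```

Run `triage(SAMPLE_LOG)` (or pass the text of a saved log) to get the list of flagged entries; the legitimate entries in the sample (svchost.exe, drvconf.exe, BOCore) produce nothing.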
