Computer Issues in the startup phase

roswell3053 · Apr 25, 2006

Hi,

My computer is stalling at the Windows startup page. I have to get into Safe Mode to do anything. I have run many spyware programs in Safe Mode, but I still have the same problem. This problem did not start until I loaded Norton Antivirus on my computer. Here is the log that I received when I ran Hijack This.

Logfile of HijackThis v1.99.1
Scan saved at 12:38:03 PM, on 4/25/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00048.exe"
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [fmkzttmA] C:\WINDOWS\fmkzttmA.exe
O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\System32\dgfgql.exe"
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [shellbn] C:\WINDOWS\System32\shellbn.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKLM\..\Run: [tetriz3] C:\WINDOWS\System32\tetriz3.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20091\winlogon.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmgn.exe
O4 - HKLM\..\Run: [KB681499] C:\WINDOWS\System32\KB681499.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20091\socks.exe
O4 - HKLM\..\Run: [42f128bc.exe] C:\WINDOWS\System32\42f128bc.exe
O4 - HKLM\..\Run: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\RunServices: [shellbn] C:\WINDOWS\System32\shellbn.exe
O4 - HKLM\..\RunServices: [tetriz3] C:\WINDOWS\System32\tetriz3.exe
O4 - HKLM\..\RunServices: [KB681499] C:\WINDOWS\System32\KB681499.exe
O4 - HKLM\..\RunServices: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142954001608
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O20 - Winlogon Notify: logon16x - C:\WINDOWS\SYSTEM32\logon16x.dll
O20 - Winlogon Notify: mmx4xt - C:\WINDOWS\
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O20 - Winlogon Notify: skyu16 - C:\WINDOWS\SYSTEM32\skyu16.dll
O20 - Winlogon Notify: zopenssl - C:\WINDOWS\SYSTEM32\zopenssl.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Please let me know if someone can help me.

Thank you,
roswell3053 a.k.a. Jennifer

shelf life · Apr 26, 2006

hi roswell3053,

your computer has been compromised.

you got some nasty stuff. dont use your computer for anything that requires you to type in login name/password esp. anything that requires personal info or banking info. i would limit my time on it until its cleaned up. first we will do it manually with hjt, then boot into safe mode to look for files to delete. OK:

first thing copy/paste this into notepad and save it to your desktop so you can read it in SAFE MODE, then pull the plug on your modem.
---------------------------------
first: make sure files are set to show:

FOr XP: on the desktop double click my computer,go to tools>folder options>view> then select "show hidden files and folders", then UNcheck "hide protected operating system files " also UNcheck "hide extensions for known file types" click apply to all folders, apply then ok
--------------------------------
next:
scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com...r/fix_homepage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00048.exe

O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll

O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [shellbn] C:\WINDOWS\System32\shellbn.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKLM\..\Run: [tetriz3] C:\WINDOWS\System32\tetriz3.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20091\winlogon.exe

O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmgn.exe

O4 - HKLM\..\Run: [KB681499] C:\WINDOWS\System32\KB681499.exe

O4 - HKLM\..\Run: [Microsoft standard protector]
C:\WINDOWS\inet20091\socks.exe

O4 - HKLM\..\RunServices: [eventwvr] C:\WINDOWS\System32\eventwvr.exe

O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O20 - Winlogon Notify: logon16x - C:\WINDOWS\SYSTEM32\logon16x.dll
O20 - Winlogon Notify: mmx4xt - C:\WINDOWS\
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O20 - Winlogon Notify: skyu16 - C:\WINDOWS\SYSTEM32\skyu16.dll
O20 - Winlogon Notify: zopenssl - C:\WINDOWS\SYSTEM32\zopenssl.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)
-------------------------------------------------
ok now time to boot into SAFE MODE. you reach safe mode by tapping the f8 key during a restart of the computer. chose the first option safe mode.
once at the safe mode desktop we will manually look for files to delete using explorer (right click on start>explore)
we will start in the system32 dir.(left hand pane) once you are there, double click it and the contents should open in the right hand pane.
click on "name" at top to sort the list

ok now its time to look for and delete each of these all in the system32 dir:

winbrume.dll
shellbn.exe
tetriz3.exe
taskmgn.exe (notice spelling, taskmgr.exe is ok to have )
KB681499.exe
eventwvr.exe

logon16x.dll
senssrv.dll
skyu16.dll
zopenssl.dll

now look in the C:\WINDOWS dir and delete these:
inet20091 (looks like it a folder)
mmx4xt.dll
---------------------------
also in safe mode:
Empty your Temp folders. Go to Start > Run and type:cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
----------------------------
run norton in safe mode and any other malware apps you might have.

plug modem back in, reboot computer normally, download, install update ewido, check for updates to norton. run them both again back in safe mode:
1. Download Ewido and install
Ewido anti malware. It is a free trial version of the program:

http://www.ewido.net/en/download/

2. Install ewido anti malware
3. Launch ewido, there should be an icon on your desktop double-click it.
4. The program will now go to the main screen

You will need to update ewido to the latest definition files.

1. On the left hand side of the main screen click update
2. Then click on Start Update

The update will start and a progress bar will show the updates being installed.
update norton, boot back into SAFE MODE and run ewido and norton again.

ewido:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop

Close Ewido
---------------------------------
reboot normally, rescan and post a new hjt log and the saved ewido report from safe mode.

roswell3053 · May 2, 2006

Thank you for the help. I have done what you said, and here are the 2 logs that you wanted me to post.

hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 8:58:44 AM, on 5/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\System32\dgfgql.exe"
O4 - HKLM\..\Run: [fmkzttmA] C:\WINDOWS\fmkzttmA.exe
O4 - HKLM\..\Run: [42f128bc.exe] C:\WINDOWS\System32\42f128bc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [KB681499] C:\WINDOWS\System32\KB681499.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142954001608
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146067363593
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O20 - Winlogon Notify: logon16x - C:\WINDOWS\SYSTEM32\logon16x.dll
O20 - Winlogon Notify: skyu16 - C:\WINDOWS\SYSTEM32\skyu16.dll
O20 - Winlogon Notify: zopenssl - zopenssl.dll (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NTSec(ntsec) (NTSec) - Unknown owner - C:\WINDOWS\system32\ntsec.exe (file missing)

ewido report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:52:45 AM, 5/2/2006
+ Report-Checksum: 1C1E7803

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2178F3FB-2560-458f-BDEE-631E2FE0DFE4} -> Adware.WinAntiVirus : Cleaned with backup
HKU\.DEFAULT\Software\DNS -> Adware.Shorty : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Keywords -> Adware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-839522115-1935655697-2146749123-1003\Software\Microsoft\Internet Explorer\Keywords -> Adware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-18\Software\DNS -> Adware.Shorty : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Keywords -> Adware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\~518282.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\~519087.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\~521692.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\~539363.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\administrator.UBS\Local Settings\Temp\~480520.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\administrator.UBS\Local Settings\Temp\~523568.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\administrator.UBS\Local Settings\Temp\~671424.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\administrator.UBS\Local Settings\Temp\~675426.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\hans\Local Settings\Temp\~542127.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\HansYoo\Local Settings\Temp\~540829.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Jennifer\Local Settings\Temp\180sainstaller.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup
C:\Documents and Settings\Jennifer\Local Settings\Temp\180sainstaller.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup
C:\Documents and Settings\Jennifer\Local Settings\Temp\A6DF.tmp/Quicklinks.exe -> Adware.MDH : Cleaned with backup
C:\Documents and Settings\Jennifer\Local Settings\Temp\Del13.tmp -> Downloader.Small.asf : Cleaned with backup
C:\Documents and Settings\Jennifer\Local Settings\Temp\temp.fr2EA5\Ssk.exe -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Jennifer\Local Settings\Temp\temp.fr2EA5\SskBho.dll -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Jennifer\Local Settings\Temp\temp.fr2EA5\SskCore.dll -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Jennifer\Local Settings\Temporary Internet Files\Content.IE5\63QHWRAX\9400[1].cab/Quicklinks.exe -> Adware.MDH : Cleaned with backup
C:\Documents and Settings\Jennifer Garcia\Cookies\jennifer garcia@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Jennifer Garcia\Local Settings\Temp\Cookies\jennifer garcia@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\lee\Cookies\lee@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\2search\2search.dll -> Adware.2Search : Cleaned with backup
C:\Program Files\2search\get.exe -> Adware.2Search : Cleaned with backup
C:\Program Files\2search\main.exe -> Adware.2Search : Cleaned with backup
C:\Program Files\2search\uninstall.exe -> Adware.2Search : Cleaned with backup
C:\Program Files\EQAdvice\EQAdvice.exe -> Adware.CASClient : Cleaned with backup
C:\Program Files\Ineimail\Cache\00000728_43a73d69_0007d309 -> Downloader.IstBar.j : Cleaned with backup
C:\Program Files\Ineimail\Cache\00001796_43a71a05_000b6690 -> Downloader.IstBar.j : Cleaned with backup
C:\Program Files\Network\ipnetwork.exe -> Adware.Maxifiles : Cleaned with backup
C:\Program Files\QL\uninstall.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\finally.txt -> Downloader.Agent.afl : Cleaned with backup
C:\WINDOWS\kl1.exe -> Dropper.Small.amd : Cleaned with backup
C:\WINDOWS\rlvknlg.exe -> Adware.RK : Cleaned with backup
C:\WINDOWS\system32\cnkdsk.exe -> Proxy.Small.bo : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\order_vsnl.exe -> Backdoor.Agent.wi : Cleaned with backup
C:\WINDOWS\system32\dnscntrl.exe -> Backdoor.SdBot.aoy : Cleaned with backup
C:\WINDOWS\system32\drivers\sysbus32.sys -> Not-A-Virus.SpamTool.Win32.Mailbot.ab : Cleaned with backup
C:\WINDOWS\system32\dynmodem.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\inetdns.exe -> Backdoor.SdBot.anp : Cleaned with backup
C:\WINDOWS\system32\l20ulcd91f0.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\modifalf.dll -> Adware.Agent : Cleaned with backup
C:\WINDOWS\system32\ntsec.exe -> Backdoor.SdBot.apr : Cleaned with backup
C:\WINDOWS\system32\p8r4li9q18.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\qldsregl.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rk.bin -> Adware.RK : Cleaned with backup
C:\WINDOWS\system32\termcaps.exe -> Proxy.Small.bo : Cleaned with backup
C:\WINDOWS\system32\TheMatrixHasYou.exe -> Proxy.Small.bo : Cleaned with backup
C:\WINDOWS\system32\tmp_bms.dll -> Downloader.Agent.agz : Cleaned with backup
C:\WINDOWS\system32\xp244833.dll -> Logger.Gepost.p : Cleaned with backup
C:\WINDOWS\system32\zopenssl.dll -> Logger.Goldun.im : Cleaned with backup
C:\WINDOWS\system32\zopenssld.sys -> Logger.Goldun.im : Error during cleaning
C:\WINDOWS\Temp\01083070\1356.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\01083070\2116.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\01083070\2232.tmp -> Trojan.Sinowal.l : Cleaned with backup
C:\WINDOWS\Temp\01083070\2240.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\01083070\236.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\01083070\2424.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\01083070\2528.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\01083070\2552.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\01083070\2672.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\01083070\2824.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\01083070\2844.tmp -> Trojan.Sinowal.l : Cleaned with backup
C:\WINDOWS\Temp\01083070\2964.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\01083070\2984.tmp -> Trojan.Sinowal.l : Cleaned with backup
C:\WINDOWS\Temp\01083070\3100.tmp -> Trojan.Sinowal.l : Cleaned with backup
C:\WINDOWS\Temp\01083070\3148.tmp -> Trojan.Sinowal.l : Cleaned with backup
C:\WINDOWS\Temp\01083070\3196.tmp -> Trojan.Sinowal.l : Cleaned with backup
C:\WINDOWS\Temp\01083070\3292.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\01083070\3400.tmp -> Trojan.Sinowal.l : Cleaned with backup
C:\WINDOWS\Temp\01083070\3424.tmp -> Trojan.Sinowal.l : Cleaned with backup
C:\WINDOWS\Temp\01083070\3852.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\01083070\524.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\01083070\6116.tmp -> Trojan.Sinowal.l : Cleaned with backup
C:\WINDOWS\Temp\5.qtdfmp -> Downloader.Small.cnz : Cleaned with backup
C:\WINDOWS\Temp\540144176436\1608.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\540144176436\1876.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\540144176436\2248.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\540144176436\2368.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\540144176436\2396.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\540144176436\2528.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\540144176436\2724.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\540144176436\3040.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\540144176436\3304.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\WINDOWS\Temp\6C76.tmp -> Downloader.Agent.afl : Cleaned with backup
C:\WINDOWS\Temp\7.tmp -> Downloader.Agent.agz : Cleaned with backup
C:\WINDOWS\Temp\A9C10.tmp/dgfgql.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\Temp\F5D15.tmp/dgfgql.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\tmp_l7i.exe -> Downloader.Agent.agz : Cleaned with backup
C:\WINDOWS\Tqympvwm.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\win320941216458582006.exe -> Downloader.VB.tw : Cleaned with backup
C:\ZICORN001.exe -> Adware.ZenoSearch : Cleaned with backup

::Report End

Please let me know what else I may need to do. I had to end up uninstalling Norton in order to get the computer to start up properly. I plan on reinstalling it once I can get everything cleaned on it.

Thanks.

shelf life · May 6, 2006

hi roswell3053,

sorry for the delay, you seemed to have dropped off my reply list until a member pointed it out to me.

if you have reinstalled norton, check for updates to it and ewido. run them in safe mode. if you havent reinstalled norton, you need to get a antivirus app on your computer. you can get a free one here:

http://free.grisoft.com/freeweb.php/doc/2/
download,install,update it, run it in safe mode

after checking for updates or getting avg do this next:

its been awhile your log may have changed, check for these:

run hjt and have it "fix":
O4 - HKLM\..\Run: [NJv7jy] "C:\WINDOWS\System32\dgfgql.exe"
O4 - HKLM\..\Run: [fmkzttmA] C:\WINDOWS\fmkzttmA.exe
O4 - HKLM\..\Run: [42f128bc.exe] C:\WINDOWS\System32\42f128bc.exe
O20 - Winlogon Notify: logon16x - C:\WINDOWS\SYSTEM32\logon16x.dll
O20 - Winlogon Notify: skyu16 - C:\WINDOWS\SYSTEM32\skyu16.dll
O20 - Winlogon Notify: zopenssl - zopenssl.dll (file missing)
------------------------------
ok now boot computer into safe mode, might want to copy/paste the services.msc part to notepad and save it somewhere so you can read it tin safe mode:
you reach safe mode by tapping the f8 key during a computer restart, chose the first option safe mode.
once in safe mode:

go to start>run and type in--> services.msc,<--in the list of services that comes up, under name column, look for>>NTSec(ntsec)

right click on it and select properties. under the general tab:
make sure that the service status is: Stopped
and the Startup type is: disabled

next run your updated antivirus and ewido in safe mode.
restart computer normally, rescan and post a new hjt log......shelf life

shelf life · May 7, 2006

hi roswell3053,

hows it going over there?

tashi · May 12, 2006

This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.

Applies only to the original topic starter.

Computer Issues in the startup phase

roswell3053

New member

shelf life

Emeritus

roswell3053

New member

shelf life

Emeritus

shelf life

Emeritus

tashi

Member of Team Spybot