| 1. |
Solve: Unable to boot in any mode except Safe Mode? |
|
Answer» I'm helping a coworker with her personal computer, and she's run into a major issue that I don't know how to fix. WinFixer, WinAntiVirus, WinAntiVirusPro, ErrorSafe, SystemDoctor, WinAntiSpyware, AVSystemCare, WinAntiSpy, Performance Optimizer, StorageProtector, PrivacyProtector and others are very similar computer programs available only for Microsoft Windows that claim to repair computer system problems [1][2][3], but do not actually do so. They are sometimes installed without the user's consent, usually through Internet Explorer. They display false information about the user's computer, confusing the user into believing that their PC is infected with viruses, spyware and/or other forms of malware. The advertisements pop up a display with notifications to convince the user that something may be amiss with the computer, or run a fake diagnostic. The program repeatedly prompts the user to purchase a licensed copy of the program. Due to these problems, WinFixer and its sister applications are generally considered scareware spyware through misleading popups and forced downloads.

Boot to safe mode and un-install WinFixer. Re-boot and see what happens...if it's stubborn as most scumware is we may need a lobotomy. Post back with the results...is it possible that you can use system restore? And restore to the point right before the winfixer got installed or some known clean restore point? The system restore can be run in safe mode so give it a shot (unless no system restore point exists which I doubt...)

Do you have a flash drive to transfer over Vundofix

Removal Steps:
1. Please print these instructions as they will be needed later when Internet access is not available.
2. Save these instructions in word or notepad to the desktop where they can be easily found.
3. Download Vundo Fix and save it to your desktop.
4. When it has completed downloading, double-click VundoFix.exe to run it.
5. Click the Scan for Vundo button.
6. Once it's done scanning, click the Remove Vundo button.
7. You will now receive a prompt asking if you want to remove the files, click the YES button. Once you click yes, your desktop will go blank as it starts removing Vundo.
8. When completed, it will prompt that it will shutdown your computer, click the OK button.
9. When the computer has shutdown, turn your computer back on.
The WinFixer and Vundo infection should now be removed from your computer. Next go HERE and do the instructions and post the logs back in the Computer Viruses and Spyware forum.

Quote from: evilfantasy on April 19, 2008, 05:45:13 PM
Do you have a flash drive to transfer over Vundofix
That I think should fix the problem unless you have a system restore point and restoring earlier configurations doesn't matter to you too much. In doing system restore, you might lose things that you did recently (more likely, you'll just have to reinstall any recent programs you installed so that the registry reads it right and cause no problem when loading)

Yes it will fix it. Problem is what all else might be wrong. Winfixer shouldn't be blocking the internet. Malware writers don't profit on broken connections......... How To Remove Winfixer / Virtumonde / Msevents / Trojan.vundo.b

Well, thank y'all for the advice so far. Last night, I got the chance to go try it out on her computer, and here are my notes:
- First, I took VundoFix over on CD, which seemed to work fine, since the program DLed and ran on her computer.
- I booted her computer up, and the first time it went into Safe Mode, the Safe Mode popup came up 5 times.
- While VF was running, the WinFixer popups came up. One is a yellow yield sign in the system tray, and the other is a Windows-designed error message. After a while, a screensaver would consist of bugs crawling across the screen, eating the desktop.
- VF took a half-hour to run, but found 6 infections, which I removed. When it began to remove them, a new Windows-designed error message popped up for a second that said due to a major problem, this computer would be shut down in 30 seconds. Then, all three error messages disappeared, and VF said it needed to restart the computer.
- Upon restart, the computer still could not start in any mode except Safe Mode. As soon as it booted up to the desktop, the error messages reappeared.
- I decided to just check out System Restore and see if I could find when it would restore to. Choosing System Restore from the Start menu resulted in the following message: System Restore is not able to protect your computer. Please restart and run System Restore again.
- I restarted one more time and System Restore gave the exact same error message again.
I left off at this point because the first instruction didn't work. VF didn't remove the program, so I wasn't sure if I should go through with anything else before checking back with y'all. Also, as I looked closely at it, the program is actually called WinIFixer, not just WinFixer. Not sure if they're the same thing. So, any more ideas?

I am moving this to the virus and spyware forum. You need to run SmitFraudFix. Then post a Hijackthis log. Download and rename HijackThis (HJT)
Okay, I apologize about the massive absence, but she was unable to print/save the HiJackThis log, so she had to hand-write the entire thing and I had to retype it all. Please excuse any slight typos (O's where 0's should be, uncapitalized letters, etc.) So, here it is:

Logfile of trend micro hijackthis v2.0.2
Scan saved at 9:09:25pm, on 4/23/2008
Platform: WindowsXP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode
Running processes :
C:\windows\system32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\explorer.exe
C:\windows\system32\drivers\spools.exe
C:\Program Files\Trendmicro\HijackThis\sniper.exe.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1_HKCU\Software\Microsoft\Windows\Current version\internet setting.proxyoverride=*.local
R3_URLSearchHook:Yahoo! Toolbar_{EF99BD32-C1FB-11D2-892F0090271D4F88}-C:\PROGRA~1\Yahoo!\companion\Installs\cpn\yt.dll
F2-Reg:system.ini:Shell=Explorer.exe C:\windows\Shell.exe
F2-Reg:system.ini:userInit=C:\windows\system32\userint.exe, C:\programFiles\Common Files\Microsoft Shared\sysctc.exe,
O2-BHOLno name)-{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}-C:\Windows\system32\jfiehayd.dll
O2-BHO:C:\windows\system32\jfiehayd.dll-{C5AF49A2-94F3-42BD-F434-2604812C897D}-C:\windows\system32\jfiehayd.dll
O3-Toolbar:Hpview-{B2847E28-SD7D-4DE8-8B67-05D28BCF79F5}-C:\Program Files\HP\Digital imaging\bin HPDTLKO2.dll
O3-Toolbar:Yahoo! Toolbar-{EF99BD32-C1FB-11D2-892F-0090271D4F88}-C:\PROGRA~1\Yahoo!\companion\installs\cpn\yt.dll
O4-HKLM\..\Run:[YsearchProtection]”C:\Program Files\Yahoo!\search protection\searchprotection.exe”
O4-HKLM\..\Run:[QuickTime Task]”C:\Program Files\QuickTime\QTTASK.exe”-atboottime
O4-HKLM\..Run:[itunesHelper]”C:\Program Files\itunes\ituneshelper.exe”
O4-HKLM\..\Run:[Postsetupcheck]C:\windows\system32\Rundll32.exe”C:\windows\system32\atgban.dll” Dllstart
O4-HKLM\..\Run:[runner1 C:\windows\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01FOB3E35B6 638993F4661AA4EBD86D67C56389B284534F310 F3D1DC7E4638E8323A15806F97BDE4417E6FD96 7002BA754E2C2832213329D26033AAC
O4-HKLM\..\Run:[b4fe43bd]rundll32.exe”C:\windows\system32\fqvtivpi.dll”,b
O4-HKLM\..\Run:[ntuser]C:\windows\system32\drivers\spools.exe
04-HKLM\..\Run:[autoload]C:\Documents and Settings\Adriana\cftmon.exe
O4-HKLM\..\Run:[BluetoothAutorizationAgent]C:windows\system32\BluetoothAuthorizationAgent.exe
O4-HKLM\..\Run:[WinIFixer]C:\Program Files\WinIFixer\WinIFixer.exe
O4-HKLM\..\Run:[antivirus Pro]C:Program Files\AntivirusPro\AntivirusPro.exe
O4-HKLM\..\Run:[jdgf894jrghoiistd]C:\windows\Temp\winlogan.exe
O4-HKLM\..\Run:[advap32]C:windows\TEMP\loader2.exe\v
O4-HKLM\..\Run:[SystemDrive]C:windows\system32\maxpaynow1.exe
O4-HKLM\..\Run:[taskmon]C:windows\taskmon.exe
O4-HKLM\..\Run:[msvtt]C:windows\system32\mmhkj.exe
O4-HKLM\..\Run:[BMb7cd7021]Rundll32.exe “C:\windows\system32\amcakabk.dll”,s
O4-HKLM\..\Run:[kernelFaultCheck]%systemroot%\system32\dumprep O-K
O4-HKCU\..\Run:[ctfmon.exe]C:Windows\system32\ctfmon.exe
O4-HKCU\..\Run:[Yahoo! Pager]”C:\PROGRA~1\Yahoo\MESSEN~1\YAHOOM~1.EXE”-quiet
O4-HKCU\..\Run:[MSMSGS]”C:\Program Files\Messenger\msmsgs.exe”/background
O4-HKCU\..\Run:[YsearchProtection]C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4-HKCU\..\Run:[srro]”C:\DOCUME~1\adriana\MYDOCU~1\SSTEM~1\winlogon.exe” –vt ya2b
O4-HKCU\..\Run:[Odog] “C:\Documents and settings\adriana\My Documents\M?crosoft.net\??rvices.exe”
O4-HKCU\..\Run:[ntuser]C:\Windows\system32\drivers\spools.exe
O4-HKCU\..\Run:[jdgf894jrghoiiskd]C:\Windows\TEMP\winlogan.exe
O4-HKCU\..\Run:[Jnskdfmf9eldfd]C:\Docume~1\adriana\LOCALS~1\Temp\csrssc.exe
O4-HKCU\..\Run:[ServicePack1]C:\Windows\system32\vedxgbame4.exe
O4-HKCU\..\Run:[autoload]c:\Documents and settings\adriana\cftmon.exe
O4-HKUS\S-1-5-18\..\Run:[autoload]C:\Documents and settings\\local service\cftmon.exe (user ‘SYSTEM’)
O4-HKUS\S-1-5-18\..\Run:[jdgf894jrghoiiskd]C:\windows\temp\winlogan.exe (user ‘system’)
O4-HKUS\S-1-5-18\..\Run:[jnskdfmf9eldfd]C:\windows\temp\csrssc.exe (user ‘system’)
O4-HKUS\S-1-5-18\..\Run:[spoolsv]C:\windows\system32\spoolvs.exe (user ‘system’)
O4-HKUS\S-1-5-18\..\Run:[windows update loader]C:\windows\xpupdate.exe (user ‘system’)
O4-HKUS\.DEFAULT\..\Run:[ntuser]C:\windows\system32\drivers\spools.exe (user ‘Default user’)
O4-Startup:DW-Start.lnk=C:\windows\system32\rwwnwb4d.exe
O4-Global startup:adobe reader speed launch.lnk=c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
O4-Global startup:Lumix simple viewer.lnk=?
O7-HKCU\software\Microsoft\windows\current version\policies\system.disableregedit=1
O8-Extra content menu item: Add to HP organize… -C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\sendTo.html
O8-Extra content menu item: E &xopt to Microsoft Excel – res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9-Extra button: (no name)-{O8BOE5CO-4FCB-11CF-AAA5-00401C608501}-C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9-Extra ‘tools’ menuitem:sunjava Console-{08BDE5CO-4FCB-11CF-AAA5-004016608501}C:\Program Files\java\j2re1.4.2_03\bin\npjpi142-03.dll
O9 Extra button: Yahoo! Messenger-{E5012C4E-7B4F-11D3-B5C9-005004563C96}-C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 Extra ’Tools’ menuitem: Yahoo! Messenger-{E5D12C4E-7B4F-11D3-B5C9-0050045C3L96}-C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
09-Extra button:Messenger-{FB5F1910-F110-11dz-BB9E-00C04F795683}-C:\Program Files\Messenger\msmsgs.exe
09 Extra ’Tools’ menuitem:windows messenger-{FB5F1910-F110-11dz-BB9E-00C04F795683}-C:\Program Files\Messenger\msmsgs.exe
OI7-HKLM\System\ccs\services\tcpip\..\{7345DF05-A119-4931-9OE6-666CF5AEA1DA}:nameserver 85.255.116.168.85.255.112.209
OI7-HKLM\System\ccs\services\tcpip\..\{CD941F95-643F-460F-856B-CSD8263728DC}: nameserver 85.255.116.168.85.255.112.209
OI7-HKLM\system\cs1\services\Tcpip\Parameters:Name Server=85.255.116.168.85.255.112.209
OI7-HKLM\system\cs1\services\Tcpip\..\{7345DF05-A119-4931-90E6-666CF5AEA1DA}NameServer=85.255.116.168.85.255.112.209
OI7- HKLM\system\cs1\services\Tcpip\parameters:Nameserver=85.255.116.168.85.255.112.209
O20-Applnit_DLLS:C:\windows\system32\wowfx.dll
O20-Winlogon Notify:awtttus-C:\windows\system32\awtttus.dll
O20-Winlogon Notify:ibudu-C:\windows\system32\ibudu.dll
O20-Winlogon Notify:partnershipreg-C:\Documents and settings\All users\\Documents\Settings\partnership.dll
O20-Winlogon Notify:wlctrl32-C:\windows\system32\WLCtrl32.dll
O21-SSODL:BeaQtlcG-{B4FE4313-1E54-E9B9-2D3B-2B96A415245B}-C:\windows\system32\zckmib.dll
O21-SSODL:PrxRam-{439e5852-9e59-4240-84c8-fe09995e25c8}-C:windows\Installer\\{439e5852-9e59-4240-84c8-fe09995e25c8}\PrxRam.dd
O21-SSODL:AlrtAlrt-{8bb3b421-ce22-4132-9140-a1fdefbfdo29}-C:\windows\Resources\AlrtAlrt.dll
O21-SSODL:zip-{da053baf-f7e9-4f4f-b41d-a5139124b1a2}-C:\windows\Installer\{da053baf-f7e9-4f4f-b41d-a5139124b1a2}\zip.dll
O22-Sharedtaskscheduler:jhsf8d984jief8dsfus98jkefn-{C5AF49A2-94F3-42BD-F434-Z604812C8970}-C:\window\system32\jfiehayd.dll
O23-Service: Apple Mobile Device-Apple, Inc.-C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23-Service :Bonjour Service-Apple Inc.-C:\Program Files\Bonjour\mdNSRejponder.exe
O23-Service : Command Service (cmdservice) –unknown owner- C:\windows\IA\command.exe
O23-Service :FC1 (fci)-unknown owner-C:\windows\system32\svchost.exe:ext.exe
O23-Service:Google Online Services-Unknown owner-C:\Documents and settings\Adriana\ie_updates3r.exe
O23-Service: iPod service-Apple Inc.-C:\Program Files\ipod\bin\ipodservice.exe
O23-Service:Network Monitor-unknown owner-C:\Program Files\Network Monitor\netmon.exe
O23-Service:task scheduler (schedule)-unknown owner-C:\windows\system32\drivers\spools.exe
-- End of File – 8463 bytes

You have a massive problem. Do the steps in this post in order and then post all of the logs including a new hijackthis log.

Well, the problem is that she still can't connect to the internet in any way, shape, or form. How would you recommend going about everything in that post without any type of access? Note that the computer can't reboot in any mode except Safe Mode either. Anything that requires an online verification won't work.

It appears that all the downloads will have to be done by you and transferred using a flashdrive or CD.

It would probably be easier to reinstall. When I say "You have a massive problem." I'm not exaggerating.

Ah. Bummer. I appreciate the help, anyway. I'll pass the word along to her. |
|
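As an added example (not from the thread, and not part of HijackThis or any other tool it names), a small Python triage script that applies the checks the responders made by eye on the log above: DNS nameserver entries (O17), Winlogon Notify / AppInit hooks (O20), a disabled Registry Editor (O7), a Shell or Userinit line extended with a second executable (F2), autoruns started from Temp or a user profile (O4), and executable names that imitate core Windows processes. The rule names and the lookalike heuristic are my own assumptions, and the sample entries are a constructed excerpt adapted from the thread's hand-retyped log.

```python
import re

# Constructed sample: entries adapted from the hand-retyped HijackThis log in
# this thread ("OI7" is the poster's transcription of the O17 section code).
SAMPLE_LOG = r"""
F2-Reg:system.ini:Shell=Explorer.exe C:\windows\Shell.exe
O4-HKLM\..\Run:[QuickTime Task]"C:\Program Files\QuickTime\QTTASK.exe"-atboottime
O4-HKLM\..\Run:[jdgf894jrghoiistd]C:\windows\Temp\winlogan.exe
O4-HKCU\..\Run:[srro]"C:\DOCUME~1\adriana\MYDOCU~1\SSTEM~1\winlogon.exe" -vt ya2b
O4-HKLM\..\Run:[ntuser]C:\windows\system32\drivers\spools.exe
O7-HKCU\software\Microsoft\windows\current version\policies\system.disableregedit=1
OI7-HKLM\System\ccs\services\tcpip\..\{7345DF05-A119-4931-9OE6-666CF5AEA1DA}:nameserver 85.255.116.168.85.255.112.209
O20-Winlogon Notify:awtttus-C:\windows\system32\awtttus.dll
O23-Service: iPod service-Apple Inc.-C:\Program Files\ipod\bin\ipodservice.exe
"""

# Rules keyed on HijackThis section codes (all matching is case-insensitive).
RULES = [
    ("O17 DNS hijack: nameserver points at an external resolver",
     re.compile(r"^O[I1]7-.*name ?server", re.I)),
    ("O20 Winlogon Notify / AppInit_DLLs hook", re.compile(r"^O20-", re.I)),
    ("O7 Registry Editor disabled by policy", re.compile(r"^O7-.*disableregedit=1", re.I)),
    ("F2 Shell or Userinit extended with an extra executable",
     re.compile(r"^F2-Reg:system\.ini:(Shell|userInit)=.*\.exe.*\.exe", re.I)),
    ("O4 autorun launched from Temp or a user profile folder",
     re.compile(r"^O4-.*(\\temp\\|documents and settings\\[^\\]+\\[^\\]+\.exe|docume~1)", re.I)),
]
# Core Windows process names that malware imitates (spools.exe, winlogan.exe, csrssc.exe in the log).
CORE_PROCESSES = ("winlogon", "csrss", "spoolsv", "svchost", "lsass", "services")

def lookalike_name(line):
    # An .exe name sharing its first four letters with a core process, but not equal to it.
    for name in re.findall(r"([\w~.-]+)\.exe", line, re.I):
        for real in CORE_PROCESSES:
            if name.lower() != real and name.lower().startswith(real[:4]):
                return name
    return None

def triage(log_text):
    # Return (reason, entry) pairs for the entries a responder should read first.
    hits = []
    for line in (l.strip() for l in log_text.splitlines()):
        for reason, pattern in RULES:
            if line and pattern.search(line):
                hits.append((reason, line))
        fake = lookalike_name(line)
        if fake:
            hits.append((f"system-process lookalike: {fake}.exe", line))
    return hits
```

Calling `triage(SAMPLE_LOG)` flags eight entries and leaves the QuickTime and iPod lines alone; a genuine `C:\windows\system32\winlogon.exe` is not reported as a lookalike because its name matches exactly.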