1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Computer only works in safemode

Discussion in 'Malware and Virus Removal Archive' started by shannondiaz1, 2008/09/18.

  1. 2008/09/18
    shannondiaz1

    shannondiaz1 Inactive Thread Starter

    Joined:
    2008/06/21
    Messages:
    5
    Likes Received:
    0
    I am trying to help my nephew with his computer, it only works in safemode, word pad, printer and many other functions wont work either.
    I did a HijackThis scan, and here are the results.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:15:48 PM, on 8/31/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode with network support
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0E2166D6-02C1-4210-883C-28B42FF0977D} - C:\WINDOWS\system32\rqRIyXNE.dll (file missing)
    O2 - BHO: (no name) - {2F02D978-0FF6-80F7-60BB-0426224AB7B3} - C:\Program Files\yawgxqmb\lqyxmgxw.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {55948725-F7B6-41B2-B355-4CEF29DA70E4} - C:\WINDOWS\system32\dhcpmo.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {9CFA3819-4AA2-3731-CAD4-477415FD2A98} - C:\WINDOWS\system32\sarg0s\kernel32.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: (no name) - {E0100E9E-6D7B-4DFD-8930-31CE1B1B4C53} - C:\WINDOWS\system32\mlJCSiJA.dll (file missing)
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\4r37wbqd.exe
    O4 - HKLM\..\Run: [Medichi] medichi.exe
    O4 - HKLM\..\Run: [Medichi2] medichi2.exe
    O4 - HKLM\..\Run: [{70-00-0E-EA-ZN}] c:\windows\system32\dwdsrngt.exe CHD001
    O4 - HKLM\..\Run: [{70-00-0E-EA-DW}] c:\windows\system32\rwwdw64d.exe CHD001
    O4 - HKLM\..\Run: [zwjuvqra] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\zwjuvqra.dll "
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [qtitoxyl] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\qtitoxyl.dll "
    O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [io43mvuiw4kj] C:\WINDOWS\io43mvuiw4kj.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [hmlefkze] rundll32.exe "C:\Program Files\hmlefkze\lghsjgre.dll ",Init
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [EasySpywareCleaner] C:\Program Files\EasySpywareCleaner\EasySpywareCleaner.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe "
    O4 - HKLM\..\Run: [lphcne1j0eecr] C:\WINDOWS\system32\lphcne1j0eecr.exe
    O4 - HKLM\..\Run: [SMrhcje1j0eecr] C:\Program Files\rhcje1j0eecr\rhcje1j0eecr.exe
    O4 - HKLM\..\Run: [BMf7f433d9] Rundll32.exe "C:\WINDOWS\system32\ekdauikx.dll ",s
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
    O4 - HKUS\S-1-5-18\..\Run: [LiveAntispy] C:\Program Files\LiveAntispy\LiveAntispy.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [LiveAntispy] C:\Program Files\LiveAntispy\LiveAntispy.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
    O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
    O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
    O20 - AppInit_DLLs: C:\WINDOWS\murka.dat
    O20 - Winlogon Notify: f4c700ea381 - C:\WINDOWS\System32\cfgbkend32.dll
    O20 - Winlogon Notify: iiffedc - iiffedc.dll (file missing)
    O20 - Winlogon Notify: rqRIyXNE - rqRIyXNE.dll (file missing)
    O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
    O20 - Winlogon Notify: __c00FEB3A - C:\WINDOWS\system32\__c00FEB3A.dat (file missing)
    O21 - SSODL: E404Helper - {aacf2815-8a01-4982-8862-de225abd8bcf} - e404d.dll (file missing)
    O21 - SSODL: PagingSYS - {009541A0-3B00-1F1C-00F3-040224001C01} - C:\Program Files\Common Files\PagingSYS.dll
    O21 - SSODL: CheckAlrt - {02898722-2ead-4437-bbc5-40fd9114d6f4} - C:\WINDOWS\Installer\{02898722-2ead-4437-bbc5-40fd9114d6f4}\CheckAlrt.dll
    O21 - SSODL: zip - {7f4b724d-553c-465d-90ba-e3ef5f55db0f} - C:\WINDOWS\Installer\{7f4b724d-553c-465d-90ba-e3ef5f55db0f}\zip.dll
    O21 - SSODL:
    O22 - SharedTaskScheduler: edfjgj - {441EF6D9-C6A2-419f-9A71-977E2004EE14} - (no file)
    O23 - Service: Background Intelligent Transfer Service BITSlanmanworkstation (BITSlanmanworkstation) - Unknown owner - C:\WINDOWS\system32\1028i.exe
    O23 - Service: DNS Client DnscacheNetDDE (DnscacheNetDDE) - Unknown owner - C:\WINDOWS\system32\609856r.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Help and Support helpsvcehRecvr (helpsvcehRecvr) - Unknown owner - C:\WINDOWS\system32\advpackne.exe
    O23 - Service: Human Interface Device Access HidServRpcLocator (HidServRpcLocator) - Unknown owner - C:\WINDOWS\system32\5558r.exe
    O23 - Service: Server lanmanserverPlugPlay (lanmanserverPlugPlay) - Unknown owner - C:\WINDOWS\system32\advpackn.exe
    O23 - Service: Workstation lanmanworkstationRDSessMgr (lanmanworkstationRDSessMgr) - Unknown owner - C:\WINDOWS\system32\activedsr.exe
    O23 - Service: Remote Desktop Help Session Manager RDSessMgrERSvc (RDSessMgrERSvc) - Unknown owner - C:\WINDOWS\system32\adsndsm.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: System Event Notification SENSHTTPFilter (SENSHTTPFilter) - Unknown owner - C:\WINDOWS\bronv32.exe
    O23 - Service: MS Software Shadow Copy Provider SwPrvNetman (SwPrvNetman) - Unknown owner - C:\WINDOWS\system32\5558w.exe
    O23 - Service: Windows User Mode Driver Framework UMWdfNetDDE (UMWdfNetDDE) - Unknown owner - C:\WINDOWS\system32\adsndsmr.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
    --
    End of file - 11174 bytes


    Any help would be very appreciated.
    Thank you,
    Shannon Diaz
     
    shannondiaz1,
    #1
  2. 2008/09/19
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Shannon
    Your nephew has quite a mess here.

    We need to run 3 tools, please run them in the order given, making sure you follow the instructions carefully.

    First MBAM. This will need to be updated after download, so please download and run this in "Safe mode with Networking "
    Then try to reboot back into normal windows, if it lets you please run it again in normal windows mode.

    Download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply along with a fresh HijackThis log.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    Then do this one, This one needs to be ran in safe mode follow the instructions.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum.

    Now run this one. It is best to run in normal mode if at all possible.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the Combofix log
    Note: Do not mouseclick combofix's window while its running. That may cause it to stall

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the MBAM log the SDFix log and the Combofix log.

    Thanks
    Geri
     
    Geri,
    #2


  3. to hide this advert.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...