plun
Hi theresa

Have you done any scans within safe mode?

Perform a full scan with MSAS, change scan options to full scan.
Something can be "left behind".

Try to restart.

If this fails, try system restore. Maybe your spyware is back
but your PC maybe starts in normal mode after a system restore.

http://support.microsoft.com/default...b;en-us;306084

Let us know if this works, you probably need more advice.

--
plun

theresa pretended :
> I ran the microsoft anti spyware and followed the directions to delete the
> trojan and other spyware, I was then asked to restart. When the computer
> restarted it came up in safe mode, I have tried to restore and have tried to
> restart several times always in safemode. Help please.

AndyManchesta
Plun's suggestion may be your best option here, as it's hard to know what's gone wrong without knowing what trojans were removed in the scan.

Are you sure it's booting to safe mode each time and it's not just on a modified theme? To check the theme, right click the desktop and choose Properties. If it shows as Windows Classic in Themes, change it to Windows XP (that's if it is XP) and press Apply. (Windows Classic can give the impression the PC is in safe mode.)

The next option is to try msconfig: go to the Start menu and Run, type msconfig and press Enter. On the General tab make sure it's checked as Normal Startup. Go to the Boot.ini tab and make sure /Safeboot isn't checked; if it is, then click it to uncheck the box so no boxes on that tab are checked, and press Apply.

If you are still booting to safe mode, a system restore would be easier, and then repost so we can use other tools to remove whatever the infection was.

Andy
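The Boot.ini check in the post above can also be done on the file itself, for instance when msconfig will not open. This is an added example, not part of the original post: the sample boot.ini is constructed, and `parse_boot_ini` and `safeboot_findings` are illustrative names.

```python
import re

# Constructed boot.ini for a single-boot XP machine. The /safeboot:minimal
# switch is what the /SAFEBOOT checkbox on msconfig's Boot.ini tab writes.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /safeboot:minimal
"""


def parse_boot_ini(text):
    """Return (default ARC path, [entries]) from the text of a boot.ini."""
    default, entries, section = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader" and line.lower().startswith("default="):
            default = line.split("=", 1)[1].strip()
        elif section == "operating systems" and "=" in line:
            path, rest = line.split("=", 1)
            # Entry format: <ARC path>="<menu label>" /switch /switch ...
            m = re.match(r'\s*"([^"]*)"(.*)', rest)
            label, switches = (m.group(1), m.group(2).split()) if m else (rest.strip(), [])
            entries.append({"path": path.strip(), "label": label, "switches": switches})
    return default, entries


def safeboot_findings(text):
    """List every boot entry that carries a /safeboot switch."""
    default, entries = parse_boot_ini(text)
    findings = []
    for entry in entries:
        for switch in entry["switches"]:
            if switch.lower().startswith("/safeboot"):
                findings.append({
                    "label": entry["label"],
                    "switch": switch,
                    # True when this is the entry Windows boots without asking.
                    "is_default": entry["path"].lower() == (default or "").lower(),
                })
    return findings


if __name__ == "__main__":
    for f in safeboot_findings(SAMPLE_BOOT_INI):
        where = "default entry" if f["is_default"] else "non-default entry"
        print(f'{f["label"]}: {f["switch"]} on the {where}')
```

A finding on the default entry means Windows is being told to start in safe mode on every boot, which is what unchecking the box in msconfig removes.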

theresa
Hi Again,

I have tried all the fixes you all suggested and I still have the problem. The restore completes successfully and at restart I get the desktop warning asking me what mode I want to start in, I have tried them all and end up in safe mode each time. When removing the spyware do you think one of the startup features or important files were also removed? Suggestions please.

AndyManchesta
All I can suggest at this stage is running some scanners or performing a repair install of Windows if you have your Windows disk.

Run some of these online scanners:

Housecall online virus scan located at:

http://housecall.trendmicro.com/hous...start_corp.asp

Follow the prompts to scan your hard drive for viruses. Select the "Autoclean" option so that Housecall will remove any viruses from your system. When the scan is finished, please restart your computer.

Then run the Panda scan here:

http://www.pandasoftware.com/activescan/

Choose to "Disinfect automatically," and follow the prompts. Delete any viruses found, and restart your computer.

Finally, run the WindowSecurity trojan scan here:

http://www.windowsecurity.com/trojanscan/

Remove any trojans found, and restart your computer.

If you cannot get online then try downloading some of these and transferring them to the PC with the problem.

Microsoft Malicious software removal tool:

http://go.microsoft.com/fwlink/?LinkId=40587

Trend Micro's Damage clean up tool:

http://www.trendmicro.com/ftp/products/tsc/tsc.zip

McAfee's Stinger Virus Remover

http://vil.nai.com/vil/stinger/

F-Secure's Blacklight Beta

http://www.europe.f-secure.com/exclu...ght/blbeta.exe

Save to desktop or c:/drive and press scan, post back the log if anything is shown as hidden.

Hijack This

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Save to desktop or c:/drive and run, choose to run a system scan and save the logfile. When it's finished scanning it will open the results in Notepad; copy and paste that and post it back, but don't fix anything using Hijack This as most entries are genuine or even essential files.

Failing that, get your Windows disk and insert it into the drive and run the system file checker.

Go to Start and Run and type (remember the space after SFC)

SFC /SCANNOW

Press Enter and let it scan your system; if any files are damaged or missing they will be replaced using the files on the Windows disk.

If nothing here helps and you cannot change the settings in msconfig or use system restore then you may have to do a repair install of Windows:

All you do is boot from the CD. When it asks if you want to repair and to press "R", don't. Continue with the installation just like you were installing for the first time.

You will then get a license agreement and it will ask you to press F8 to agree. Right after that screen, you will see a list of Windows installations that setup found. It will ask if you want to repair it. Read the directions on that page!!!

If no previous installations are found, STOP and exit. That usually means that your registry is too corrupted for a repair and you will possibly lose all your data if you continue.

Then, you will actually press "R" this time and XP will re-install.

When done, you will be back to your familiar desktop with everything looking just like it did before. But all your Windows Updates are gone and you will need to get those again. If you have any problems booting from CD, set the CD to boot earlier than the hard drive in BIOS setup, or come back for more help.

Regards

Andy

theresa
Andy,

Thanks, I will give all the suggestions a try. I do not have the Windows disk, I run Windows XP and it did not come with one. Do you have a suggestion for that?

Theresa

AndyManchesta
Hi Theresa

It's going to be difficult if you cannot do a system restore and you don't have the disk to perform a repair or to check system files, but let's see how the scanners get on first. You may have malware still on the system in places like the drivers folder which is causing problems when you reboot. Blacklight beta is really just to check for any rootkits and scans very fast but could show genuine entries, so post back the log first, and Hijack This would be useful to show what's running on the system. It's not going to be a complete log if you're always in safe mode and maybe wouldn't show that much, but it's a good starting point. Ewido Security Suite would also be useful to make sure there aren't any malware problems on the system:

http://www.ewido.net/en/download/

I would have suggested using MSAS and opening Tools and Spyware Scan, then View Spyware Scan History, and copy and paste that back so we know what got deleted from your system, but if you have used system restore the data probably wouldn't be stored there now.

When you're using system restore it might be worth going back a few days to a point which you know what working fine, as the recent restore points may also be damaged. Start Menu > All Programs > Accessories > System Tools > System Restore.

If you have problems accessing the net to run some scans, reboot and keep tapping F8, then choose "Safe Mode with Networking" from the Windows advanced option menu, as you should then be able to use IE.

Does it display safe mode in all four corners of the screen when you reboot and is it a black background?

As you can see it's all a bit guesswork at the moment and hard to know what the solution is, but I'm hoping things will become clearer once you have run some scans or if you can still access the MSAS removal log or restore to an earlier point to get things back up and running.

Let us know how you get on and post any logs you get as they make give a indication to what's caused the damage on your system

Andy

AndyManchesta
Excuse the two grammar mistakes in my last post, hopefully it's still easy enough to understand.

Let us know how you get on

Andy

Theresa
Andy here is the info you requested.
I have tried everything, I even called the free support number for help and then HP they want to do a recovery of my home operating system, I do not want to lose all my photos etc....... The screen is black but the safe mode appears in 2 lower corners. I have also received the blue screen at times with IrqL_not_less_or_equal

Logfile of HijackThis v1.99.1
Scan saved at 8:33:46 PM, on 10/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\fmbbss.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weightwatchers.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.acsalaska.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: IEHlprObj Class - {AEE7DF76-242A-47E7-9400-9CF403F32F2E} - C:\WINDOWS\system32\mo030414s.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: TChkBHO Class - {DC3A8A12-718A-485B-A1AF-063EFE5ECDFB} - C:\WINDOWS\system32\zutkcrkv.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Norton PasswordManager] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {D1AFB197-5F24-49f4-9571-2F28A9798936}
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [bwvezp] c:\windows\system32\wtnblm.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\Toolbar\winnet.exe
O4 - HKLM\..\Run: [tjkdlmohnpal] C:\WINDOWS\System32\uwrhhn.exe
O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AKVCQISAN] C:\WINDOWS\AKVCQISAN.exe
O4 - HKLM\..\Run: [AHNUE] C:\WINDOWS\AHNUE.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [wiwyrq] C:\WINDOWS\system32\fmbbss.exe r
O4 - HKLM\..\Run: [ojjyqa] C:\WINDOWS\system32\lzxcss.exe r
O4 - HKLM\..\RunOnce: [Panda_cleaner_212229] C:\WINDOWS\system32\ActiveScan\pavdr.exe 212229
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Morpheus] C:\Program Files\StreamCast\Morpheus\Morpheus.exe -min
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/nets...l/gtdownls.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Theresa
plun
Hi Theresa

This is for sure a challenge and if you only have these "stupid" recovery disks even more. With a real XP OEM CD you can easily repair your installation.

Within your HijackThis logs I can see several "infections", abetterinternet probably Aurora, maybe Wintools, Gohip and also viruses.

Microsoft also have free support for this so maybe it's a good idea to call them.

No-Charge Support
1-866-PCSAFETY or 1-866-727-2338

This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada.

For phone numbers outside of the U.S. and Canada, select your region. http://support.microsoft.com/?pr=securityhome for link to other regions.

I feel sorry when I see what the "bad guys" are doing to our PCs........ ;(

Good luck.

--
plun
- > C:\Program Files\iPod\bin\iPodService.exe > O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program > Files\Norton Internet Security\ISSVC.exe > O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec > Corporation - C:\Program Files\Norton Internet Security\Norton > AntiVirus\navapsvc.exe > O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - > C:\WINDOWS\System32\nvsvc32.exe > O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton > Internet Security\Norton AntiVirus\SAVScan.exe > O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - > C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe > O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec > Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe > O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - > C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe > O23 - Service: System Startup Service (SvcProc) - Unknown owner - > c:\windows\SvcProc.exe > O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program > Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe > O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program > Files\Common Files\Symantec Shared\Security Center\SymWSC.exe > > > Theresa > > > > "AndyManchesta" wrote: > >> >> All I can suggest at this stage is running some scanners or performing a >> repair install of windows if you have your windows disk. >> >> Run some of these online scanners: >> >> Housecall online virus scan located at: >> >> http://housecall.trendmicro.com/hous...start_corp.asp >> >> Follow the prompts to scan your hard drive for viruses. Select the >> "Autoclean" option so that Housecall will remove any viruses from your >> system. When the scan is finished, please restart your computer. 
>> >> Then run the Panda scan here: >> >> http://www.pandasoftware.com/activescan/ >> >> Choose to "Disinfect automatically," and follow the prompts. Delete any >> viruses found, and restart your computer. >> >> Finally, run the WindowSecurity trojan scan here: >> >> http://www.windowsecurity.com/trojanscan/ >> >> Remove any trojans found, and restart your computer. >> >> If you cannot get online then try downloading some of these and transferring >> them to the pc with the problem. >> >> Microsoft Malicious software removal tool : >> >> http://go.microsoft.com/fwlink/?LinkId=40587 >> >> Trend Micro's Damage clean up tool : >> >> http://www.trendmicro.com/ftp/products/tsc/tsc.zip >> >> Mcafee's Stinger Virus Remover >> >> http://vil.nai.com/vil/stinger/ >> >> F-Secures Blacklight Beta >> >> http://www.europe.f-secure.com/exclu...ght/blbeta.exe >> >> save to desktop or c:/drive and press scan, post back the log if anything >> shown as hidden >> >> Hijack This >> >> http://www.spywareinfo.com/~merijn/files/hijackthis.zip >> >> Save to desktop or c:/drive and run , choose to run a system scan and save >> the logfile, when its finished scanning it will open the results in notepad, >> copy and paste that and post it back but dont fix anything using hijack this >> as most entries are genuine or even essential files. >> >> >> Failing that get your windows disk and insert it into the drive and run the >> system file checker >> >> Goto start and run and type (remember the space after SFC) >> >> SFC /SCANNOW >> >> press enter and let it scan your system, if any files are damaged or missing >> they will be replaced using the files on the windows disk >> >> If nothing here helps and you cannot change the settings in msconfig or use >> system restore then you may have to do a repair install of windows: >> >> All you do is boot from the CD. When it asks if you want to repair and to >> press "R", don't. 
Continue with the installation just like you were >> installing for the first time. >> >> You will then get a license agreement and it will ask you to press F8 to >> agree. Right after that screen, you will see a list of Windows installations >> that setup found. It will ask if you want to repair it. Read the directions >> on that page!!! >> >> If no previous installations are found, STOP and exit. That usually means >> that your registry is too corrupted for a repair and you will possibly lose >> all your data if you continue. >> >> Then, you will actually press "R" this time and XP will re-install. >> >> When done, you will be back to your familiar desktop with everything looking >> just like it did before. But all your Windows Updates are gone and you will >> need to get those again. If you have any problems booting from CD, set the >> CD to boot earlier than the hard drive in BIOS setup, or come back for more >> help. >> >> Regards >> >> Andy |
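The HijackThis log quoted above arrives `>`-prefixed and line-wrapped, so a single entry can span two or three lines and cannot be read line by line. The Python below is an added example, not part of the thread and not HijackThis's own code: it rejoins wrapped entries, lists the O4 registry autostarts, and collects the entries the tool itself annotated ("Unknown owner", LSP provider "missing"). The function names and the sample log are constructed for illustration, and it assumes each wrap happened at a space.

```python
import re

# Constructed sample shaped like a quoted, wrapped HijackThis log (all names invented).
SAMPLE = r"""
> O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example
> Suite\tray.exe" /startup
> O4 - HKCU\..\Run: [updater] C:\WINDOWS\updater.exe
> O10 - Broken Internet access because of LSP provider 'c:\program
> files\example\lsp.dll' missing
> O23 - Service: Example Agent (ExAgent) - Example Corp -
> C:\Program Files\Example\agent.exe
> O23 - Service: Startup Helper (StartHlp) - Unknown owner -
> c:\windows\starthlp.exe
>
> Theresa
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # section code, e.g. O4, O23
QUOTE = re.compile(r"^(?:>\s?)+")                 # one or more reply markers
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")

def parse_entries(text):
    """Strip quote markers and rejoin wrapped lines into (section, body) pairs."""
    entries, in_entry = [], False
    for raw in text.splitlines():
        line = QUOTE.sub("", raw.strip()).strip()
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
            in_entry = True
        elif not line:
            in_entry = False              # a blank line ends the log block
        elif in_entry:
            entries[-1][1] += " " + line  # continuation of a wrapped entry
    return [tuple(e) for e in entries]

def autoruns(entries):
    """(hive, key, value name, command) for each O4 registry autostart."""
    hits = (RUN.match(body) for sec, body in entries if sec == "O4")
    return [m.groups() for m in hits if m]

def review_leads(entries):
    """Entries the tool itself annotated: leads to look up, not verdicts."""
    leads = []
    for sec, body in entries:
        if sec == "O23" and " - Unknown owner - " in body:
            leads.append((sec, "no owner reported for service binary", body))
        elif sec == "O10" and body.endswith("missing"):
            leads.append((sec, "LSP provider file missing", body))
    return leads
```

The leads are only a reading order for the log; as the quoted advice says, most entries in such a log are genuine or even essential files.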