not able to restart in normal mode

Guest

I ran the Microsoft AntiSpyware and followed the directions to delete the
trojan and other spyware. I was then asked to restart. When the computer
restarted it came up in safe mode. I have tried to restore and have tried to
restart several times, always in safe mode. Help please.
 
plun

Hi theresa

Have you done any scans within safe mode?

Perform a full scan with MSAS, change scan options to full scan.
Something can be "left behind".

Try to restart.

If this fails, try system restore. Maybe your spyware is back
but your PC may start in normal mode after a system restore.

http://support.microsoft.com/default.aspx?scid=kb;en-us;306084

Let us know if this works, you probably need more advice.

--
plun

 
Guest

Plun's suggestion may be your best option here as it's hard to know what's gone
wrong without knowing what trojans were removed in the scan. Are you sure it's
booting to safe mode each time and it's not just on a modified theme?

To check the theme, right click the desktop and choose Properties. If it shows as
Windows Classic in themes, change it to Windows XP (that's if it is XP) and
press Apply. (Windows Classic can give the impression the PC is in safe mode.)


Next option is to try msconfig.

Go to the Start menu and Run, type msconfig and press Enter.

On the General tab make sure it's checked as Normal Startup.

Go to the Boot.ini tab and make sure /Safeboot isn't checked. If it is, then
click it to uncheck the box so no boxes on that tab are checked, and press
Apply.

If you are still booting to safe mode, a system restore would be easier, and
then repost so we can use other tools to remove whatever the infection was.

Andy
 
Guest

Hi again,
I have tried all the fixes you all suggested and I still have the problem.
The restore completes successfully and at restart I get the desktop warning
asking me what mode I want to start in. I have tried them all and end up in
safe mode each time. When removing the spyware, do you think one of the
startup features or important files was also removed? Suggestions please.
 
Guest

All I can suggest at this stage is running some scanners or performing a
repair install of Windows if you have your Windows disk.

Run some of these online scanners:

Housecall online virus scan located at:

http://housecall.trendmicro.com/housecall/start_corp.asp

Follow the prompts to scan your hard drive for viruses. Select the
"Autoclean" option so that Housecall will remove any viruses from your system.
When the scan is finished, please restart your computer.

Then run the Panda scan here:

http://www.pandasoftware.com/activescan/

Choose to "Disinfect automatically," and follow the prompts. Delete any
viruses found, and restart your computer.

Finally, run the WindowSecurity trojan scan here:

http://www.windowsecurity.com/trojanscan/

Remove any trojans found, and restart your computer.

If you cannot get online then try downloading some of these and transferring
them to the PC with the problem.

Microsoft Malicious Software Removal Tool:

http://go.microsoft.com/fwlink/?LinkId=40587

Trend Micro's Damage Cleanup tool:

http://www.trendmicro.com/ftp/products/tsc/tsc.zip

McAfee's Stinger Virus Remover

http://vil.nai.com/vil/stinger/

F-Secure's Blacklight Beta

http://www.europe.f-secure.com/exclude/blacklight/blbeta.exe

Save to desktop or c:/drive and press scan. Post back the log if anything is
shown as hidden.

HijackThis

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Save to desktop or c:/drive and run. Choose to run a system scan and save
the logfile. When it's finished scanning it will open the results in Notepad.
Copy and paste that and post it back, but don't fix anything using HijackThis
as most entries are genuine or even essential files.

Failing that, get your Windows disk, insert it into the drive and run the
System File Checker.

Go to Start and Run and type (remember the space after SFC)

SFC /SCANNOW

Press Enter and let it scan your system. If any files are damaged or missing
they will be replaced using the files on the Windows disk.

If nothing here helps and you cannot change the settings in msconfig or use
system restore then you may have to do a repair install of Windows:

All you do is boot from the CD. When it asks if you want to repair and to
press "R", don't. Continue with the installation just like you were
installing for the first time.

You will then get a license agreement and it will ask you to press F8 to
agree. Right after that screen, you will see a list of Windows installations
that setup found. It will ask if you want to repair it. Read the directions
on that page!!!

If no previous installations are found, STOP and exit. That usually means
that your registry is too corrupted for a repair and you will possibly lose
all your data if you continue.

Then, you will actually press "R" this time and XP will re-install.

When done, you will be back to your familiar desktop with everything looking
just like it did before. But all your Windows Updates are gone and you will
need to get those again. If you have any problems booting from CD, set the CD
to boot earlier than the hard drive in BIOS setup, or come back for more help.

Regards

Andy
 
Guest

Andy,
Thanks, I will give all the suggestions a try. I do not have the Windows
disk; I run Windows XP and it did not come with one. Do you have a
suggestion for that?
Theresa
 
Guest

Hi Theresa
It's going to be difficult if you cannot do a system restore and you don't
have the disk to perform a repair or to check system files, but let's see how
the scanners get on first. You may have malware still on the system in places
like the drivers folder which is causing problems when you reboot.

Blacklight Beta is really just to check for any rootkits and scans very fast
but could show genuine entries, so post back the log first, and HijackThis
would be useful to show what's running on the system. It's not going to be a
complete log if you're always in safe mode and maybe wouldn't show that much, but
it's a good starting point.

Ewido Security Suite would also be useful to make sure there aren't any
malware problems on the system:

http://www.ewido.net/en/download/

I would have suggested using MSAS and opening Tools and Spyware Scan, then View
Spyware Scan History, and copy and paste that back so we know what got deleted
from your system, but if you have used system restore the data probably
wouldn't be stored there now. When you're using system restore it might be worth
going back a few days to a point which you know was working fine, as the
recent restore points may also be damaged.

Start Menu > All Programs > Accessories > System Tools > System Restore.

If you have problems accessing the net to run some scans, reboot and keep
tapping F8, then choose "Safe Mode with Networking" from the Windows advanced
options menu as you should then be able to use IE.

Does it display safe mode in all four corners of the screen when you reboot
and is it a black background? As you can see it's all a bit of guesswork at the
moment and hard to know what the solution is, but I'm hoping things will become
clearer once you have run some scans or if you can still access the MSAS
removal log or restore to an earlier point to get things back up and running.

Let us know how you get on and post any logs you get as they may give an
indication of what's caused the damage on your system.

Andy
 
Guest

Excuse the two grammar mistakes in my last post. Hopefully it's still easy
enough to understand :)

Let us know how you get on

Andy
 
Guest

Andy, here is the info you requested.
I have tried everything. I even called the free support number for help and
then HP; they want to do a recovery of my home operating system. I do not want
to lose all my photos etc.......
The screen is black but the safe mode appears in 2 lower corners. I have
also received the blue screen at times with IrqL_not_less_or_equal

Logfile of HijackThis v1.99.1
Scan saved at 8:33:46 PM, on 10/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\fmbbss.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for
hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.weightwatchers.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.acsalaska.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} -
C:\WINDOWS\dsr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN
Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} -
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: IEHlprObj Class - {AEE7DF76-242A-47E7-9400-9CF403F32F2E} -
C:\WINDOWS\system32\mo030414s.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -
C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: TChkBHO Class - {DC3A8A12-718A-485B-A1AF-063EFE5ECDFB} -
C:\WINDOWS\system32\zutkcrkv.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} -
C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton Internet Security -
{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common
Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program
Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password
Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Norton PasswordManager] C:\Program Files\Common
Files\Symantec Shared\CfgWiz.exe /GUID {D1AFB197-5F24-49f4-9571-2F28A9798936}
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [bwvezp] c:\windows\system32\wtnblm.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe
C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\Toolbar\winnet.exe
O4 - HKLM\..\Run: [tjkdlmohnpal] C:\WINDOWS\System32\uwrhhn.exe
O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update
Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program
Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe
C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital
Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AKVCQISAN] C:\WINDOWS\AKVCQISAN.exe
O4 - HKLM\..\Run: [AHNUE] C:\WINDOWS\AHNUE.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [wiwyrq] C:\WINDOWS\system32\fmbbss.exe r
O4 - HKLM\..\Run: [ojjyqa] C:\WINDOWS\system32\lzxcss.exe r
O4 - HKLM\..\RunOnce: [Panda_cleaner_212229]
C:\WINDOWS\system32\ActiveScan\pavdr.exe 212229
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program
Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe"
/background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program
Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Morpheus] C:\Program
Files\StreamCast\Morpheus\Morpheus.exe -min
O4 - HKCU\..\Run: [Acme.PCHButton]
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft
Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O10 - Broken Internet access because of LSP provider 'c:\program
files\newdotnet\newdotnet6_38.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat -
http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio
Conferencing) -
http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient
Class) -
http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) -
http://www.linksysfix.com/check/netset/install/gtdownls.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element)
- http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -
C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program
Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec
Corporation - C:\Program Files\Norton Internet Security\Norton
AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton
Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner -
c:\windows\SvcProc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Theresa
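
The log pasted above is hard-wrapped by the forum, so entries such as the O2, O4 and O23 lines are split across two or three lines. The following is an added example, not part of the original thread and not HijackThis code: it re-joins the wrapped lines, splits the log into running processes and section-coded entries, and applies a few triage rules. The function names `parse_log` and `triage`, the rules themselves, and the constructed excerpt (lines copied from the log above) are assumptions made for this illustration.

```python
import re

# Constructed excerpt: a handful of lines copied from the log in the post
# above, keeping the hard line wraps the forum introduced.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\fmbbss.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for
hijackthis.zip\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: IEHlprObj Class - {AEE7DF76-242A-47E7-9400-9CF403F32F2E} -
C:\WINDOWS\system32\mo030414s.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [wiwyrq] C:\WINDOWS\system32\fmbbss.exe r
O10 - Broken Internet access because of LSP provider 'c:\program
files\newdotnet\newdotnet6_38.dll' missing
O23 - Service: System Startup Service (SvcProc) - Unknown owner -
c:\windows\SvcProc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
"""

# A log entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O2x) and " - ".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_log(text):
    """Return (processes, entries); entries are (code, text) with wraps re-joined."""
    processes, entries = [], []
    in_processes = False   # inside the "Running processes:" block
    open_entry = False     # the previous line belongs to an entry that may wrap
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            # A blank line ends both the process list and any wrapped entry,
            # so trailing text such as a signature is not glued onto the log.
            in_processes = open_entry = False
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes, open_entry = False, True
            entries.append([match.group(1), match.group(2)])
        elif open_entry:
            # Wraps happen at whitespace, so a single space restores the line.
            entries[-1][1] += " " + line
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes:
            if DRIVE_RE.match(line) or not processes:
                processes.append(line)
            else:
                processes[-1] += " " + line   # wrapped process path
    return processes, [tuple(e) for e in entries]


def triage(processes, entries):
    """Apply the example's triage rules; returns (code, reason, text) tuples."""
    running = [p.lower() for p in processes]
    findings = []
    for code, text in entries:
        low = text.lower()
        reasons = []
        if code == "F2":
            shell = re.search(r"shell=(.*)$", low)
            if shell and shell.group(1).strip() != "explorer.exe":
                reasons.append("Shell value starts more than Explorer.exe")
        if "(file missing)" in low:
            reasons.append("registered target file is missing")
        if code == "O4" and any(p in low for p in running):
            reasons.append("autostart target is in the running process list")
        if code == "O10":
            reasons.append("Winsock LSP chain reported broken")
        if code == "O23" and "unknown owner" in low:
            reasons.append("service binary carries no company name")
        findings.extend((code, reason, text) for reason in reasons)
    return findings


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    for code, reason, text in triage(procs, ents):
        print(f"{code:<4}{reason}: {text}")
```

A finding here only marks an entry for a closer look; it does not say the file is malicious, which matches the advice in the thread not to fix anything in HijackThis before the log has been reviewed.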
 
plun

Hi Theresa

This is for sure a challenge, and if you only have these "stupid"
recovery disks even more. With a real XP OEM CD you can easily
repair your installation.

Within your HijackThis logs I can see several "infections",
abetterinternet probably Aurora, maybe Wintools, Gohip and also
viruses.

Microsoft also has free support for this so maybe it's a good idea
to call them.

No-Charge Support
1-866-PCSAFETY
or
1-866-727-2338
This phone number is for virus and other security-related support. It
is available 24 hours a day for the U.S. and Canada.

For phone numbers outside of the U.S. and Canada, select your region.

http://support.microsoft.com/?pr=securityhome for link to other
regions.

I feel sorry when I see what the "bad guys" are doing to our PCs........
;(

Good luck.

--
plun

 
plun

Hi again

If you talk to MS or HP support again:

Try to convince them that your photos must be saved, and maybe
it's easiest to borrow a friend's real copy of Windows XP
and repair your installation. (Or that they send you one, but it takes
time.)

MS or HP then must help you to change to your licensed genuine
validation after repair. (And reset your friend's, maybe.)

So this is a challenge.

--
plun


plun formulated on onsdag :
Hi Theresa

This is for sure a challenge and if you only have these "stupid" recovery
disks even more. With a real XP OEM CD you can easily
repair your installation.

Within your HijackThis logs I can see several "infections", abetterinternet
probably Aurora, maybe Wintools, Gohip and also viruses.

Microsoft also has free support for this so maybe it's a good idea
to call them.

No-Charge Support
1-866-PCSAFETY
or
1-866-727-2338
This phone number is for virus and other security-related support. It is
available 24 hours a day for the U.S. and Canada.

For phone numbers outside of the U.S. and Canada, select your region.

http://support.microsoft.com/?pr=securityhome for link to other regions.

I feel sorry when I see what the "bad guys" are doing to our PCs........ ;(

Good luck.

--
plun


Theresa explained :
Andy here is the info you requested.
I have tried everything. I even called the free support number for help and
then HP; they want to do a recovery of my home operating system. I do not
want to lose all my photos etc.......
The screen is black but the safe mode appears in 2 lower corners. I have
also received the blue screen at times with IrqL_not_less_or_equal

Logfile of HijackThis v1.99.1
Scan saved at 8:33:46 PM, on 10/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\fmbbss.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for
hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.weightwatchers.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.acsalaska.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} -
C:\WINDOWS\dsr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program
Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} -
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: IEHlprObj Class - {AEE7DF76-242A-47E7-9400-9CF403F32F2E} -
C:\WINDOWS\system32\mo030414s.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -
C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: TChkBHO Class - {DC3A8A12-718A-485B-A1AF-063EFE5ECDFB} -
C:\WINDOWS\system32\zutkcrkv.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} -
C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton Internet Security -
{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common
Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program
Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password
Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Norton PasswordManager] C:\Program Files\Common
Files\Symantec Shared\CfgWiz.exe /GUID
{D1AFB197-5F24-49f4-9571-2F28A9798936}
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program
Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [bwvezp] c:\windows\system32\wtnblm.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe
C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\Toolbar\winnet.exe
O4 - HKLM\..\Run: [tjkdlmohnpal] C:\WINDOWS\System32\uwrhhn.exe
O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update
Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program
Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe
C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital
Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AKVCQISAN] C:\WINDOWS\AKVCQISAN.exe
O4 - HKLM\..\Run: [AHNUE] C:\WINDOWS\AHNUE.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [wiwyrq] C:\WINDOWS\system32\fmbbss.exe r
O4 - HKLM\..\Run: [ojjyqa] C:\WINDOWS\system32\lzxcss.exe r
O4 - HKLM\..\RunOnce: [Panda_cleaner_212229]
C:\WINDOWS\system32\ActiveScan\pavdr.exe 212229
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program
Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe"
/background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program
Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Morpheus] C:\Program
Files\StreamCast\Morpheus\Morpheus.exe -min
O4 - HKCU\..\Run: [Acme.PCHButton]
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft
Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O10 - Broken Internet access because of LSP provider 'c:\program
files\newdotnet\newdotnet6_38.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat -
http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio
Conferencing) -
http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient
Class) -
http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update)
- http://www.linksysfix.com/check/netset/install/gtdownls.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm
Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} - O16 - DPF:
{E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation
- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software -
C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -
C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program
Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec
Corporation - C:\Program Files\Norton Internet Security\Norton
AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton
Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner -
c:\windows\SvcProc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Theresa



 
G

Guest

Hi Theresa

Sorry, I lost track of this topic and thought you may have fixed things :) I
will check the box to notify me of any more responses so I get an email if
someone replies, and check your log now and repost a bit later.

Andy
 
G

Guest

There are a lot of problems here and different infections.

First thing is to move HijackThis out of your temp folders as it will
create backups of anything that's fixed. If it's in the temp folders then
all backups will be lost if you ever clear the temp folders.

Please delete HijackThis using the Add/Remove screen and download this one:

http://www.merijn.org/files/hijackthis_sfx.exe

When you run it just follow the prompts and press "Unzip" and it will then
go into this folder

C:\Program Files\HijackThis

You could create a folder (right-click an empty space > choose New > then
Folder) on the desktop or C:\ drive and move the copy you have from the temp
folders, but this way may be easier for you.

First of all, you may want to print out this post or copy it to notepad and
save it so that you have a hard copy of these instructions.

You may need to choose safe mode with networking (reboot and tap F8 then
choose Safe mode with Networking from the windows advanced menu) so we can
download and update the scanners.

Download Ad-Aware SE

http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html

Install Ad-Aware and run it. In the bottom-right hand corner, click "Check
for updates now". Click "Connect" to download the newest reference file.

Then close Ad-Aware.

Download the Ad-Aware VX2 Plugin

http://updates.ls-servers.com/vx2cleaner.zip

Extract and run it and it will install into the Lavasoft/Plugins folder, then
exit.


Download Ewido Security Suite :

Please download, install, and update the free version of ewido security suite

http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu". Click on Update in the left menu,
then click the Start update button. After the update finishes, close Ewido.

Download Ccleaner

http://download.ccleaner.com/download124bin.asp

Install, then close.


Open Ad-Aware SE

From the main menu choose "Add-Ons"

Click the VX2 cleaner entry and then press "Run Tool". It will then give a
pop-up window asking if it can execute the tool. Click OK and it then scans
the system and will display the VX2 variant found on the system. Let it clean
the files and follow the instructions, which will be to reboot again and run
a smart scan.

Reboot into safe mode and run a full system scan with Ad-Aware to detect and
remove other problems.

Run Ewido again.

From the main menu click on 'scanner' then click 'Complete System Scan'.
When Ewido finds something, it will pop up a notification. Select "Remove"
and check the boxes "Perform action with all infections" and "Create
encrypted backup" then click on OK. When the scan finishes, click on "Save
Report" and save it to your desktop or C:\ drive in case you need it again.

Run Ccleaner and press "Run Cleaner"

Make sure you are logged in as Administrator

Go to the Start Menu, and click on "Control Panel". Choose "Add/Remove
Programs" and remove any of the following that are listed:

Shopping Community
newdotnet
new.net
BrowserAid
CashToolbar
Web Toolbar
BrowserPal

Go to the Start menu, choose Run, type cmd and press Enter.

At the command prompt, type

netsh Winsock reset

and press ENTER again, then type exit.

Go to the Start Menu, then the C:\ drive and Program Files. Open the
HijackThis folder and double-click HijackThis.exe.

Please run HijackThis and click "System Scan." Place checks next to the
following entries:

Some will have been removed by the above removers but place checks in any
that remain:


F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} -
C:\WINDOWS\dsr.dll

O2 - BHO: IEHlprObj Class - {AEE7DF76-242A-47E7-9400-9CF403F32F2E} -
C:\WINDOWS\system32\mo030414s.dll (file missing)

O2 - BHO: TChkBHO Class - {DC3A8A12-718A-485B-A1AF-063EFE5ECDFB} -
C:\WINDOWS\system32\zutkcrkv.dll

O4 - HKLM\..\Run: [bwvezp] c:\windows\system32\wtnblm.exe

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe
C:\WINDOWS\System32\stlbupdt.DLL,DllRunMain

O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b

O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\Toolbar\winnet.exe

O4 - HKLM\..\Run: [tjkdlmohnpal] C:\WINDOWS\System32\uwrhhn.exe

O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe

O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"

O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe
C:\WINDOWS\System32\msiefr40.dll,DllRunServer

O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe

O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [AKVCQISAN] C:\WINDOWS\AKVCQISAN.exe

O4 - HKLM\..\Run: [AHNUE] C:\WINDOWS\AHNUE.exe

O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe

O4 - HKLM\..\Run: [wiwyrq] C:\WINDOWS\system32\fmbbss.exe r

O4 - HKLM\..\Run: [ojjyqa] C:\WINDOWS\system32\lzxcss.exe r

O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) -
http://www.linksysfix.com/check/netset/install/gtdownls.cab

O23 - Service: System Startup Service (SvcProc) - Unknown owner -
c:\windows\SvcProc.exe

Close all browser and other windows except for HijackThis, and click "Fix
Checked" to have HijackThis remove the entries you checked.


Next, please reboot your computer again (Restart your computer, Keep tapping
F8 then choose safe mode from the list. Select the first option, to run
Windows in Safe Mode)

Next, please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is
unchecked

Next, delete the following files (if they exist):

C:\Windows\System32\ALCXMNTR.EXE
c:\windows\system32\wtnblm.exe
C:\WINDOWS\System32\stlbupdt.DLL
C:\WINDOWS\System\WINSTA~1.EXE
C:\WINDOWS\System32\uwrhhn.exe
C:\WINDOWS\susp.exe
C:\WINDOWS\System32\msiefr40.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\Belt.exe
C:\WINDOWS\AKVCQISAN.exe
C:\WINDOWS\AHNUE.exe
C:\WINDOWS\dinst.exe

Also, delete the following folders (if they exist):

C:\ProgramFiles\CommonName
C:\Program Files\RVP

Finally, go to the Start Menu, click "Run", and in the window type cleanmgr.
This will run the System Cleanup program. Make sure the box next to
"Temporary files" is checked, and then click "OK".

Restart your computer and see if it will boot to normal mode. If not, I'd like
to see the Ewido scan log you saved and a fresh HijackThis log. You have two
explorer.exe entries in this log and there should be only one, but with the
amount of malware present I want to see if it remains on the next log after
clean-up, then we can look at them in more detail.

All The Best

Andy
 
P

plun

Hi Andy

I don't believe this PC is working, or is it? (to download?)

If MS or HP don't help her it must be better that a friend
helps her with a real XP disc for repairing.

Or go out in the wild and get an XP copy....... last resort
to save personal photos.

--
plun


 
G

Guest

Hi Plun

I can see Panda's ActiveScan and MS Antispy cleaner showing in the log so
I'm assuming Theresa used safe mode with networking to use IE. Maybe I'm
wrong, but the Panda and MS Cleaner entries are under the RunOnce key so they
would remove themselves once the PC is rebooted.

The log is showing broken Internet access, but HijackThis can sometimes
display those messages if the files are not found in the system area, so it
then displays (file missing). If they cannot access the Internet then it's
worth running the netsh Winsock reset command from cmd, then trying safe mode
with networking.

If they can use the Internet then skip that part in the fix, but keep the
instructions safe in case they're needed again anytime. New.net usually has
more than 1 entry showing so it's difficult to know if it's still on the
system; removing it from the Add/Remove screen should also remove that line
from the log.

The two explorer entries under running processes look a bit strange, but with
them both being in the same folder I don't think there would be two versions,
as one would overwrite the other if put in the same folder. There was no
mention of the system tray or icons being missing so it does look like the
genuine explorer file. Not being able to boot into normal mode could also be
the sign of a rootkit which has caused damage, so there are still options
left, but I think getting rid of all this malware is the first step.

It's a lot of work to save a few photos, but if they performed a repair it may
leave the installed programs on the system and just remove the service pack
and security patches, so it might not fix things unless it's a full format
and fresh install. But if there is no disk then we should try everything to
get the machine up and running.

Chat to you later

Andy
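
The log in this thread arrived hard-wrapped, with some entries fused onto one line, which makes the markers Andy reads in his two posts above (RunOnce, "(file missing)", "Unknown owner", the broken LSP line, the extra program after Shell=Explorer.exe) easy to miss. The Python below is an added example, not part of the thread and not a HijackThis feature: it re-joins wrapped entries from an excerpt of the posted log and tags those markers. The flag names and the "exe directly in C:\WINDOWS" heuristic are assumptions of this example, and a flag means "look closer", not "delete".

```python
import re

# Excerpt of the HijackThis log posted in this thread, kept hard-wrapped
# (including the two O4 entries fused onto one line) to exercise the unwrapping.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\Explorer.exe
C:\WINDOWS\explorer.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: IEHlprObj Class - {AEE7DF76-242A-47E7-9400-9CF403F32F2E} -
C:\WINDOWS\system32\mo030414s.dll (file missing)
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program
Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program
Files\Microsoft AntiSpyware\gcASCleaner.exe
O10 - Broken Internet access because of LSP provider 'c:\program
files\newdotnet\newdotnet6_38.dll' missing
O23 - Service: System Startup Service (SvcProc) - Unknown owner -
c:\windows\SvcProc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# An entry begins with a section code (R0-R3, F0-F3, N1-N4, O1-O23) and " - ".
ENTRY_START = re.compile(r"(?<!\S)(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
# O4 registry autoruns: hive, Run/RunOnce key, [value name], command line.
RUN_ENTRY = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
# Heuristic (assumption of this example): an .exe sitting directly in C:\WINDOWS.
WINDOWS_ROOT_EXE = re.compile(r'^"?[a-z]:\\windows\\[^\\]+\.exe\b', re.I)


def unwrap_entries(log_text):
    """Return one string per log entry, undoing hard wraps and fused lines."""
    flat = " ".join(l.strip() for l in log_text.splitlines() if l.strip())
    starts = [m.start() for m in ENTRY_START.finditer(flat)]
    ends = starts[1:] + [len(flat)]
    # Text before the first entry (header, process list) is dropped.
    return [flat[a:b].strip() for a, b in zip(starts, ends)]


def flags_for(entry):
    """Tag an entry with the markers discussed in the thread (review hints only)."""
    code, body = entry.split(" - ", 1)
    flags = []
    if "(file missing)" in body:
        flags.append("file-missing")
    if code == "F2" and "Shell=" in body:
        # The stock XP shell value is just Explorer.exe.
        if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
            flags.append("shell-not-default")
    if code == "O4":
        m = RUN_ENTRY.match(body)
        if m:
            if m.group(2).lower() == "runonce":
                flags.append("run-once")  # removed by Windows after it runs
            if WINDOWS_ROOT_EXE.match(m.group(4)):
                flags.append("exe-in-windows-root")
    if code == "O10" and body.startswith("Broken Internet access"):
        flags.append("lsp-chain-broken")  # the case "netsh Winsock reset" is for
    if code == "O23" and "Unknown owner" in body:
        flags.append("unknown-owner")
    return flags


def triage(log_text):
    """Pair every unwrapped entry with its review flags."""
    return [(e, flags_for(e)) for e in unwrap_entries(log_text)]


if __name__ == "__main__":
    for entry, flags in triage(SAMPLE_LOG):
        if flags:
            print(",".join(flags).ljust(22), entry)
```
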
 
P

plun

Hi Andy

Even if it is 1 photo it can be worth it for Theresa ;)

I believe a repair can make it possible to save these photos
and then a full format probably is the best.

But the key problem for a lot of users is this trap with only
recovery CDs and no backups.

With a real CD it's fast to repair, and with help from someone
who really knows XP these photos for sure will be saved, maybe also
other files; often users forget about important personal files.

But if she can manage to run it in safe mode with networking then
it probably is enough.


Borrow an XP CD is the standard answer for this challenge if you
look around in different forums.
 
