Hi

Rerun Hijack this and remove the following entries:

C:\WINDOWS\system32\gdi++\gditray.exe

C:\Program Files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe

D:\Apps\ObjectBar\ObjectBar.exe

D:\Y'z Shadow\YzShadow.exe

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O2 - BHO: Google Update Class - {ADD57508-1A52-4FAA-A7B3-A3ADE8FAEFEC} - C:\Program Files\Google\Update\1.1.17.0\GoopdateBho.dll

O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)

O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)

O4 - HKCU\..\Run: [3RVX.exe] C:\Program Files\3RVX\3RVX.exe

O4 - HKCU..Run: [GDI++] C:\WINDOWS\system32\gdi++\gditray.exe -on

O4 - Startup: gditray.lnk = C:\WINDOWS\system32\gdi++\gditray.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)

O22 - SharedTaskScheduler: OLE Object - {D9E0368F-201B-46CF-AA60-B9C513E67847} - (no file)

Once removed reboot. :)

The entries are programs that have kow spyware embeded in them.

D:\Y'z Shadow\YzShadow.exe is the most dangerous out of them all.

http://www.pcreview.co.uk/startup/YzShadow.exe.php

The items marked for deletion are all known programs that infect your PC.

You can carry on using them, but I wouldn't recommend it. And if possible, try and find a legitimate replacement for them.

Interesting, delphine. When you start your machine quite early on in the loading of Windows a program called Ntldr is in control; one of its last functions is to read in kernel files and the SYSTEM reg hive to see which drivers should be loaded. Pressing F8 to choose Safe Mode at this point results in a different registry key being used to specify a reduced set of drivers.
Now it so happens that the error code you are receiving is caused by a missing or bad hardware driver which is related to your your hd or IDE controllers, or a PCI bus driver [commonly called the chipset drivers..]. What that means is that when the system tries to change up a gear in its mode of accessing the hd, it just cannot. So it reports that the boot device is missing...
You obviously have those drivers because you can operate in Normal mode okay?, it must be that the reg key for the list of Safe Mode drivers is incorrect. Ways around that: If the problem does not date back too far you may be able to pick up a restore point that will solve it. Or you could get an old copy of the SYSTEM hive from Windows\repair using the recovery console [tedious]. Or you could update the drivers in Device Manager - catch is, I am not certain if trying this last will rewrite the necessary safe mode reg key [I am sure it will, I just dunno... but I do know it won't hurt to try]
So... did restoring work?
If not... go to Device Manager [go Start, run, paste in
control sysdm.cpl,,2 -and Enter].
-in Device Manager expand IDE ATA/ATAPI controllers, select your Primary IDE Controller, right click it and select Update Driver.
-you may choose to download a driver from Updates or take one from your hardware installation cd or floppy...
-restart... say how you get on.

This is what I found from http://support.microsoft.com/kb/324103:

"Device Driver Issues
You may receive a "Stop 0x0000007B" error message in the following scenarios:
A device driver that the computer boot controller needs is not configured to start during the startup process.
A device driver that the computer boot controller needs is corrupted.
Information in the Windows XP registry (information related to how the device drivers load during startup) is corrupted."

You are going to have to update or uninstall your drivers in order to fix your problem. Go to the manufactures site or use Driver Robot to update your drivers

This is a direct result of a virus infection. The only computers I've found to do this in safe mode only are those who are currently or previously infected with a fake anti-virus/anti-spyware. However I have yet to find a solution that does not involve a wipe and reload. If I do find a solution I will definitely advise. As of right now, I'm still searching for one though. I have no doubt a number of different registry entries are to blame though.

I had this problem but fixed it by removing a TDSS infection and a little manual cleaning of the registry, system32 folder, Temp folders, Temporary Internet Files (in Local Settings), for the current user as well as All Users, etc. Some of the file deletion had to be done from a Live CD such as hiners or UBCD. I actually used an Ophcrack bootable CD for that. FileAssassin is also good for this. I was then able to launch XP in Safe Mode and run HiJackThis and Malwarebytes, both of which would not launch before. Ahh yes, I also had to use the Norton Removal Tool and the McAfee Removal Tool to get rid of their "on access scanners" which may have been part of the problem. "TDSS Killer" was a big help in getting to a point where I could clean the rest of the system. There are so many good tools out there, if one doesn't work you can find another to try. Just be aware that the ones you choose are actually tools to help, and not rogue tools to make things worse. A little extra research is worth it.
Dougknox.com is a great resource for XP fixes. I have also used stephen gibson's tools (grc.com) and sysinternals tools ( http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx ) frequently in the past.

C:\WINDOWS\system32\gdi++\gditray.exe
C:\Program Files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe
D:\Apps\ObjectBar\ObjectBar.exe
D:\Y'z Shadow\YzShadow.exe
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)
O4 - HKCU\..\Run: [3RVX.exe] C:\Program Files\3RVX\3RVX.exe
O4 - HKCU..Run: [GDI++] C:\WINDOWS\system32\gdi++\gditray.exe -on
O4 - Startup: gditray.lnk = C:\WINDOWS\system32\gdi++\gditray.exe

I'm just wondering if it's really necessary to delete these entries, as I do rely quite a bit on all these programs and I'm not sure if deleting these entries in HJT will break them completely. Thanks
delphine
Reputation Points: 10
Solved Threads: 0
Newbie Poster
delphine is offline Offline
14 posts
since Apr 2007

I'm getting a BSOD when I try to boot into Safe Mode :/ The reason I've been trying to boot into Safe Mode is because I want to delete and replace some fonts with a newer version of them, and I can't do so in normal Windows because my access to them is constantly denied (even though I'm fairly sure they're not in use by any process). I suspect it's a leftover remnant of the previous big spyware infection I had with Vundo/Virtuamonde trojan, as I remember also having a BSOD problem then... The stop code is 0x0000007B (0xF78AF528, 0xC0000034, 0x00000000, 0x00000000) if that helps. Here is my HJT log. Any help is really appreciated

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43 AM, on 10/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\PS Tray Factory\PSTrayFactory.EXE
C:\Program Files\Google\Update\1.1.17.0\GoogleUpdate.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Taskix\Taskix32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Volumouse\volumouse.exe
C:\Program Files\Quicknote\Quicknote.exe
C:\Program Files\3RVX\3RVX.exe
C:\WINDOWS\system32\gdi++\gditray.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Samurize\Client.exe
C:\Program Files\Samurize\Client.exe
C:\Program Files\Samurize\Client.exe
C:\Program Files\Samurize\Client.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\ProcessTamer\ProcessTamerTray.exe
C:\Program Files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
D:\Apps\ObjectBar\ObjectBar.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
D:\Apps\Swept Away\Swept Away.exe
D:\Apps\texter.exe
D:\Y'z Shadow\YzShadow.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Apps\Miranda IM\miranda32.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Documents and Settings\Cuifen\My Documents\_junkdrawer\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\cidaemon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = ??
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Update Class - {ADD57508-1A52-4FAA-A7B3-A3ADE8FAEFEC} - C:\Program Files\Google\Update\1.1.17.0\GoopdateBho.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.2.14.0\gears.dll
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\program files\FindeXer\FindeXer.dll
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - D:\Apps\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SonyPowerCfg] "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Taskix] C:\Program Files\Taskix\Taskix32.exe start
O4 - HKLM\..\Run: [TrayFactory] C:\Program Files\PS Tray Factory\PSTrayFactory.exe /start
O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\RunOnce: [TrayFactory] C:\Program Files\PS Tray Factory\PSTrayFactory.EXE /start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [$Volumouse$] "C:\Program Files\Volumouse\volumouse.exe" /nodlg
O4 - HKCU\..\Run: [Quicknote] "C:\Program Files\Quicknote\Quicknote.exe"
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [3RVX.exe] C:\Program Files\3RVX\3RVX.exe
O4 - HKCU\..\Run: [GDI++] C:\\WINDOWS\\system32\\gdi++\\gditray.exe -on
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Client Default.lnk = C:\Program Files\Samurize\Client.exe
O4 - Startup: Client Ram Bar.lnk = C:\Program Files\Samurize\Client.exe
O4 - Startup: Client Todo.txt.lnk = C:\Program Files\Samurize\Client.exe
O4 - Startup: Client Weather.lnk = C:\Program Files\Samurize\Client.exe
O4 - Startup: gditray.lnk = C:\WINDOWS\system32\gdi++\gditray.exe
O4 - Startup: Instance Manager Group Default Instance Group.lnk = C:\Program Files\Samurize\InstanceManager.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: ProcessTamer.lnk = C:\Program Files\ProcessTamer\ProcessTamerTray.exe
O4 - Startup: RKLauncher.exe.lnk = C:\Program Files\RK Launcher\RK Launcher 0.41 Beta Nightly\RKLauncher.exe
O4 - Startup: scripts.ahk.lnk = C:\Documents and Settings\Cuifen\My Documents\_docs\scripts.ahk
O4 - Startup: Stardock ObjectBar.lnk = D:\Apps\ObjectBar\ObjectBar.exe
O4 - Startup: Swept Away.lnk = D:\Apps\Swept Away\Swept Away.exe
O4 - Startup: Texter.lnk = D:\Apps\texter.exe
O4 - Startup: YzShadow.lnk = D:\Y'z Shadow\YzShadow.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.2.14.0\gears.dll
O9 - Extra 'Tools' menuitem: &Google Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.2.14.0\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/en/
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-SG/.../GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - (no file)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: interceptor.dll,wbsys.dll C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O22 - SharedTaskScheduler: OLE Object - {D9E0368F-201B-46CF-AA60-B9C513E67847} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) - Google Inc. - C:\Program Files\Google\Update\1.1.17.0\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 11155 bytes
Last edited by delphine; Mar 10th, 2008 at 4:48 am.
delphine
Reputation Points: 10
Solved Threads: 0
Newbie Poster
delphine is offline Offline
14 posts
since Apr 2007
Flag Bad Post Post Reply
Human DLL-1 Protein

wfa, you need to begin your own thread and not post in somebody else's thread. This thread is two years old and you won't receive assistance in anothers two year old thread. Begin you own, stating fully what problems you are having.

I don't know who told you to delete these or why but without full info we can't give help. Please follow the steps given in our Read Me Sticky
http://www.daniweb.com/forums/thread134865.html
and create your own thread with all the requested logs and full info and we will be most happy to help you.