0

My cousin has a computer full of viruses and junk.
well she asked me to clean it since she couldnt get a web browser open.

I deleted all the viruses and spyware with Kaspersky, and spybot.
I dont want to reinstall windows since she has a lot of things on there which would take a long time to backup(and check if there not infected)
The computer is really old and slow, 1MHz processor, 32mb ram and well its only used for GG and IE, so she need it until she gets a new one.

Now the only way i can get into windows is by going into safe mode(with network, or without..they both work)
If i try to start windows normally it gets to the welcome screen then the computer restarts by itself.

There were a lot of registration changes made and i set them all back using spybot and ill try to find some type of registration cleaner.
Also i found a W32 Blaster Worm in the system using FixBlast, i downloaded a patch to fix it and the program said it was gone.
After cleaning it with kaspersky and spybot i STILL cant get it to start normaly.

Could some one please give me some advise on what to do.

This is the hijackthis report.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:31:20, on 2008-01-29
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\drivers\spool.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\drivers\spool.exe
C:\WINDOWS\system32\drivers\spool.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Pulpit\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\drivers\spool.exe C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - c:\windows\system32\userinit.dll
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {897fe88e-1dd2-11b2-92c5-9c93f4e93ae8} - C:\WINDOWS\pohwfgje.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684CC} - C:\Program Files\Helper\superfindout.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8685CC} - C:\Program Files\Helper\1201271948.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows File XP Manager] wfdmgr.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Administrator\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spool.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Wbcmgr] wbcmgr.exe
O4 - HKLM\..\Run: [Microsoft Update] C:\WINDOWS\System32\spool.exe
O4 - HKLM\..\Run: [Anti Trojan Elite] D:\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [wlyvoren] regsvr32 /u "C:\Documents and Settings\All Users\Dane aplikacji\wlyvoren.dll"
O4 - HKLM\..\Run: [drmsrv32] C:\lsyvg.exe
O4 - HKLM\..\Run: [DioCleaner] D:\actfight\actfight\DioCleaner.exe
O4 - HKLM\..\Run: [Windows Control Server] wmlmsnsvc.exe
O4 - HKLM\..\Run: [Windows Console] wkssvc.exe
O4 - HKLM\..\Run: [Windows Update] srv.exe
O4 - HKLM\..\Run: [Windll] C:\WINDOWS\windll.exe
O4 - HKLM\..\Run: [WindowsLiveMessengers] msngr.exe

4
Contributors
20
Replies
21
Views
9 Years
Discussion Span
Last Post by PhilliePhan
0

remove the following:
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)

O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)

O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)

O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)

O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)

O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)

O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)

O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)

O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)

O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)

O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)

O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)

O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)

O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)

O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)

0

download CCleaner from the link in my signature, that has a registry cleaner in it.

and download AVG anti spyware, i'm pretty sure filehippo.com has it...

see if you can get it to start normally now...

what does your cousin have on the computer because you can do a system recovery without losing music or pictures

0

Thnx ill try that today. so all of those things i should remove are in the registry right.

and i can access the internet but only in safe mode.

0

and then you are gonna have to do a new scan and post a new HiJackThis logfile here. DO NOT EDIT THE LOGFILE IN ANY WAY WHEN YOU POST IT!!!

0

what does your cousin have on the computer because you can do a system recovery without losing music or pictures

0

Ok thnx well ill have to do it tomorrow since i cant get to the computer today.
she has mostly music and pictures, but her brother has but a lot of junk on there and thats y there were so many viruses, and he's so slow that he couldn't possibly tell me how he broke it.
and i think that system recovery wasn't ever even turned on, but ill check it tomorrow and take your advice.
Thnx for the help

0

Hello, Warrior... that Hijackthis log looks truncated.. I know it is run in safe mode, but even so...
There are a lot of things to fix, those that Overwhelmed pointed out and a lot more. If we fix those and remove a couple of files could you post another log, and we'll see where we go from there.
Orrite, start hijackthis again, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\drivers\spool.exe C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - c:\windows\system32\userinit.dll
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {897fe88e-1dd2-11b2-92c5-9c93f4e93ae8} - C:\WINDOWS\pohwfgje.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684CC} - C:\Program Files\Helper\superfindout.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8685CC} - C:\Program Files\Helper\1201271948.dll
O4 - HKLM\..\Run: [Windows File XP Manager] wfdmgr.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Administrator\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spool.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Wbcmgr] wbcmgr.exe
O4 - HKLM\..\Run: [Microsoft Update] C:\WINDOWS\System32\spool.exe
O4 - HKLM\..\Run: [wlyvoren] regsvr32 /u "C:\Documents and Settings\All Users\Dane aplikacji\wlyvoren.dll"
O4 - HKLM\..\Run: [drmsrv32] C:\lsyvg.exe
O4 - HKLM\..\Run: [DioCleaner] D:\actfight\actfight\DioCleaner.exe
O4 - HKLM\..\Run: [Windows Control Server] wmlmsnsvc.exe
O4 - HKLM\..\Run: [Windows Console] wkssvc.exe
O4 - HKLM\..\Run: [Windows Update] srv.exe
O4 - HKLM\..\Run: [Windll] C:\WINDOWS\windll.exe
O4 - HKLM\..\Run: [WindowsLiveMessengers] msngr.exe

Good. That's a big list, huh? Now you must delete some files, and because that is only part of the log I cannot tell what some are, so they may not delete straight off... but we shall try this time around anyway.
Uninstall this pgm:
Helper [superfindout]

Delete these files: [note the paths and spelling closely!!]
C:\lsyvg.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\All Users\Dane aplikacji\wlyvoren.dll
C:\WINDOWS\svchost.exe [NOT svchost.exe in system32 !!]
C:\WINDOWS\windll.exe
C:\WINDOWS\pohwfgje.dll
C:\WINDOWS\system32\wfdmgr.exe
C:\WINDOWS\system32\wbcmgr.exe
C:\WINDOWS\system32\wmlmsnsvc.exe
C:\WINDOWS\system32\drivers\spool.exe
c:\windows\system32\userinit.dll [NOT userinit.exe]
C:\WINDOWS\system32\wkssvc.exe
C:\WINDOWS\system32\windll.exe
C:\WINDOWS\system32\srv.exe
C:\WINDOWS\system32\msngr.exe
C:\WINDOWS\System32\spool.exe
C:\WINDOWS\system32\drivers\spool.exe
D:\actfight\actfight\DioCleaner.exe

and this folder:
C:\Program Files\Helper

Oh dear, not a lot left, is there? Never mind..
Orrite, that workload is cruel; because you can get SM with Networking running, you could try this INSTEAD:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
... and if that does what I think it will, post another log. See if you can enter Normal mode first; if so, run the log from there.

0

Thnx alot for that advise. but i cant get to the computer since she left the country, but i might be able to get it and take it to my house so i can fix it for her while she is gone.

Thanx alot again for the help guys and gals

0

sweet thanx for all the help guys. i fixed the computer, that ccleaner did the job, there was a registry in there which was changed so that windows wouldn't boot.

so its fixed now and thnx for the help

0

You are not serious, are you? CCleaner is a great tool, but it cleans what it is pointed at, pretty much usually basic temp and logging files. And your registry if you so wish. It was not pointed at and would not remove your mailing worm, your backdoor trojans, your ad trojans... now that you have got it working it is no longer yours, it can be controlled when on the net. Hackers have full access to it.
It is all up to you. But I do feel sorry for any friends your cousin contacts by email etc.

0

lol no, i deleted all those viruses and trojens when i booted back up in normal mode.
i just saying that ccleaner helped me get the computer started in normal mode

0

Good-oh. Well, if you are happy with it, fine, but feel free to post another ht log or a combofix run.
Cheers.

0

download CCleaner from the link in my signature, that has a registry cleaner in it.

What is the point of this?
Are you inferring that posters should have it "Scan for issues?" Because, that is not good advice. Only people familiar with how the registry works should do this.
And, only after properly backing up the registry.

Gerbil is correct - with a massive infestation such as this, a tool such as ComboFix or SDFix needs to be run.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.