Tech Support banner
Status
Not open for further replies.
1 - 10 of 10 Posts

·
Registered
Joined
·
5 Posts
Discussion Starter · #1 ·
Logfile of HijackThis v1.99.1
Scan saved at 12:05:40 AM, on 1/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - (no file)
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - (no file)
O2 - BHO: (no name) - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file)
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - (no file)
O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)
O2 - BHO: (no name) - {746455fe-d059-47e7-af0e-140e03f5a447} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7a7e6d97-b492-4884-9abb-c31281dcc4f2} - (no file)
O2 - BHO: (no name) - {860c2f6b-ca82-4282-9187-beccbb66f0af} - (no file)
O2 - BHO: (no name) - {87185e78-a61b-4db3-965a-3235bbd7a622} - (no file)
O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
O2 - BHO: (no name) - {9c5875b8-93f3-429d-ff34-660b206d897a} - (no file)
O2 - BHO: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
O2 - BHO: ASGP32.ASGP - {AB268D16-3B58-482F-91EB-8D305534302F} - C:\WINDOWS\System32\asgp32.dll
O2 - BHO: (no name) - {b212d577-05b7-4963-911e-4a8588160dfa} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)
O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
O2 - BHO: (no name) - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - (no file)
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\ContMedia\Anatomy Atlas 4HRI\MSDXM.OCX
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QUVGVwEx] C:\PROGRA~1\vossrvvo\fcQAFoxN.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Start Page] C:\WINDOWS\system32\svcnt32.exe home
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [37.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\37.tmp.exe
O4 - HKLM\..\Run: [38.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\38.tmp.exe
O4 - HKLM\..\Run: [6.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\6.tmp.exe
O4 - HKLM\..\Run: [7.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [6.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\6.tmp.exe
O4 - HKLM\..\Run: [7.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\A.tmp.exe
O4 - HKLM\..\Run: [A.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\A.tmp.exe
O4 - HKLM\..\Run: [17.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\17.tmp.exe
O4 - HKLM\..\Run: [17.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\17.tmp.exe
O4 - HKLM\..\Run: [1E.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1E.tmp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [glght.exe] C:\WINDOWS\System32\glght.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} - http://70.150.224.48/controls/prntpro2.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{864076FA-9332-4CFE-808D-8DAE740F3A3B}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BA41CE8-2325-46C9-B8F2-9DDD2CF9CDA2}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{B811EBDB-D601-4639-A38A-4DA0EDC3DEB1}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5FBFFC6-E115-4633-B23B-E51C1B402DC1}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{C87E5847-D658-4244-A27B-980E112F83CF}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF20E463-EBE1-48F3-995E-7BAA1D7E296D}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{E58D8711-D4F3-4FF9-9DD1-51F434B2366F}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.73
O17 - HKLM\System\CS1\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.73
O21 - SSODL: ryYxujAshx - {BC9E7CA8-1634-D602-E96B-91D0A7E54126} - C:\WINDOWS\System32\qurbh.dll (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
 

·
Registered
Joined
·
2,096 Posts
Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please be patient with me during this time.
 

·
Registered
Joined
·
2,096 Posts
Hello and welcome to TSF :smile:.

You may like to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools located near the top of this page, then click Subscribe to this Thread. Make sure it is set to Instant email Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please print out or copy these instructions/tutorial to Notepad as the internet will not (while in Safe Mode) be available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please understand that your computer is heavily infected. So we shall require to go through multiple steps, so please stick with me patiently.
________________________________________________

Disable Security Softwares

1. Please disable Microsoft AntiSpyware, as it may hinder the removal of some entries. You can re-enable it after you're clean.
  • Right click the Microsoft AntiSpyware icon located in the system tray
  • Click on Security Agents Status (Enabled)
  • Click on Disable Real-time Protection

2. Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable Webroot SpySweeper:
  • Go to the Options>Program Options
  • Uncheck Load at Windows Startup
  • Click Shields & uncheck all items there
  • Uncheck Home page shield.
________________________________________________

Show Hidden Files and Folders

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no check mark beside Hide file extensions for known file types. Click OK.
________________________________________________________________________________

Downloads

1. Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Do not run it now.

2. Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
  • Save it to your desktop and run it.
  • Click "Next", then Install, make sure "Run fixit" is checked and click Finish.
  • The fix will begin: Please follow the prompts.
  • You will be asked to reboot your computer, please do so.
  • Your system may take longer than usual to load and this is normal.
Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

Run HijackThis. Click "Do a System Scan Only" , and place a check next to the following items (if found):

O17 - HKLM\System\CCS\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{864076FA-9332-4CFE-808D-8DAE740F3A3B}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BA41CE8-2325-46C9-B8F2-9DDD2CF9CDA2}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{B811EBDB-D601-4639-A38A-4DA0EDC3DEB1}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5FBFFC6-E115-4633-B23B-E51C1B402DC1}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{C87E5847-D658-4244-A27B-980E112F83CF}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF20E463-EBE1-48F3-995E-7BAA1D7E296D}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\..\{E58D8711-D4F3-4FF9-9DD1-51F434B2366F}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.73
O17 - HKLM\System\CS1\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: NameServer = 85.255.116.106,85.255.112.73
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.73

________________________________________________

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.
________________________________________________

SDFix.exe

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.
_____________________________________________________________

Run another System Scan with HJT and post the content of the log file it produces. Please understand that the log must be taken in normal mode so that we can understand the condition of your computer better.

--------------------------------------------------------------------

So with your next post please provide the following logs:

C:\fixwareout\report.txt
Report.txt (from SDFix)
HijackThis (A fresh one, taken in normal mode)


Please let me know about your systems overall behaviour :smile:.
 

·
Registered
Joined
·
5 Posts
Discussion Starter · #4 ·
It doesn't work

Here is the report:

Check for missing files
.....
C:\WINDOWS\system32\AUTOEXEC.NT not there
.....
End check for missing files
.....
please post this at the forum

When I tried to run SDfix I typed "y" and nothing happened. It just didn't do anything!
 

·
Registered
Joined
·
2,096 Posts
Hello Rhyne
Please post a new HJT logfile taken in the Normal mode.
 

·
Registered
Joined
·
5 Posts
Discussion Starter · #6 ·
I can't get into normal mode. My computer restarts before I can even log in. Can I take one in safe mode?
 

·
Registered
Joined
·
2,096 Posts
Ok Rhyne, please post a log from the Safe Mode. :smile:
 

·
Registered
Joined
·
5 Posts
Discussion Starter · #8 ·
here you go:

Logfile of HijackThis v1.99.1
Scan saved at 11:49:08 AM, on 1/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {11904ce8-632a-4856-a7cc-00b33fe71bd8} - (no file)
O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - (no file)
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - (no file)
O2 - BHO: (no name) - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - (no file)
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - (no file)
O2 - BHO: (no name) - {7070a8f9-08a4-ca47-0ab0-1eb9e4ee1f3b} - (no file)
O2 - BHO: (no name) - {746455fe-d059-47e7-af0e-140e03f5a447} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7a7e6d97-b492-4884-9abb-c31281dcc4f2} - (no file)
O2 - BHO: (no name) - {860c2f6b-ca82-4282-9187-beccbb66f0af} - (no file)
O2 - BHO: (no name) - {87185e78-a61b-4db3-965a-3235bbd7a622} - (no file)
O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
O2 - BHO: (no name) - {9c5875b8-93f3-429d-ff34-660b206d897a} - (no file)
O2 - BHO: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
O2 - BHO: ASGP32.ASGP - {AB268D16-3B58-482F-91EB-8D305534302F} - C:\WINDOWS\System32\asgp32.dll
O2 - BHO: (no name) - {b212d577-05b7-4963-911e-4a8588160dfa} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)
O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
O2 - BHO: (no name) - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - (no file)
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\ContMedia\Anatomy Atlas 4HRI\MSDXM.OCX
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QUVGVwEx] C:\PROGRA~1\vossrvvo\fcQAFoxN.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Start Page] C:\WINDOWS\system32\svcnt32.exe home
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [37.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\37.tmp.exe
O4 - HKLM\..\Run: [38.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\38.tmp.exe
O4 - HKLM\..\Run: [6.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\6.tmp.exe
O4 - HKLM\..\Run: [7.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [6.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\6.tmp.exe
O4 - HKLM\..\Run: [7.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\7.tmp.exe
O4 - HKLM\..\Run: [A.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\A.tmp.exe
O4 - HKLM\..\Run: [A.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\A.tmp.exe
O4 - HKLM\..\Run: [17.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\17.tmp.exe
O4 - HKLM\..\Run: [17.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\17.tmp.exe
O4 - HKLM\..\Run: [1E.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\1E.tmp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [glght.exe] C:\WINDOWS\System32\glght.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} - http://70.150.224.48/controls/prntpro2.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O21 - SSODL: ryYxujAshx - {BC9E7CA8-1634-D602-E96B-91D0A7E54126} - C:\WINDOWS\System32\qurbh.dll (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
 

·
Registered
Joined
·
2,096 Posts
Hello Rhyne :smile:

First we need to replace one of the very important file required to run your computer and some other programs. Please follow the next steps to do so:

Follow these steps to reinstall Autoexec.nt:
a. Click Start, click Run, type c:\windows\repair, and then click OK,
b. Right-click autoexec.nt, and then click Copy,
c. Click Start, click Run, type c:\windows\system32, and then click OK,
d. Right-click anywhere in that folder, and then click Paste,
e. Right-click the Autoexect.nt file that you just copied, and then click Properties,
f. Click to select Read-Only, and then click OK,

Now please run SDFix again according to the instructions I have already given, and post the log it produces. I also need to see the FixWareout Log (available at C:\fixwareout\report.txt).

See now if your computer can boot in Normal Mode, and post a new Log of HJT system scan taken in Normal Mode.
 

·
Registered
Joined
·
5 Posts
Discussion Starter · #10 ·
Okay I'm here, don't give up on me! It didn't work and it says that I'm missing something else. I'll post it in just a bit.
 
1 - 10 of 10 Posts
Status
Not open for further replies.
Top