1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Help plz....Safe mode only boot that works

Discussion in 'Virus & Other Malware Removal' started by Ewok2040, Feb 26, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. Ewok2040

    Ewok2040 Thread Starter

    Joined:
    Feb 26, 2007
    Messages:
    26
    Logfile of HijackThis v1.99.1
    Scan saved at 12:54:19 AM, on 2/26/2007
    Platform: Unknown Windows (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16386)

    Running processes:
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Users\Deviltoes\Desktop\hijack\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: (no name) - {D7B374C3-8DED-4CB1-820B-413FF0C71FC6} - C:\Windows\system32\opnnmlk.dll
    O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\Windows\system32\brjtnfgc.dll (file missing)
    O2 - BHO: (no name) - {E9D8E652-0DAB-4637-BE8E-E14438E76390} - C:\Windows\system32\efeee.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKLM\..\Run: [Winsystem] C:\Windows\system32\winsystem16.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\RunServices: [Winsystem] C:\Windows\system32\winsystem16.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Windows\system32\efeee.dll,CreateProtectProc
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O13 - Gopher Prefix:
    O15 - Trusted Zone: http://www.adobe.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{45BE4A00-14D4-4410-A8B4-B07D60936120}: NameServer = 192.168.1.1
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: cbxxxvt - C:\Windows\SYSTEM32\cbxxxvt.dll
    O20 - Winlogon Notify: efcaxvw - C:\Windows\SYSTEM32\efcaxvw.dll
    O20 - Winlogon Notify: efccyvu - C:\Windows\SYSTEM32\efccyvu.dll
    O20 - Winlogon Notify: efcyaxy - C:\Windows\SYSTEM32\efcyaxy.dll
    O20 - Winlogon Notify: efeee - C:\Windows\system32\efeee.dll
    O20 - Winlogon Notify: iifeebx - C:\Windows\SYSTEM32\iifeebx.dll
    O20 - Winlogon Notify: opnnmlk - C:\Windows\SYSTEM32\opnnmlk.dll
    O20 - Winlogon Notify: rqrspqq - C:\Windows\SYSTEM32\rqrspqq.dll
    O20 - Winlogon Notify: xxyvvus - C:\Windows\SYSTEM32\xxyvvus.dll
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: CCProvSP - TODO: <Company name> - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ccprovsp.exe
    O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: @%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll,-8195 (NetMsmqActivator) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" -NetMsmqActivator (file missing)
    O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30003 (W3SVC) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30001 (WAS) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
     
  2. Ewok2040

    Ewok2040 Thread Starter

    Joined:
    Feb 26, 2007
    Messages:
    26
    Not sure what happend but I was trying to fix popup virus and it stoped booting in normal mode and everything I do will not work.....even tried system restore any help wiould be great.... here is my hijack log

    Logfile of HijackThis v1.99.1
    Scan saved at 12:54:19 AM, on 2/26/2007
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16386)

    Running processes:
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Users\Deviltoes\Desktop\hijack\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: (no name) - {D7B374C3-8DED-4CB1-820B-413FF0C71FC6} - C:\Windows\system32\opnnmlk.dll
    O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\Windows\system32\brjtnfgc.dll (file missing)
    O2 - BHO: (no name) - {E9D8E652-0DAB-4637-BE8E-E14438E76390} - C:\Windows\system32\efeee.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKLM\..\Run: [Winsystem] C:\Windows\system32\winsystem16.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\RunServices: [Winsystem] C:\Windows\system32\winsystem16.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Windows\system32\efeee.dll,CreateProtectProc
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O13 - Gopher Prefix:
    O15 - Trusted Zone: http://www.adobe.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{45BE4A00-14D4-4410-A8B4-B07D60936120}: NameServer = 192.168.1.1
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: cbxxxvt - C:\Windows\SYSTEM32\cbxxxvt.dll
    O20 - Winlogon Notify: efcaxvw - C:\Windows\SYSTEM32\efcaxvw.dll
    O20 - Winlogon Notify: efccyvu - C:\Windows\SYSTEM32\efccyvu.dll
    O20 - Winlogon Notify: efcyaxy - C:\Windows\SYSTEM32\efcyaxy.dll
    O20 - Winlogon Notify: efeee - C:\Windows\system32\efeee.dll
    O20 - Winlogon Notify: iifeebx - C:\Windows\SYSTEM32\iifeebx.dll
    O20 - Winlogon Notify: opnnmlk - C:\Windows\SYSTEM32\opnnmlk.dll
    O20 - Winlogon Notify: rqrspqq - C:\Windows\SYSTEM32\rqrspqq.dll
    O20 - Winlogon Notify: xxyvvus - C:\Windows\SYSTEM32\xxyvvus.dll
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: CCProvSP - TODO: <Company name> - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ccprovsp.exe
    O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: @%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll,-8195 (NetMsmqActivator) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" -NetMsmqActivator (file missing)
    O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30003 (W3SVC) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30001 (WAS) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
     
  3. Byteman

    Byteman Moderator Malware Specialist

    Joined:
    Jan 24, 2002
    Messages:
    17,727
    Hi, I've merged your two threads to one, we allow you only one thread to work in for the same issue, please continue all replies etc here...someone will help you but it may not be until morning, US time...

    I can't help and there are not many who can with a Vista OS, so be patient.

    I'm not sure if Vista would allow a boot in Safe Mode with networking but restart and try that, it allows use of the Internet. Log onto your usual account.

    Try this:

    http://www.mwti.net/products/mwav/mwav.asp < download

    http://www.msspl.co.in/products/mwav/mwav.asp

    It's compatible with 32 and 64 bit Vista....
     
  4. Ewok2040

    Ewok2040 Thread Starter

    Joined:
    Feb 26, 2007
    Messages:
    26
    somehow it fixed itself...will post new thread with new probs
     
  5. Byteman

    Byteman Moderator Malware Specialist

    Joined:
    Jan 24, 2002
    Messages:
    17,727
    Hi, I don't think that problem fixed itself- what did you do, scan with antivirus?
     
  6. Ewok2040

    Ewok2040 Thread Starter

    Joined:
    Feb 26, 2007
    Messages:
    26
    i dont get y this is happining but when i plug in my power cord i can get into windows "normal" mode but when i unplug my power cord,even when windows is running i get the fatel blue screen....so as long as im plugged in i get windows otherwise i get safe mode only...........and if neone can help i have mundo virus winsystem16.exe but it does not exist as file...so im lost...if neone can help that would b great
     
  7. Byteman

    Byteman Moderator Malware Specialist

    Joined:
    Jan 24, 2002
    Messages:
    17,727
    Hi,

    We need you to rename the file hijackthis.exe to tool.exe and run it again and post a log.

    You have an infection (Vundo, not mundo) that can hide files from Hijackthis.


    Also, download this and do the following:




    Download and run VundoFix: Vundo Fix
    Double-click VundoFix.exe to run it.
    Put a check next to Run VundoFix as a task (your version may not have this option just continue to run VundoFix)
    .
    You will receive a message saying vundofix will close and re-open in a minute or less. Click OK.
    When VundoFix re-opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES.
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shutdown your computer, click OK.
    Turn your computer back on.
    Please post the contents of C:\vundofix.txt and a new HijackThis log



    1. Please download The Avenger by Swandog46 to your Desktop.
    • Right Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop so avenger.exe shows on your Desktop.

    We will use Avenger later, don't do anything with it yet!
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,322
    You have started three threads for this same problem. DO NOT start another new thread for this same problem. You need to contunue this HERE in this thread. Make ALL posts regarding this matter in this thread. Continue posting all replies here until Byteman declares that you are finished here.
     
  9. Ewok2040

    Ewok2040 Thread Starter

    Joined:
    Feb 26, 2007
    Messages:
    26
    VundoFix V6.3.9

    Checking Java version...

    Scan started at 12:07:26 AM 2/27/2007

    Listing files found while scanning....

    C:\Windows\System32\cbxxxvt.dll
    C:\Windows\System32\efcaxvw.dll
    C:\Windows\System32\efccyvu.dll
    C:\Windows\System32\efcyaxy.dll
    C:\Windows\System32\iifeebx.dll
    C:\Windows\System32\opnnmlk.dll
    C:\Windows\System32\rqrspqq.dll
    C:\Windows\System32\xxyvvus.dll

    Beginning removal...

    Attempting to delete C:\Windows\System32\cbxxxvt.dll
    C:\Windows\System32\cbxxxvt.dll Has been deleted!

    Attempting to delete C:\Windows\System32\efcaxvw.dll
    C:\Windows\System32\efcaxvw.dll Has been deleted!

    Attempting to delete C:\Windows\System32\efccyvu.dll
    C:\Windows\System32\efccyvu.dll Has been deleted!

    Attempting to delete C:\Windows\System32\efcyaxy.dll
    C:\Windows\System32\efcyaxy.dll Has been deleted!

    Attempting to delete C:\Windows\System32\iifeebx.dll
    C:\Windows\System32\iif

    my screen went blank and i thought it was done after like 15-20 mins but i guess it wasnt. after i restarted my comp and checked the log and seen that it hadn't finished so i ran it again "vundofix" and it didnt not find nething....and here is my hijack log

    not sure y it says "unknown windows" for platform in hijack but it is vista

    Logfile of HijackThis v1.99.1
    Scan saved at 2:24:07 AM, on 2/27/2007
    Platform: Unknown Windows (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16386)

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
    C:\Program Files\Java\jre1.6.0\bin\jusched.exe
    C:\Windows\sttray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Users\Deviltoes\Desktop\hijack\tool.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar3.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O13 - Gopher Prefix:
    O15 - Trusted Zone: http://www.adobe.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{45BE4A00-14D4-4410-A8B4-B07D60936120}: NameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B85BB4F2-22AF-4429-AD09-B9CE23CD8437}: NameServer = 192.168.1.1
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: ljjklkl - C:\Windows\SYSTEM32\ljjklkl.dll
    O20 - Winlogon Notify: nnnonki - C:\Windows\SYSTEM32\nnnonki.dll
    O20 - Winlogon Notify: pmnmmkk - C:\Windows\SYSTEM32\pmnmmkk.dll
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: CCProvSP - TODO: <Company name> - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ccprovsp.exe
    O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: @%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll,-8195 (NetMsmqActivator) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" -NetMsmqActivator (file missing)
    O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
    O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30003 (W3SVC) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30001 (WAS) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
     
  10. Ewok2040

    Ewok2040 Thread Starter

    Joined:
    Feb 26, 2007
    Messages:
    26
    also avenger will not run on my system......not supported by vista only win2000 and xp
     
  11. Byteman

    Byteman Moderator Malware Specialist

    Joined:
    Jan 24, 2002
    Messages:
    17,727
    Hi, Hijackthis: sometimes it shows unknown, sometimes it shows Vista, but it still works fairly well- it will be updated to cover things in time.


    Please follow the same steps and run VundoFix again:
    • Double-click VundoFix.exe to run it.
    • Put a check next to Run VundoFix as a task (your version may not have this option just continue to run VundoFix)
      .
    • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK.
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES.
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new HijackThis log
     
  12. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/547293