
Start-up & shut down problems after trojan detected & cleaned...

Discussion in 'Windows XP' started by Parker650, Jan 27, 2005.

Thread Status:
Not open for further replies.
  1. Parker650

    Parker650 Thread Starter

    Joined:
    Jan 27, 2005
    Messages:
    4
    My first post here, hope to get some help...my wife is ready to kill me (and vice versa) as she is accusing me of screwing up a month old Dell Dimension 8400.

    I'm at work right now writing this so I can't do anything until I get home tonight. Here's the problem...

    I tried downloading a cheat for yahoo pool, when McAfee and Webroot Spysweeper picked up a host of adware and junk trying to get installed I immediately stopped installing (but of course, some got through). After a few minutes the PC decided to shut down on its own, without me doing anything. I restarted and the same thing happened almost immediately after start up, it shut down on its own. I restarted using F8 and used the "restart with latest settings that worked" command. Got on and was able to run McAfee and some other programs where a trojan was found and removed. Everything worked fine after and the computer had been on for 5 or 6 days since then.

    My wife decides she is going to log on under her log-on last night. Using only Word, the program crashed and closed. She started again a few times, getting to where she tried to print and it locked up on her. So I get her out of word and close out of everything and do a shutdown. It shuts down normal, nothing forced. On reboot, the blue screen "Fat32 library is dirty" screen pops up and the pc spends 45 mins checking files and folders and such. It completes with no problems but doesn't do anything...the blue screen disappears and the monitor is left blank with nothing happening. No keystrokes work or mouse or anything...I had to manually shutdown by holding the on button for 5 secs.

    I restart and get the blank screen immediately after the Windows XP start up window disappears. I restart again...same thing. I restart and use the F8 key, choose "settings that most recently worked"...blank screen. Started safe mode...that worked...but didn't do anything for me. Restarted...again, and so on. Somehow I got in (don't ask me how, I did so many combinations I don't remember), was able to log on and I immediately ran McAfee, Webroot Spysweeper and TDS (or something, some trojan detector) making sure they were all up to date before I did. They all scanned fine, no problems, trojans or adware found.

    So I restart...I get the blank screen after Windows XP again, only after 30 seconds or so, the log on screen appears. Thinking that it was all set and that XP is just taking longer to boot up, I figure it's fine. I leave it for the night.

    Now this morning on the way to work I get a phone call from my wife screaming that she logged on under her, printed something and then went to log off and the computer froze. Her desktop background was showing, nothing else and was locked. As she is screaming at me she does a forced shutdown and continues to scream as I f(#)!#$ up the brand new computer. And voila...after the Windows XP screen disappears, it stays with a blank screen and does not get to the log-on screen.

    So...I don't know where to start. I'm not that computer literate, I mean I know some stuff but not enough to understand anything in the registry or how to change it...and I'm not sure if that's a good idea anyway. I just need to get this thing fixed before I get divorced over it. I haven't done a system restore, mostly b/c I have put a lot of my CD collection onto the PC recently to use w/ my iPod and don't want to have to do it again and don't have a way of backing up all that music other than CD's.

    Do I need to run HijackThis? Will this help? I am not sure what I should do. Start up and shut down seem to be the biggest problem. When I am signed on under my log-on, everything works perfectly...when my wife logs on, it craps out.

    Can anyone help? Thanks.

    Parker
     
  2. Parker650

    Parker650 Thread Starter

    Joined:
    Jan 27, 2005
    Messages:
    4
  3. amthmi

    amthmi

    Joined:
    Mar 23, 2002
    Messages:
    519
    Does your wife have a lot of "personal data" in her profile ?
    Does your profile have the programs she uses when she is in her profile ?
    When it worked that is.....

    What I would probably do if I were in your situation is...
    Create a folder in your profile calling it wife's stuff.
    Locate ALL personal data...doc files picture files...etc
    Copy all her data to that folder.
    Delete her profile
    Recreate the profile.

    To me profiles are a pain in the neck...but some people like them.
    I work with one profile and have folders for other users personal stuff.

    Just a thought
     
  4. Parker650

    Parker650 Thread Starter

    Joined:
    Jan 27, 2005
    Messages:
    4
    OK...I'm home. The weirdest thing happens. When I start up, the screen on the monitor goes black/blank right after the windows xp start screen when it boots. It stays black/blank if I don't do anything (mouse/keystrokes don't work, basically nothing)...however, if I turn the monitor off, I hear the computer working, then turn the monitor back on and the log on screen appears. I don't understand.

    I checked my firewall settings and the blocked applications list, seems there are three programs in there that were allowed access that I didn't know were on this machine and the programs aren't in my add/remove programs list...they are:

    * BackDoor Knock - bdknock.exe
    - I searched my PC for this "bdknock.exe" and found bdknock in C:\Program Files\TDS3\Ext.Plug

    * iinstall.exe
    - McAfee shows it as C:\Documents and Settings\Jay\Local Settings\Temp\iinstall.exe
    - I searched my PC for this "iinstall.exe" and found in local settings temp folder

    * tlii.exe
    - McAfee shows it as C:\Documents and Settings\Jay\Application Data\tlii.exe
    - I searched my PC for this "tlii.exe" and found TLII.EXE-29F2978F.pf in C:\WINDOWS\Prefetch

    I ran disk cleanup right before I searched for them.

    So I don't know where to start. Here is my HJT log...hope someone can help me.

    Logfile of HijackThis v1.99.0
    Scan saved at 6:31:14 PM, on 1/27/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\lexpps.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\mcafee.com\agent\McDash.exe
    c:\program files\mcafee.com\shared\mghtml.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfConsole.exe
    C:\WINDOWS\SYSTEM32\CLEANMGR.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Jay\LOCALS~1\Temp\Rar$EX00.984\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: www.yeak.net
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://webcamnow.com/fs5/voice/voice.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
    O23 - Service: IAA Event Monitor - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LogMeIn Maintenance Service - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
    O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
    O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
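One way to start triaging a log like the one above, and the firewall-allowed programs the same post lists: the Python script below is an added example, not part of this thread and not HijackThis's own code. It parses entries in the HijackThis v1.99 format and flags the kinds of items a reviewer would look at first: binaries living in user-writable profile directories such as Local Settings\Temp and Application Data (the locations McAfee reported for iinstall.exe and tlii.exe), sites added to the IE Trusted Zone (O15), ActiveX controls fetched over plain HTTP (O16), and registrations pointing at files that no longer exist. The sample log is constructed here from a few lines of the posted log; the `O4` entry for `unknown.exe` is invented to exercise the user-writable-directory check, and the severity labels and directory list are this example's own heuristics.

```python
import re

# Constructed sample in the HijackThis v1.99 log format. Most lines are copied
# from the log posted in the thread; the O4 entry for unknown.exe is invented
# here to exercise the "binary in a user-writable profile directory" check.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\DOCUME~1\Jay\LOCALS~1\Temp\Rar$EX00.984\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [unknown] C:\Documents and Settings\Jay\Application Data\unknown.exe
O15 - Trusted Zone: www.yeak.net
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://webcamnow.com/fs5/voice/voice.cab
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Profile directories any user can write to; legitimate autostart entries and
# services almost never live here, so a binary in one of them deserves a look.
USER_WRITABLE_DIRS = (
    "\\local settings\\temp\\",
    "\\locals~1\\temp\\",
    "\\application data\\",
    "\\temp\\",
)


def in_user_writable(path):
    """True if the path passes through one of the user-writable directories."""
    low = path.lower()
    return any(d in low for d in USER_WRITABLE_DIRS)


def triage(log_text):
    """Return (severity, line, reason) triples for entries an analyst should review.

    Severities are review hints, not verdicts: each hit still needs a person to
    confirm the file's publisher and why it is on the machine.
    """
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if in_user_writable(line):
                findings.append(("medium", line, "process running from a user-writable directory"))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                   # header lines such as "Platform: ..."
        section, detail = m.groups()
        low = detail.lower()
        if section == "O15":
            # Trusted Zone sites get IE's relaxed security settings.
            findings.append(("high", line, "site added to the IE Trusted Zone"))
        elif section == "O16" and not low.rsplit(" - ", 1)[-1].startswith("https://"):
            findings.append(("medium", line, "ActiveX control fetched over plain HTTP"))
        elif "(no file)" in low:
            findings.append(("low", line, "registration points at a file that no longer exists"))
        elif in_user_writable(detail):
            findings.append(("high", line, "autostart or helper binary in a user-writable profile directory"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Note that HijackThis.exe itself is reported as running from a Temp folder, because in the posted log it was launched straight out of the WinRAR archive; that is exactly why a hit from a script like this is a prompt to check the file, not a verdict on it.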
     
  5. Parker650

    Parker650 Thread Starter

    Joined:
    Jan 27, 2005
    Messages:
    4
    Oh yeah...I would also like to get rid of MySearchAssistant and Windows Messenger, but don't know how to get rid of them.

    Ever since I found this trojan, my sound card (or PC) somewhere BEEPS when I change something. For instance, when I adjust the volume on the computer, I slide the volume bar and let go of the mouse...I don't get the windows beep (in accordance with how high or low I set the volume) through my speakers...what I do get is a monotone, same volume beep from the back of the computer. Anyone know how to fix this?
     
Short URL to this thread: https://techguy.org/323929