Start-up & shut down problems after trojan detected & cleaned...

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Parker650

Thread Starter
Joined
Jan 27, 2005
Messages
4
My first post here, hope to get some help...my wife is ready to kill me (and vice versa) as she is accusing me of screwing up a month-old Dell Dimension 8400.

I'm at work right now writing this so I can't do anything until I get home tonight. Here's the problem...

I tried downloading a cheat for Yahoo Pool, when McAfee and Webroot Spy Sweeper picked up a host of adware and junk trying to get installed I immediately stopped installing (but of course, some got through). After a few minutes the PC decided to shut down on its own, without me doing anything. I restarted and the same thing happened almost immediately after start up, it shut down on its own. I restarted using F8 and used the "restart with latest settings that worked" command. Got on and was able to run McAfee and some other programs where a trojan was found and removed. Everything worked fine after and the computer had been on for 5 or 6 days since then.

My wife decides she is going to log on under her log-on last night. Using only Word, the program crashed and closed. She started again a few times, getting to where she tried to print and it locked up on her. So I get her out of Word and close out of everything and do a shutdown. It shuts down normally, nothing forced. On reboot, the blue screen "Fat32 library is dirty" screen pops up and the PC spends 45 mins checking files and folders and such. It completes with no problems but doesn't do anything...the blue screen disappears and the monitor is left blank with nothing happening. No keystrokes work or mouse or anything...I had to manually shutdown by holding the on button for 5 secs.

I restart and get the blank screen immediately after the Windows XP start up window disappears. I restart again...same thing. I restart and use the F8 key, choose "settings that most recently worked"...blank screen. Started safe mode...that worked...but didn't do anything for me. Restarted...again, and so on. Somehow I got in (don't ask me how, I did so many combinations I don't remember), was able to log on and I immediately ran McAfee, Webroot Spy Sweeper and TDS (or something, some trojan detector) making sure they were all up to date before I did. They all scanned fine, no problems, trojans or adware found.

So I restart...I get the blank screen after Windows XP again, only after 30 seconds or so, the log on screen appears. Thinking that it was all set and that XP is just taking longer to boot up, I figure it's fine. I leave it for the night.

Now this morning on the way to work I get a phone call from my wife screaming that she logged on under her, printed something and then went to log off and the computer froze. Her desktop background was showing, nothing else and was locked. As she is screaming at me she does a forced shutdown and continues to scream as I f(#)!#$ up the brand new computer. And voila...after the Windows XP screen disappears, it stays with a blank screen and does not get to the log-on screen.

So...I don't know where to start. I'm not that computer literate, I mean I know some stuff but not enough to understand anything in the registry or how to change it...and I'm not sure if that's a good idea anyway. I just need to get this thing fixed before I get divorced over it. I haven't done a system restore, mostly b/c I have put a lot of my CD collection onto the PC recently to use w/ my iPod and don't want to have to do it again and don't have a way of backing up all that music other than CDs.

Do I need to run HijackThis? Will this help? I am not sure what I should do. Start up and shut down seem to be the biggest problem. When I am signed on under my log-on, everything works perfectly...when my wife logs on, it craps out.

Can anyone help? Thanks.

Parker
 
Joined
Mar 23, 2002
Messages
519
Does your wife have a lot of "personal data" in her profile?
Does your profile have the programs she uses when she is in her profile?
When it worked that is.....

What I would probably do if I were in your situation is...
Create a folder in your profile calling it wife's stuff.
Locate ALL personal data...doc files picture files...etc
Copy all her data to that folder.
Delete her profile
Recreate the profile.

To me profiles are a pain in the neck...but some people like them.
I work with one profile and have folders for other users personal stuff.

Just a thought
 

Parker650

Thread Starter
Joined
Jan 27, 2005
Messages
4
OK...I'm home. The weirdest thing happens. When I start up, the screen on the monitor goes black/blank right after the Windows XP start screen when it boots. It stays black/blank if I don't do anything (mouse/keystrokes don't work, basically nothing)...however, if I turn the monitor off, I hear the computer working, then turn the monitor back on and the log on screen appears. I don't understand.

I checked my firewall settings and the blocked applications list, seems there are three programs in there that were allowed access that I didn't know were on this machine and the programs aren't in my add/remove programs list...they are:

* BackDoor Knock - bdknock.exe
- I searched my PC for this "bdknock.exe" and found bdknock in C:\Program Files\TDS3\Ext.Plug

* iinstall.exe
- McAfee shows it as C:\Documents and Settings\Jay\Local Settings\Temp\iinstall.exe
- I searched my PC for this "iinstall.exe" and found in local settings temp folder

* tlii.exe
- McAfee shows it as C:\Documents and Settings\Jay\Application Data\tlii.exe
- I searched my PC for this "tlii.exe" and found TLII.EXE-29F2978F.pf in C:\WINDOWS\Prefetch

I ran disk cleanup right before I searched for them.

So I don't know where to start. Here is my HJT log...hope someone can help me.

Logfile of HijackThis v1.99.0
Scan saved at 6:31:14 PM, on 1/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\mcafee.com\agent\McDash.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfConsole.exe
C:\WINDOWS\SYSTEM32\CLEANMGR.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Jay\LOCALS~1\Temp\Rar$EX00.984\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.yeak.net
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://webcamnow.com/fs5/voice/voice.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O23 - Service: IAA Event Monitor - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service - 3am Labs, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - 3am Labs, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
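
A triage pass over a log in the layout posted above, as an added example that is not part of the original thread: it parses the section codes (R0, O2, O23 and so on) and flags entries by a few heuristics chosen for this illustration (missing target file, Trusted Zone addition, ActiveX fetched over plain HTTP, path under a user-writable directory). A flag means "review this entry", not a verdict; the function names and heuristics are assumptions.

```python
import re

# Lines copied from the HijackThis log in the post above (not the full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\Jay\LOCALS~1\Temp\Rar$EX00.984\HijackThis.exe

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O15 - Trusted Zone: www.yeak.net
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://webcamnow.com/fs5/voice/voice.cab
"""

# "<letter><1-2 digits> - <body>" is the entry layout used throughout the log.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Long and 8.3 short names of per-user directories any account can write to.
USER_WRITABLE = re.compile(
    r"\\(temp|locals~1|local settings|application data|applic~1)\\", re.I)

def parse_log(text):
    """Yield (section, body); process-list lines get the pseudo-section 'PROC'."""
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY.match(line)
        if line == "Running processes:":
            in_procs = True
        elif match:
            in_procs = False
            yield match.group(1), match.group(2)
        elif in_procs and line:
            yield "PROC", line
        else:
            in_procs = False  # a blank line ends the process list

def triage(text):
    """Return (section, reason, body) for every entry worth a manual look."""
    findings = []
    for section, body in parse_log(text):
        if "(no file)" in body or "(file missing)" in body:
            findings.append((section, "target file missing", body))
        if section == "O15":
            findings.append((section, "trusted-zone addition", body))
        if section == "O16" and " - http://" in body:
            findings.append((section, "ActiveX fetched over plain HTTP", body))
        if USER_WRITABLE.search(body):
            findings.append((section, "path in user-writable directory", body))
    return findings

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}: {body}")
```

The scanner's own process is flagged because it was launched from an archive's temporary extraction folder, which shows why each flag needs a person to read the entry before acting on it.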
 

Parker650

Thread Starter
Joined
Jan 27, 2005
Messages
4
Oh yeah...I would also like to get rid of MySearchAssistant and Windows Messenger, but don't know how to get rid of them.

Ever since I found this trojan, my sound card (or PC) somewhere BEEPS when I change something. For instance, when I adjust the volume on the computer, I slide the volume bar and let go of the mouse...I don't get the Windows beep (in accordance with how high or low I set the volume) through my speakers...what I do get is a monotone, same volume beep from the back of the computer. Anyone know how to fix this?
 