Solved

HELP!! Blank Blue screen when booting up and constant pop-ups

Posted on 2008-06-09
Last Modified: 2013-12-06
I've got some kind of spyware/adware infecting my PC. When I boot up it just shows a completely blank blue screen and then after a while I get a pop-up stating my system is infected, etc... and then a pop-up for AntiSpySpider. There is a link in the first pop-up that claims to update the Windows Security Center, so I clicked on it since the PC is not currently connected to a network or the internet. It brought me to an Internet Explorer window and I used that to go to C:\windows and run Explorer.exe. Now my system is booted up but I am constantly getting pop-ups. Here is the HijackThis logfile. Can anyone help?
  Cojo

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:44 PM, on 6/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\ISS\RSDP\blackd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRAM FILES\DRU\bin\DRUService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\444.0
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\WINDOWS\portsv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\rcmdsvc.exe
C:\Program Files\Radmin\r_server.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\snmpdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IBM\Tivoli\Remote Control\Target\trc_base.exe
C:\Program Files\Serena\ChangeMan\DS\Client\vcs_nt_service.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\IBM\Tivoli\Remote Control\Target\trc_gui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\progra~1\FileNET\IDM\fnsysmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\System32\cscript.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\zz\ZenMediaSource\Detector\CTDetect.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\_taft\mg\Microsoft Money\System\mnyexpr.exe
C:\Documents and Settings\tl1272\Application Data\Microsoft\dtsc\11189.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\PROGRA~1\COMMON~1\CROSOF~1.NET\attrib.exe
C:\Program Files\QdrModule\QdrModule17.exe
C:\WINDOWS\?racle\m?hta.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Documents and Settings\tl1272\Application Data\Microsoft\dtsc\11189.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.sbc.com/autoproxy.cgi
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Utils\RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {A664BB3E-738C-5A55-FF38-78A2E5EA42E1} - C:\WINDOWS\system32\hvrx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Utils\RoboForm\roboform.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [0FileNET System Manager] c:\progra~1\FileNET\IDM\fnsysmgr.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VPN_MTU] "C:\Program Files\cisco systems\vpn client\setmtu.exe" /s 1200
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SBCAssess] "C:\Program Files\Compapps\SBCAssess\SBCAssess.exe" 5
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BVRPLiveUpdate] C:\Program Files\Avanquest update\Engine\Setup.exe /PATCH,/SRCUPDATEC:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRPSO~1\MOTORO~1\LIVEUP~1\LISTOF~1.DAT
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\WINDOWS\zz\ZenMediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\_taft\mg\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\tl1272\Application Data\Microsoft\dtsc\11189.exe
O4 - HKCU\..\Run: [Eusn] "C:\PROGRA~1\COMMON~1\CROSOF~1.NET\attrib.exe" -vt yazb
O4 - HKCU\..\Run: [QdrModule17] "C:\Program Files\QdrModule\QdrModule17.exe"
O4 - HKCU\..\Run: [Tbaxhfom] C:\WINDOWS\?racle\m?hta.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor]  (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor]  (User 'Default user')
O4 - Startup: Q Team-Link Messenger.lnk = C:\Program Files\Q Team-Link Messenger\jre1.5.0_09\bin\javaw.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Customize Menu - file://C:\Utils\RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Utils\RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open with BitPump - C:\WINDOWS\zz\AnalogX\BitPump\ieint.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Utils\RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Utils\RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_15\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Utils\RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Utils\RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Utils\RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Utils\RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Utils\RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Utils\RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://myintranet.sbc.com
O16 - DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - https://strtc.oracle.com/imtapp/res/jar/cnsload.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0a454840-7232-11d5-b63d-00c04faedb18} - http://chpwire2.sbc.com:8000/jinitiator/oajinit11814.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - http://quality-center.sbc.com/qcbin/Spider90.ocx
O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scansoft.com/pp/files/np_max.cab
O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - http://cid-59243c76f68bf954.skydrive.live.com/Microsoft.Live.Folders.RichUpload.cab
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://chdcfas2.sbc.com:8891/jinitiator/oajinit.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-t20-pso-attdevel2/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ait.itservices.sbc.com
O17 - HKLM\Software\..\Telephony: DomainName = ait.itservices.sbc.com
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\RSDP\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DRUAgent - AT&T - C:\PROGRAM FILES\DRU\bin\DRUService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.0.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\ORACLE\ORA92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\ORACLE\ORA92\BIN\ONRSD.EXE
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\RSDP\RapApp.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\Program Files\Radmin\r_server.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SMSWUagent - 1E Ltd. - C:\Program Files\1E\SMSWakeUp50\SMSWUagent.exe
O23 - Service: snmpdm - Unknown owner - C:\WINDOWS\system32\snmpdm.exe
O23 - Service: IBM Tivoli Remote Control - Target (TRCTARGET) - Unknown owner - C:\Program Files\IBM\Tivoli\Remote Control\Target\trc_base.exe
O23 - Service: VCS NT Service (VCS_Service) - Unknown owner - C:\Program Files\Serena\ChangeMan\DS\Client\vcs_nt_service.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 19642 bytes
Question by:Cojo1
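Added here as an illustration, not code from the thread or from HijackThis: a small Python triage script that applies the checks the experts below make by eye (orphaned registrations, a second program on the UserInit line, Run entries launched from a user profile, policy restrictions, Winlogon Notify DLLs, unowned services sitting directly in C:\WINDOWS). The sample input is a handful of lines copied from the log above plus two benign entries for contrast; the section tags are HijackThis 2.0 conventions, the `Finding` type and rule wording are my own.

```python
"""Triage a HijackThis 2.0 log with the same heuristics an analyst applies by eye."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O2"
    reason: str    # why the line was flagged
    line: str      # the original log line


# Constructed sample: lines copied from the log posted in the question, plus two
# benign entries (ctfmon.exe, McShield) so the rules have something to leave alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\tl1272\Application Data\Microsoft\dtsc\11189.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tbaxhfom] C:\WINDOWS\?racle\m?hta.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.0.exe (file missing)
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
"""

# Every entry line starts with a section tag such as "F2", "R1" or "O23".
SECTION_RE = re.compile(r"^([FRO]\d+) - (.*)$")
# The only program that belongs on the UserInit line is the stock loader.
EXPECTED_USERINIT = "userinit.exe"


def parse(log_text):
    """Yield (section, body, line) for every HijackThis entry line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def _path_of(section, body):
    """Return the file path field: after "] " for O4 lines, else the last " - " field."""
    if section == "O4" and "] " in body:
        return body.split("] ", 1)[1].strip()
    return body.rsplit(" - ", 1)[-1].strip()


def check_userinit(body):
    """Flag any executable besides userinit.exe in the comma-separated UserInit chain."""
    value = body.split("UserInit=", 1)[1]
    entries = [e.strip() for e in value.split(",") if e.strip()]
    extra = [e for e in entries if not e.lower().endswith("\\" + EXPECTED_USERINIT)]
    if extra or len(entries) != 1:
        return "UserInit chain launches extra program(s): " + ", ".join(extra)
    return None


def triage(log_text):
    """Apply the rules to each entry line and return the flagged ones."""
    findings = []
    for section, body, line in parse(log_text):
        path = _path_of(section, body)
        reason = None
        if section == "F2" and "UserInit=" in body:
            reason = check_userinit(body)
        elif path.endswith(("(no file)", "(file missing)")):
            # Orphaned registration: something was removed or is hiding its file.
            reason = "registration points at a file that does not exist (orphan)"
        elif section == "O4":
            if "\\documents and settings\\" in path.lower():
                reason = "autostart launched from a user profile folder"
            elif "?" in path:
                reason = "autostart path contains characters HijackThis could not render"
        elif section == "O7":
            reason = "policy restriction in effect: " + body.rsplit(", ", 1)[-1]
        elif section == "O20":
            reason = "Winlogon Notify DLL loads at every logon; verify the file"
        elif section == "O23" and "Unknown owner" in body:
            folder = path.rsplit("\\", 1)[0].lower()
            if folder == "c:\\windows":
                reason = "unowned service executable directly in the Windows folder"
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


def by_section(findings):
    """Count findings per section tag, handy for a quick overview of a long log."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a full log instead of `SAMPLE_LOG` and the output is a shortlist to research, not a verdict; the Adobe, ctfmon and McShield lines above pass precisely because well-known paths with present files are not what these rules look for.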
28 Comments
 
LVL 5

Expert Comment

by:virtuatech
ID: 21746284
Looks like you have a script file running C:\WINDOWS\System32\cscript.exe.  Use Process Explorer and see what files are opened with that program.  I would recommend closing all applications in your System Tray and doing an "End Task" on known programs, and avoid closing system files like svchosts and lsass.  I would Google each .exe to identify what they are.
LVL 5

Expert Comment

by:virtuatech
ID: 21746292

Author Comment

by:Cojo1
ID: 21746349
What do I do after identifying the files that the script is using?
LVL 20

Accepted Solution

by:
IndiGenus earned 1000 total points
ID: 21746454
Hi,
This thing is absolutely riddled with Malware. PurityScan, vundo, bots, trojans, ....you name it. I'll give it a shot.

Download SDFix (by Andy Manchesta) and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe 

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.

A text file should automatically open,
Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download and Run ComboFix (by sUBs) from one of the links below. You must run it directly from your Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://subs.geekstogo.com/ComboFix.exe

Disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Upload that log in your next reply with a new HijackThis log.  

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware.

NOTE: If you have issues connecting to your network or internet after running combofix you can either simply reboot, or do the following:
* Go to Control Panel > Network Connections.
* Right click on your Network icon & select "Repair"
or
Alternately, if the Network icon appears in the notification area in the lower right corner of Desktop, right-click it, and then click Repair from the shortcut menu.

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.

Author Comment

by:Cojo1
ID: 21746511
Oh, I forgot to mention that when I go to boot into SAFE mode, the system won't accept my password. I can log in with my password fine in normal mode. Any ideas on how to get around that?  Cojo
LVL 20

Expert Comment

by:IndiGenus
ID: 21746558
Don't think we can get "around" anything here. Just clean it up and hope for the best. Sometimes with systems this infected there is OS damage that cannot be repaired.

Author Comment

by:Cojo1
ID: 21746722
Will it work without being in SAFE mode?  When I run RunThis.bat, I only get a menu with the options to select "A, B, C, D, U,1,2,3,4 or E to Exit" I typed "Y" like your instructions and the window closed. Don't think it's doing anything. Should I be selecting another option or is it not working because I'm not in SAFE mode? By the way - Thanx for the help.  Cojo

Author Comment

by:Cojo1
ID: 21746911
I got around the problem. I am now able to login with SAFE mode. I created a new account. (Looks like my old account must have an old password stored with it.) Anyway, I can now run SDFIX in safe mode and will go thru your instructions above and post back when I'm done. - thx - cojo

Author Comment

by:Cojo1
ID: 21747105
I ran the SDFIX and it completed and said it was going to reboot my system. It rebooted and is now stuck on the blank blue screen. It's like it's not starting Explorer.exe. Any ideas?
LVL 20

Expert Comment

by:IndiGenus
ID: 21747209
To start EXPLORER.EXE manually:

   1. Open Windows Task Manager. Press CTRL+SHIFT+ESC.
   2. On Windows Task Manager, Click File>New Task (Run..)
   3. In Create New Task, type %WinDir%\EXPLORER.EXE and click OK.
   4. Close Task Manager.

We may have to make a registry edit to bring back explorer on startup. Run combofix first though. Again....badly infected machine. You may want to consider a re-install if we continue to have issues here.

Author Comment

by:Cojo1
ID: 21747610
Managed to get by it by logging in with the new account I created. For some reason I can't boot up with my main account (which I really need to).  Here's the logs that I got after running both. I still need to be able to fix my main account to boot up right besides whatever this shows wrong.

SDFIX-log-first-run-6-09-08.txt.txt
combofix-log-6-9-08.txt
LVL 20

Expert Comment

by:IndiGenus
ID: 21747785
Can you post a new HijackThis log too? You say you cannot get into your main profile...why? What happens when you try?

Do you know of this program?
C:\Program Files\Radmin

Do you use a remote admin. or use remote access on this pc?

Author Comment

by:Cojo1
ID: 21751408
Yes RADMIN is my remote access software. -- When I log into my main account, it only comes up to a blank blue screen (not the blue screen of death). I don't think it's running Explorer.exe. Also if I hit Ctrl-Alt-Del, the "Task Manager" button is grayed out. But only on the main account, not the new one I created. Weird! Attached is the new HijackThis file.
hijackthis.log
LVL 20

Expert Comment

by:IndiGenus
ID: 21751937
These scripts that are running...do you know what they are?

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=drustatus.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\1]
"Script"=newhealth.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2057499049-1289676208-1959431660-70014\Scripts\Logon\0\0]
"Script"=LEDNIssueLogonScript.vbs

Author Comment

by:Cojo1
ID: 21752194
I do not know what these are.  Also, does it make a difference that this HijackThis script was not run under the user account that I'm having the problem with? Because I can't login to that account to do anything. It just stays on the blank blue screen. If I could get the Task Mgr ungrayed then I could start Explorer.exe and run it from that account.
LVL 20

Expert Comment

by:IndiGenus
ID: 21752539
Yes, it does matter where it's run from, and it would be nice if we could get into that account, but I'm not sure how we can at this point. I'm assuming (maybe wrongly) that this machine is part of a domain? In a work environment?

Author Comment

by:Cojo1
ID: 21752590
UPDATE: OK, I am able to login now to the main account. I went into Documents and Settings and renamed the folder for my main account. When I logged in, it recreated it and logged me in fine. Weird, but it worked. Here's the HijackThis logfile from the account.
hijackthis.log
LVL 20

Expert Comment

by:IndiGenus
ID: 21752739
Great, good job. Not sure what you did though?

There is one entry I am pretty sure is bad, but haven't been able to find much info on, as it appears pretty new. We can use combofix to deal with it. You may need to download combofix into this profile as it was run earlier from another, correct? If so do that and download to your desktop, then...

1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

------------------------------------------------------------------------

File::
C:\WINDOWS\portsv.exe

Folder::
C:\WINDOWS\system32\2705

Driver::
PlugPlayRPC

------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log

Author Comment

by:Cojo1
ID: 21753018
Is that the right folder?

Folder::
C:\WINDOWS\system32\2705

I don't mean to question you but I just wanted to double check before I ran it. In the HJT log it shows the file being in C:\WINDOWS. The only file in this folder is ~@24771p.spt
LVL 20

Expert Comment

by:IndiGenus
ID: 21753096
It is from the combofix log and was created right at the same time the portsv.exe file was. Many times there are just randomly named folders created and this is probably one of them. It's probably harmless but....if you know it's OK then don't remove. There are quite a few things on this PC I don't recognize and that's why I asked about being on a domain and having many policies and restrictions in place.

Author Comment

by:Cojo1
ID: 21753174
Nevermind, I misunderstood. I didn't realize that was cleaning up the folder. For some reason I thought that under the folder section, you were telling it where to find the file portsv.exe. My bad, sorry.

Author Comment

by:Cojo1
ID: 21754375
Ok, ran that combofix and here's the log for it and another HJT log.


Author Comment

by:Cojo1
ID: 21754390
LVL 20

Expert Comment

by:IndiGenus
ID: 21754516
OK how's it running now? You need to update your Java, older versions are vulnerable to malware.

Author Comment

by:Cojo1
ID: 21754579
How do I update the Java?
LVL 20

Expert Comment

by:IndiGenus
ID: 21754643
Updating Java:
Go to Start > Control Panel > Add/Remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select and click Remove.

Then Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp

Author Closing Comment

by:Cojo1
ID: 31465929
Thank you very much for your help with this. You were right on the money with your solution. Sorry for all the questions. Keep up the great work!
LVL 20

Expert Comment

by:IndiGenus
ID: 21755691
Glad it worked out and you're welcome. Don't worry about asking questions, that's how we learn.

You should uninstall combofix...

Click START then Run...
Now type Combofix /u in the runbox and click OK.  Note the space between the X and the U, it needs to be there.

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.