Computer Reboots after attempted spy-ware removal

I was infected with a cocktail of spy-ware programs recently. I ran Ad-aware and Spybot, then attempted a Microsoft update. After I rebooted, I found that my machine would only run for about 2 minutes before rebooting. I can run it in safe mode with networking just fine. Any advice?

thanks,
mike

Comments

  • Trogan London, UK
    edited December 2005
    Try and post a HJT log :)
  • edited December 2005
    Will do.
    HJT log:

    Logfile of HijackThis v1.99.0
    Scan saved at 9:25:12 PM, on 12/1/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Mike Darling\Desktop\best\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\lrobs.dll/sp.html#17702
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\lrobs.dll/sp.html#17702
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\lrobs.dll/sp.html#17702
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\lrobs.dll/sp.html#17702
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\lrobs.dll/sp.html#17702
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\lrobs.dll/sp.html#17702
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\lrobs.dll/sp.html#17702
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Class - {77AA288C-4EB6-ADD2-6289-1A1A78F8EC3A} - C:\WINNT\system32\ieav32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [winac.exe] C:\WINNT\system32\winac.exe
    O4 - Global Startup: D-Link AirPlus.lnk = D:\Program Files\D-Link AirPlus\AirPlus.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://extranet.agric.gov.ab.ca/iNotes6.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/153fa78c6b6d6ae29101/netzip/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINNT\wincm.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: WebDrive Service - Unknown - C:\Program Files\Webdisk Client\wdservice.exe
  • Trogan London, UK
    edited December 2005
    Download the latest version of HJT from the link below:

    http://short-media.com/download.php?dc=69
  • Crunchie Mandurah. Western Australia. Member
    edited December 2005
    Download CWShredder 2.15 from here.

    Download 'SpSeHjfix' to the desktop, then
    right-click a blank part of the desktop, select New Folder, and call it spfix.
    Unzip the file into that folder.

    Disconnect from the net and Close ALL OPEN PROGRAMS.
    Run 'SpSeHjfix' and click on "Start Disinfection".
    When it's finished it will reboot your machine to finish the cleaning process.
    The tool creates a log of the fix which will appear in the folder.

    If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

    Run the shredder and press *fix*, not scan, and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

    Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.