Infected computer, need help understanding Hijack This log
Comments
tranmererovers wrote:
"Thanks very much Browntoa! That's gone now (rebooted and re-ran HijackThis to check!)
What about sbCtri.exe? I googled it and it flagged up as 'Cloaked Malware' :eek:"
Yes, meant to add that... but seeing it will not boot....

Ex forum ambassador
Long term forum member
I'd wait now until they have the XP CD, then do a repair install from the CD, then legalise the dodgy copy:
http://www.microsoft.com/genuine/selfhelp/XPPkuinst.aspx?displaylang=en&sGuid=3799f7fb-fec6-466a-b5d1-21582d100fc8
Well to further complicate matters, they went out today to 4 shops but none of them had XP Professional in stock although one offered to order it at £140 and only one had XP Home but that was £88 :eek:
They would rather install XP Home as they don't need XP Professional, either in functionality or the additional cost.
So am I right in thinking if they buy XP home they won't be able to repair their XP professional with that and will have to do a reinstall and lose all their data?
The main issue is that there is data on their computer (photos) that they (now tell me :rolleyes: ) haven't secured to disc so I need to back them up!
I don't have a boot CD for XP Pro only mine for XP home.
Is there anything you can suggest that will let me get windows loaded to recover their photos so we can then go for the cheaper home edition and do a full install on that?
Hope that makes sense
Thanks

It's easier to get forgiveness than to ask permission
Yes. If you have a windows CD to hand and a CD burner, google "PEbuilder".
If you follow the instructions for that, it will burn a CD in the end that will allow you to boot a "live CD" style, cut down XP environment and examine the disk/delete files/copy files to a USB pen or similar..
It's become one of my most used work recovery tools.. :) I think it works OK with XP Home.. yep.. there's a link to the page for it..:
http://www.nu2.nu/pebuilder/
To copy files to a USB stick, you need to have the USB stick in the PC as you boot PEbuilder's resulting rescue CD up - unlike XP, you can't plug/unplug them while it's running as it won't "spot" them if you do.
So here is the latest in this saga.
I got my XP disc and licence and tried to do a windows repair but that didn't make the slightest bit of difference and I still had this 'XP Logon Logoff' problem. I did some further reading as I didn't want to reformat and wipe the disc unless absolutely necessary.
Also by using the windows repair function, I discovered that my userinit.exe file had been deleted. :eek:
I read this entry and decided to give the suggestion a go.
(Thanks to sirbendy for pointing me in the direction of PEbuilder - it's an extremely useful tool!! )
I built a BartPE CD with a regedit plugin so I could check the registry for winlogon (which was OK - looking for userinit.exe, which didn't exist) and, using this environment, I was able to copy across a userinit.exe file.
The machine has now loaded Windows successfully :j
I'm just running a full scan with avast and then will post a (final hopefully) hijack this log which I hope you will be kind enough to have a look over.
Thanks for all your help :beer:

It's easier to get forgiveness than to ask permission
I have finished running Avast, and here is the latest HijackThis log, if you'd be so kind as to give it the once over.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:53, on 2009-01-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Program Files\livetvbar\tblive.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Program Files\livetvbar\tblive.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Program Files\livetvbar\tblive.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Scheduler.lnk = C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-play-en/FlashAX.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Command Software\dvpapi.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
--
End of file - 6207 bytes
Thank you :beer:

It's easier to get forgiveness than to ask permission
Fingers crossed that the above HijackThis log is all clear now. There is one other problem. In getting rid of the Virtob (I think it was called) virus, Avast deleted a whole load of exe files. Many of them (like Word and Excel) I can reinstall from the application discs, but it also deleted exe files from the Windows directory and the system32 directory. :eek:
I have used the BartPE disc to copy in some missing exe files into the system32 directory but I don't think that would be all of them as it is only a cut down version as I understand.
Also, one of the exe files I copied in was notepad, but that still won't run as there is another missing file.
My other thought was to do a windows repair but when I did that earlier it didn't restore the userinit.exe to the system32 directory so I am not sure that would solve the problem either.
I don't want to do a reinstallation (unless there really is no other way). Any other suggestions, please?
Thanks

It's easier to get forgiveness than to ask permission
You still have some AVG in there. Use the removal tool:
http://www.avg.com/download-tools
SYGATE is too old to be safe. I'd suggest removing it and either switching on Windows Firewall (which would probably be safer than Sygate now) or using a decent 3rd-party firewall like PC Tools.
Download PC TOOLS FIREWALL (Make sure you click 'DOWNLOAD NOW')
http://www.download.com/PC-Tools-Firewall-Plus-Free-Edition/3000-10435_4-10625321.html
FIX these using hijack
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Command Software\dvpapi.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
:idea:
You also need to download SERVICE PACK 3 (Security updates) :idea:
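Reading a HijackThis log by hand means going section by section (R0/R1 for browser settings, O2 BHOs, O3 toolbars, O4 autoruns, O23 services) and picking out entries that point at files which no longer exist, which is what the "FIX these" advice above is doing for the two O23 lines and the AVG BHO. The script below is an added example written for this thread, not code from the forum or from Trend Micro: it parses the section entries, pulls out the path and CLSID from each, and lists the orphaned "(file missing)" entries. The sample lines are copied from the posted log; the function names (`parse_log`, `orphaned_entries`, `summarize`, `fix_candidates`) are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the log posted in this thread, including the
# three "(file missing)" entries the replies above single out.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O23 - Service: DvpApi (dvpapi) - Unknown owner - C:\Program Files\Common Files\Command Software\dvpapi.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
--
End of file - 6207 bytes
"""

# Every section entry starts with a code such as R0, F2 or O23 followed by " - ".
# Header lines, the process list and the "--" footer do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
# Registry-style GUID in braces, as used for BHOs, toolbars and ActiveX objects.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter (or %systemroot%) path ending in a binary extension; the
# non-greedy match stops at the extension, so trailing arguments are excluded.
PATH_RE = re.compile(r'(?:%systemroot%|[A-Za-z]:)\\[^"]*?\.(?:exe|dll|cab|ocx)', re.IGNORECASE)
MISSING_MARK = "(file missing)"


@dataclass
class Entry:
    section: str            # e.g. "O23"
    body: str               # everything after "O23 - "
    path: Optional[str]     # referenced binary, if the line names one
    clsid: Optional[str]    # upper-cased GUID, if present
    file_missing: bool      # HijackThis could not find the referenced file


def parse_log(text: str) -> List[Entry]:
    """Turn the raw log text into structured section entries."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        path_m = PATH_RE.search(body)
        clsid_m = CLSID_RE.search(body)
        entries.append(Entry(
            section=m.group("section"),
            body=body,
            path=path_m.group(0) if path_m else None,
            clsid=clsid_m.group(0).upper() if clsid_m else None,
            file_missing=body.endswith(MISSING_MARK),
        ))
    return entries


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose target binary is gone: leftovers of an uninstall or an AV clean-up."""
    return [e for e in entries if e.file_missing]


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Count entries per section code, in order of first appearance."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


def fix_candidates(entries: List[Entry]) -> List[str]:
    """Rebuild the exact log lines for orphaned entries, so they can be matched
    against the checkboxes in HijackThis's 'Fix checked' view."""
    return [f"{e.section} - {e.body}" for e in orphaned_entries(entries)]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print("entries per section:", summarize(found))
    for line in fix_candidates(found):
        print("orphaned:", line)
```

An orphaned entry is a dangling registration, not evidence of infection on its own; the point of listing them is that they tell you what was removed (here, the AVG site blocker, a Command Software service and the UPS service) and give you a short, reviewable list to tick in HijackThis rather than fixing lines by eye.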