computer just reboots after running Malwarebytes

[swetbak]

I have a similar situation to an earlier post, but mine doesn't make it to the logon screen. My computer reboots itself just after the Windows splash screen. Same with safe mode. Here is the situation:

I was given a computer that was doa from a friend. They had been experiencing some "virus" issues and it just stopped working. I determined that the motherboard and/or processor was bad. I replaced them both and got the machine up and running. "Great! I'm home free now!" Think again.

Upon startup the Windows Security Window kept popping up and it looked corrupted. The links asked to run a scan or download protection. The background image was dark red with the toxic waste theme that I couldn't remove. I was only able to get to the display properties thru the Control Panel, but the background images were all greyed out. I had very little control over this machine, including no Internet. After removing as many suspicious programs from Add/Remove Programs in Control Panel, I used a flash disk and installed Rogue Remover and Malwarebytes. Rogue found about a dozen things and removed them. I rebooted. things still looked the same. I ran Malwarebytes using the quick scan. It found about 350 things. During the removal process a window popped up saying that my computer was going to shutdown. Another window popped up asking I wanted to quit Malwarebytes. I clicked "no" and just then the computer shut down and rebooted. Now it just reboots at the spash screen.

Any chance I can make a boot cd as in the previous post and fix a registry key?

XP Home edition.

This is an Emachine and they don't have the rescue cd:(

[JeanInMontana]

Hi swetbak and welcome to Malwarebytes. Please follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936 someone will be happy to help you.

[swetbak]

Hi swetbak and welcome to Malwarebytes. Please follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936 someone will be happy to help you.

Thank you Jean for the reply, but I am not able to get the OS loaded to do any scans or hjt log. If my post was unclear I will be happy to restate it. If I've miss understood your instructions let me know.

Thanks

[AdvancedSetup]

Please take a look at this forum post >Partitioning and Recovery Tools - Links

Specifically this one: Microsoft Diagnostics and Recovery Toolset

I would try using that one by creating the CD from another computer and using it on this broken computer.

Then check on this key in the Registry. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Userinit should have this entry which "might" be why it's not booting properly if it is anything else.

C:\WINDOWS\system32\userinit.exe,

Using the REAL location of the %WINDIR% folder though for the system. C:\WINDOWS and C:\WINNT are the most common.

[swetbak]

Please take a look at this forum post >Partitioning and Recovery Tools - Links

Specifically this one: Microsoft Diagnostics and Recovery Toolset

I would try using that one by creating the CD from another computer and using it on this broken computer.

Then check on this key in the Registry. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Userinit should have this entry which "might" be why it's not booting properly if it is anything else.

C:\WINDOWS\system32\userinit.exe,

Using the REAL location of the %WINDIR% folder though for the system. C:\WINDOWS and C:\WINNT are the most common.

I used a Bartpe cd and checked out that registry key. It listed i:\386\system32\userinit.exe, something Bartpe put there since that is the drive that has its files. I changed it to d:\windows\system32\userinit.exe, and rebooted and it's still the same, reboot after windows splash screen. The system partition is on D. Is there anything else I can try?

Thanks

[AdvancedSetup]

No, by booting with a BartPE disk it was showing you the local bootup registry entry, not the one from your C: Local drive.

You would need to use a REMOTE REGISTRY tool such as offered on a current new build of an Ultimate Boot CD 4 Windows.

Also, I'm not saying that is the issue - just that it is a possibility.

[Raid]

I used a Bartpe cd and checked out that registry key. It listed i:\386\system32\userinit.exe, something Bartpe put there since that is the drive that has its files. I changed it to d:\windows\system32\userinit.exe, and rebooted and it's still the same, reboot after windows splash screen. The system partition is on D. Is there anything else I can try?

Thanks

When you replaced the mainboard, is the chipset still the same? If not, Windows NT family usually won't make it far into the system. The video issue you mentioned, everything greyed out, unable to do anything was a video driver problem. I suspect windows was busily detecting new hardware when you scanned, and when it requested the reboot, it's hanging on the switched chipset. If that's the case.

we need more information.

[swetbak]

When you replaced the mainboard, is the chipset still the same? If not, Windows NT family usually won't make it far into the system. The video issue you mentioned, everything greyed out, unable to do anything was a video driver problem. I suspect windows was busily detecting new hardware when you scanned, and when it requested the reboot, it's hanging on the switched chipset. If that's the case.

we need more information.

Hi Raid.

I don't know for sure, but doubt that the chipset is the same. The scenario you mention is possible, but I had it running for a long time and rebooted it several times over the course of a few hours before this happened. I'm not sure the "greyed out" area in the background tab of Display properties was a driver issue, since I was able to navigate around and change resolution, etc and it showed the correct video card. I think the malware was keeping me from changing the background, but I could be wrong. There was O with a / thru it (sorry, I don't know how to make that character) next to the cursor. I guess it was a message that I couldn't remove the background no way, no how.

Assuming it's not a chipset issue, can you think of any way to get this to boot up?

I had the same thing happen the week before when cleaning up another friends laptop. The only difference was I was using Spybot on that one and while it was deleting the bad things it rebooted and went into the same reboot loop just after the splash screen; although it didn't give me warning that it was going to reboot. Fortunately it was a Sony and it had a restore partition accessible with F10. It was such a strange coincidence I though maybe it was environmental, but one happened at home and one at work. Maybe I'm holding my mouth wrong??

Thanks,

[Raid]

Hi Raid.

I don't know for sure, but doubt that the chipset is the same. The scenario you mention is possible, but I had it running for a long time and rebooted it several times over the course of a few hours before this happened. I'm not sure the "greyed out" area in the background tab of Display properties was a driver issue, since I was able to navigate around and change resolution, etc and it showed the correct video card. I think the malware was keeping me from changing the background, but I could be wrong. There was O with a / thru it (sorry, I don't know how to make that character) next to the cursor. I guess it was a message that I couldn't remove the background no way, no how.

Assuming it's not a chipset issue, can you think of any way to get this to boot up?

I had the same thing happen the week before when cleaning up another friends laptop. The only difference was I was using Spybot on that one and while it was deleting the bad things it rebooted and went into the same reboot loop just after the splash screen; although it didn't give me warning that it was going to reboot. Fortunately it was a Sony and it had a restore partition accessible with F10. It was such a strange coincidence I though maybe it was environmental, but one happened at home and one at work. Maybe I'm holding my mouth wrong??

Thanks,

I've got a few ideas. Your familar with a bartpe disc I see... Good. In the system volume information folder, lies another folder, which contains more folders, in date order. Pick one from a few days before you ran into this problem, and cd into it.

Inside that folder is (yes, another one) a snapshot folder, and inside it is a backup of the system registry hive files.

Copy these to a temp folder on your hard disk, like c:\work

rename them from _REGISTRY_BLAH_BLAHSYSTEM to SYSTEM.

and do the same for the others, SAM, HARDWARE, SOFTWARE AND DEFAULT.

now, create another folder c:\oldreg, and copy the contents from c:\windows\system32\config to c:\oldreg

copy the renamed files from c:\work to the c:\windows\system32\config folder, and select yes to overwrite the older ones.

Exit the console prompt and reboot the computer, allow it to try and boot on it's own and report back your results.

[swetbak]

I've got a few ideas. Your familar with a bartpe disc I see... Good. In the system volume information folder, lies another folder, which contains more folders, in date order. Pick one from a few days before you ran into this problem, and cd into it.

Inside that folder is (yes, another one) a snapshot folder, and inside it is a backup of the system registry hive files.

Copy these to a temp folder on your hard disk, like c:\work

rename them from _REGISTRY_BLAH_BLAHSYSTEM to SYSTEM.

and do the same for the others, SAM, HARDWARE, SOFTWARE AND DEFAULT.

now, create another folder c:\oldreg, and copy the contents from c:\windows\system32\config to c:\oldreg

copy the renamed files from c:\work to the c:\windows\system32\config folder, and select yes to overwrite the older ones.

Exit the console prompt and reboot the computer, allow it to try and boot on it's own and report back your results.

There were about 2 dozen folders in the sys vol folder, but only about half of them contained a snapshot folder. The best I could tell they were all dated before I got hold of the computer, around the first of May. I took one in the middle which was end of April. These are the 5 files that I renamed and copied to the config folder:

SAM

SECURITY

SOFTWARE

SYSTEM

DEFAULT

There were other files in the snapshot folder that I didn't copy over and these were:

Repostion (folder)

ComDB.dat

domain.txt

and half dozen Registry_User-NTUSER_SID#...... entry's.

After reboot, still having same behavior: Blue screen flashes about 5 seconds after Windows splash screen and reboot.

I am going to try to record the boot with a camera so I can read read what the Blue screen is displaying.

Also regarding the Bartpe cd. I'm trying to enable the Ad-Aware SE plugin but I don't have a refs.def file. I have the newest Ad-Aware 2008. I have a core.aawdef file. Can I just rename that file or do I need a different version of Ad-Aware?

Thanks

[swetbak]

I just noticed Advancedsetup's final entry, so I am working on making an Ultimate Boot CD 4 Windows, and will give his registry change another try.

I'm also uploading the Blue Screen error screen shot that says:

STOP: C000007b {Bad Image}

The application or DLL \??\H:\WINDOWS\System32\basetcf32.dll is not a valid windows image. Please check t...

As you can see, Windows is installed on H: drive. This is consistant with the location when I was trying to clean it out prior to my current problem. Interestingly, BartPE shows Windows on D drive. H (along with E, F, and G) are listed as "Removable drives". C drive is Emachines recovery partition, which shows up in the boot.ini as Unidentified operating system on drive C.

error1.bmp

error1.bmp

[AdvancedSetup]

It is probably because the BartPE you used may not have recognized some devices so it then puts the drive down at D:

Not really an issue which drive Windows is installed to for NT machines. Most applications also know and use the correct drive when working with it.

The latest version of UBCD4W has a REMOTE REGISTRY tool that will open the Registry of your hard drive instead of the one from the CD that it's running from.

For future reference, please use .JPG files for screen shots and use the tag to allow it to be shown in the post instead of having to download it.

[swetbak]

Sorry about the upload.

Able to use the Remote Registry tool. Here is the entry for Userinit in HKLM:

H:\Windows\System32\userinit.exe,H:\Windows\System32\Client\svchost32.exe,

I changed it to: H:\Windows\System32\userinit.exe, and rebooted. It's still doing the same reboot thing after the splash screen.

When I started the Remote Registry tool, it asked if I wanted to "Load remote user profiles for scanning?". Not sure what that means so I said "No".

Should I do anti-spyware and AV scans of the hard drive using UBCD4W?

[swetbak]

I went ahead and deleted all temp files from each user profile. Also all files in Windows\prefetch, and Windows\temp.

I ran stinger, but of course it didn't give me a log file so I don't know if it found anything.

No change in behavior.

[Raid]

Sorry about the upload.

Able to use the Remote Registry tool. Here is the entry for Userinit in HKLM:

H:\Windows\System32\userinit.exe,H:\Windows\System32\Client\svchost32.exe,

I changed it to: H:\Windows\System32\userinit.exe, and rebooted. It's still doing the same reboot thing after the splash screen.

When I started the Remote Registry tool, it asked if I wanted to "Load remote user profiles for scanning?". Not sure what that means so I said "No".

Should I do anti-spyware and AV scans of the hard drive using UBCD4W?

It mentioned a file previously, in the reboot. You should boot from a bartpe disc, and temporarily rename the bad .dll file to .bad, and try booting the machine again.

The application or DLL \??\H:\WINDOWS\System32\basetcf32.dll is not a valid windows image. Please check t

please rename that file from .dll to bad and try again.

[AdvancedSetup]

Also are you 100% sure you followed Raid's advice on copying over the repair versions of the registry? Changing all the Registry files pretty much can normally stop most Malware as there is no entry anywhere telling it to load unless it has replaced a known system file.

It could also be that there is some hardware/software entry on the system that is preventing it from loading properly.

[swetbak]

Also are you 100% sure you followed Raid's advice on copying over the repair versions of the registry? Changing all the Registry files pretty much can normally stop most Malware as there is no entry anywhere telling it to load unless it has replaced a known system file.

It could also be that there is some hardware/software entry on the system that is preventing it from loading properly.

I renamed and copied the 5 files exactly as I stated in my post. I will redo the steps again on Monday. I'll also rename the file Raid suggests and get back to you.

Thanks,

[swetbak]

I renamed and copied the 5 files exactly as I stated in my post. I will redo the steps again on Monday. I'll also rename the file Raid suggests and get back to you.

Thanks,

Ok, I had no luck doing any of this. I did however come across an XP Home cd and used it to do a repair (second repair option). Windows boots up now and I can log in.

After logging into the Owners account I can't do much. If I try to run app's, a dos window opens and closes fast. If I right click and choose "run as" and then uncheck the box to "protect my computer..." some things will run. Rogue Remover and cwshredder didn't find anything. I think SmitfraudFix found something (all ran in safe mode).

Not able to get into many items in the Control panel (User accounts, network connections, system, security center, mouse, keyboard, a/r programs, add hardware, etc..) just the black window that closes quickly. This is all the same in Safe Mode, and I can't get on the Internet in "Safe mode with Networking"; but can't get to device manager to see if the network card is recognized.

Long story short: Still many problems. Don't know what is malware or just broken files, but I feel better knowing I can finally give you something besides descriptions.

Here are the logs from Smitfraudfix and HJT:

SmitFraudFix v2.329

Scan done at 5:51:32.64, Wed 07/16/2008

Run from H:\Documents and Settings\Administrator\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

[swetbak]

I was finally able to make out the path shown in the title bar of those windows that open and close when I click on (almost) anything. It says "H:\Windows\System32\drivers\spools.exe". I think they are all saying that.

Hope this helps.

[swetbak]

You're going to kill me. I couldn't help but run Malwarebytes also, so here is the log and an updated HJT log:

p.s. I wasn't thinking and turned the computer off after this.

Malwarebytes' Anti-Malware 1.19

Database version: 899

Windows 5.1.2600 Service Pack 1

7:01:49 AM 7/16/2008

mbam-log-7-16-2008 (07-01-49).txt

Scan type: Full Scan (C:\|H:\|)

Objects scanned: 59889

Time elapsed: 8 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 5

Registry Data Items Infected: 0

Folders Infected: 17

Files Infected: 38

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winnt32 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Adware.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{dda28099-dacf-415d-a5a8-bb134fca3d6a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bdkpfxqw (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

H:\Program Files\Common Files\SystemErrorFixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.

H:\WINDOWS\system32\382077 (Trojan.BHO) -> Quarantined and deleted successfully.

H:\WINDOWS\system32\916992 (Trojan.BHO) -> Quarantined and deleted successfully.

H:\Documents and Settings\LocalService\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\ECHIJIOLE\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\ECHIJIOLE\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\ECHIJIOLE\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\ECHIJIOLE\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\ECHIJIOLE\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\ECHIJIOLE\Application Data\ShoppingReport\cs\res2 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\All Users\Application Data\systemerrorfixer (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.

H:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.

Files Infected:

C:\Program Files\LiveAntispy\LiveAntispy.exe (Rogue.LiveAntispy) -> Quarantined and deleted successfully.

C:\Program Files\LiveAntispy\LiveAntispy0.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\LiveAntispy\LiveAntispy1.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Program Files\LiveAntispy\LiveAntispy3.dll (Rogue.Multiple) -> Quarantined and deleted successfully.

H:\oldreg\systemprofile\ftp34.dll (Trojan.DownLoader) -> Quarantined and deleted successfully.

H:\Program Files\Common Files\SystemErrorFixer\strpmon.exe (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.

H:\WINDOWS\system32\382077\382077.dll (Trojan.BHO) -> Quarantined and deleted successfully.

H:\WINDOWS\system32\916992\916992.dll (Trojan.BHO) -> Quarantined and deleted successfully.

H:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\LocalService\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\ECHIJIOLE\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\ECHIJIOLE\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\ECHIJIOLE\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\ECHIJIOLE\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\ECHIJIOLE\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\ECHIJIOLE\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\ECHIJIOLE\Application Data\ShoppingReport\cs\res2\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.

H:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\ac (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.

H:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\em (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.

H:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\oid (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.

H:\Documents and Settings\All Users\Application Data\systemerrorfixer\Data\user (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.

H:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.

H:\WINDOWS\system32\Client\svchost32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

H:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.

H:\WINDOWS\system32\drivers\spools.exe (Trojan.Agent) -> Quarantined and deleted successfully.

H:\Documents and Settings\Administrator\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.

H:\WINDOWS\system32\drivers\clbdriver.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

H:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.

H:\WINDOWS\system32\clbinit.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

H:\WINDOWS\wxdbpfvo.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

H:\WINDOWS\gndarmblvpg.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

H:\Documents and Settings\Owner\Local Settings\Tempmjiwep0.exe (Trojan.Agent) -> Quarantined and deleted successfully.

H:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.

H:\Documents and Settings\ECHIJIOLE\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:04:03 AM, on 7/16/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Safe mode with network support

Running processes:

H:\WINDOWS\System32\smss.exe

H:\WINDOWS\system32\winlogon.exe

H:\WINDOWS\system32\services.exe

H:\WINDOWS\system32\lsass.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\system32\svchost.exe

H:\WINDOWS\System32\svchost.exe

H:\WINDOWS\Explorer.EXE

H:\WINDOWS\System32\WgaTray.exe

H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {E4FFD1CB-D8A7-44BB-A3F1-C177AE513988} - H:\WINDOWS\system32\mljjj.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sRFirstRun] rundll32 srclient.dll,CreateFirstRunRp

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - H:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - H:\WINDOWS\web\related.htm

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - H:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin_0.5.1.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D7AD1C86-AB85-46FD-8B61-01BF20F0EFB1}: NameServer = 85.255.116.43,85.255.112.135

O17 - HKLM\System\CCS\Services\Tcpip\..\{FA1EC96F-EFDB-4C2F-BB51-5F8EA029CBF4}: NameServer = 85.255.116.43,85.255.112.135

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.43 85.255.112.135

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.43 85.255.112.135

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.43 85.255.112.135

O20 - Winlogon Notify: mlJCTmKa - mlJCTmKa.dll (file missing)

O20 - Winlogon Notify: pgjrawnu - H:\WINDOWS\

O20 - Winlogon Notify: __c0069830 - H:\WINDOWS\system32\__c0069830.dat (file missing)

O20 - Winlogon Notify: __c009DC24 - H:\WINDOWS\system32\__c009DC24.dat (file missing)

O21 - SSODL: CheckAlrt - {5f7b7b43-7742-4f33-83ba-7952324a36d4} - H:\WINDOWS\Resources\CheckAlrt.dll (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - H:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\System32\nvsvc32.exe

--

End of file - 3557 bytes

[AdvancedSetup]

Now that the system is running enough to logon to it. Please download the latest version of Malwarebytes and the updater program and install both of them onto the bad computer.

mbam-setup.exe

mbam-rules.exe

Install, then run the updater, then do a Quick Scan and post the results in the HJT forum along with a link to this post so that we're aware that you've already done some work on this.

Also run a NEW HJT scan after running the latest MB program and post it along with the MB log.

HijackThis 2.0.2 installer

.