Full Version: My PC Keeps Restarting!
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
RonSpice
I need help!
My PC Keeps restarting, and the only way I can do anything is in safe mode with networking.
When I try to start it normally, it keeps giving me a restart prompt with a countdown that lasts about 30 seconds.
Then it restarts and does the whole thing all over again.

I had to run HJT in safemode since I can't get the PC to start normally, but here's the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:34 PM, on 11/15/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - c:\winnt\system32\lodctr.dll
O2 - BHO: (no name) - {46600D6A-7867-4C1B-8B35-DBBC7DD2AABF} - C:\Program Files\WindowsUpdate\mezoheq83122.dll
O2 - BHO: (no name) - {5DC2F8EB-4E52-4B47-BADA-2B40CAB4EEA6} - C:\Program Files\WindowsUpdate\mezoheq4444.dll
O2 - BHO: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
O2 - BHO: {e6b6070d-a38d-a45b-53e4-66dd0931a057} - {750a1390-dd66-4e35-b54a-d83ad0706b6e} - C:\WINNT\system32\ocflloqm.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINNT\system32\fzssfuyz.dll
O2 - BHO: C:\WINNT\system32\jkd845jg.dll - {B5AC49A2-94F3-42BD-F434-2604812C897D} - C:\WINNT\system32\jkd845jg.dll
O2 - BHO: (no name) - {B5ECE52D-B89C-4E34-B4BD-6FAF3D3D2BD5} - C:\DOCUME~1\MDS07\LOCALS~1\Temp\jkkkk.dll
O2 - BHO: (no name) - {bcfa78d8-f7a8-4f38-a68f-bbc51243b5b8} - C:\WINNT\system32\amjcmvk.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Program Files\E404 Helper\e404.v5.dll
O2 - BHO: 0 - {FCEFB565-7CA7-4E89-E9A3-E01DC2C21FD5} - C:\Program Files\Accessories\qulaburuh455.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [lcfep] "C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe" -x
O4 - HKLM\..\Run: [runner1] C:\WINNT\mrofinu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE546321EF81683BADC7E4F67D83F516CAC59B6
O4 - HKLM\..\Run: [avp] C:\WINNT\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [Printer] C:\WINNT\system32\printer.exe
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\MDS07\LOCALS~1\Temp\8828\gm.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\DOCUME~1\MDS07\LOCALS~1\Temp\__c00A1964.dat",realset
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\DOCUME~1\MDS07\LOCALS~1\Temp\jkkkk.dll,c
O4 - HKCU\..\Run: [Spoolsv] C:\WINNT\system32\spoolvs.exe
O4 - HKCU\..\Run: [Taoe] "C:\PROGRA~1\MCROSO~1.NET\tracert.exe" -vt yazb
O4 - HKCU\..\Run: [userinit] C:\Documents and Settings\MDS07\Application Data\ntos.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [__c00DDD1B] rundll32.exe "C:\DOCUME~1\MDS07\LOCALS~1\Temp\__c00DDD1B.dat",B
O4 - HKCU\..\Run: [A00F52BC60.exe] C:\DOCUME~1\MDS07\LOCALS~1\Temp\_A00F52BC60.exe
O4 - HKCU\..\Run: [NI.UGA6P_0001_N122M2210] "C:\DOCUME~1\MDS07\LOCALS~1\Temp\gitobxmn.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: findfast.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/clients/y/st3_x.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1180820018181
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spamblockerutility.com/ins...ckerutility.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mds.mdsinc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mds.mdsinc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mds.mdsinc.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = mds.mdsinc.com
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINNT\system32\eiumfji.dll
O22 - SharedTaskScheduler: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINNT\system32\eiumfji.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINNT\System32\Vmover.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\rterteproleg.html

--
End of file - 6664 bytes


How much of a mess is this!?
RonSpice
I tried getting rid of some stuff, but nothing changed.
Here's an updated HJT log.
Anyone there?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:48 AM, on 11/16/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {46600D6A-7867-4C1B-8B35-DBBC7DD2AABF} - C:\Program Files\WindowsUpdate\mezoheq83122.dll
O2 - BHO: (no name) - {5DC2F8EB-4E52-4B47-BADA-2B40CAB4EEA6} - C:\Program Files\WindowsUpdate\mezoheq4444.dll
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [Taoe] "C:\PROGRA~1\MCROSO~1.NET\tracert.exe" -vt yazb
O4 - HKCU\..\Run: [userinit] C:\Documents and Settings\MDS07\Application Data\ntos.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [__c00DDD1B] rundll32.exe "C:\DOCUME~1\MDS07\LOCALS~1\Temp\__c00DDD1B.dat",B
O4 - HKCU\..\Run: [A00F52BC60.exe] C:\DOCUME~1\MDS07\LOCALS~1\Temp\_A00F52BC60.exe
O4 - HKCU\..\Run: [NI.UGA6P_0001_N122M2210] "C:\DOCUME~1\MDS07\LOCALS~1\Temp\gitobxmn.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mds.mdsinc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mds.mdsinc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mds.mdsinc.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = mds.mdsinc.com
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINNT\System32\Vmover.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Accessories\rterteproleg.html

--
End of file - 3066 bytes
HJThis
Hello RonSpice & Welcome

First, may I ask that you don't fix anything more for now. And are you running a virus scanner? If so, I'm not seeing it running in the background. I would also like to see you download Ad-Aware 2007 Free, install it, run an update, and run a full system scan. Come back here and attach its logfile.


Please download Ad-Aware 2007 for free Here


NOTE: Make sure to remove all other versions of Ad-Aware before installing the new version.


Gogo
RonSpice
Thanks for the welcome.

There isn't any anti-virus software on this PC that I am aware of.

I am downloading AdAware now, but I can only install and use it in SAFE MODE.
Is that going to work?

And I won't do anything else without you telling me to.
I got anxious, and I saw that other people were being answered sooner, so I thought there was something wrong with my post!
Now I know better......
RonSpice
Problem. I can't install anything in safe mode...
HJThis
Hi RonSpice

Please hold-on here I'm going to have someone take a look here.

Gogo
RonSpice
OK. Thanks.
LS CalamityJane
That's a severely infected computer, I'm afraid.

Skip trying to install anything right now. Let's try to get it under control with some free fix tools for some of the stuff I see there.

See if this helps with the restarting:
Go to: Control Panel / System / Advanced / Startup and Recovery / Settings.
Make sure the box is UNCHECKED where it says "Automatically Restart" under "System Failure."

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here

......................
Next step
You are also going to need this one too:

Download ComboFix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

RonSpice
They called in the big guns, eh? Well thanks Jane. I hope you can help me.
It's a shared PC, and I just can't believe how bad it is!

The boxes where it says "Automatically Restart" under "System Failure" are blacked out.
All 3 boxes are checked (write an event to the system log - send an administrative alert - automatically reboot) and cannot be unchecked.

Is that an administrator thing? Is there anything that I can do?
LS CalamityJane
Run those tools in safe mode and let's see what is there. I'm sure there are some backdoor trojans running and it looks pretty severely infected.

A reformat/reinstall might be in order even if we can get it cleaned up. If that is easy enough for you it is probably the safest, easiest solution. But if not, I'll try to work with you on it as best I can.
LS CalamityJane
SDbot - I'll give you a generic definition because there are thousands upon thousands of variants of this and more coming out each day. They basically all do about the same thing.

Yours was running - likely this entry:
O4 - HKCU\..\Run: [Spoolsv] C:\WINNT\system32\spoolvs.exe

It may or may not come also with a rootkit which is stealth technology to hide malware - so there may be more.

Generic definition (from Kaspersky)
http://www.viruslist.com/en/viruses/encycl...a?virusid=24976
QUOTE
Backdoor.SdBot.gen

Aliases
Backdoor.SdBot.gen (Kaspersky Lab) is also known as: W32/Lolol.worm.gen (McAfee), W32.Spybot.Worm (Symantec), Win32.IRC.Bot.based (Doctor Web), W32/Spybot-CQ (Sophos), Win32/HLLW.SpyBot (RAV), Worm/SpyBot.#3 (H+BEDV), Win32:SpyBot-GEN (ALWIL), Worm/Spybot (Grisoft), Backdoor.SDBot.Gen (SOFTWIN), Trojan.Spybot.gen-3 (ClamAV), W32/Spybot.BE.worm (Panda), Win32/SpyBot.AFL (Eset)
Description added Aug 21 2002
Behavior Backdoor
Technical details

This is a family of backdoor malicious programs, which provide the user with remote control over victim machines. This is achieved by sending commands via IRC channels.
Installation

Depending upon the program version, the backdoor copies itself either to the Windows System directory or to other directories located in the System directory. The program also registers a copy of itself in the system registry, which ensures that it will be executed when Windows is started:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

The registry value will vary according to which version of the backdoor has infected the machine.
Payload

Backdoor.SdBot connects to a range of IRC servers, then connects with a channel that is hard coded into its body. It is then ready to receive remote commands, such as downloading and executing remote files, acting as an IRC proxy server, joining IRC channels, sending messages via IRC, and sending UDP and ICMP packets to remote computers.


What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft.com/technet/security/...o/virusrat.mspx

Additionally, it has downloaded more malware onto that computer which also causes damage and other infections that affect the system.
RonSpice
QUOTE (LS CalamityJane @ Nov 16 2007, 07:16 PM)
Run those tools in safe mode and let's see what is there. I'm sure there are some backdoor trojans running and it looks pretty severely infected.

A reformat/reinstall might be in order even if we can get it cleaned up. If that is easy enough for you it is probably the safest, easiest solution. But if not, I'll try to work with you on it as best I can.

I ran SDfix, and it stopped a few times, but finished.
When it restarted in normal mode, I had the same problem, and had to go back to safe mode.
Then I tried to run Combofix, and I was told I need Administrative privileges to run the tool.

What would I have to do to reformat/reinstall?
I don't think I can do anything else.
LS CalamityJane
Can you post the SDFix log so I can see what it found?

Instruction and help on reformat/reinstall (do you have the original install CD?)
When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

I'd really like to confirm exactly what's going on there to be sure.

You should still be able to run ComboFix in safe mode - you just have to log in as administrator to run it.

You should also be able to access this online AV scanner:
* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems
LS CalamityJane
It may help also to use HijackThis to *fix* these items.

Scan and checkmark these entries, then press the *fix checked* button

O2 - BHO: (no name) - {46600D6A-7867-4C1B-8B35-DBBC7DD2AABF} - C:\Program Files\WindowsUpdate\mezoheq83122.dll

O2 - BHO: (no name) - {5DC2F8EB-4E52-4B47-BADA-2B40CAB4EEA6} - C:\Program Files\WindowsUpdate\mezoheq4444.dll

O4 - HKLM\..\Run: [smgr] mgrs.exe

O4 - HKCU\..\Run: [Taoe] "C:\PROGRA~1\MCROSO~1.NET\tracert.exe" -vt yazb

O4 - HKCU\..\Run: [userinit] C:\Documents and Settings\MDS07\Application Data\ntos.exe

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - HKCU\..\Run: [__c00DDD1B] rundll32.exe "C:\DOCUME~1\MDS07\LOCALS~1\Temp\__c00DDD1B.dat",B

O4 - HKCU\..\Run: [A00F52BC60.exe] C:\DOCUME~1\MDS07\LOCALS~1\Temp\_A00F52BC60.exe

O4 - HKCU\..\Run: [NI.UGA6P_0001_N122M2210] "C:\DOCUME~1\MDS07\LOCALS~1\Temp\gitobxmn.exe"

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

Delete anything you can in this folder:
C:\DOCUME~1\MDS07\LOCALS~1\Temp

Delete these files:
C:\winstall.exe
mgrs.exe

C:\Documents and Settings\MDS07\Application Data\ntos.exe

Delete this folder:
C:\PROGRA~1\MCROSO~1.NET (note the misspelling intended to spoof "Microsoft": this one starts with the letters MCROSO, with no "i" in it). Don't delete the legitimate folder of similar name (the one spelled right).
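The entries picked out in this thread can be re-derived mechanically from the O4 (autorun) lines of the log. The script below is an added example written for this thread; it is not HijackThis code and not the helper's own procedure. It works out which file each O4 entry really loads (for rundll32 that is the module argument, for a startup-folder .lnk the path after the equals sign) and reports the kinds of indicator the posts above rely on: payloads in a Temp directory, rundll32 loading a .dat file, executables dropped in the drive or Windows root, value names such as "userinit" or "Spoolsv" that borrow a system component's name, and misspelled look-alikes such as spoolvs.exe or the MCROSO~1.NET folder. The name list, the edit-distance thresholds and the sample lines (copied from the O4 section of the first log in this thread, with the long command-line argument of mrofinu77.exe left out) are this example's own assumptions.

```python
"""Triage of HijackThis 'O4' autorun lines.  Added example for this thread:
not HijackThis code and not the helper's own procedure.  Every heuristic,
name list and threshold below is an assumption of the example."""
import os
import re
from typing import List, NamedTuple, Tuple

# System components whose names droppers borrow or misspell (assumed list).
KNOWN_STEMS = {"spoolsv", "svchost", "userinit", "explorer", "winlogon",
               "lsass", "csrss", "services", "microsoft"}
# Directories in which a user-mode program should not normally sit.
WINDOWS_ROOTS = {"c:", "c:\\winnt", "c:\\windows"}

O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<value>[^\]]*)\] )?(?P<command>.+)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
# A quoted path, or an unquoted path that ends at its file extension.
TARGET_RE = re.compile(r'^"([^"]+)"|^(.+?\.[a-z0-9]{2,4})(?=[\s,]|$)', re.I)


class Finding(NamedTuple):
    where: str
    target: str
    reasons: List[str]


def osa_distance(a: str, b: str) -> int:
    """Levenshtein distance plus adjacent transpositions ('spoolvs' -> 'spoolsv' is 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def loaded_target(command: str) -> Tuple[str, bool]:
    """Path the entry really executes, and whether rundll32 loads it."""
    command = USER_SUFFIX_RE.sub("", command).strip()
    if " = " in command:                       # "Name.lnk = path" startup-folder form
        command = command.split(" = ", 1)[1].strip()
    m = TARGET_RE.match(command)
    if not m:
        return command, False
    target = m.group(1) or m.group(2)
    if target.lower().endswith("rundll32.exe"):  # the module argument is the payload
        m2 = TARGET_RE.match(command[m.end():].strip())
        if m2:
            return (m2.group(1) or m2.group(2)), True
    return target, False


def suspicious_reasons(value: str, target: str, via_rundll32: bool) -> List[str]:
    low = target.lower().replace("/", "\\")
    parts = [p for p in low.split("\\") if p and not p.endswith(":")]
    base, stem = parts[-1], os.path.splitext(parts[-1])[0]
    parent = low.rsplit("\\", 1)[0] if "\\" in low else ""
    ext = os.path.splitext(base)[1]
    reasons = []
    if "\\temp\\" in low:
        reasons.append("payload launched from a Temp directory")
    if via_rundll32 and ext != ".dll":
        reasons.append(f"rundll32 loading a non-DLL module ({ext or 'no extension'})")
    if "\\" not in low:
        reasons.append("bare file name: locate it on disk before judging it")
    elif parent in WINDOWS_ROOTS:
        reasons.append("executable dropped directly in the drive or Windows root")
    if value.lower() in KNOWN_STEMS and stem != value.lower():
        reasons.append(f"value name '{value}' borrows a system component name but runs {base}")
    for comp in parts:                          # misspelled look-alikes, 8.3 names included
        name = os.path.splitext(comp)[0]
        is_short = "~" in name                  # DOS 8.3 form: compare against first 6 letters
        name = re.sub(r"~\d+$", "", name)
        for known in KNOWN_STEMS:
            ref = known[:6] if is_short and len(known) > 6 else known
            if name != ref and osa_distance(name, ref) <= (2 if len(name) >= 6 else 1):
                reasons.append(f"'{comp}' looks like '{known}' but is not")
    return reasons


def triage(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:                               # only O4 lines are autoruns
            continue
        target, via_rundll32 = loaded_target(m.group("command"))
        reasons = suspicious_reasons(m.group("value") or "", target, via_rundll32)
        if reasons:
            findings.append(Finding(m.group("where"), target, reasons))
    return findings


SAMPLE_LOG = [  # constructed from the first log in this thread (mrofinu77 argument omitted)
    r"O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon",
    r'O4 - HKLM\..\Run: [lcfep] "C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe" -x',
    r"O4 - HKLM\..\Run: [runner1] C:\WINNT\mrofinu77.exe",
    r"O4 - HKLM\..\Run: [smgr] mgrs.exe",
    r'O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\DOCUME~1\MDS07\LOCALS~1\Temp\__c00A1964.dat",realset',
    r"O4 - HKCU\..\Run: [cmds] rundll32.exe C:\DOCUME~1\MDS07\LOCALS~1\Temp\jkkkk.dll,c",
    r"O4 - HKCU\..\Run: [Spoolsv] C:\WINNT\system32\spoolvs.exe",
    r'O4 - HKCU\..\Run: [Taoe] "C:\PROGRA~1\MCROSO~1.NET\tracert.exe" -vt yazb',
    r"O4 - HKCU\..\Run: [userinit] C:\Documents and Settings\MDS07\Application Data\ntos.exe",
    r"O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe",
    r"O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')",
    r"O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE",
    r"O2 - BHO: (no name) - {46600D6A-7867-4C1B-8B35-DBBC7DD2AABF} - C:\Program Files\WindowsUpdate\mezoheq83122.dll",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.where:26} {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

Bare names such as mgrs.exe or mobsync.exe are reported only as "locate on disk", because the log records no directory for them, and every other reason is likewise a triage hint for a human to confirm rather than a verdict: ntos.exe passes on its path alone, which is why the value-name check exists, and an entry that trips nothing still has to be judged on what the file actually is.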