My computer crashed when I ran Spybot in safe mode?

Status
Not open for further replies.
You know I've never actually read this type of report!
But it does tell me everything about what's starting and security updates installed and lots more (addins)
But I can't see where it says removed, or cannot remove

There's no entry saying Spybots can't remove this file (or anything like that)
You may need to re-run it and when it finds the exact file again, look up the details of it (this can be done by first highlighting the found file, then clicking to expand the RHS arrow).

At least Spybots reports everything about all files starting up.
 
I haven't seen it either. But there are some things that need to be addressed:

First and most important, you are running TWO anti-virus programs! That is a given to cause problems. Decide on one, uninstall the other:
1. C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP> AVG Anti-Virus Control Center.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe> Alert manager for AVG Anti-Virus System
2. C:\PROGRA~1\mcafee.com\agent\mcagent.exe> mcagent.exe known as McAfee Virusscan Agent

Second, it must take you at least 10 minutes to load all the startups! STOP these from starting at boot:
1. C:\Program Files\Lexmark 4300 Series\ezprint.exe
2. C:\Program Files\Lexmark 4300 Series\lxcemon.exe
3. C:\Program Files\Dell Support\DSAgnt.exe" /startupfile:
4. C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
5. C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
6. C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
7. C:\Program Files\Common Files\Real\Update_OB\realsched.exe
8. C:\Program Files\Logitech\Video\ISStart.exe

Reconsider this program: C:\Program Files\SpyNoMore\SNM.exe /startup
SpyNoMore was listed on Spyware Warrior as a rogue program because of concerns with false positives. Testing with the latest version of the program indicates that the problems with earlier versions have been satisfactorily resolved. Thus, we can no longer consider SpyNoMore to be "rogue/suspect" anti-spyware.

You have these and they are known, good programs without a shady background:
1. C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
2. C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

There is a great deal more on your startups that do not need to start at boot and run in the background. You are also running at least 2 messenger programs MSN & AOL.
 
Wow Bobbye, you really put a lot of time in that

I was thinking to address every issue too, but you actually did it :)

Sounds a little patronizing, but well done. :grinthumb
 
Thanks, you guys, for all the great input :)
question-how do u remove program from running in the startup and background?
and I already uninstalled spynomore.exe, why is it still in my start up? and how can I remove it?

Blind Dragon here is my newest hijackthis log and avenger log
how is my pc doing so far??
 
Gonna look through logs now

A simple way of managing startup programs is through Spybot S&D. Go to Mode and select Advanced. Then expand Tools in the left pane, double click System Startup, and uncheck items that don't need to be started every time you turn on your computer. If you don't know what something is you can post here or google for it. Don't uncheck anything in green.
 
"how do u remove program from running in the startup and background?"

Like this:
Start> Run> type in 'msconfig' without the quotes> enter> Selective Startup> Startup tab> uncheck any process you don't want to start when you boot> Apply> OK.

Reboot the computer. You will get a 'nag' message that you can just close after checking 'don't show this message again.'

The process name at the end of the program files I left is what you should see. There are a few more, but that's a start.

As for uninstalling SpyNoMore, you won't be able to do it until you stop it from starting up. So uncheck it while you're there. After you've rebooted, you should then be able to uninstall it correctly in Add/Remove Programs in the Control Panel.
 
This is nasty, it took forever to put this together but should save you a lot of time. Had to go back through your logs plus added some from research.

You have 2 of the worst infections I know of, cnsminkp and searchnet amongst others. Unfortunately I don't know of an easy fix for either so I made up a script to run with avenger and am hoping it gets those 2 off, but there are more infections present that also have no easy fixes. So I am going to do my best with this.

Note: This program must be run from an account with Administrator privileges.

  • Open the Avenger folder and double click Avenger.exe to launch the programme.
  • Copy the text in the code box below and Paste it into the Input script here: box.
Code:
Drivers to delete:
LEGACY_ANFAD
LEGACY_CNSMINKP
LEGACY_FAD
LEGACY_INTERNET_CONNECTION_MANAGER
LEGACY_MSPCIDRV
LEGACY_REMOTE_LOG
Anfad
FAD
Internet Connection Manager
mspath
mspcidrv
Remote Log

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | CdnCtr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | SearchNet_Up
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | MoveSearch

Files to delete:
C:\Windows\System32\drivers\Anfad.sys
C:\Windows\System32\drivers\FAD.sys
C:\Windows\System32\ServeHost.dat
C:\Windows\System32\ServeHost.exe
C:\ProgramFiles\SearchNet\SearchNet.exe
C:\ProgramFiles\SearchNet\ServeUp.exe
C:\ProgramFiles\SearchNet\SNHpr.dll
C:\ProgramFiles\SearchNet\SrvNet32.dll
C:\ProgramFiles\SearchNet\UnInstall.exe
C:\Windows\System32\drivers\abhcop.sys
C:\Windows\System32\drivers\hcalway.sys

Folders to delete:
C:\ProgramFiles\wsearch
C:\ProgramFiles\HuaCi
C:\ProgramFiles\SearchNet

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{52BEA5F9-7E3F-490A-B7E8-9BD5DDDEE5DF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1AFED83-9133-4660-8C8F-DAF1B4A3D5A8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{158919D3-4CAB-4109-9755-9AE794D5B2DE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E8D3778F-47D3-4F1F-9245-3D46856936E4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZSXZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdnup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{04152c5b-7ca9-4bb1-8077-5ea42f787eb8}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{515bafd0-86a0-4b2a-9dfe-4440bf60c355}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{5c20c0e0-9a22-424f-92c8-6f408563ce98}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{93506e82-31e9-47b4-901e-2d04d6aa3b86}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{b9b553a9-77ff-44de-8c24-fe88ccdc4e93}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{c8a82950-abe8-4b7d-a5de-19c249a9cfac}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{cf3780c4-33ba-44bd-981f-e37940887d8b}
HKEY_LOCAL_MACHINE\SOFTWARE\SearchNet
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANFAD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_hprocess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FAD
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Anfad
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hprocess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FAD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote Log
HKEY_CLASSES_ROOT\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}
HKEY_CLASSES_ROOT\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}
HKEY_CLASSES_ROOT\Interface\{A07E6B9B-BB30-4381-A9D8-FABB0648BCEF}
HKEY_CLASSES_ROOT\TypeLib\{FD536575-73F7-42A3-9E9F-11688F1A006A}
HKEY_CLASSES_ROOT\TypeLib\{C5CE084B-31E0-4B34-A33A-82B4EA913CF8}
HKEY_CLASSES_ROOT\SearchM.Com
HKEY_CLASSES_ROOT\SearchM.Com.1
HKEY_CLASSES_ROOT\SearchM.Search
HKEY_CLASSES_ROOT\SearchM.Search.1
HKEY_CURRENT_USER\Software\Pig Move Search
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CDSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\»®´ÊËÑË÷
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\abhcop
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hcalway
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abhcop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hcalway

  • Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Ensure the following:
    • Scan for Rootkits is checked.
    • Automatically disable any rootkits found is Unchecked.
  • Press the Execute key.
  • Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
  • Post the log back here please. (it can also be found at C:\avenger.txt)
------------------------------------------------------------------------------------------------------------------------------------------------------------------

I will wait to see the attached avenger.txt log before we continue; we will need to search for some additional files whose paths I was unsure of.
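
A pre-run check for a removal script of the kind posted above, as an added example that is not part of the original post and not code from the Avenger tool. It covers only the section headers and the `key | value` form visible in the post; the `PROTECTED` list and the function names are assumptions made for this example.

```python
SECTIONS = {"Drivers to delete:": "driver", "Registry values to delete:": "regvalue",
            "Files to delete:": "file", "Folders to delete:": "folder",
            "Registry keys to delete:": "regkey"}   # headers as shown in the post
# Assumption: locations this example refuses to see deleted whole.
PROTECTED = [r"C:\Windows\System32\drivers", r"C:\Program Files",
             r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"]

def parse_script(text):
    """Split a script into (kind, entry) pairs; reject entries before any header."""
    kind, entries = None, []
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if line in SECTIONS:
            kind = SECTIONS[line]
        elif line and kind is None:
            raise ValueError(f"line {n}: entry outside any section")
        elif line:
            entries.append((kind, line))
    return entries

def covers(target, protected):
    """True if deleting target also removes protected (same location or a parent)."""
    t = target.rstrip("\\").lower().split("\\")
    return protected.lower().split("\\")[:len(t)] == t

def review(entries):
    """Return findings for entries that are malformed or too broad to run blindly."""
    findings = []
    for kind, entry in entries:
        target, sep, value = (p.strip() for p in entry.partition("|"))
        if kind == "regvalue" and not (sep and value):
            findings.append(f"malformed value entry (want 'key | value'): {entry}")
        elif kind in ("regkey", "regvalue") and not target.startswith("HKEY_"):
            findings.append(f"unknown registry hive: {entry}")
        elif kind in ("file", "folder") and target[1:3] != ":\\":
            findings.append(f"not an absolute path: {entry}")
        elif kind != "regvalue" and any(covers(target, p) for p in PROTECTED):
            findings.append(f"too broad, covers a protected location: {entry}")
    return findings

# Constructed sample: the CdnCtr and Anfad.sys lines are from the post, the other three are made-up bad entries.
SAMPLE = r"""Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | CdnCtr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Files to delete:
C:\Windows\System32\drivers\Anfad.sys
System32\drivers\FAD.sys
Folders to delete:
C:\Windows\System32
"""
print("\n".join(review(parse_script(SAMPLE))))
```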
 
Hi Blind Dragon
here is the new avenger log, there were some errors when I ran it
please let me know what I have to do next
Thanks a million!:wave: ;) :D
 
Please run combofix for me again and post the log as an attachment. I was working off of an older log and need to see it updated.
 