This is long... because I've been at this for two weeks. The "usual" fixit almost worked and then got nailed again.
Preliminaries:
--------------
Windows XP Media Edition SP3 + patches kept it up to date via Microsoft's Update site. This system has been upgraded from SP1.1 to SP2 and finally to SP3 via Microsoft service packs. I've got the SP3 CD at hand. And my partition and system recovery CD is nearby.
Microsoft Essentials Security. Up to this, it's done a good job at stopping the malware.
HP Pavilion a1240n, 3 GHz, hyperthreaded, 4 GB RAM, 250 GB disk (about 180 GB available), NVidia 6200 (runs dual monitor).
Side note: I've been fiddling with computers for a while now; written some software for Windows and Linux as part of my job. A few of my friends might consider me "technical". For all of that, this ...problem... has me nearing the end of my rope.
Trouble
-------
Aw, this machine was fast. Now? Several minutes to boot up in normal mode. The hard drive access light goes on SOLID a moment or two after the splash screen and the system is unresponsive. After a minute or two the drive can be heard to twitch ... and things start happening during the twitches.
It's "stuttering". Near unusable.
Give it maybe five minutes and it's sort-of active. But whatever's in there is putting a few seconds of delay into normal XP operations.
On start, Microsoft Essentials puts up that little red "house" in the System Tray. A few seconds later a warning panel pops up. "Security Essentials isn't monitoring your computer because the program's service stopped. You should restart it now." and there's a pretty button.
It does not matter if the button is pressed or not; a minute or so later the "house" symbol turns green.
What's been done so far:
-----------------------
1. Hauled out my 80 GB USB drive and backed up everything in sight while in Safe Mode. I think I've got a complete set of data.
2. Pulled a spare drive out of the closet, unplugged the drive with the problem, and built a new install of XPSP3 onto the new drive. I mean I started with the SP1.1a CD (it's a two-CD set) (three hours for the recovery system to finish the build and install) then SP3, then several visits to Microsoft's Update for on the order of 200 patches and packages. The computer is on a fairly fast link (Comcast) and all this took perhaps five hours.
Installed Essentials Security at the end of the patchfest.
3. Plugged in the USB drive with the intent of copying everything off it and onto the new system. That was a mistake: the drive was connected, recognized by XP, and then AutoRun/AutoPlay started. Two bright flashes of the drive access light, a pause, and the drive access light goes solid on and system response time goes to zilch.
This (3) is really irritating. I remember one patch indicating "Installing this patch will prevent Auto-something, do you wish to continue?" And I clicked Yes to install the patch. Apparently that didn't apply to USB-connected disk drives.
Then comes the sinking feeling that I'm in over my head.
What I Have Done So Far
-----------------------
Well, at least the data is safe (I HOPE!)... albeit to what appears to be an infected USB drive. So far I haven't seen signs of massive data corruption (chewed up text or Word '97 files, corrupted and unrunnable executables, etc). So I'm hoping my electronic records are intact.
Task Manager reports the System Idle Process at between 92% and 99%.
Sysinternals reports the same. It also reports lsass reading a LOT of data from the drive. Last I looked, it was past 200M and zooming right along. In Safe Mode (where this note is being written), it seems well-behaved.
Starting the Computer Management console, I'm looking at the Event Viewer under Application. There are a number of Errors. Here's one from just a little bit ago:
Event 5000
----------
EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4 3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 NIL, P10 NIL.
Event 5001
----------
Bucket 1568835785, bucket table 5, EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4 3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 NIL, P10 NIL.
There are several notices of applications being "hung". Partial list: msseces, mmc, all with address 0x00000000.
CHKDSK /r
Produced one bad sector. It says the data was recovered and the sector locked out.
CCleaner 3.0.6 cleaned out a pile of temp files.
I run Firefox and occasionally Internet Explorer 7. Both have had their respective "clean up the mess" buttons pushed.
Ran Trend Micro's HouseCall software. Several times. System comes up clean.
Ran Panda's online antivirus. System comes up clean.
Someone pointed me at HitmanPro 3.5 and that reported the system as clean.
Started a full scan by Microsoft's Essentials and that came up clean.
By now I'm wondering what has invaded the computer and either how to get rid of it or to build a system that won't get infected by it when that USB drive is plugged in.
SFC runs, claims DLLs are corrupted, and wants my Windows Professional Service Pack 3 CD to install correct copies. Plugging in the SP3 CD produces, "You inserted the wrong CD." and a repeated request for the correct CD.
I've gone through several iterations of turning everything off in the Startup then turning them on one at a time. The problem persists; nothing I turn off or turn on seems to have an effect. I'm a little leery of turning off Services (which service interacts with which ability?).
Per instructions, DDS has been run. Log files will be posted and attached per instructions.
I cannot get GMER to complete in WinXP SP3 normal boot. It gets to "IDE Part 0" (think that's what it said) then XP crashes itself. The screens blank, the drive spins down (!), the computer POSTs itself, reboots (now up to several minutes of the drive stuttering and performance crawling) and XP says, "The system has recovered from a serious error." and wants permission to tell Microsoft. I clicked OK. The report back from Microsoft says:
Stop (blue screen) error caused by device or driver.
The last driver installed was applied to the video interface, an NVidia 6200; it showed up in a Microsoft update cycle. Rolling the driver back didn't have an effect; GMER in normal mode is crashed dead a few seconds after launch.
GMER ran to completion (several hours) in Safe Mode. GMER then reports it could not find any system modifications.
What I have available
---------------------
Backup of data. Unfortunately, I recently moved and a few installation disks are somewhere in storage. The search for those continues.
An old P1 @ 233 MHz laptop is available. I can get on the net with it (it's faster than the P4 right now!). It runs Win98SE, has a USB port, and I've got USB memory sticks.
As mentioned above, the System Recovery and Service Pack 3 are available.
A spare drive. Another five hours and a fresh system could be built. I don't know how to stop AutoRun/AutoPlay when inserting a USB drive. Stopping that with CDs is easy: hold down the left-shift key. But USB drives?
Your time is appreciated.
WalkingThrough
================================
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.5730.11
Run by HP_Administrator at 1:12:12 on 2011-05-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2313 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\ALCMTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mWindow Title =
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\progra~1\icq\ICQ.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188396583656
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5131/mcfscan.cab
DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} - file:///C:/PSDK/controls/sdkinst.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: AutorunsDisabled - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\a0whf4qj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxps://www.google.com/search?ZUGO&form=2GAADF&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl0fb96d48;MpKsl0fb96d48;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b629575-beae-4f27-b9b6-28019eb30b96}\MpKsl0fb96d48.sys [2011-5-23 28752]
R1 MpKsla5b92dd3;MpKsla5b92dd3;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b629575-beae-4f27-b9b6-28019eb30b96}\MpKsla5b92dd3.sys [2011-5-24 28752]
R2 DriverX;DriverX;c:\windows\system32\drivers\driverx.sys [2009-3-30 234140]
R2 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2007-8-29 14336]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2008-4-9 80256]
R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [2008-4-4 70016]
S1 MpKslc1662846;MpKslc1662846;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b629575-beae-4f27-b9b6-28019eb30b96}\MpKslc1662846.sys [2011-5-23 28752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 4mmdat;4mmdat;c:\windows\system32\drivers\4mmdat.sys [2009-4-20 12288]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2008-10-11 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
.
=============== Created Last 30 ================
.
2011-05-24 05:00:20 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b629575-beae-4f27-b9b6-28019eb30b96}\MpKsla5b92dd3.sys
2011-05-24 04:00:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-24 04:00:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-24 04:00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-24 03:50:25 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b629575-beae-4f27-b9b6-28019eb30b96}\MpKslc1662846.sys
2011-05-24 03:35:43 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b629575-beae-4f27-b9b6-28019eb30b96}\MpKsl0fb96d48.sys
2011-05-23 06:07:41 6962000 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b629575-beae-4f27-b9b6-28019eb30b96}\mpengine.dll
2011-05-23 00:22:49 6962000 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-05-22 23:41:29 -------- d-----w- c:\program files\Microsoft Security Client
2011-05-22 16:42:54 -------- d-----w- c:\documents and settings\hp_administrator\local settings\application data\Sunbelt Software
2011-05-22 05:53:20 -------- d-----w- c:\documents and settings\all users\application data\NVIDIA Corporation
2011-05-22 05:47:20 252080 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-05-22 05:46:20 252080 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-05-22 05:46:20 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-05-22 05:43:01 6397824 ----a-w- c:\windows\system32\nv4_disp.dll
2011-05-22 05:43:01 6397824 ----a-w- c:\windows\system32\dllcache\nv4_disp.dll
2011-05-22 05:40:35 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-05-22 05:40:35 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-05-22 05:40:35 2916968 ----a-w- c:\windows\system32\nvcuvid.dll
2011-05-22 05:40:35 2292678 ----a-w- c:\windows\system32\nvdata.bin
2011-05-22 05:40:35 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-05-22 05:40:35 14671872 ----a-w- c:\windows\system32\nvoglnt.dll
2011-05-22 05:40:33 4980736 ----a-w- c:\windows\system32\nvcuda.dll
2011-05-22 05:39:34 1958400 ----a-w- c:\windows\system32\nvapi.dll
2011-05-22 05:39:34 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
2011-05-22 05:34:15 -------- d-----w- C:\NVIDIA
2011-05-17 23:48:16 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-13 10:17:07 -------- d-sh--r- C:\cmdcons
2011-05-13 10:16:54 -------- d-----w- c:\windows\setupupd
2011-05-13 08:24:04 -------- d-----w- c:\documents and settings\hp_administrator\local settings\application data\PCHealth
2011-05-13 03:38:01 -------- d-----w- C:\ToolBar SD
2011-05-11 08:42:23 -------- d-----w- C:\COMPARE
2011-05-10 01:16:11 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-05-07 15:57:57 -------- d-----w- C:\CCleaner Registry Backups
2011-05-07 15:41:33 -------- d-----w- c:\program files\CCleaner
2011-05-07 09:15:21 -------- d-----w- c:\program files\common files\Symantec Shared
2011-05-07 08:59:34 -------- d-----w- c:\documents and settings\hp_administrator\local settings\application data\Tific
2011-05-07 08:59:34 -------- d-----w- c:\documents and settings\hp_administrator\application data\Tific
2011-05-07 08:58:22 -------- d-----w- c:\documents and settings\all users\application data\Norton
2011-05-07 08:57:23 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
2011-05-03 02:31:06 61440 ----a-w- c:\windows\system32\OpenCL.dll
.
==================== Find3M ====================
.
2011-05-17 22:05:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-24 05:18:19 1424 ----a-w- C:\output.bat
2011-03-11 14:10:38 471552 ----a-w- c:\windows\apppatch\aclayers.dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-23 06:57:00 941160 ----a-w- c:\windows\system32\SET20.tmp
2011-02-23 06:57:00 6398720 ----a-w- c:\windows\system32\SETF.tmp
2011-02-23 06:57:00 1958400 ----a-w- c:\windows\system32\SET11.tmp
.
============= FINISH: 1:14:24.45 ===============
Followup....
Deleted all partitions on the spare drive, inserted the WinXP Partition Restore CDs, and that tripped a rebuild when the system was rebooted. Five hours later I've got a stable XP SP3 system.
Now, I know the USB backup drive is contaminated; a previously fresh-built XP was pwned in seconds after plugging it in.
Please... how can I stop XP from AutoPlay'ing the drive on attach?
Your time is appreciated.
Mod Edit: Merged posts ~ Hamluis.
Attached File(s)
attach.zip (7.1K)
This post has been edited by hamluis: 29 May 2011 - 05:10 AM
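An added example, not part of the original post or any reply in the thread, showing the two registry settings that disable AutoRun for removable (USB) drives on Windows XP, plus the optional service change that stops the AutoPlay prompt. It assumes a fully patched XP SP3 (the NoDriveTypeAutoRun policy was only honoured for non-optical drives after Microsoft's 2009 AutoRun update) and an administrator command prompt; reboot afterwards so Explorer re-reads the policy.

```batch
@echo off
rem Added example: harden Windows XP against AutoRun on removable/USB drives.
rem Run from an administrator command prompt, then reboot.

rem 1. NoDriveTypeAutoRun = 0xFF (255): bitmask with every drive-type bit set,
rem    so AutoRun is disabled for removable, fixed, network, CD-ROM and RAM disks.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" ^
    /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

rem 2. Map every Autorun.inf to a registry key that does not exist, so Windows
rem    never parses the file at all, whatever the policy bit says (belt and braces).
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" ^
    /ve /t REG_SZ /d "@SYS:DoesNotExist" /f

rem 3. Optional: stop the Shell Hardware Detection service, which drives the
rem    AutoPlay "what do you want to do with this disk?" prompt.
rem    Side effect: no AutoPlay prompts for any media until it is re-enabled.
sc config ShellHWDetection start= disabled
sc stop ShellHWDetection

rem 4. Verify: NoDriveTypeAutoRun should read back as 0xff and the
rem    Autorun.inf default value as @SYS:DoesNotExist.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve
```

Disabling AutoRun only stops Windows from launching whatever the drive's Autorun.inf points at; files copied off the drive still need to be scanned before they are opened on the rebuilt system.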