BleepingComputer.com: Logging in to WinXP,wont let me log in

MOD EDIT: As there is no malware I moved this to Windows XP,so you can can more eyes on this.

I boot my PC and get to the user name log in screen. I have 2 users on my PC. The curser is a arrow and usually when you hover over a user name it turns into a hand and lets when you click it lets you log in. In my case it doesnt change to a hand and doesnt let me log in.
When I push ctrl+Alt+delete the screen goes dark and the log into windows screen appares asking me for a user name and password. I click on cancel and than the curser changes to a hand and lets me log in.
Once I log in I see that Avira doesnt start up and all the programs dont work properly. I could use the internet.

Thanks in advance

This post has been edited by boopme: 08 February 2012 - 04:20 PM

Hello dira,

My name is bloopie, and I'll be assisting you for the time being.

That's an unusual problem to stem up from nowhere. When did this problem occur? Have you made any recent changes to the machine that could cause this?

Please list the manufacturer and model of your computer!

We need to see some logs to get a better view:

Try to run the following in normal boot mode:

First, please download Rkill by Grinler and save it to your desktop.

Link 1
Link 2

• Double-click on the Rkill desktop icon to run the tool.
  
• If using Vista, right-click on it and Run As Administrator.
  
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  
• If not, delete the file, then download and use the one provided in Link 2.
  
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  
• If the tool does not run from any of the links provided, please let me know.

Do not reboot the computer after the tool runs, or you will need to run the application again.

Please download Malwarebytes Anti-Malware and save it to your desktop.

• Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.

Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  
• If an update is found, the program will automatically update itself. Press the OK button and continue.
  
• If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.

• Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  
• Click on the Scan button.
  
• When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked and then click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  
• Exit Malwarebytes when done.

Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

========================================================

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning.

========================================================

Please include the MBAM and GMER logs in your next reply!

bloopie

This post has been edited by bloopie: 03 February 2012 - 11:06 PM

Also, please let me know if there is any change in the computers behaviour after running the scans!


bloopie

This post has been edited by bloopie: 03 February 2012 - 11:08 PM

Thanks for your reply.
I cannot save any of the files you asked me to download. When I click on the link you provided and than click on "save file" it just freezes up firefox and I have to close it. I tried it with both links for GMER and RKill

Hi again,

Sorry to hear that...try a different approach please:

Can you try to download the files with Internet Explorer instead of Firefox? And if that doesn't work also try to do the same in safemode.

Make sure you choose safemode 'With Networking'.

Let me know if you are still having trouble after trying the above steps.

bloopie

I downloaded it with Chrome and its the GMER is scanning now. i will post it when its done.
MalwareBytes was already installed on my PC so I just ran it. It came up with no virus but I will post the log anyway.

Hi,

Quote

Good to hear!

When running MBAM, you need to make sure it's updated! Use the "updates" tab and 'check for updates' until there are none left.

When done, please post all the logs here for review.

bloopie

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-05 09:15:17
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2 WDC_WD25 rev.10.0
Running: epfwn134.exe; Driver: C:\DOCUME~1\ML~1\LOCALS~1\Temp\pxtdipow.sys


---- System - GMER 1.0.15 ----

SSDT BA700284 ZwClose
SSDT BA70023E ZwCreateKey
SSDT BA70028E ZwCreateSection
SSDT BA700234 ZwCreateThread
SSDT BA700243 ZwDeleteKey
SSDT BA70024D ZwDeleteValueKey
SSDT BA70027F ZwDuplicateObject
SSDT BA700252 ZwLoadKey
SSDT BA700220 ZwOpenProcess
SSDT BA700225 ZwOpenThread
SSDT BA7002A7 ZwQueryValueKey
SSDT BA70025C ZwReplaceKey
SSDT BA700298 ZwRequestWaitReplyPort
SSDT BA700257 ZwRestoreKey
SSDT BA700293 ZwSetContextThread
SSDT BA70029D ZwSetSecurityObject
SSDT BA700248 ZwSetValueKey
SSDT BA7002A2 ZwSystemDebugControl
SSDT BA70022F ZwTerminateProcess

---- User code sections - GMER 1.0.15 ----

.text C:\program files\real\realplayer\update\realsched.exe[3100] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\explorer.exe[3644] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C62F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[3644] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C62C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[3644] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C62CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\explorer.exe[3644] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C62CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)

Device \FileSystem\Fastfat \Fat 98527D20

AttachedDevice \FileSystem\Fastfat \Fat mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.05.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
ML :: HOME [administrator]

2/5/2012 10:38:08 AM
mbam-log-2012-02-05 (10-38-08).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 246747
Time elapsed: 10 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

My internet browsers are acting a little weird. In Firefox, I cant close or minimize the screen by clicking on the x on top or the minimize icon next to it, I can only do it thru the toolbar.
In Chrome, if i open a new tab than the old one closes by itself and i can not click on the tools tab.

Hi again,

The logs are looking pretty good, so let's take a look elsewhere:

• Please download MBRScan and save it to your desktop.
  
• Doubleclick on MBRScan.exe and click the Report button. (Vista and Windows 7 Users, right click on MBRScan and then click on run as administrator).
  
• Please don't use the computer while the scan is running. The computer may not respond until the scan is done. Please be patient and don't force a restart of the computer.
  
• When the scan is finished, a log file will appear.
  
• Save that log file to your desktop and post its content in your next reply.

Also, please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

• Ensure all Firefox windows are closed.
  
• To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  
• When prompted to run the scan, click Yes.
  
• GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Make sure to post both logs in your next reply please. Use any browser that you can to download and post the logs.

bloopie

GooredFix by jpshortstuff (03.07.10.1)
Log created at 16:38 on 05/02/2012 (ML)
Firefox version 10.0 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [02:01 01/05/2011]

C:\Documents and Settings\ML\Application Data\Mozilla\Firefox\Profiles\92wzgla4.default\extensions\
vshareus@toolbar [01:57 01/08/2010]
{20a82645-c095-46ed-80e3-08825760534b} [01:31 09/05/2010]
{7aeb3efd-e564-43f1-b658-5058a7c5743b} [13:35 09/01/2012]
{8061ddcf-3632-4287-8d8a-133e219ae838} [00:14 21/02/2010]
{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} [04:50 31/01/2007]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [03:47 04/05/2009]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext" [03:44 24/01/2012]
"web2pdfextension@web2pdf.adobedotcom"="C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn" [19:06 29/01/2012]

-=E.O.F=-

Hi,

Have you run the MBRScan from my last post? Please also post that log here.

bloopie

MBRScan v1.1.0

OS             : Windows XP Home Service Pack 3 (32 bit)
PROCESSOR      : x86 Family 15 Model 6 Stepping 4, GenuineIntel
BOOT           : Normal Boot
DATE           : 2012/02/05 (ISO 8601) at 20:15:02
________________________________________________________________________________

DISK           : Device\Harddisk0\DR0 __WDC WD25 00JS-75NCB3 (10.0)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : YES
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

Device\Harddisk0\DR0	232.8 Go  [Fixed] ==> Unknown MBR Code

MBR_MD5   : 2395697370A640220529097C25492CAF
MBR_SHA1  : E43E8E205EF3E6C6474968D3C3C85BD32161C0CB

Device\Harddisk0\Partition1	39.19 Mo  	0xDE Dell Utility 
Device\Harddisk0\Partition2	229.6 Go  	0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition3	3.20 Go  	0xDB CP/M/CTOS 
________________________________________________________________________________

############################### Additional scan ################################

DRIVER  : C:\WINDOWS\System32\Drivers\dump_iastor.sys => Invisible on the disk
ADDRESS : 0x945C0000
SIZE    : 732.0 Ko

SystemStartOptions : NOEXECUTE=OPTIN  FASTDETECT

________________________________________________________________________________

_______MBR   \Device\Harddisk0\DR0  

0x00000000   B8 00 00 8E D0 BC 00 7C 8E D8 FC B9 80 00 8B F4   ¸...м.|.Øü¹...ô
0x00000010   BF 00 06 8E C0 F3 66 A5 EA 2D 06 00 00 10 00 01   ¿...Àóf¥ê-......
0x00000020   00 00 00 00 00 00 00 00 00 00 00 00 00 E8 C5 00   .............èÅ.
0x00000030   B4 11 CD 16 74 48 3D 00 89 75 43 B4 10 CD 16 33   ´.Í.tH=..uC´.Í.3
0x00000040   DB C6 87 BE 07 00 80 BF C2 07 DB 74 0E 83 C3 10   ÛÆ.¾...¿Â.Ût..Ã.
0x00000050   83 FB 40 72 EC BE 47 07 E9 92 00 C6 87 BE 07 80   .û@rì¾G.é..Æ.¾..
0x00000060   C6 87 C2 07 0C 2E C7 06 21 06 00 06 B8 43 00 86   Æ.Â...Ç.!...¸C..
0x00000070   C4 B2 80 BE 1D 06 CD 13 72 DB 0A E4 75 D7 33 DB   IJ.¾..Í.rÛ.äu×3Û
0x00000080   33 C9 8A 87 BE 07 3C 00 74 0C 3C 80 74 05 BE 8A   3É..¾.<.t.<.t.¾.
0x00000090   07 EB 5A 41 8B EB 83 C3 10 83 FB 40 72 E4 BE 95   .ëZA.ë.Ã..û@rä¾.
0x000000A0   07 00 0C 80 F9 01 72 4B 77 43 BE 58 07 8B C5 C1   ....ù.rKwC¾X..ÅÁ
0x000000B0   E8 04 00 44 1B FF D7 66 8B 86 C6 07 66 2E A3 25   è..D..×f..Æ.f.£%
0x000000C0   06 2E C7 06 21 06 00 7C B4 42 B2 80 BE 1D 06 CD   ..Ç.!..|´B².¾..Í
0x000000D0   13 BE 80 07 72 17 0A E4 75 13 BE 78 07 FF D7 BE   .¾..r..äu.¾x..×¾
0x000000E0   AB 07 81 3E FE 7D 55 AA 75 03 E9 13 75 FF D7 B4   «..>þ}Uªu.é.u.×´
0x000000F0   00 CD 16 CD 18 B8 03 00 CD 10 B8 00 B8 8E C0 33   .Í.Í.¸..Í.¸.¸.À3
0x00000100   FF B8 20 1F B9 50 00 F3 AB B1 0C BE 3B 07 BF 44   .¸ .¹P.ó«±.¾;.¿D
0x00000110   00 AC AB E2 FC B4 02 B7 00 BA 00 02 CD 10 B4 86   .¬«âü´.·.º..Í.´.
0x00000120   B9 1E 00 BA 80 84 CD 15 BF 2C 07 C3 AC 3C 00 74   ¹..º..Í.¿,.ì<.t
0x00000130   09 B4 0E BB 07 00 CD 10 EB F2 C3 77 77 77 2E 64   .´.»..Í.ëòÃwww.d
0x00000140   65 6C 6C 2E 63 6F 6D 43 61 6E 6E 6F 74 20 72 65   ell.comCannot re
0x00000150   73 74 6F 72 65 0D 0A 00 4C 6F 61 64 69 6E 67 20   store...Loading 
0x00000160   50 42 52 20 66 6F 72 20 64 65 73 63 72 69 70 74   PBR for descript
0x00000170   6F 72 20 31 2E 2E 2E 00 64 6F 6E 65 2E 0D 0A 00   or 1....done....
0x00000180   66 61 69 6C 65 64 2E 0D 0A 00 42 61 64 20 66 6C   failed....Bad fl
0x00000190   61 67 0D 0A 00 30 20 61 63 74 69 76 65 20 70 61   ag...0 active pa
0x000001A0   72 74 69 74 69 6F 6E 73 0D 0A 00 42 61 64 20 50   rtitions...Bad P
0x000001B0   42 52 0D 0A 00 00 00 00 8C 73 F4 D0 00 00 00 01   BR.......sôÐ....
0x000001C0   01 00 DE FE 3F 04 3F 00 00 00 86 39 01 00 80 00   ..Þþ?.?....9....
0x000001D0   01 05 07 FE FF FF C5 39 01 00 92 9E B2 1C 00 00   ...þ..Å9....²...
0x000001E0   C1 FF DB FE FF FF 57 D8 B3 1C 22 77 66 00 00 00   Á.Ûþ..Wس."wf...
0x000001F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA   ..............Uª

Hi again,

Your logs are clean, so this may not be a malware issue. I'd like you to try the following:

Run System File Checker

Make sure you have your XP Disc handy.

The System File Checker (Sfc.exe) utility is used for scanning protected operating system files to verify their version and integrity. If System File Checker detects any operating system file with the incorrect file version, it replaces the corrupted file with a file that has the correct version from the Windows installation source files.

• Click Start>Run and then highlight and copy the text in the codebox below, then paste it into the open Runbox.

sfc /scannow

• Then press enter

Note: If it asks for your installation CD please insert it, if it doesn't ask, then it did not need to copy any files.

Please let me know how it goes!

Next, I would like you to uninstall Firefox and reinstall it again.

Then I'd like us to scan your machine with ESET OnlineScan

• Hold down Control and click on this link to open ESET OnlineScan in a new window.
  
• Click the button.
  
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    
  • Double click on the
    icon on your desktop.
  
  
• Check "YES, I accept the Terms of Use."
  
• Click the Start button.
  
• Accept any security warnings from your browser.
  
• Under scan settings, check "Scan Archives" and "Remove found threats"
  
• Click Advanced settings and select the following:
  • Scan potentially unwanted applications
    
  • Scan for potentially unsafe applications
    
  • Enable Anti-Stealth technology
  
  
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  
• When the scan completes, click List Threats
  
• Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  
• Click the Back button.
  
• Click the Finish button.

Please post the log from ESET if produced, and let me know how your computer is running after this.

bloopie

Hi, I ran everything above and it all came out clean. however this morning I got this pop up from Avira

My computer is still acting very weird

Hi again,

I may have missed something, try this please:

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

• Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
  Vista/Windows 7 users right-click and select Run As Administrator.
  
• If TDSSKiller does not run, try renaming it.
  
• To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  
• Click the Start Scan button.
  
• Do not use the computer during the scan
  
• If the scan completes with nothing found, click Close to exit.
  
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  
• Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  
• A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  
• Copy and paste the contents of that file in your next reply.

Also, run a scan with Avira if it didn't act on it's detections and have it remove what it's found. Let me know if Avira cannot remove the detections.

bloopie