Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

System Restore Doesn't Work?!


  • Please log in to reply
2 replies to this topic

#1 compy

compy

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:55 AM

Posted 19 June 2008 - 12:46 AM

Lately, there have been some problems with my computer. I've uninstalled AVG because of a very annoying error message 'the application has failed to start because of a configuration error' or something like that. Now, I've tried to install Bitdefender Free but the service vsserv wont start and I've got a wonky Bitdefender 8 on my computer. I want to do a System Restore but it doesn't open. No error message. Shell32.dll is at 13.5 MB. Basically, my system is messed up and you'll probably find inconsistencies in the HJT logs. There might be some malware.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:26 PM, on 19/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Vista Applications\ViOrb\ViOrb.exe
C:\Program Files\Vista Applications\ViStart\ViStart.exe
C:\Program Files\Vista Applications\AveDesk\AveDesk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Comodo\Memory Firewall\cmf.exe
C:\Program Files\Vista Applications\Vista Drive Icon\DrvIcon.exe
C:\Program Files\Softwin\BitDefender8\bdswitch.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Documents and Settings\Anonymous\Desktop\Hijack This!.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG Anti-Virus\avgssie.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Vista Applications\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [ViOrb] "C:\Program Files\Vista Applications\ViOrb\ViOrb.exe" /hidetrayicon
O4 - HKLM\..\Run: [ViStart] C:\Program Files\Vista Applications\ViStart\ViStart.exe
O4 - HKLM\..\Run: [AveDesk] C:\Program Files\Vista Applications\AveDesk\AveDesk.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Comodo Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [Comodo Memory Firewall] "C:\Program Files\Comodo\Memory Firewall\cmf.exe" -s
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Applications\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Program Files\Softwin\BitDefender8\bdswitch.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TransBar] C:\Program Files\Vista Applications\TransBar\TransBar.exe /s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5225 bytes

StartupList report, 19/06/2008, 3:41:02 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Anonymous\Desktop\Hijack This!.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16674)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Vista Applications\ViOrb\ViOrb.exe
C:\Program Files\Vista Applications\ViStart\ViStart.exe
C:\Program Files\Vista Applications\AveDesk\AveDesk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Comodo\Memory Firewall\cmf.exe
C:\Program Files\Vista Applications\Vista Drive Icon\DrvIcon.exe
C:\Program Files\Softwin\BitDefender8\bdswitch.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Documents and Settings\Anonymous\Desktop\Hijack This!.exe
C:\Program Files\Windows Defender\MpCmdRun.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Anonymous\Start Menu\Programs\Startup]
Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ViOrb = "C:\Program Files\Vista Applications\ViOrb\ViOrb.exe" /hidetrayicon
ViStart = C:\Program Files\Vista Applications\ViStart\ViStart.exe
AveDesk = C:\Program Files\Vista Applications\AveDesk\AveDesk.exe
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
Comodo Firewall Pro = "C:\Program Files\Comodo\Firewall\cfp.exe" -h
Comodo Memory Firewall = "C:\Program Files\Comodo\Memory Firewall\cmf.exe" -s
DrvIcon = C:\Program Files\Vista Applications\Vista Drive Icon\DrvIcon.exe
BDSwitchAgent = "C:\Program Files\Softwin\BitDefender8\bdswitch.exe"
BDMCon = "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
BDNewsAgent = "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
TransBar = C:\Program Files\Vista Applications\TransBar\TransBar.exe /s
msnmsgr = "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
WMPNSCFG = C:\Program Files\Windows Media Player\WMPNSCFG.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=C:\WINDOWS\system32\guard32.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\WLXPGSS.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

WormRadar.com IESiteBlocker.NavFilter - C:\Program Files\AVG Anti-Virus\avgssie.dll (file missing) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
(no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045}

--------------------------------------------------

Enumerating Task Scheduler jobs:

MP Scheduled Scan.job

--------------------------------------------------

Enumerating Download Program Files:

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx
CODEBASE = http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 7,097 bytes
Report generated in 2.281 seconds

BC AdBot (Login to Remove)

 


#2 compy

compy
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:55 AM

Posted 19 June 2008 - 01:11 AM

Windows Live Messenger fails to go online, it simply terminates itself. Also, after executing drwtsn32.exe and launching System Restore, it says rstrui.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created.

Edited by compy, 20 June 2008 - 12:57 AM.


#3 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:55 PM

Posted 12 July 2008 - 08:27 PM

Hello compy

Welcome to BleepingComputer :thumbsup:
========================
If you are still in need of assistance please post a new Hijackthis log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users