XP Disasters


  • This topic is locked
5 replies to this topic

#1 bobvance

bobvance

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:04:48 PM

Posted 24 May 2009 - 03:14 PM

I was posting in Virus/Spyware and Moderator Boopme was helping. I was running Malwarebytes (MBAM), SuperantiSpyware, and SDFix. I posted the following SDFix log:

SDFix: Version 1.240
Run by Vince on Wed 05/13/2009 at 07:45 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-13 19:57:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 1381
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 1381
disk error: C:\Documents and Settings\Vince\ntuser.dat, 1381
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"="C:\\Program Files\\IncrediMail\\bin\\ImApp.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\\Program Files\\Magentic\\bin\\MgImp.exe"="C:\\Program Files\\Magentic\\bin\\MgImp.exe:*:Enabled:Magentic"
"C:\\Program Files\\Magentic\\bin\\Magentic.exe"="C:\\Program Files\\Magentic\\bin\\Magentic.exe:*:Enabled:Magentic"
"C:\\Program Files\\Magentic\\bin\\MgApp.exe"="C:\\Program Files\\Magentic\\bin\\MgApp.exe:*:Enabled:Magentic"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe"="C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :



Files with Hidden Attributes :

Thu 24 Jan 2008 2,323,784 ...H. --- "C:\Program Files\Golden Hearts Juice Bar\golden_hearts.exe"
Tue 22 Jan 2008 2,327,880 ...H. --- "C:\Program Files\Jojo's Fashion Show\JojosFashionShow.exe"
Fri 1 Feb 2008 7,134,200 ...H. --- "C:\Program Files\Purrfect Pet Shop\ps.exe"
Fri 4 May 2007 2,600,960 ...H. --- "C:\Program Files\SpongeBob SquarePants Obstacle Odyssey\SpongeBob SquarePants Obstacle Odyssey.exe"
Thu 4 Jan 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 1 Sep 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 8 May 2009 0 A..H. --- "C:\Documents and Settings\Vince\Local Settings\Application Data\Microsoft\Outlook\~Outlook.pst.tmp"
Wed 6 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 6 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Wed 6 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Wed 6 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Wed 6 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Wed 6 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp"

Finished!

Boopme said to run a fullscan with MBAM also.

I replied that:
I can't run MBAM full scan - stops responding - tried 3 times. SAS full scan resulted in blue screen of death twice. This was the last quick scan log for MBAM run after 2nd attempt at full.

Malwarebytes' Anti-Malware 1.36
Database version: 2161
Windows 5.1.2600 Service Pack 3

5/20/2009 11:01:56 PM
mbam-log-2009-05-20 (23-01-56).txt

Scan type: Quick Scan
Objects scanned: 131396
Time elapsed: 9 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.
C:\Documents and Settings\Vince\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\autochk.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmn_setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\SystemProfile\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vince\Start Menu\Programs\Startup\ChkDisk.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vince\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

Boopme said:

Ok this is a pretty ill machine.
We need to run HJT/DDS.
Please follow this guide: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.



The first step in the prep guide is to backup data. I tried Cobian for backup and got:

5/22/2009 9:54:30 PM Creating or updating the archive "E:\C 2009-05-22 21;54;30.zip"
ERR 5/22/2009 9:55:56 PM Error while creating or updating the archive "E:\C 2009-05-22 21;54;30.zip": Cannot create file "E:\C 2009-05-22 21;54;30.zip". Incorrect function
5/22/2009 9:55:56 PM **** Backup for "Backup 1" ended. 0 file(s) were backed up. (Elapsed time: 0 hour(s), 1 minute(s), 25 second(s)) ****
ERR 5/22/2009 9:55:56 PM The backup contains 1 error(s)

I get a popup that says "the file or directory C:\Documents and Settings\Vince\Local Settings\Application Data\Microsoft\Outlook\~Outlook.pst.temp is corrupt and unreadable. Please run the chkdsk utility." I can't run chkdsk /f.

I have tried to backup some files manually but get error messages the E drive is inaccessible (I can play DVDs). Tried to backup a Zune and got a message that Zune needed to be reinstalled. If I search on these latest error messages in MicroSoft, they would suggest a Clean Start Up - Is that the way to go?

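As an added example (not code from the original post or from Malwarebytes), a small Python triage helper for the MBAM 1.x log format quoted above: it parses the "item (family) -> action" detection lines and reports which items are still pending a reboot and which autostart locations (Run keys, Startup folder) were touched, using a constructed subset of the post's own entries as sample input.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the detection lines quoted in the post above.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.
C:\WINDOWS\system32\autochk.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Vince\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
"""

# One MBAM 1.x detection line: "<item> (<family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (section, item, family, action) tuples for each detection line."""
    section, results = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):          # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            results.append((section, m["item"], m["family"], m["action"]))
    return results


def classify_persistence(item):
    """Name the autostart location an item lives in, or None if it is not one."""
    low = item.lower()
    if "\\currentversion\\run\\" in low:
        return "registry Run key"
    if "\\start menu\\programs\\startup\\" in low:
        return "Startup folder"
    return None


def triage(text):
    """Split detections into items still pending a reboot and autostart points hit."""
    pending, autostart = [], defaultdict(list)
    for _section, item, family, action in parse_mbam_log(text):
        if action.lower().startswith("delete on reboot"):
            pending.append(item)          # verify these are gone after the reboot
        where = classify_persistence(item)
        if where:
            autostart[where].append((item, family))
    return {"pending_reboot": pending, "autostart": dict(autostart)}
```

Items left in "Delete on reboot" state and any autostart location that was cleaned are the first things to re-check if the machine keeps re-infecting after a scan.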

#2 fairjoeblue

fairjoeblue

  • Members
  • 1,594 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:48 PM

Posted 24 May 2009 - 03:22 PM

Sometimes Windows gets messed up so bad there is no fix short of reinstalling.
If MS recommends a clean install that is the way to go.

Turn the unit on and put the XP disk in the drive.
Leave the disk in the drive and restart the unit,
Watch the screen for a message that says "Press any key to boot from CD",
Press a key on the keyboard,
Wait while it goes through starting from the disk,
[You may have to press F8 during startup to accept the EULA]
When you get to the screen with the box that shows the current version of XP installed press "D" on the keyboard,
Press "Enter"
Press "L"
You now should have a screen asking what file system you want to format to, NTFS should be selected by default,
Press enter,
The disk will be formatted and the installation will automatically begin when the format is finished,
During the installation the computer will restart DO NOT press a key to boot from the CD again !
At that point the unit will boot from the hard drive and continue the installation.
After awhile you will be asked to "name" your computer,
I suggest naming it the same as the main user ID.
[Example, I have an XP unit named "testbox"; the user name is also "testbox"]
You will be asked if you want to turn on automatic updates, select NO or Not now,
You will be asked if you want to setup a network connection, click on skip,
You will be asked to enter a user name and password,
Enter the same name you used for the unit ,
Only enter a password if you want to have to log on every time XP starts,
[If you have more then one user you can enter passwords later]
Follow the prompts to finish.
When you get to the desktop the only icon showing will be the recycle bin
Click on the "Tour XP" balloon [or icon in the taskbar by the clock] and click "Cancel"
Go to Start>Control Panel,
Double click "Taskbar and Start Menu"
Click on the "Start Menu" tab
Put a dot in the circle by "Classic Start Menu"
[That will put the icons on the desktop]
Click OK
Double click on "Folder Options"
Click on the "View" tab
Go down the list until you find "Show hidden files and folders"
[for future use]
put a dot in the circle by it
Click OK
Close the Control Panel
Double click on "My Computer"
Right click on the "C:" drive
Left click on "Properties"
Click on the "Tools" tab
Click on "Defragment Now"
Defrag the drive
When you are done start installing your other programs and applications
[Defrag again when finished]
When they are installed if you have the "activate XP" notice do the activation,
When you have gotten this far either go to Windows Update and do the updates or go to "My Computer" and right click on it
Left click on "Properties"
When the box opens click on the "Automatic Updates" tab
Put a dot in the circle next to "Automatic [Recommended]"
Click OK.
In order for the Automatic Updates to begin right away turn the unit completely off then restart it.

#3 hamluis

hamluis

    Moderator


  • Moderator
  • 54,864 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:02:48 PM

Posted 24 May 2009 - 04:30 PM

If...you are getting directives from a forum advisor/moderator...in the malware area....you should be posting all results of directions/suggestions given you...in that forum.

Louis

#4 bobvance

bobvance
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:04:48 PM

Posted 24 May 2009 - 07:28 PM

Sorry. I will post this under my previous topic. Hadn't heard in a couple of days and the last direction that I had was to run HJT/DDS, then go to http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/ and post a new topic. Since I could not back up my system, I did not run HJT/DDS. I posted this status Friday and hadn't heard anything, so I thought the topic may be closed.

#5 hamluis

hamluis

    Moderator


  • Moderator
  • 54,864 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:02:48 PM

Posted 24 May 2009 - 08:51 PM

If the malware personnel send you here, that's one thing.

That occurs when they feel there's nothing they can do (at that point) or there is no known malware situation.

But...that end of the loop must be closed first...before anyone in this forum attempts to "help" you (but, in the process, defeats the efforts of the personnel volunteering in the malware forums).

Louis

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,722 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:48 PM

Posted 25 May 2009 - 01:09 AM

To avoid confusion, I am closing this topic. ~ OB