
Unknown Malady - Only Wallpaper upon login


  • This topic is locked
16 replies to this topic

#1 RiverMiss

  • Members
  • 54 posts
  • Gender:Female
  • Location:Iowa

Posted 01 June 2009 - 03:55 PM

I have a Dell Dimension 8400 XP SP2 computer. My computer had started getting a few stop errors and I had been trying to get to the bottom of them. The point at which things went amok was March 11, 2009 - I was on the internet in a site I pay for - an investing site - in a .pdf file - print preview - when I got a blue screen of death with a stop - 0X0000008E (0X0000005X, 0X805509E9, 0XA1AC6C08, 0X00000000).

When I re-booted I had a chkdsk set to run and it ran - it looked like just run-of-the-mill problems, but the results went by too quickly to really tell. On the restart from the chkdsk it ran a second chkdsk and then went to Windows. After logging in I only had wallpaper - no desktop icons or taskbar.

Using Task Manager I scanned with AVG but it detected nothing. I have tried many run-of-the-mill solutions that I read on different websites, such as typing explorer, replacing explorer, etc. Nothing has worked. I cannot run Internet Explorer or System Restore. I did notice last time I was on the computer that the only thing in Recent Documents was the desktop.ini file. I find that rather odd.

I am re-typing the contents so I hope I get the spaces correct because my writing leaves a bit to be desired:

[ShellClassInfo]
InfoTip=@shell32.dll,-12692
IconFile=%SystemRoot%\System32\Shell32.dll
IconIndex=-21
LocalizedResourceName=@Shell32.dll,-12691

I found a Microsoft article that might help and am including the link below:
http://support.microsoft.com/kb/330132

I ran dds.scr - which is brilliant because so far the bad guys do not appear to be stopping screensavers from running. The logs follow:


==== Installed Programs ======================

WILLPower
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat Elements 6.0
Adobe Flash Player 10 ActiveX
Adobe Reader 6.0.1
Adobe Reader 7.0.8
Adobe Reader 7.0.9
Adobe SVG Viewer 3.0
Adobe® Photoshop® Album Starter Edition 3.0
Adobe® Photoshop® Album Starter Edition 3.0.1
Advanced Analyzer
AnswerWorks Runtime
Apple Software Update
ATI Control Panel
ATI Display Driver
AVG Free 8.0
Banctec Service Agreement
Broadcom Advanced Control Suite 2
Business Complete Care Services Agreement
Classic PhoneTools
Corel Applications
Creative MediaSource
Creative System Information
Creative Zen Nano Plus
DeductionPro 2003
DeductionPro 2004-05
DeductionPro 2005-06
DeductionPro 2006
DeductionPro 2007
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Networking Guide
Dell System Restore
DQ DSL Modem
Dr Watson for Microsoft Windows OneCare Live v1.1.1067.14
Dragon NaturallySpeaking 9
FileMaker Pro 5.0
Horizons - 1.00.05
Horizons - 1.00.09
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP LaserJet 3050/3052/3055/3390/3392 2.0
HP Software Update
hppFaxDrv3390
hppFaxUtility
hppFonts
hppIOFiles
hppLJ3390
hppManuals3390
hppscan3390
hppScanTo
hppSendFax
hppTooCool
hppToolBoxFX
hpzTLBXFX
Intel Application Accelerator
Intel® 537EP V9x DFV PCI Modem
Internet Explorer Default Page
iPod for Windows 2005-10-12
iTunes
Jasc Animation Shop 3
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 9
Java™ 6 Update 11
Lotus SmartSuite Release 9.5
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Classic Board Games
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 10
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Pro 10
Microsoft Digital Image Suite 10
Microsoft FrontPage Server Extensions 2002
Microsoft IntelliPoint 5.2
Microsoft IntelliType Pro 5.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Meeting 2005
Microsoft Office XP Professional with FrontPage
Microsoft PhotoDraw 2000 V2
Microsoft Plus! Digital Media Edition
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! for Windows XP
Microsoft Plus! Photo Story 2 LE
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Modem Event Monitor
Modem Helper
Modem On Hold
MSN Money Investment Toolbox
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
Musicmatch for Windows Media Player
MUSICMATCH® Jukebox
NumeroLogic - 1.00.02
Pagis Pro 3.0
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
Perfect Attorney
PowerDVD 5.3
QFolder
Quicken 2006
QuickTime
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Scan
ScanSoft OmniPage Pro 14.0
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Solitaire Master 4
Sonic Update Manager
Sony ACID Music Studio 6.0
Sony DVD Architect Studio 3.0a
Sony Preset Manager 2.0d
Sony Sound Forge Audio Studio 8.0a
Sony Vegas Movie Studio 6.0a
Sound Blaster
SoundMAX
TaxCut 2004
TaxCut Deluxe 2005
TaxCut Iowa 2007
TaxCut Premium + State 2007
TaxCut Premium 2006
TD AMERITRADE StrategyDesk 1.1
TD AMERITRADE StrategyDesk 1.2
TD AMERITRADE StrategyDesk 1.3
TD AMERITRADE StrategyDesk 2.0
TD AMERITRADE StrategyDesk 2.1
TD AMERITRADE StrategyDesk 2.2
TD AMERITRADE StrategyDesk 2.3
TD AMERITRADE StrategyDesk 2.4_2 (C:\Program Files\TD AMERITRADE\StrategyDesk)
TD AMERITRADE StrategyDesk 3.0_3 (C:\Program Files\TD AMERITRADE\StrategyDesk)
TD AMERITRADE StrategyDesk 3.1_4 (C:\Program Files\TD AMERITRADE\StrategyDesk)
TextBridge Pro 9.0
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB914882)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
WebEx
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888310
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Winning Times - 1.00.12
WinWay Resume Deluxe
Word Connect
WordPerfect Office 12
WriteExpress 3,001 Business & Sales Letters

==== End Of File ===========================


DDS (Ver_09-05-14.01) - NTFSx86
Run by Karen at 13:52:56.50 on Mon 06/01/2009
Internet Explorer: 7.0.5730.11

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell4me.com/mywaybiz
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [InstantAccess] c:\progra~1\scansoft\textbr~1.0\bin\INSTAN~1.EXE /h
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DSLAGENTEXE] dslagent.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [CTSysVol] c:\program files\creative\sound blaster\surround mixer\CTSysVol.exe /r
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRunServices: [RegisterDropHandler] c:\progra~1\scansoft\textbr~1.0\bin\REGIST~1.EXE
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_11.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - hxxps://www.windowsonecare.com/install/cli/1.1.1067.14/WinSSWebAgent.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://download.microsoft.com/download/7/1/D/71D9F11F-0C02-4707-9D60-D56EA8951020/pmupd806.exe
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156355073093
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/activedata/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://tdameritradeevents.webex.com/client/T22L/event/ieatgpc.cab
DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - hxxps://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-30 06:25 <DIR> --d----- C:\Rooter$
2009-05-30 06:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-30 06:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 06:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-30 06:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2004-12-01 15:57 3,259 a------- c:\program files\INSTALL.LOG

============= FINISH: 13:53:20.17 ===============


I have run the Microsoft Malicious Software finder Quick Scan and it found nothing.

I ran Symantec's FixVundo.exe and it found nothing.

As you can see I installed Malwarebytes - but it would not run. I am using Task Manager & have to browse down to mbam.exe but could not get the program to run. Will it run if I rename the .exe file?

I ran rooter.exe & the log follows:

Microsoft Windows XP Professional (5.1.2600) Service Pack 2

A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - NTFS - (Total:148930 Mo/Free:3478 Mo)
D:\ [Fixed] - NTFS - (Total:238472 Mo/Free:3011 Mo)
E:\ [Removable] (Total:1927 Mo/Free:1785 Mo)
R:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
S:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)

Sat 05/30/2009| 6:25

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\Ati2evxx.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\LEXBCES.EXE
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\system32\LEXPPS.EXE
---------- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
---------- C:\WINDOWS\system32\CTsvcCDA.exe
---------- C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
---------- C:\WINDOWS\system32\HPZipm12.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\MsPMSPSv.exe
---------- C:\PROGRA~1\AVG\AVG8\avgemc.exe
---------- C:\PROGRA~1\AVG\AVG8\avgrsx.exe
---------- C:\PROGRA~1\AVG\AVG8\avgnsx.exe
---------- C:\Program Files\AVG\AVG8\avgcsrvx.exe
---------- C:\WINDOWS\system32\taskmgr.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Sat 05/30/2009| 6:26

----------------------\\ Scan completed at 6:26

I ran OTList and received an error:
"Access violation @ address 00506627 in module 'OTListIt2.exe'. Read of address 00000000."
Below that, the scan stopped at the C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder...
I tried to run it a few times with the same result.

From looking at the logs it appears to my untrained eye that something has changed http to hxxp in the registry and perhaps changed the csrss.exe and winlogon.exe files, and I am sure other things yet to be discovered.

I am appreciative of any assistance I can get with this problem. Yes, I started with a post at GeeksToGo but have had them close the post so that I do not have posts at more than one site.

Thank you.

Karen


Edited by RiverMiss, 02 June 2009 - 12:25 PM.
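The "Pseudo HJT Report" in the DDS log above is the part of the output a responder reads first, and two things in it are easy to misread. The hxxp:// prefixes are not a registry change: DDS deliberately writes http as hxxp so that a pasted log contains no clickable links, and the values on the machine still say http. And an autorun entry that names a bare executable, such as the DSLAGENTEXE line, deserves a second look not because it is known to be bad but because the log does not tell you which file on the search path will actually run. The Python below is an added example written for this page; it is not code from DDS, from BleepingComputer, or from anyone in this thread. It parses the entry types that appear in the posted report, refangs the URLs, and applies three cheap triage rules. The sample lines are copied from the posted log except the one marked CONSTRUCTED, which is added so the temp-directory rule has an entry to fire on; the field names and rule wording are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Lines copied from the DDS 'Pseudo HJT Report' posted above, in the tool's
# defanged form.  The one marked CONSTRUCTED is not from the posted log; it is
# there only so the temp-directory rule has an entry to fire on.
SAMPLE_LINES = [
    r"uStart Page = hxxp://www.dell4me.com/mywaybiz",
    r"BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll",
    r"mRun: [DSLAGENTEXE] dslagent.exe",
    r"mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE",
    r'mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"',
    r"mRunServices: [RegisterDropHandler] c:\progra~1\scansoft\textbr~1.0\bin\REGIST~1.EXE",
    r"mRun: [TempExample] c:\docume~1\karen\locals~1\temp\upd.exe /q",  # CONSTRUCTED
    r"DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}",
    r"DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab",
    r"Notify: avgrsstarter - avgrsstx.dll",
]

TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
CLSID = r"\{[0-9A-Fa-f-]+\}"


@dataclass
class Entry:
    kind: str                  # uRun, mRun, BHO, DPF, Notify, ...
    name: str                  # value name, display name or CLSID
    target: Optional[str]      # file, DLL or URL; None when the log shows none
    flags: List[str] = field(default_factory=list)


def refang(url: str) -> str:
    """Undo the DDS defanging: hxxp:// -> http://, hxxps:// -> https://."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def exe_path(target: str) -> str:
    """Return the executable part of a Run value, dropping any arguments."""
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    return target.split()[0]


def parse_line(line: str) -> Optional[Entry]:
    """Map one report line to an Entry; unknown shapes are kept as 'unparsed'."""
    line = line.strip()
    if not line:
        return None
    m = re.match(r"^(?P<scope>[um])(?P<what>Start Page|Default_Page_URL) = (?P<target>.+)$", line)
    if m:
        return Entry(m["scope"] + m["what"].replace(" ", ""), m["what"], refang(m["target"]))
    m = re.match(r"^BHO: (?P<name>.+?): (?P<clsid>" + CLSID + r") - (?P<target>.+)$", line)
    if m:
        return Entry("BHO", m["name"], m["target"])
    m = re.match(r"^(?P<kind>[um]Run(?:Services)?): \[(?P<name>[^\]]+)\] (?P<target>.+)$", line)
    if m:
        return Entry(m["kind"], m["name"], m["target"])
    m = re.match(r"^DPF: (?P<clsid>" + CLSID + r")(?: - (?P<target>.+))?$", line)
    if m:
        return Entry("DPF", m["clsid"], refang(m["target"]) if m["target"] else None)
    m = re.match(r"^(?P<kind>Notify|SSODL|Handler|IE): (?P<rest>.+)$", line)
    if m:
        parts = [p.strip() for p in m["rest"].split(" - ")]   # name[ - clsid] - file
        return Entry(m["kind"], parts[0], parts[-1] if len(parts) > 1 else None)
    return Entry("unparsed", line, None)


def assess(entry: Entry) -> Entry:
    """Attach triage flags.  A flag means 'verify this', not 'malicious'."""
    if entry.kind in ("uRun", "mRun", "mRunServices") and entry.target:
        path = exe_path(entry.target).lower()
        if "\\" not in path:
            entry.flags.append("bare filename: which file runs depends on the search path")
        if any(marker in path for marker in TEMP_MARKERS):
            entry.flags.append("executable lives in a temp directory")
    elif entry.kind == "DPF" and entry.target is None:
        entry.flags.append("downloaded ActiveX control with no recorded source URL")
    return entry


def triage(lines: Iterable[str]) -> List[Entry]:
    return [assess(e) for e in map(parse_line, lines) if e is not None]


def flagged(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Name -> flags for every entry that earned at least one flag."""
    return {e.name: e.flags for e in triage(lines) if e.flags}


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        note = ("  <-- " + "; ".join(e.flags)) if e.flags else ""
        print(f"{e.kind:13} {e.name:40} {e.target or '(none)'}{note}")
```

Run as a script it prints every parsed entry with its flags. A flag is a prompt to verify the file (where it lives, who signed it, when it was installed), not a verdict: the bare dslagent.exe entry, for instance, has to be checked against the modem software in the installed-programs list before anything is done with it.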



#2 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 12 June 2009 - 10:15 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 RiverMiss (Topic Starter)

  • Members
  • 54 posts
  • Gender:Female
  • Location:Iowa

Posted 15 June 2009 - 09:56 AM

For anyone responding to my post:

I do not have internet access available because of the problem with this computer. Please do not ask me to do all kinds of things that I cannot do on this computer because it is frustrating enough having it so crippled. FYI, I am listing more details of what I can and cannot do.

I cannot currently access the internet. I have to maneuver using the Task Manager - meaning I have to do control + alt + del to bring up the task manager. It takes FOREVER to do anything on this computer so what might take a few minutes on a working computer can take hours on this one. Therefore, each task is a big deal time wise. I have to schedule my time accordingly to work on it. It sometimes takes me a while to get the time because it takes so much time to do each thing. Please have patience.

I have not been able to run anything that has to be installed. The program will install but not run. If the program can run with an executable file from a flash drive then I have been able to run it. I ran the DDS.scr and the files are posted above.

Does rooter.exe normally report the drive size incorrectly? It is reported correctly elsewhere and I am curious about this since I am unfamiliar with your program.

Thank you.

RiverMiss

#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 17 June 2009 - 07:23 AM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

It looks like we have a rootkit problem, though Rooter did not pick it up.

Please transfer the following files over to the infected computer:
ComboFix.exe
*******.exe (GMER)

Complete the steps below on the infected computer.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Transfer ComboFix.exe to your desktop before running it.

If ComboFix does not run, delete that copy. Rename a new copy to ComboFix123.exe and try again.

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    [screenshot of the prompt]

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    [screenshot of the prompt]
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log
With Regards,
The Panda

#5 RiverMiss (Topic Starter)

  • Members
  • 54 posts
  • Gender:Female
  • Location:Iowa

Posted 17 June 2009 - 02:37 PM

HI PP,

OK, I just put in a long post and it got lost before posting. I'll try again.

First, I have to use the Task Manager - File - New Task to do anything. Do you understand that?

I do not have a desktop.

I do not have internet access on that computer. I had to buy this notebook to do my work and get on the internet to try to find fixes for the messed up computer.

It does not sound like you understand my problem from the directions you are giving me. I cannot download anything to the desktop because I cannot access the desktop - that is the problem. I cannot download anything to that computer because the internet is not working on it. I use this computer and put things on a usb drive and then run them on the other computer. It takes a VERY long time to do anything on that computer in the state it is in. What would be minutes on a working computer can take hours on the broken one. The broken computer is named Angel, btw. Therefore I can usually only work on it on Sunday mornings if I am lucky and then it takes half a day to do anything.

I can only run programs that are .exe's. If the program has to be installed, it will not run.

I had posted a lot of this info in my previous posts but I feel like you must not have read it or else did not understand it. Please let me know that you understand.

I ran combofix but could not install the recovery console because I do not have internet access.

I have uploaded the log and it also follows:

ComboFix 09-05-31.05 - Karen 06/07/2009 7:47.1 - NTFSx86 MINIMAL

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\Downloaded Program Files\Temp
c:\windows\IE4 Error Log.txt
c:\windows\system32\Cache
c:\windows\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2009-05-07 to 2009-06-07 )))))))))))))))))))))))))))))))
.

2009-05-30 12:25 . 2009-05-30 12:26 -------- d-----w- C:\Rooter$
2009-05-30 12:14 . 2009-04-06 21:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-30 12:14 . 2009-04-06 21:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 12:14 . 2009-05-30 12:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-30 12:14 . 2009-05-30 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-24 57344]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"CTSysVol"="c:\program files\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe" [2003-02-17 53248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-03 1601304]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-03 15:34 10520 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\USMT\\MIGWIZ.EXE"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\WINDOWS\\SYSTEM32\\DPVSETUP.EXE"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FileMaker\\FileMaker Pro 5\\FileMaker Pro.exe"=
"c:\\WINDOWS\\SYSTEM32\\MMC.EXE"=
"c:\\Program Files\\TD AMERITRADE\\StrategyDesk\\StrategyDesk.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-03-03 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-03-03 107272]
R2 0235611168899853mcinstcleanup;McAfee Application Installer Cleanup (0235611168899853);c:\windows\TEMP\023561~1.EXE [x]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-03 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-03 298264]
R2 SPTimer;SharePoint Timer Service;c:\program files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.EXE [2001-02-16 345504]
R3 glauiad;DQ USB IAD LAN Modem;c:\windows\system32\DRIVERS\glauiad.sys [2002-10-11 29059]
R3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\DRIVERS\sbusb.sys [2003-03-25 632576]


--- Other Services/Drivers In Memory ---

*Deregistered* - abp480n5
*Deregistered* - adpu160m
*Deregistered* - agp440
*Deregistered* - agpCPQ
*Deregistered* - Aha154x
*Deregistered* - aic78u2
*Deregistered* - aic78xx
*Deregistered* - AliIde
*Deregistered* - alim1541
*Deregistered* - amdagp
*Deregistered* - amsint
*Deregistered* - asc
*Deregistered* - asc3350p
*Deregistered* - asc3550
*Deregistered* - Beep
*Deregistered* - cbidf
*Deregistered* - cd20xrnt
*Deregistered* - Cdfs
*Deregistered* - CmdIde
*Deregistered* - Compbatt
*Deregistered* - Cpqarray
*Deregistered* - CryptSvc
*Deregistered* - dac2w2k
*Deregistered* - dac960nt
*Deregistered* - DcomLaunch
*Deregistered* - DLARTL_N
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - dpti2o
*Deregistered* - Fastfat
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - helpsvc
*Deregistered* - hpn
*Deregistered* - i2omgmt
*Deregistered* - i2omp
*Deregistered* - ini910u
*Deregistered* - IntelIde
*Deregistered* - KSecDD
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - mraid35x
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - omci
*Deregistered* - PartMgr
*Deregistered* - perc2
*Deregistered* - perc2hib
*Deregistered* - ql1080
*Deregistered* - Ql10wnt
*Deregistered* - ql12160
*Deregistered* - ql1240
*Deregistered* - ql1280
*Deregistered* - rdpdr
*Deregistered* - RpcSs
*Deregistered* - sisagp
*Deregistered* - Sparrow
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - swenum
*Deregistered* - sym_hi
*Deregistered* - sym_u3
*Deregistered* - symc810
*Deregistered* - symc8xx
*Deregistered* - TermDD
*Deregistered* - TosIde
*Deregistered* - ultra
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - viaagp
*Deregistered* - ViaIde
*Deregistered* - VolSnap
*Deregistered* - winmgmt
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DSLAGENTEXE - dslagent.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-07 07:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(256)
c:\windows\system32\l3codeca.acm
.
Completion time: 2009-06-07 7:53
ComboFix-quarantined-files.txt 2009-06-07 13:53

Pre-Run: 115,264,909,312 bytes free
Post-Run: 120,605,351,936 bytes free

196

I have also tried :

nodesktop.reg - no change
xp_taskbar_desktop_fixall.vbs - got an error that it could not find the script editor
FixShell.cmd - no change

I also did sfc /scannow - no change

I will post other things I have tried as I find my notes. This is what I have for now. I may not get a chance to run gmer until this week-end. I thought gmer ran as part of combofix - is this not correct?

Thanks

RiverMiss


Edited by RiverMiss, 17 June 2009 - 02:42 PM.


#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 17 June 2009 - 03:47 PM

Hello.

From the looks of that log, essential system processes are not running.

Do you have your Windows XP disk available? I think, at very least, a repair install will be required.

GMER is separate from ComboFix, but seeing your situation, we'll run it later.

With Regards,
The Panda

#7 RiverMiss

RiverMiss
  • Topic Starter

  • Members
  • 54 posts
  • Gender:Female
  • Location:Iowa

Posted 17 June 2009 - 04:43 PM

Yes, I have my XP cd. I was just looking through stuff on the usb drive that was hooked up to that computer and found a file called bootex.log the contents follow:

Checking file system on E:
The type of the file system is FAT.

The volume is dirty.
Volume Serial Number is C832-E099
Windows has checked the file system and found no problems.

2021359616 bytes total disk space.
360448 bytes in 11 folders.
148275200 bytes in 28 files.
1872723968 bytes available on disk.

32768 bytes in each allocation unit.
61687 total allocation units on disk.
57151 allocation units available on disk.

I had seen an event viewer event that said the C drive was dirty some months before when things started going bad on the computer. I find it interesting to see this on the usb drive right now. Do you know anything about this? From the date on the log it appears this was generated when rooter.exe ran. Also, rooter did not report the size of the drive correctly. I am beginning to think this is a C drive issue and not a virus. I cannot do anything to recover or mess around with this until I get a new computer and pull the D - data drive out of it and into another computer. Then I will be able to see what is up with the C drive.

RiverMiss

Edited by RiverMiss, 17 June 2009 - 05:02 PM.


#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 17 June 2009 - 08:41 PM

Hello.

From those logs, your computer looks clean of malware.

Chkdsk creates those logs.

It does look like a drive problem.

I strongly suggest that you backup any data, if you have not already.

Is your XP disk a SP2 disk?

With Regards,
The Panda
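The bootex.log quoted above is the record chkdsk (autochk, when the dirty bit forces a check at boot) leaves on the volume. An added example, not from this thread, in Python: it parses that log format, reports whether the dirty flag was set, and cross-checks the byte totals against the allocation-unit counts, which is a quick way to confirm a log's figures are internally consistent before relying on them. The sample text is the log from the post, embedded inline.

```python
import re

# Constructed sample: the bootex.log quoted in the post above, embedded inline
# so the script runs offline.
SAMPLE_BOOTEX_LOG = """\
Checking file system on E:
The type of the file system is FAT.
The volume is dirty.
Volume Serial Number is C832-E099
Windows has checked the file system and found no problems.
2021359616 bytes total disk space.
360448 bytes in 11 folders.
148275200 bytes in 28 files.
1872723968 bytes available on disk.
32768 bytes in each allocation unit.
61687 total allocation units on disk.
57151 allocation units available on disk.
"""

def parse_bootex_log(text):
    # Pull the fields a chkdsk/autochk bootex.log reports into a dict.
    def num(pattern):
        m = re.search(r"(\d+) " + pattern, text)
        return int(m.group(1)) if m else None
    fstype = re.search(r"The type of the file system is (\w+)\.", text)
    return {
        "filesystem": fstype.group(1) if fstype else None,
        "dirty": "The volume is dirty." in text,   # dirty bit was set at boot
        "total_bytes": num("bytes total disk space"),
        "available_bytes": num("bytes available on disk"),
        "unit_bytes": num("bytes in each allocation unit"),
        "total_units": num("total allocation units on disk"),
        "available_units": num("allocation units available on disk"),
    }

def check_consistency(info):
    # Cross-check byte totals against cluster counts; empty list means they agree.
    issues = []
    unit = info["unit_bytes"]
    if not unit or unit & (unit - 1):   # FAT cluster sizes are powers of two
        return ["allocation unit size is missing or not a power of two"]
    if info["total_units"] * unit != info["total_bytes"]:
        issues.append("total units * unit size != total bytes")
    if info["available_units"] * unit != info["available_bytes"]:
        issues.append("available units * unit size != available bytes")
    return issues

if __name__ == "__main__":
    info = parse_bootex_log(SAMPLE_BOOTEX_LOG)
    print(info, check_consistency(info))
```

For the log in the post, the dirty flag is reported as set and both cross-checks pass (61687 and 57151 clusters of 32768 bytes match the byte totals exactly).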

#9 RiverMiss

RiverMiss
  • Topic Starter

  • Members
  • 54 posts
  • Gender:Female
  • Location:Iowa

Posted 18 June 2009 - 12:09 PM

Dear PP,

Yes I have an XP SP2 disk.

I have 2 drives in that computer - one for the OS & programs - and one for data. I want to get a new computer and put the data drive from the broken one into the new one.

Trying to do anything in the broken computer takes forever! I had backed up to an external drive about a week before it went south also. I had gone through and copied anything I thought I would need from the C drive as well.

I will need to spend a few days on financial matters in order to get a new computer because my air conditioner just went out in my house and that will be expensive as well.

My plan is to get the new computer. Use it for about a week and make sure it is working ok and then put the data drive from the other into the new computer. Then continue trying to fix the broken computer. What do you think?

Thanks,

Karen

Edited by RiverMiss, 18 June 2009 - 12:12 PM.


#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 18 June 2009 - 01:16 PM

Hello Karen.

That sounds like a plan.

There is a slight chance of something going wrong during a repair install, so it's best to wait for another computer to be available.

Would you like to try a repair install now, or some other time? I'm okay with waiting.

With Regards,
The Panda

#11 RiverMiss

RiverMiss
  • Topic Starter

  • Members
  • 54 posts
  • Gender:Female
  • Location:Iowa

Posted 18 June 2009 - 03:44 PM

Hi PP,

Definitely wait until I have another desktop up & running & the data drive pulled from the broken computer & copied & put back. So this will take me a while, at least 2+ weeks at this point. If very many other things go wrong, even longer. So put me on hold unless I post sooner with any kind of an update.

Thanks,

Karen

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 18 June 2009 - 03:48 PM

Hello Karen.

That's no problem.

The Panda

***Just a note to myself to keep this topic open longer.

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 22 August 2009 - 09:47 AM

Hello.

If you are still here, please respond to this topic.

If there is no reply within 5 days of this post, this topic may be closed.

With Regards,
The Panda

#14 RiverMiss

RiverMiss
  • Topic Starter

  • Members
  • 54 posts
  • Gender:Female
  • Location:Iowa

Posted 22 August 2009 - 07:52 PM

Hi Panda,

I've got my new computer up and going but have been dealing with a family emergency. I might be able to start picking away at the other computer. Where to start?

Thanks,

RiverMiss

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 23 August 2009 - 07:55 AM

Don't worry. Life comes first.

I might be able to start picking away at the other computer. Where to start?

Sorry, what do you mean by this?

With Regards,
The Panda



