
Infected: safe mode=blue screen, can't run any spyware removal tools


This topic is locked. 25 replies to this topic.

#1 Plautus

Posted 08 November 2009 - 03:39 AM

I can download and run DDS, but it gets killed before I get the log. Ditto with RootRepeal and HijackThis. When I try rkill, it seems to work, but then I immediately get a "personalized settings" pop-up, which runs briefly, then (I'm assuming) undoes whatever rkill achieved. None of the malware removers I've tried (Malwarebytes, SpyBot, Windows Defender, AdAware) run to completion. I've tried exefix, which again, seems to run fine, but the tools still won't finish.

Upon normal boot, Windows XP launches, then the "Personalized settings" thing pops up first, followed by "Protection System"--a virus I've been able to read about online, but none of the fixes I've seen elsewhere seem to work. Windows Defender makes an appearance, but when I try to start it, it says "Access is denied. Error code: 0x80070005." I also have some redirect problems when trying to find solutions online, but I can work around it by going to the site in question (e.g., bleepingcomputer) and searching internally for my problems.

When I try and run in safe mode, I get a blue screen: STOP: 0x0000007E(0XC000005, 0x8537009, 0XF7C7B3E0, 0XF7C7B0DC).

Any help at all would be greatly appreciated! I assume the first step is figuring out how to get a DDS, RootRepeal or HijackThis log, but I'm totally flummoxed. Would listing my processes help?

I got DDS to run! Here are the results.

I'm trying RootRepeal again next.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Matt at 10:34:24.45 on Sun 11/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.393 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\dllhost.exe
svchost.exe C:\WINDOWS\TEMP\VRT1.tmp
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Bluebeam Software\Brewery\V45\Printer Support\BBPrint.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VDOTool\TBPanel.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
svchost.exe -m
C:\Documents and Settings\Matt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uLocal Page = search.net-studio.org
uWindow Title = Internet Explorer
mStart Page = search.net-studio.org
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [wow64main.exe] c:\docume~1\matt\locals~1\temp\wow64main.exe
uRun: [winhbt.exe] c:\docume~1\matt\locals~1\temp\winhbt.exe
uRun: [TurboNet] c:\docume~1\matt\locals~1\temp\b.exe
uRun: [TBPanel] c:\program files\vdotool\TBPanel.exe /A
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Security Center] c:\windows\sc.exe
uRun: [Protection System] c:\program files\protection system\psystem.exe
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
uRun: [iLike] c:\program files\ilike\1.2.16\ilikesidebar.exe /checkforupdate
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ter8m] RUNDLL32.EXE c:\windows\system32\msxm192z.dll,w
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [net] "c:\windows\system32\net.net"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [msnmager] c:\windows\system32\rundll32.exe c:\windows\temp\ebdhff.dll,Set1
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [BbPrintMonitor] c:\program files\common files\bluebeam software\brewery\v45\printer support\BBPrint.exe
mRun: [BbInstallUser] c:\program files\bluebeam software\pushbutton pdf\Bluebeam Admin User.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174241824656
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: ,c:\windows\temp\39527333.dll,c:\docume~1\matt\locals~1\temp\5447333.dll,c:\windows\temp\4008333.dll,c:\docume~1\matt\locals~1\temp\16158333.dll,c:\windows\temp\6408333.dll,c:\docume~1\matt\locals~1\temp\5217xxx.dll,c:\docume~1\matt\locals~1\temp\35528333.dll,c:\docume~1\matt\locals~1\temp\41528usc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
mASetup: {43fR72BA-R2h9-13R1-bRbf-eaKfR836gWl5} - %SystemRoot%\system32\winnt.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\qmvrr4eq.default
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\media access startup\1.5.0.850\ff\components\HPFFAddOn.dll
FF - plugin: c:\documents and settings\matt\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\matt\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R?2 win;wins;c:\windows\system32\svchost.exe -k netsvcs [2005-8-16 34304]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-7-17 28544]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2005-8-16 34304]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [2004-8-10 67584]
R2 Ias;Windows Protected Network;c:\windows\system32\svchost.exe -k netsvcs [2005-8-16 34304]
S2 NetLogin;Net Login;c:\windows\svchost.exe [2009-11-7 1169920]
S3 cpuz130;cpuz130;\??\c:\docume~1\matt\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\matt\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 daqdrv;daqdrv;c:\windows\system32\daqdrv.sys [2005-8-16 2304]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\lavalys\everest ultimate edition\kerneld.wnt --> c:\program files\lavalys\everest ultimate edition\kerneld.wnt [?]
S4 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2007-12-6 810632]

=============== Created Last 30 ================

2009-11-08 08:14:00 0 d-----w- c:\program files\Trend Micro
2009-11-08 07:54:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 07:54:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 07:54:53 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 07:52:25 77867 ----a-w- c:\windows\system32\win.dll
2009-11-08 07:51:27 88576 ----a-w- c:\windows\system32\3.tmp
2009-11-08 07:51:18 52 ----a-w- c:\windows\system32\2.tmp
2009-11-08 07:17:17 0 d-----w- c:\program files\ESET
2009-11-08 06:37:43 88576 ----a-w- c:\windows\system32\12.tmp
2009-11-08 06:37:40 52 ----a-w- c:\windows\system32\11.tmp
2009-11-08 06:22:24 3752 ----a-w- c:\documents and settings\matt\GetPaths.vbs
2009-11-08 06:15:17 88576 ----a-w- c:\windows\system32\E.tmp
2009-11-08 06:15:13 52 ----a-w- c:\windows\system32\B.tmp
2009-11-08 05:58:00 88576 ----a-w- c:\windows\system32\D.tmp
2009-11-08 05:57:56 52 ----a-w- c:\windows\system32\C.tmp
2009-11-08 03:04:36 88576 ----a-w- c:\windows\system32\10.tmp
2009-11-08 03:04:34 52 ----a-w- c:\windows\system32\F.tmp
2009-11-08 02:54:42 187034 ----a-w- c:\windows\system32\net.net
2009-11-08 02:52:44 6144 ----a-w- c:\windows\system32\WinRAR.dll
2009-11-08 02:52:38 59392 ----a-w- c:\windows\system32\winnt.exe
2009-11-08 02:52:17 181248 ----a-w- c:\windows\msb.exe
2009-11-08 02:52:02 309212 ----a-w- c:\windows\sv1.exe
2009-11-08 02:51:04 826 ----a-w- c:\windows\system32\wininit.dll
2009-11-08 02:51:03 1168896 ----a-w- c:\windows\svchust.exe
2009-11-08 02:49:54 1169920 ----a-w- c:\windows\svchost.exe
2009-11-08 02:49:36 885248 ----a-w- c:\windows\isvchost.exe
2009-11-08 02:49:25 61440 ----a-w- c:\windows\system32\msxm192z.dll
2009-11-08 02:49:15 0 ----a-w- c:\windows\system32\C1.tmp
2009-11-08 02:49:13 88576 ----a-w- c:\windows\system32\C0.tmp
2009-11-08 02:49:09 868 ----a-w- c:\windows\system32\6404688.exe
2009-11-08 02:49:04 52 ----a-w- c:\windows\system32\BF.tmp
2009-11-08 02:48:36 0 d-----w- c:\program files\Protection System
2009-11-08 02:48:04 181248 ----a-w- c:\windows\msa.exe
2009-11-08 02:47:52 0 ----a-w- c:\windows\win32k.sys
2009-11-07 16:19:38 599552 ------w- c:\windows\system32\dllcache\crypt32.dll
2009-11-07 16:19:38 177664 ------w- c:\windows\system32\dllcache\wintrust.dll
2009-11-02 20:43:02 97952 ----a-w- c:\windows\system32\BBPdfPortMon.DLL
2009-11-02 20:40:29 0 d-----w- c:\program files\common files\Bluebeam Software
2009-11-02 20:40:29 0 d-----w- c:\program files\Bluebeam Software
2009-11-02 20:40:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Bluebeam Software
2009-11-02 20:09:04 59 ----a-w- c:\windows\wpd99.drv
2009-11-02 20:09:04 249856 ----a-w- c:\windows\system32\pdfmona.dll
2009-11-02 20:09:04 0 d-----w- c:\docume~1\alluse~1\applic~1\pdf995
2009-11-02 20:09:03 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2009-11-02 20:07:09 0 d-----w- C:\pdf995
2009-11-02 13:02:06 0 d-----w- C:\7082faf910216b2eaf
2009-10-31 13:14:14 0 d-----w- C:\8e49e155a82916c45d5fb773ba5cba
2009-10-30 12:27:04 0 d-----w- c:\program files\iPod
2009-10-30 12:05:58 0 d-----w- C:\a63b7a6ec55e6866bf411bcaf6c46a
2009-10-29 18:45:35 0 d-----w- C:\4f6b4f47bf07c0453404c00d146b70cd
2009-10-28 17:29:12 0 d-----w- C:\ce231d05294f04c4380f9589c1719e
2009-10-27 22:28:59 0 d-----w- C:\f3a88696585186c82f8b28fa
2009-10-27 12:31:38 0 d-----w- C:\2c384b5e15c2574ba24f053661
2009-10-22 17:45:34 0 d-----w- c:\program files\NCH Swift Sound
2009-10-19 16:32:53 0 d-----w- c:\docume~1\matt\applic~1\GetRightToGo
2009-10-13 18:54:42 103720 ----a-w- c:\documents and settings\matt\GoToAssistDownloadHelper.exe

==================== Find3M ====================

2009-11-08 15:34:30 34512160 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-08 07:52:28 3373856 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-08 07:49:54 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-11-08 07:49:52 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-11-08 07:47:02 317324 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-08 07:47:01 457916 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-22 09:19:04 5939712 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:35:52 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-18 03:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2007-01-20 15:26:16 88 --sh--r- c:\windows\system32\838A716C74.sys
2007-01-20 15:26:17 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-08-30 15:07:32 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 10:37:17.79 ===============

RootRepeal kept getting killed after scanning the files for a bit, so to create the attached file, I hit "Stop" right around the point where RootRepeal was crashing, which allowed RR to run through. In other words, this might not be a complete RR report, but at least it's something!

Merged 3 posts. ~ OB

Edited by Orange Blossom, 08 November 2009 - 05:44 PM.
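
The log above is readable by eye, but a helper in a thread like this triages dozens of them, and the suspicious entries follow a few path patterns: binaries launched from a temp directory, a second svchost.exe outside system32, a Run value pointing at a file with a non-executable extension (net.net), and a populated AppInit_DLLs list. The Python script below is an added example written for this page, not a tool from the thread or from BleepingComputer; it parses the DDS "Pseudo HJT" Run, AppInit_DLLs and service lines and flags entries by those path heuristics. The sample lines are copied from the log above with backslashes restored, and the heuristic rules and the `WINDOWS_ROOT_FILES` allow-list are my assumptions, not a published signature set.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the DDS log posted in this thread
# (backslashes restored), plus a few clean entries for contrast.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [wow64main.exe] c:\docume~1\matt\locals~1\temp\wow64main.exe
uRun: [TurboNet] c:\docume~1\matt\locals~1\temp\b.exe
uRun: [Security Center] c:\windows\sc.exe
uRun: [Protection System] c:\program files\protection system\psystem.exe
mRun: [ter8m] RUNDLL32.EXE c:\windows\system32\msxm192z.dll,w
mRun: [msnmager] c:\windows\system32\rundll32.exe c:\windows\temp\ebdhff.dll,Set1
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [net] "c:\windows\system32\net.net"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
AppInit_DLLs: ,c:\windows\temp\39527333.dll,c:\docume~1\matt\locals~1\temp\5447333.dll
S2 NetLogin;Net Login;c:\windows\svchost.exe [2009-11-7 1169920]
R2 Ias;Windows Protected Network;c:\windows\system32\svchost.exe -k netsvcs [2005-8-16 34304]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-7-17 28544]
"""

RUN_RE = re.compile(r"^([umd]Run(?:Once)?): \[(.*?)\] (.*)$")
SERVICE_RE = re.compile(r"^([RS]\??\d) ([^;]+);([^;]*);(.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (.*)$")
# A drive-rooted path. Directory segments may contain spaces but not ':' or
# '\', so "rundll32.exe c:\x\y.dll" on one line yields two separate paths.
PATH_RE = re.compile(r'(?<!\w)([a-z]:\\(?:[^,:"\\]+\\)*[^,:"\\]+?\.\w+)', re.I)

# Assumed allow-list: files that legitimately live directly in c:\windows.
WINDOWS_ROOT_FILES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}


@dataclass
class Finding:
    kind: str            # "Run", "Service" or "AppInit_DLLs"
    name: str            # Run value name or service name
    path: str
    reasons: list = field(default_factory=list)


def extract_paths(command):
    """All drive-rooted file paths in a Run value or service image path."""
    return [m.group(1) for m in PATH_RE.finditer(command)]


def path_reasons(path, kind):
    """Heuristic reasons (assumed, not from the thread) to distrust a path."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    reasons = []
    if "\\temp\\" in p:
        reasons.append("loads from a temp directory")
    if name == "svchost.exe" and not p.startswith("c:\\windows\\system32\\"):
        reasons.append("svchost.exe outside system32")
    if re.fullmatch(r"c:\\windows\\[^\\]+", p) and name not in WINDOWS_ROOT_FILES:
        reasons.append("file dropped directly in the windows root")
    if kind == "Run" and not name.endswith((".exe", ".dll", ".scr")):
        reasons.append("non-executable extension launched at logon")
    if kind == "AppInit_DLLs":
        reasons.append("AppInit_DLLs entry is injected into every user32 process")
    return reasons


def analyze(text):
    """Parse DDS pseudo-HJT lines and return the entries worth a closer look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            kind, name, paths = "Run", m.group(2), extract_paths(m.group(3))
        elif m := APPINIT_RE.match(line):
            kind, name = "AppInit_DLLs", "AppInit_DLLs"
            paths = [p for p in m.group(1).split(",") if p]
        elif m := SERVICE_RE.match(line):
            kind, name, paths = "Service", m.group(2), extract_paths(m.group(4))
        else:
            continue
        for path in paths:
            reasons = path_reasons(path, kind)
            if reasons:
                findings.append(Finding(kind, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_DDS):
        print(f"[{f.kind}] {f.name}: {f.path}\n    " + "; ".join(f.reasons))
```

Run it and the sample yields eight findings. Note what the path heuristics miss: c:\program files\protection system\psystem.exe (the rogue the poster named) and the rundll32-loaded msxm192z.dll in system32 both sit on ordinary-looking paths, so they are caught only by name or hash lookups against a known-bad list. Nothing in a user-mode autorun listing explains the safe-mode STOP 0x7E or the scanners being killed either, which is why the helper later in the thread moves to the Recovery Console and an offline boot CD rather than more in-Windows scanning.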


#2 Plautus (Topic Starter)

Posted 11 November 2009 - 05:53 PM

I realize there's a policy against "bumping" threads here, but my computer's getting progressively worse. Yesterday, the system tray disappeared, and today, Windows XP no longer loads; I get a blue screen no matter which configuration I try. I'm guessing that my best bet is going to be salvaging whatever I can from the hard drive and reformatting Windows XP, but before I go that route, I thought I'd give this one last shot! If any of you wonderful, overworked volunteers is able to take a look in the next day or two, I'd greatly appreciate it.

Much thanks,

Plautus

#3 thcbytes (Malware Response Team)

Posted 12 November 2009 - 10:15 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#4 Plautus (Topic Starter)

Posted 13 November 2009 - 10:12 AM

Unfortunately, I can't download or run any programs, as Windows XP won't start, in any mode. Blue screen message on regular start up: STOP: c000021a, status of 0xc0000022. In safe mode, the message is STOP: 0x0000007E (0xC0000005, 0x90537009, 0xFC7B3E0, 0xFC7B0DC). The boot to partition tests available all pass.

As I don't have another computer (I'm following this thread from a public computer), my plan now is to take out the current hard drive, buy a new one, install Windows XP on the new one, then recover whatever I can from the old hard drive using an external hard drive conversion kit. If any experts here have any better ideas or think I might be able to salvage the current hard drive, I'm all ears! I thought about trying a Windows XP repair installation, but I'm afraid that might jeopardize the data recovery process, and there are some files I'd desperately like to recover.

I'm not sure if my problem is still germane to this thread, but here's a question that might be: once I do the above (assuming y'all don't talk me out of it), what's the best way of ensuring that I don't infect the new hard drive when I access the old one? Obviously, after I recover what I need, I'll reformat the old hard drive so that I can use it as a back-up, but I'm a little nervous about preventing the virus from spreading.

Much thanks, and my apologies, mods, if this thread needs to be moved.

#5 thcbytes (Malware Response Team)

Posted 13 November 2009 - 02:02 PM

If you want to try I might be able to get you booting again. Do you have an XP install disc?
Thanks,
~t

#6 Plautus (Topic Starter)

Posted 13 November 2009 - 03:09 PM

Thanks, thcbytes! I bought my computer from Dell a couple years ago, and they didn't include an XP install disk; however, I called them yesterday and they're sending one free of charge. I should have it by Wednesday at the latest.

Provided there isn't any greater risk to losing data on my hard drive than by doing the hard drive conversion kit thing, I'm definitely willing to try whatever you've got in mind! My postings will unfortunately be infrequent until my computer's up again, but I should be able to check my email at least once a day.

Thanks again for your help!

Plautus

#7 thcbytes (Malware Response Team)

Posted 13 November 2009 - 10:24 PM

More questions....

Do you have the ability to download from another computer?
Do you have access to a CD burner on this other computer?

Here is the plan.

We need the recovery console. You can use the Windows install disk that is on the way or I can provide you with instructions as to how to burn a recovery console to disk. Then I will guide you how to boot into the recovery console in an attempt to get your computer booting. If we are lucky enough to get that far then we can begin cleanup.

If we are simply unable to get your computer booting from the Windows XP OS then I can guide you how to create a boot disc to boot up an alternative OS on the sick computer. You will then be able to easily access your hard drive and transfer whatever data you want to save before we format your hard disk and reinstall the Windows OS.

So if you have a blank CD, a computer with a burner, and the ability to download then please do this........

Please go here and create a Recovery Console CD. Just click the link provided there to download the recovery_console_cd.zip and unzip that to your desktop.

Then inside the recovery_console_cd folder that was created, locate and click on the IE icon titled Readme. This will open a webpage, which will provide the simple steps you will need to follow, as well as a clickable link to go to the MS download page where you can select the BootDisk file download appropriate for your operating system. For example, for an XP SP2 Home Edition you would be downloading WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe.

For emergency boot disk uses, as well as to access the Recovery Console, the SP2 version can also be used on systems that have the SP3 upgrade.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the sick computer.

  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-Rom drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open
Once in Recovery Console, type the following commands, pressing Enter after each one:

chkdsk /r
fixboot


Type exit to exit and restart your PC.
Are you able to boot into Windows?

==========

If not please proceed as outlined below........

==========

Let's now create a boot disc so that you can access your files and folders.....

*** Please print these instructions ***
  • Download Hiren's BootCD Iso to the desktop of a clean computer.
  • Extract the zipped HirensBootCD.zip to your desktop.
  • Open the extracted HirensBootCD folder and extract the zipped HirensBootCD.iso.
  • Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
  • Insert a blank CD in your drive.
  • Press Start. This will burn the image to disc. After it has completed...
  • Restart your sick computer and boot from the HBCD you created.
    • If your PC is not booting from the CD, you need to change the boot order:
      • Restart your PC
      • As soon as you get an image, press the Setup key. This is usually F2, F10, F12 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
      • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
      • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
      • The tab should now show your current boot order.
      • If the CD drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
      • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • When the CD boots choose "Start MiniWindowsXP". Allow Windows to load. You will see a typical Windows Desktop.
  • You will be able to access your sick drive and save files/folders from here. Let me know when you have gotten this far and I can guide you.
  • If you have an Ethernet connection you can double click the Network icon on the desktop to gain internet access. You will need to choose the "BootCDWinTools" icon on your Desktop. Choose "Menu" - "Browsers" - "Opera".
  • You should now be connected to the internet.
Let me know what you want to do.

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#8 Plautus

  • Topic Starter
  • Members
  • 16 posts

Posted 14 November 2009 - 05:06 PM

thcbytes,

That all sounds great, but while I have access to computers with CD burners, they're all public computers and (so far, at least) won't allow me to run unauthorized programs. I have a feeling my wife will have the same problem if she tries with her office computer, but I might give that a shot . . . Worst case scenario, it sounds like, is I wait for the XP install disk, which should arrive early next week.

Thanks again for your help, and I'll let you know if I have any success creating either boot disk.

Plautus

#9 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 14 November 2009 - 09:51 PM

:(

#10 Plautus

  • Topic Starter
  • Members
  • 16 posts

Posted 16 November 2009 - 05:16 PM

Well, the Windows XP install disk came today, and I was able to run chkdsk /r and fixboot. Unfortunately, Windows still did not load on reboot, and I got the same blue screen and error message at the same point during loading. My wife is going to try to create a Hiren's boot disk tomorrow on her work computer. If she's not able to, can you suggest any other steps?

Thanks again for your help!

Plautus

#11 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 16 November 2009 - 05:29 PM

We have many more options. Let me know how the HBCD goes. :(

#12 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 17 November 2009 - 10:11 AM

Don't miss my prior post.

I have a question. Have you ever run Combofix?
Thanks,
~t

#13 Plautus

  • Topic Starter
  • Members
  • 16 posts

Posted 17 November 2009 - 02:26 PM

Well, no dice on my wife's computer, unfortunately! I did, by the way, go ahead and order a hard drive and external hard drive conversion kit, figuring that if I didn't need them, I could return them--they should arrive tomorrow. Does that scenario make sense to you, or do you have other suggestions that I should try first?

Thanks again! This is becoming quite the marathon . . .

#14 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 17 November 2009 - 04:18 PM

Hi,
  • Have you ever run Combofix? This is important. If you have, then it may be a way of restoring your computer.
  • What problem did your wife run into creating the HBCD? It is usually very easy to create and use. That is why I like it.

hard drive and external hard drive conversion kit

  • What exactly did you purchase? I have freeware applications that do a wonderful job saving your data. All you need is an external hard drive to store your data.
Now that you have your Windows XP disc we can perform a Repair Install.

A Repair Install will replace the system files with the files on the XP CD used for the Repair Install. It will leave your applications and settings intact, but Windows updates will need to be reapplied.

A Repair Install will replace files altered by adware and malware, but will not fix an adware/malware problem.


Another option is to back up your data and use your Windows XP install disc to perform a format and re-install the OS. All data is lost and your drive is wiped clean but if we back up your data we can transfer it back. You will lose installed programs/applications though.

In both cases you might need your Product Key. If you no longer have your product key you can contact Microsoft and plead your case!

Please answer my questions and let me know how you want to proceed.

Thanks,
~t

#15 Plautus

  • Topic Starter
  • Members
  • 16 posts

Posted 17 November 2009 - 04:45 PM

* Have you ever run Combofix? This is important. If you have then it may be a way of restoring your computer

No, I haven't run Combofix--missed this question the first time!

* What problem did your Wife run into creating the HBCD? It is usually very easy to create and use. That is why I like it.

Apparently, she didn't have authority to run the program--sounds like the same message that came up when I tried to use public computers.

* What exactly did you purchase? I have freeware applications that do a wonderful job saving your data. All you need is an external hard drive to store your data.

A DriveWire USB Hard Drive Adapter, and a 320GB SATA Hard Drive. My plan had been to take out the infected hard drive, install the new one, install Windows on that, salvage what I could on the old one using the adapter, then reformat it and use it to back up my files going forward.

* Another option is to back up your data and use your Windows XP install disc to perform a format and re-install the OS. All data is lost and your drive is wiped clean but if we back up your data we can transfer it back. You will lose installed programs/applications though.

I don't mind losing installed programs--I don't think I have many that I've paid for and don't have installation disks for--so long as I can save most of the files.

* In both cases you might need your Product Key. If you no longer have your product key you can contact Microsoft and plead your case!

I'm not positive about the Product Key--I didn't notice it on the install disk Dell sent me, but then, I didn't look for it! I can update you on that tomorrow.

As far as what I want to do, my top priority is salvaging as much data as possible, followed by getting my computer back up and running, so pretty much whatever you think will work best, works for me!
