
Win XP Pro Won't Boot


  • This topic is locked
74 replies to this topic

#1 ChuckLHead

  • Members
  • 119 posts

Posted 22 December 2009 - 10:43 PM

Per thcbytes, I've opened a new post for this issue. The original post is at http://www.bleepingcomputer.com/forums/t/280198/win-xp-pc-wont-boot/

This issue is on my home desktop computer (which is not the notebook computer recently cleaned from the Alureon virus at http://www.bleepingcomputer.com/forums/t/278746/alureonct-tdlcmddll/).

On the PC that is the subject of this issue (desktop Dell), I ran a quick scan using MBAM as a preemptive measure. There were no viruses being reported by McAfee. Basically, after the episode on my notebook, I had a newfound sense of determination to make sure nothing happened to my home machine.

MBAM found 3 files in one of the user Documents and Setting directories (that's going from memory).

I let it remove the files and when it finished, it prompted for a reboot. I let it go ahead and reboot the PC.

Now I've got a problem. When the PC rebooted, I get a blue screen stating:

"A problem has been detected and Windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Disable or uninstall any anti-virus, disk defragmentation or backup utilities. Check your hard drive configuration, and check for any updated drivers. Run CHKDSK /F to check for hard drive corruption, and then restart your computer.

Technical information:

*** STOP: 0x00000024 (0x001902FE, 0xF7C613DC, 0xF7C610D8, 0x86AB0805) "


I tried rebooting to safe mode, safe mode with command prompt and Last known working configuration, but each one of these resulted in this same screen appearing.

The BSOD appears seconds after the Windows splash screen appears.

I've tried suggestions from the other posting which suggested running the Recovery Console, running CHKDSK and BOOTCFG /REBUILD.

CHKDSK takes about 40 minutes to run and successfully completes.

BOOTCFG /REBUILD takes ~10 minutes to run and successfully finishes. Due to the number of times I've tried this (what's the definition of insanity?!), I now have some 5 load identifiers.

I've not done anything else other than bang my head on the desk and curse a lot.

Thanks in advance for taking on this issue.

ChuckLHead

Edited: Fixed link

Edited by thcbytes, 26 December 2009 - 02:17 PM.


#2 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 22 December 2009 - 11:02 PM

Hi,
I am going to have a Moderator move us over to the HjT forums in light of the probability that this is malware related.
Thanks,
~ t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 22 December 2009 - 11:22 PM

Hello again,

Have you ever run Combofix on that computer?
Do you have a Windows XP install disc?

Do this first please........

Let's now create a boot disc so that you can access your files and folders and so I can get a look at a log.....

*** Please print these instructions ***
  • Download Hiren's BootCD Iso to the desktop of a clean computer.
  • Extract the zipped HirensBootCD.zip to your desktop.
  • Open the extracted HirensBootCD folder and extract the zipped HirensBootCD.iso.
  • Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
  • Insert a blank CD in your drive.
  • Press Start. This will burn the image to disc. After it has completed...
  • Restart your sick computer and boot from the HBCD you created.
    • If your PC is not booting from the CD, you need to change the boot order:
      • Restart your PC
      • As soon as you get an image, press the Setup key. This is usually F2, F10, F12 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
      • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
      • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
      • The tab should now show your current boot order.
      • If the CD-drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
      • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • When the CD boots choose "Start MiniWindowsXP". Allow Windows to load. You will see a typical Windows Desktop.
  • You will be able to access your sick drive and save files/folders from here.
  • Create an ethernet (wired) Internet Connection
    • Double click the Network Support icon on the HBCD desktop
    • A computer screen will appear in the lower right corner system tray
    • Double click HBCD Menu on your HBCD desktop
    • Choose Menu
    • Then Browsers
    • Then Opera
    • Success?
  • You should now be connected to the internet.
  • Navigate here to the forum and click this link.
  • Download the program and save it to the desktop.
  • Once saved, close all other windows then double click the program to run it.
  • When completed, a log will open.
  • Save the log to the desktop using File>Save as, then post the log in a reply.

    Please note: If you are unable to connect to the internet then please download to a flash drive on a clean computer and transfer to the sick computer to run!

  • In addition, you now have access to all your files and folders amongst many other utilities that we might need to use later. :(
  • If you double click your Windows Explorer icon on your desktop you will be able to access your hard drive.


#4 ChuckLHead
  • Topic Starter

  • Members
  • 119 posts

Posted 23 December 2009 - 08:02 AM

I honestly can't remember if I've ever run Combofix on this machine. Wish I had a more definitive answer for you.

The Windows CD that I have is labeled:

Operating System
Already Installed on Your Computer
Reinstallation CD
Microsoft Windows XP Professional
Including Service Pack 2

I'll be starting on the tasks this evening.

Thanks.

ChuckLHead

#5 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 23 December 2009 - 10:45 AM

Fair enough. Once we boot into the virtual environment we can take a look at your MBAM log and see what it removed. We will take a peek at the fresh DDS log. We can see if you ever ran CF and see what it detected. The options are endless!

Let me know. :(

#6 ChuckLHead
  • Topic Starter

  • Members
  • 119 posts

Posted 24 December 2009 - 07:13 AM

OK...Here we go. Below is the DDS log that was created:


DDS_BootCD_Version (Ver_09-10-04.01) - NTFSx86
Run at 16:00:01.95 on Thu 11/11/2004
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03

============== Pseudo HJT Report ===============

S-1-5-21-234274271-1096421296-799955145-500_Start Page = hxxp://www.yahoo.com/
S-1-5-21-234274271-1096421296-799955145-500_Default_Page_URL = hxxp://www.dell4me.com/myway
S-1-5-21-234274271-1096421296-799955145-500_Internet Connection Wizard,ShellNext = hxxp://ww3.weatherbug.com/survey/uninstall/uninstall.asp?regid=-1&ZCode=&DLID=1800&Version=
S-1-5-21-234274271-1096421296-799955145-500_SearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mLocal Page = %SystemRoot%\system32\blank.htm
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
S-1-5-21-234274271-1096421296-799955145-1006_URLSearchHooks: H - No File
S-1-5-21-234274271-1096421296-799955145-1006_URLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
S-1-5-21-234274271-1096421296-799955145-1007_URLSearchHooks: H - No File
S-1-5-21-234274271-1096421296-799955145-1010_URLSearchHooks: H - No File
S-1-5-21-234274271-1096421296-799955145-1010_URLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
S-1-5-21-234274271-1096421296-799955145-1005_Run: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
S-1-5-21-234274271-1096421296-799955145-1005_Run: [ctfmon.exe] c:\windows\system32\ctfmon.exe
S-1-5-21-234274271-1096421296-799955145-1006_Run: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
S-1-5-21-234274271-1096421296-799955145-1006_Run: [ctfmon.exe] c:\windows\system32\ctfmon.exe
S-1-5-21-234274271-1096421296-799955145-1006_Run: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
S-1-5-21-234274271-1096421296-799955145-1007_Run: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
S-1-5-21-234274271-1096421296-799955145-1007_Run: [ctfmon.exe] c:\windows\system32\ctfmon.exe
S-1-5-21-234274271-1096421296-799955145-1008_Run: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
S-1-5-21-234274271-1096421296-799955145-1008_Run: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
S-1-5-21-234274271-1096421296-799955145-1008_Run: [ctfmon.exe] c:\windows\system32\ctfmon.exe
S-1-5-21-234274271-1096421296-799955145-1008_Run: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
S-1-5-21-234274271-1096421296-799955145-1008_Run: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe"
S-1-5-21-234274271-1096421296-799955145-1008_Run: [Steam] "c:\program files\steam\Steam.exe" -silent
S-1-5-21-234274271-1096421296-799955145-1008_Run: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
S-1-5-21-234274271-1096421296-799955145-1010_Run: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
S-1-5-21-234274271-1096421296-799955145-1010_Run: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
S-1-5-21-234274271-1096421296-799955145-1010_Run: [ctfmon.exe] c:\windows\system32\ctfmon.exe
S-1-5-21-234274271-1096421296-799955145-1010_Run: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
S-1-5-21-234274271-1096421296-799955145-1010_RunOnce: [Shockwave Updater] c:\windows\system32\macromed\shockw~1\SWHELP~1.EXE -Update -1020023 -iexplore.exe7.0
S-1-5-21-234274271-1096421296-799955145-500_Run: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
S-1-5-21-234274271-1096421296-799955145-500_Run: [ctfmon.exe] c:\windows\system32\ctfmon.exe
S-1-5-21-234274271-1096421296-799955145-500_Run: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
S-1-5-21-234274271-1096421296-799955145-500_RunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Dell Photo AIO Printer 922] "c:\program files\dell photo aio printer 922\dlbtbmgr.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\troy\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
S-1-5-21-234274271-1096421296-799955145-1008_Policies-system: EnableProfileQuota = 1 (0x1)
S-1-5-21-234274271-1096421296-799955145-500_Policies-explorer: NoThemesTab = 0 (0x0)
S-1-5-21-234274271-1096421296-799955145-500_Policies-explorer: ForceActiveDesktopOn = 0 (0x0)
S-1-5-21-234274271-1096421296-799955145-500_Policies-system: NoDispAppearancePage = 0 (0x0)
S-1-5-21-234274271-1096421296-799955145-500_Policies-system: NoColorChoice = 0 (0x0)
S-1-5-21-234274271-1096421296-799955145-500_Policies-system: NoSizeChoice = 0 (0x0)
S-1-5-21-234274271-1096421296-799955145-500_Policies-system: NoVisualStyleChoice = 0 (0x0)
S-1-5-21-234274271-1096421296-799955145-500_Policies-system: NoDispSettingsPage = 0 (0x0)
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: musicmatch.com\online
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxps://ra.budco.com/pdl/jt/msrdp.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

(null); [x]
BEHRINGER_2902; System32\Drivers\BUSB2902.sys
DCSPGSRV; "c:\program files\processguard\dcsuserprot.exe"
DISK_DRIVE32; \??\c:\documents and settings\troy\desktop\ultimate hack pack 4.0 public release\cheatengine\disk_1024.sys
drvncdb; [x]
ILADFtmi; [x]
kbdcap; [x]
McAfee SiteAdvisor Service; "c:\program files\mcafee\siteadvisor\McSACore.exe"
MusCDriverV32; system32\drivers\MusCDriverV32.sys
MusCVideo32; system32\DRIVERS\MusCVideo32.sys
NUBBER; \??\c:\home\troy\hacks\nubbk32.sys
procguard; \??\c:\windows\system32\drivers\procguard.sys
SASDIFSV; \??\c:\program files\superantispyware\SASDIFSV.SYS
SASENUM; \??\c:\program files\superantispyware\SASENUM.SYS
SASKUTIL; \??\c:\program files\superantispyware\SASKUTIL.sys
sejt1; \??\c:\documents and settings\troy\desktop\akumaengine\sejt.sys
spuce1; \??\c:\documents and settings\troy\desktop\spuce 2.0\spuce.sys
SQTECH9052; System32\Drivers\Capt9052.sys
yjiyubfs; System32\drivers\rixeaiir.sys
{76314686-A808-4CBD-A33C-A656504D18AB}; [x]
{E7B2E6B1-0E1B-42C2-A66F-75C698D4A033}; [x]

=============== Created Last 30 ================

2004-11-10 16:30 <DIR> --d----- c:\documents and settings\all users\application data\PMB Files
2004-11-08 10:35 22,016 a------- C:\RCX550.tmp

==================== Find3M ====================

2009-12-12 21:08 1,648,462,032 a------- c:\program files\MSSetupv80.exe
2004-12-21 02:38 262,144 a------- c:\documents and settings\all users\NTUSER.DAT
2004-09-29 22:28 134,912 a------- c:\windows\system32\drivers\ipnat.sys
2004-09-29 22:28 134,912 a------- c:\windows\system32\dllcache\ipnat.sys
2004-09-15 18:28 20,480 a------- c:\windows\system32\wmpui.dll
2004-09-15 18:28 20,480 a------- c:\windows\system32\wmpcore.dll
2004-09-15 18:28 20,480 a------- c:\windows\system32\wmpcd.dll
2004-09-15 18:28 20,480 a------- c:\windows\system32\dllcache\wmpui.dll
2004-09-15 18:28 20,480 a------- c:\windows\system32\dllcache\wmpcore.dll
2004-09-15 18:28 20,480 a------- c:\windows\system32\dllcache\wmpcd.dll
2004-09-15 18:27 5,550,080 a------- c:\windows\system32\setb5.tmp
2004-09-15 18:27 991,232 a------- c:\windows\system32\dllcache\migrate.exe
2004-09-14 17:29 487,424 a------- c:\windows\system32\Jasc Paint Shop Photo Album 5.scr
2004-09-14 17:28 241,664 a------- c:\windows\system32\pspascrrc5.dll
2004-09-14 17:07 236,576 a------- c:\windows\system32\XceedFtp.dll
2004-09-01 17:56 1,044,480 a------- c:\windows\system32\ROBOEX32.DLL
2004-09-01 17:56 65,536 a------- c:\windows\system32\JGSH400.DLL
2004-09-01 17:56 45,568 a------- c:\windows\system32\JGSD400.DLL
2004-09-01 17:56 44,544 a------- c:\windows\system32\JGAW400.DLL
2004-09-01 17:56 35,840 a------- c:\windows\system32\JGMD400.DLL
2004-08-24 21:06 10,752 -------- c:\windows\system32\PXWMA.dll
2009-12-20 03:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

==== Installed Programs ======================

µTorrent
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.8
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
Adobe® Photoshop® Album Starter Edition 3.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AutoUpdate
Banctec Service Agreement
BEHRINGER USB AUDIO DRIVER
Bonjour
Camel's MPEGJoin
Candy Land - Dora the Explorer Edition
CCleaner (remove only)
Conexant D850 56K V.9x DFVc Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Photo AIO Printer 922
Dell Picture Studio v3.0
Dell Support Center
Dell System Restore
DellSupport
Digital Line Detect
DivX
DivX Converter
DivX Player
DivX Web Player
Drug Wars
energyXT2.07
G5a922EN
Guitar Pro 5.2
HI-TECH C51-lite V9.60PL0
HI-TECH PICC lite V9.60PL0
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Internet Explorer Default Page
iPod for Windows 2005-09-23
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_06
Java™ 6 Update 3
KSignAccessToolkit v1.0
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware
MapleStory
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2005 Redistributable
Microsoft WinUsb 1.0
Modem Helper
Mozilla Firefox (3.5.6)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
My Way Search Assistant
Napster Burn Engine
NetWaiting
Pando Media Booster
Plants vs. Zombies .
Power Tab Editor 1.7
PowerDVD 5.3
PrimoPDF
Puzzle Quest
QuickTime
RealPlayer Basic
Roll
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SnagIt 8
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SoundMAX
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WD Diagnostics
WebFldrs XP
What's Running 2.2
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Movie Maker 2.0
Windows Presentation Foundation
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888310
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinZip
XML Paper Specification Shared Components Pack 1.0
Zune
Zune Language Pack (ES)
Zune Language Pack (FR)

============= FINISH: 16:00:39.48 ===============

Should I assume that I should not restart this machine unless explicitly instructed to do so? Not that I want / need to, but if it happens, does it set us back?


And allow me to add "Merry Christmas", thcbytes.

I, as well as countless others, are grateful that people like you take the time to help us out of (what is often self-inflicted) digital misery.

ChuckLHead

Edited by ChuckLHead, 24 December 2009 - 07:15 AM.


#7 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:04:34 PM

Posted 24 December 2009 - 10:45 AM

You are very welcome. My pleasure indeed! :(

Reboot will cause no problems. Note though that if you reboot with the HBCD disc in the drive you will again be presented with the HBCD boot menu. If you use your down arrow and choose the Hard drive ntldr option (something like that) the computer will boot into normal Windows. You choose.

==========

Let's check out a few things.

Please go to....
C:\Program Files\Malwarebytes' Anti-Malware
Post the last few logs please.

==========

Go here and see if this exists.....
C:\Qoobox\ComboFix-quarantined-files.txt
Post the log please.

==========

Thanks,
~ t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#8 ChuckLHead

ChuckLHead
  • Topic Starter

  • Members
  • 119 posts
  • Local time:05:34 PM

Posted 24 December 2009 - 11:46 AM

After a moment of panic when all I found in the MBAM home directory was a log from 1.5 years ago, I searched and located the other logs.

@@@@@@@@@@@@@@@@@@@@@
Malwarebytes' Anti-Malware 1.42
Database version: 3393
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

12/19/2009 4:04:04 PM
mbam-log-2009-12-19 (16-04-04).txt

Scan type: Quick Scan
Objects scanned: 171628
Time elapsed: 1 hour(s), 0 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Troy\Local Settings\Temp\841.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Troy\Local Settings\Temp\846.tmp (Malware.Packer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Troy\Local Settings\Temporary Internet Files\Content.IE5\7ZOYAZRR\eH2cba6b17V03006f35002R99e01955102T6791b8d4Q000002fc901807F0020000aJ03000601l0409Kc8e4e8b7316P000800070[1] (Malware.Packer) -> Quarantined and deleted successfully.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Malwarebytes' Anti-Malware 1.42
Database version: 3352
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

12/13/2009 9:52:00 PM
mbam-log-2009-12-13 (21-52-00).txt

Scan type: Quick Scan
Objects scanned: 170503
Time elapsed: 59 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Troy\Desktop\install_flash_player.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joan\Local Settings\Temp\d.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Troy\Local Settings\Temp\d.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Troy\Local Settings\Temp\f.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Malwarebytes' Anti-Malware 1.41
Database version: 3001
Windows 5.1.2600 Service Pack 2

10/21/2009 7:51:14 AM
mbam-log-2009-10-21 (07-51-14).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 250107
Time elapsed: 3 hour(s), 29 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\drv (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

I did not locate anything for Combofix.

ChuckLHead

Edited by ChuckLHead, 24 December 2009 - 12:05 PM.


#9 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:04:34 PM

Posted 24 December 2009 - 12:33 PM

Let's see your boot.ini.
  • Windows explorer
  • Search
  • Boot.ini
  • Right click the boot.ini at the C: location and choose open
  • Copy and paste that log for my review.
Thanks,
~ t

#10 ChuckLHead

ChuckLHead
  • Topic Starter

  • Members
  • 119 posts
  • Local time:05:34 PM

Posted 24 December 2009 - 12:46 PM

boot.ini follows:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional"
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS=""
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="y"
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


Yeah. I know. I've made a mess of it!

ChuckLHead
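The boot.ini above has five entries for the same partition, one of them with an empty menu label. As an added example (not code from the thread or from any tool mentioned in it), here is a small Python checker that parses a boot.ini in the standard [boot loader] / [operating systems] layout and reports exactly those problems: a default= that points at no entry, duplicate ARC paths, an invalid partition(0), empty labels, and switches it does not recognise. The sample text inside it is a constructed copy of the posted file; the list of known switches is the common XP set and is an assumption of this example, not something the thread states.

```python
"""Lint a Windows XP boot.ini for the problems visible in the posted file.

Added example, not code from the thread. It assumes the standard
[boot loader] / [operating systems] layout; the sample below is a
constructed copy of the boot.ini posted above.
"""
import re
from collections import Counter

# Constructed sample: the posted boot.ini, verbatim.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional"
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS=""
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="y"
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

# ARC path: multi(n)disk(n)rdisk(n)partition(n)\dir  (partition numbers start at 1)
ARC_PATH = re.compile(r'^(?:multi|scsi|signature)\([0-9a-fA-F]+\)disk\(\d+\)rdisk\(\d+\)'
                      r'partition\((\d+)\)\\.+$')
# One [operating systems] line: <arc path>="<menu label>" [/switch ...]
ENTRY = re.compile(r'^(?P<path>[^=]+)="(?P<desc>[^"]*)"(?P<opts>(?:\s+/\S+)*)\s*$')
# Common XP boot switches (names only; arguments such as =optin are stripped before lookup).
# This set is an assumption of the example, not something stated in the thread.
KNOWN_SWITCHES = {'/fastdetect', '/noexecute', '/safeboot', '/bootlog', '/sos',
                  '/basevideo', '/noguiboot', '/pae', '/3gb', '/maxmem', '/debug',
                  '/nodebug', '/usepmtimer'}


def parse_boot_ini(text):
    """Return ({loader keys}, [entries]) from boot.ini text."""
    section, loader, systems = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        if section == 'boot loader':
            key, _, value = line.partition('=')
            loader[key.strip().lower()] = value.strip()
        elif section == 'operating systems':
            m = ENTRY.match(line)
            if m:
                systems.append({'path': m['path'].strip(), 'desc': m['desc'],
                                'opts': m['opts'].split(), 'malformed': False})
            else:
                systems.append({'path': line, 'desc': '', 'opts': [], 'malformed': True})
    return loader, systems


def lint_boot_ini(text):
    """Return a list of human-readable findings; an empty list means clean."""
    loader, systems = parse_boot_ini(text)
    findings = []
    paths = {s['path'] for s in systems}
    default = loader.get('default')
    if default is None:
        findings.append('no default= line in [boot loader]')
    elif default not in paths:
        findings.append(f'default {default} matches no [operating systems] entry')
    if not systems:
        findings.append('no entries under [operating systems]')
    # Duplicate ARC paths: NTLDR shows every line as its own menu choice
    for path, n in Counter(s['path'] for s in systems).items():
        if n > 1:
            findings.append(f'{n} entries share ARC path {path}; only one is needed')
    for s in systems:
        if s['malformed']:
            findings.append(f'malformed entry: {s["path"]}')
            continue
        m = ARC_PATH.match(s['path'])
        if not m:
            findings.append(f'unrecognised ARC path: {s["path"]}')
        elif int(m.group(1)) == 0:
            findings.append(f'partition(0) is invalid in {s["path"]}')
        if not s['desc'].strip():
            findings.append(f'entry {s["path"]} has an empty menu label')
        for opt in s['opts']:
            if opt.split('=')[0].lower() not in KNOWN_SWITCHES:
                findings.append(f'unknown switch {opt} on {s["path"]}')
    return findings


if __name__ == '__main__':
    for finding in lint_boot_ini(SAMPLE_BOOT_INI):
        print('-', finding)
```

Run against the posted file it reports two findings: the five entries sharing one ARC path, and the entry with the empty label. The duplicates are harmless to the boot itself (each is a separate menu choice for the same Windows installation), which is why it is worth separating "untidy" from "broken" before editing the file.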

#11 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:04:34 PM

Posted 24 December 2009 - 01:51 PM

We need to take a look at the Minidump files which should help us diagnose the crash

Boot up HBCD again.

STEP ONE

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck: Hide protected operating system files (recommended) option.
Click Yes to confirm.


STEP TWO
  • Go to start and right-click My Computer then Properties
  • Click the Advanced tab. Under Startup and Recovery section click Settings > (the option Automatically restart should be unchecked and the other two options should be checked).
  • Under the Write debugging information section there is the Small dump directory: the path to the mini dump folder is given.
After the computer crashes the PC will, on restarting, create a dump file (Minixxxxx.dmp where x represents a number). After a crash you should go to that folder and find the mini dump file inside it to upload it.

Note: %systemroot% usually means Windows so %systemroot%\Minidump is C:\Windows\Minidump


If you have trouble locating the minidump files...
  • Use the windows search advanced options:
  • Go to Start then Search. Click All files and folders.
  • Click More advanced options.
  • Put a check mark in the box next to search system folders, search hidden files and folders and search sub-folders.
  • Make sure the Case Sensitive box is not checked.
  • Type mini*.dmp in the upper box and click on search.
STEP THREE

Now zip the file and attach it to your reply. To attach the file:
  • Click ADDREPLY, under the reply window press Browse... and find the path to the zip file on your computer:
  • Highlight the zip file and click Open then press the green UPLOAD button.
Note: The old mini dump files might have already been removed and you may have to wait for the next crash for a file to be produced.

Thanks,
~ t
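Steps one and two above are both just dialog front-ends for registry values: Folder Options > View writes HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, and Startup and Recovery writes HKLM\SYSTEM\CurrentControlSet\Control\CrashControl. As an added example (not code from the thread or from any tool it mentions), here is a Python script that compares those values with what the steps ask for and lists whatever Mini*.dmp files exist in the configured dump folder. The evaluate functions work on plain dictionaries so they can be exercised anywhere; the read_live_settings function reads the real registry and is Windows-only. The key and value names are the standard ones behind those two dialogs; the constructed dictionaries in the usage notes are sample values, not readings from the poster's machine.

```python
"""Check the crash-dump and Explorer view settings the steps above set.

Added example, not code from the thread. evaluate_*() work on plain dicts
so they run anywhere; read_live_settings() reads the real registry and is
Windows-only (it imports winreg lazily). The registry key and value names are
the standard ones behind the Startup and Recovery and Folder Options dialogs.
"""
import glob
import os

CRASH_CONTROL_KEY = r'SYSTEM\CurrentControlSet\Control\CrashControl'                   # under HKLM
EXPLORER_ADVANCED_KEY = r'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'  # under HKCU
DEFAULT_MINIDUMP_DIR = r'%SystemRoot%\Minidump'

# Startup and Recovery: small memory dump, no automatic restart, the other two boxes checked.
EXPECTED_CRASH = {
    'CrashDumpEnabled': 3,  # 0 none, 1 complete, 2 kernel, 3 small (64 KB) memory dump
    'AutoReboot': 0,        # 0 keeps the blue screen on screen instead of rebooting
    'LogEvent': 1,          # "Write an event to the system log"
    'SendAlert': 1,         # "Send an administrative alert"
}
# Folder Options > View: show hidden files, show extensions, show protected OS files.
EXPECTED_VIEW = {
    'Hidden': 1,            # 1 = show hidden files and folders, 2 = do not show
    'HideFileExt': 0,       # 0 = show file extensions
    'ShowSuperHidden': 1,   # 1 = show protected operating system files
}


def _compare(values, expected):
    """One finding per value that is missing (None) or differs from what is expected."""
    return [f'{name}={values.get(name)!r}, expected {want}'
            for name, want in expected.items() if values.get(name) != want]


def evaluate_crash_control(values):
    """Findings that explain why a crash could leave the Minidump folder empty."""
    return _compare(values, EXPECTED_CRASH)


def evaluate_explorer_view(values):
    """Findings for the Folder Options > View settings of step one."""
    return _compare(values, EXPECTED_VIEW)


def minidump_dir(values):
    """The configured small-dump directory with %SystemRoot% expanded (on Windows)."""
    return os.path.expandvars(values.get('MinidumpDir', DEFAULT_MINIDUMP_DIR))


def _read_values(root_name, path, names):
    import winreg  # Windows-only; imported here so the rest of the module runs elsewhere
    root = getattr(winreg, root_name)
    out = {}
    with winreg.OpenKey(root, path) as key:
        for name in names:
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent; evaluate_*() reports it as None
    return out


def read_live_settings():
    """Read both dialogs' values from the registry of the running Windows system."""
    crash = _read_values('HKEY_LOCAL_MACHINE', CRASH_CONTROL_KEY,
                         list(EXPECTED_CRASH) + ['MinidumpDir'])
    view = _read_values('HKEY_CURRENT_USER', EXPLORER_ADVANCED_KEY, list(EXPECTED_VIEW))
    return crash, view


if __name__ == '__main__':
    crash, view = read_live_settings()
    for finding in evaluate_crash_control(crash) + evaluate_explorer_view(view):
        print('-', finding)
    folder = minidump_dir(crash)
    print('dump folder:', folder, sorted(glob.glob(os.path.join(folder, 'Mini*.dmp'))) or '(empty)')
```

Run from the installed Windows it reports, for instance, AutoReboot=1, expected 0 on a machine where "Automatically restart" is still ticked. An empty Minidump folder with all four values correct is still possible: the dump is written through the paging file on the boot volume, so a crash that happens before the kernel has that support initialised, or a boot volume without a paging file, produces no file at all.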

#12 ChuckLHead

ChuckLHead
  • Topic Starter

  • Members
  • 119 posts
  • Local time:05:34 PM

Posted 24 December 2009 - 02:57 PM

Step 1 and 2 weren't a problem.

After step 2, I'm assuming I need to reboot the pc from the hard drive (Win XP) in order to get the BSOD and the dump file. I tried that twice and then booted into Mini Win XP (another assumption) but I haven't found a mini*.dmp.

I'm guessing that I'm not selecting the correct options as HBCD boots - selected Boot from Hard Drive Win XP (NTLDR) or something like that. Then I selected the original Windows XP Pro selection for the load identifiers. After the BSOD, I restart the pc and select Mini Win XP from the HBCD options.

I think it's safe to say that I need clarification on the exact options to select.

Sorry about that.

Thanks,

ChuckLHead

#13 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:04:34 PM

Posted 24 December 2009 - 03:12 PM

You did it perfectly. Now in HBCD look at c:\windows\minidump. Does the folder exist? Post its contents please.

#14 ChuckLHead

ChuckLHead
  • Topic Starter

  • Members
  • 119 posts
  • Local time:05:34 PM

Posted 24 December 2009 - 03:26 PM

The directory exists but it's empty. No files. No directories.

ChuckLHead

#15 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:04:34 PM

Posted 24 December 2009 - 03:39 PM

I suspected that might be your reply. Are you able to access all of your files and folders? The next steps that I am going to recommend present a risk for data loss. I want you to backup all the files and folders that are significant to you before we proceed. In that your computer is infected you will need to be careful.

Please note...........

Files with the following extensions should not be backed up:
.exe
.scr
.htm
.html
.xml
.zip
.rar
.asp
.php


HBCD has some really cool backup tools or you can do it the old-fashioned way...copy/paste.

Let me know when you're ready to proceed.



