
From getting locked in Safe Mode to possibly corrupt file [header]s


2 replies to this topic

#1 darkheart


Posted 04 January 2010 - 09:57 AM

Hi there.

I'm running Windows XP SP2 on a Celeron 2.80GHz with 504mb RAM. It's around three years old, and has had a couple of run-ins with what I think was a Brontok and/or Sasser infection as well as a DNS Changer, all of which were sorted out at least a year or so ago with no lingering side effects.

At around 10PM last night, though, my system suddenly launched a popup box telling me that a shutdown had been initiated.

Event Viewer gives the following information:

1/3/2010
22:26:17
"The process winlogon.exe has initiated the restart of TCS-4357A6CF1B7 for the following reason: No title for this reason could be found
Minor Reason: 0xff
Shutdown Type: reboot
Comment: Unrecognized disk driver command"
bytes: 0000: ff 00 00 00 ...
words: 0000: 000000ff


I recognized this shutdown-heralding popup as similar to what a Sasser infection would do, but had long since forgotten the "shutdown -a" response. As such, I panicked and tried to open Task Manager to look for a rogue application that needed to be ended, but couldn't launch it anymore because Windows was shutting down.

When it rebooted, I used F8 to move to Safe Mode. Ran a MalwareBytes check, which turned up some stuff I quarantined and deleted.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wab (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


When I rebooted, however, it rebooted into Safe Mode. Tried it again, this time specifying "Start Windows Normally". Still, Safe Mode. This went on all night until I went to sleep, and all day today until I thought of fiddling with msconfig and unchecking the Safe Mode option from Boot.ini. Finally everything was back to normal, or so it seemed.

First, I noticed that my RocketDock was half program-specific icons [source files were GIFs, I think] and half ACDSee generic icons [source files were PNGs]. I opened Windows Explorer and ACDSee only to find out that only my GIFs and PSDs were still working like they should. While all my JPEGs and PNGs still had their original file sizes and names, they could not be opened, whether by Photoshop, ACDSee, Microsoft Picture Manager, Picture Viewer, or Windows Picture and Fax Viewer. They also all had a Last Modified date of 1/3/2010. Even my Firefox interface is missing buttons. Oddly enough, a handful of the JPEGs were still viewable as normal. Additionally, my screen saver [which runs a slide show of JPEGs from a specified folder] works perfectly fine.

Of interest is that I could not register browseui.dll via "regsvr32 browseui.dll", if that means anything [Return Code was: 0x80004005].

To make matters worse, after spending the afternoon thinking it was only images that had seemingly been affected, I tried opening an Excel and a Word file, only to be told "The file is not in a recognizable format." [Excel] and "Microsoft Word needs a converter to display this file correctly." Video files play fine, but MP3/music files do not.

Aside from swearing a lot, I've spent the afternoon and evening running a MBAM scan [log posted below] and a Sophos Sasser scan [nothing found], and am currently 80% of the way into an Avira Antivir scan. Nothing has been found on C:\, which is good and bad -- the latter because it means that all this isn't necessarily due to something that can be removed to solve the problem.

EDIT: Avira Antivir scan finished.

AVIRA log:



Avira AntiVir Personal
Report file date: Monday, January 04, 2010 19:26

Scanning for 1496501 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : TCS-4357A6CF1B7

Version information:
BUILD.DAT : 9.0.0.418 21723 Bytes 12/2/2009 16:28:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 11/20/2009 07:34:17
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 19:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 20:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 19:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 07:34:14
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 06:22:20
VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 06:22:22
VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 06:22:25
VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 06:22:26
VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 06:22:26
VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 06:22:27
VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 06:22:27
VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 06:22:27
VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 06:22:30
VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 06:22:31
VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 06:22:31
VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 06:22:34
VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/2009 06:12:56
VBASE014.VDF : 7.10.1.128 197632 Bytes 11/30/2009 05:25:41
VBASE015.VDF : 7.10.1.178 195584 Bytes 12/7/2009 06:36:17
VBASE016.VDF : 7.10.1.224 183296 Bytes 12/14/2009 07:29:40
VBASE017.VDF : 7.10.1.247 182272 Bytes 12/15/2009 07:29:54
VBASE018.VDF : 7.10.2.30 198144 Bytes 12/21/2009 07:30:53
VBASE019.VDF : 7.10.2.63 187392 Bytes 12/24/2009 20:45:03
VBASE020.VDF : 7.10.2.93 195072 Bytes 12/29/2009 20:45:29
VBASE021.VDF : 7.10.2.94 2048 Bytes 12/29/2009 20:45:30
VBASE022.VDF : 7.10.2.95 2048 Bytes 12/29/2009 20:45:30
VBASE023.VDF : 7.10.2.96 2048 Bytes 12/29/2009 20:45:32
VBASE024.VDF : 7.10.2.97 2048 Bytes 12/29/2009 20:45:33
VBASE025.VDF : 7.10.2.98 2048 Bytes 12/29/2009 20:45:34
VBASE026.VDF : 7.10.2.99 2048 Bytes 12/29/2009 20:45:34
VBASE027.VDF : 7.10.2.100 2048 Bytes 12/29/2009 20:45:35
VBASE028.VDF : 7.10.2.101 2048 Bytes 12/29/2009 20:45:36
VBASE029.VDF : 7.10.2.102 2048 Bytes 12/29/2009 20:45:37
VBASE030.VDF : 7.10.2.103 2048 Bytes 12/29/2009 20:45:38
VBASE031.VDF : 7.10.2.112 130560 Bytes 1/3/2010 22:16:53
Engineversion : 8.2.1.122
AEVDF.DLL : 8.1.1.2 106867 Bytes 9/17/2009 06:37:54
AESCRIPT.DLL : 8.1.3.4 586105 Bytes 12/23/2009 07:32:26
AESCN.DLL : 8.1.3.0 127348 Bytes 12/11/2009 07:29:28
AESBX.DLL : 8.1.1.1 246132 Bytes 11/20/2009 07:34:16
AERDL.DLL : 8.1.3.4 479605 Bytes 12/2/2009 01:28:32
AEPACK.DLL : 8.2.0.3 422261 Bytes 11/8/2009 20:40:24
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 6/27/2009 19:47:34
AEHEUR.DLL : 8.1.0.189 2195833 Bytes 12/23/2009 07:32:19
AEHELP.DLL : 8.1.9.0 237943 Bytes 12/18/2009 07:30:01
AEGEN.DLL : 8.1.1.82 369014 Bytes 12/23/2009 07:31:49
AEEMU.DLL : 8.1.1.0 393587 Bytes 10/5/2009 02:12:20
AECORE.DLL : 8.1.9.1 180598 Bytes 12/11/2009 07:29:13
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 23:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 17:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 9/10/2009 03:27:08
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 23:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 19:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/25/2009 00:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 19:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/29/2009 00:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 17:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 19:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/16/2009 00:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 11/20/2009 07:34:11

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, E:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Monday, January 04, 2010 19:26

Starting search for hidden objects.
'45843' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'Photoshop.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'ACDSee32.exe' - '1' Module(s) have been scanned
Scan process 'cmd.exe' - '1' Module(s) have been scanned
Scan process 'RocketDock.exe' - '1' Module(s) have been scanned
Scan process 'Ymsgr_tray.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'utorrent.exe' - '1' Module(s) have been scanned
Scan process 'VisualTaskTips.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'billy.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'oldmcdonald.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'avgtray.exe' - '1' Module(s) have been scanned
Scan process 'DrvIcon.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'avgcsrvx.exe' - '1' Module(s) have been scanned
Scan process 'avgnsx.exe' - '1' Module(s) have been scanned
Scan process 'avgrsx.exe' - '1' Module(s) have been scanned
Scan process 'avgemc.exe' - '1' Module(s) have been scanned
Scan process 'WtSrv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PSIService.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avgwdsvc.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
46 processes with 46 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '61' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
Begin scan in 'E:\' <E:>
E:\Mike\Interest\WritingBooks\CliffsAP.English.Language.and.Composition.eBook-EEn.ZIP
[0] Archive type: ZIP
--> CliffsAP.English.Language.and.Composition.eBook-EEn/ecapelc2.zip
[1] Archive type: ZIP
--> CAPELC.R00
[2] Archive type: RAR
--> CliffsAP.English.Language.and.Composition.eBook-EEn\CELC072.png
[WARNING] No further files can be extracted from this archive. The archive will be closed
--> CliffsAP.English.Language.and.Composition.eBook-EEn/ecapelc3.zip
[1] Archive type: ZIP
--> CAPELC.R01
[2] Archive type: RAR
--> CliffsAP.English.Language.and.Composition.eBook-EEn\CELC142.png
[WARNING] No further files can be extracted from this archive. The archive will be closed
--> CliffsAP.English.Language.and.Composition.eBook-EEn/ecapelc4.zip
[1] Archive type: ZIP
--> CAPELC.R02
[2] Archive type: RAR
--> CliffsAP.English.Language.and.Composition.eBook-EEn\CELC210.png
[WARNING] No further files can be extracted from this archive. The archive will be closed
--> CliffsAP.English.Language.and.Composition.eBook-EEn/ecapelc5.zip
[1] Archive type: ZIP
--> CAPELC.R03
[2] Archive type: RAR
--> CliffsAP.English.Language.and.Composition.eBook-EEn\CELC278.png
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed


End of the scan: Monday, January 04, 2010 23:14
Used time: 3:48:22 Hour(s)

The scan has been done completely.

9534 Scanned directories
561434 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
561433 Files not concerned
2362 Archives were scanned
6 Warnings
1 Notes
45843 Objects were scanned with rootkit scan
0 Hidden objects were found


MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 3261
Windows 5.1.2600 Service Pack 2

1/4/2010 6:47:34 PM
mbam-log-2010-01-04 (18-47-34).txt

Scan type: Quick Scan
Objects scanned: 120948
Time elapsed: 1 hour(s), 6 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


... help.

Edited by darkheart, 04 January 2010 - 12:56 PM.



#2 darkheart

  • Topic Starter

Posted 06 January 2010 - 01:13 PM

UPDATE [can't seem to edit the first post]

As of today, MBAM and Avira declare the computer all clear and I no longer have the browseui.dll issue.

However,

While I can view:

WMV
AVI
GIF
PSD
XP-style folder thumbnail with 4 image thumbnails representing images within the folder
JPEG files from any date, run by the Windows "My Pictures" Screensaver
some JPEG files created on January
JPEG files from other sources [CD, etc]

The following do not work:

JPG/JPEG, [thumbnails cannot be viewed in Explorer] or actual files
Excel files ["The file is not in a recognizable format."]
Word files ["Microsoft Word needs a converter to display this file correctly."]
MP3 [WMPlayer, or Media Player Classic -- "Cannot render the file"]

all of which retain their original filenames AND sizes, but have a Last Modified date of January 3, 2010 regardless of where they originally came from.

In the meantime, I can seemingly go online perfectly normally with no crashing or redirecting, so I guess there's that to be thankful for. However, my Firefox interface is missing buttons for its add-ons.

I'm still [1] mystified as to what brought this on and [2] desperate to get my files recognized again so I can back them all up.

Can somebody tell me what could've happened here, and what I can do to get my stuff back up and running?

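A file that keeps its name and size but is refused by every viewer usually has a damaged header, so a quick way to sort the affected files from the intact ones is to compare each file's first bytes with the signature its extension implies. The script below is an added triage helper, not darkheart's code or anything from the thread; its signature table is a general one that goes beyond the formats listed above, and the sample bytes in the test are constructed.

```python
"""Triage helper: flag files whose leading bytes no longer match the
signature their extension implies (e.g. a .jpg that does not start
with FF D8 FF). It only reads and reports; it never modifies files."""
from pathlib import Path

# Well-known leading-byte signatures per extension (general table,
# not limited to the formats mentioned in the thread).
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Office 97-2003 compound file
MAGIC = {
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
    ".psd":  [b"8BPS"],
    ".xls":  [OLE2],
    ".doc":  [OLE2],
    ".mp3":  [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],  # ID3v2 tag or frame sync
}


def classify(name, head):
    """Return 'ok', 'mismatch' or 'unknown' for a filename and its first bytes.
    'unknown' means the extension is not in the table, so nothing was checked."""
    sigs = MAGIC.get(Path(name).suffix.lower())
    if sigs is None:
        return "unknown"
    return "ok" if any(head.startswith(s) for s in sigs) else "mismatch"


def triage_bytes(samples):
    """samples: dict of filename -> leading bytes (16 is enough for the table).
    Returns the sorted names whose header does not match their extension."""
    return sorted(n for n, h in samples.items() if classify(n, h) == "mismatch")


def triage_files(paths):
    """Read the first 16 bytes of each real file and run triage_bytes over them."""
    samples = {}
    for p in map(Path, paths):
        with open(p, "rb") as f:
            samples[str(p)] = f.read(16)
    return triage_bytes(samples)


if __name__ == "__main__":
    import sys
    # Usage: python triage.py C:\path\to\file1.jpg C:\path\to\file2.xls ...
    for name in triage_files(sys.argv[1:]):
        print(f"{name}: header does not match extension")
```

Files it flags can be compared byte-for-byte against a known-good copy of the same format to see whether only the header or the whole content was overwritten; work on copies so the originals stay available for recovery tools.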
#3 darkheart

  • Topic Starter

Posted 11 January 2010 - 07:52 AM

Anyone?
