
Virus? Trojan? Malware? All of the above?


  • This topic is locked
17 replies to this topic

#1 ldj9575

ldj9575

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:48 AM

Posted 11 January 2010 - 04:27 AM

Hi,

In desperate need of help.

Running WinVista SP1. Antivirus is Blink Personal Version 4.5.1, Rule version 1558, AntiVirus Version 1.0.875.

Windows Defender disabled at startup. Multiple DLL errors at startup also. Installer.exe and restore point services are disabled.

Seeing multiple suspicious call attempts, identity theft through domain mismatch attempts, malware, and fake antivirus install\security center alerts; getting some type of hit in Blink approximately once a minute. Earlier I was completely unable to launch Firefox or Internet Explorer; Blink would stop all browser launches and give an Application alert. This was one of the first major issues I experienced, and it was synonymous with the appearance of links for pornotube.com, nudetube.com, and youporn.com on my desktop. Right after this, IE launched but was direct to porn sites instead of the page (google, etc) I was trying to access. I use Firefox as default browser. Eventually I was able to access both browsers more or less normally, but I'm not sure how I accomplished this or even if my efforts had anything to do with it.

The installer is disabled, so I'm not able to install new malware scanners from executable files saved to the PC, although I was able to run HijackThis. Have tried running installers as Administrator and in XP SP2 compatibility mode. Both options fail; Compat mode is simply greyed out, and the Admin option times out after approx. 10 seconds.

Below is the HijackThis log. Please help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:02 AM, on 1/11/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\schtasks.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Javatto\AppData\Local\Temp\settdebugx.exe
C:\Program Files\eEye Digital Security\Blink\Blink.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Users\Javatto\AppData\Local\Temp\wscsvc32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [settdebugx.exe] C:\Users\Javatto\AppData\Local\Temp\settdebugx.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Javatto\AppData\Local\Temp\rqrrq.dll,#1
O4 - HKCU\..\Run: [MS Juan] rundll32 "C:\Users\Javatto\AppData\Local\Temp\prrgeakb.dll",run
O4 - HKCU\..\Run: [d6147884] rundll32.exe "C:\Users\Javatto\AppData\Local\Temp\aotofxto.dll",b
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Javatto\AppData\Local\Temp\vtsqn.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Blink.lnk = C:\Program Files\eEye Digital Security\Blink\Blink.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Filter hijack: text/html - {72D50253-BE71-4c85-9B38-6331E5AD1499} - C:\Program Files\eEye Digital Security\Blink\IEMimeFilter.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: eEye Blink Engine (blinksvc) - eEye Digital Security - C:\Program Files\eEye Digital Security\Blink\Blinksvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eEye Application Bus (eeyeevnt) - eEye Digital Security - C:\Program Files\Common Files\eEye Digital Security\Application Bus\eeyeevnt.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 12676 bytes
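The O4 lines in the log above are the autorun entries a helper reads first, and four of them launch an executable or a rundll32-loaded DLL straight out of the user's Temp folder. The following is an added Python example, not part of HijackThis or of this thread, that parses O4 lines and flags those patterns so the suspect entries stand out from the vendor noise. The sample lines are copied from the log above; the heuristics (Temp-folder launch, rundll32 loading from Temp, hex-looking entry name) are this example's own choices, not HijackThis rules.

```python
"""Triage HijackThis O4 (autorun) entries for the red flags visible in the
log above. Added example; the sample lines are taken from the posted log."""
import re
from dataclasses import dataclass

# Registry-style O4 line: "O4 - HKCU\..\Run: [name] command (User 'X')";
# the trailing "(User '...')" part is optional.
REG_O4 = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder O4 line: "O4 - Global Startup: name.lnk = command"
FOLDER_O4 = re.compile(r"^O4 - (?P<key>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.*)$")

# Per-user temp folders on Vista+ and XP respectively.
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Local Settings\\Temp)\\", re.I)
# rundll32 invocation; captures the DLL path up to the export name.
RUNDLL = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)', re.I)
HEX_NAME = re.compile(r"[0-9a-f]{6,}")

REASON_TEMP = "launched from a user Temp directory"
REASON_RUNDLL_TEMP = "rundll32 loads a DLL from a user-writable Temp directory"
REASON_RANDOM_NAME = "autorun name is a random-looking hex string"


@dataclass
class Finding:
    name: str
    command: str
    reasons: list


def parse_o4(line):
    """Return (name, command) for an O4 line, or None for any other line."""
    m = REG_O4.match(line) or FOLDER_O4.match(line)
    if not m:
        return None
    return m.group("name"), m.group("cmd")


def assess(name, command):
    """Apply the heuristics; an empty list means nothing stood out."""
    reasons = []
    if TEMP_DIR.search(command):
        reasons.append(REASON_TEMP)
    r = RUNDLL.match(command)
    if r and TEMP_DIR.search(r.group("dll")):
        reasons.append(REASON_RUNDLL_TEMP)
    if HEX_NAME.fullmatch(name):
        reasons.append(REASON_RANDOM_NAME)
    return reasons


def triage(lines):
    """Walk a log and return the O4 entries that trip at least one heuristic."""
    findings = []
    for line in lines:
        parsed = parse_o4(line.strip())
        if parsed is None:
            continue
        name, cmd = parsed
        reasons = assess(name, cmd)
        if reasons:
            findings.append(Finding(name, cmd, reasons))
    return findings


# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [settdebugx.exe] C:\Users\Javatto\AppData\Local\Temp\settdebugx.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Javatto\AppData\Local\Temp\rqrrq.dll,#1
O4 - HKCU\..\Run: [MS Juan] rundll32 "C:\Users\Javatto\AppData\Local\Temp\prrgeakb.dll",run
O4 - HKCU\..\Run: [d6147884] rundll32.exe "C:\Users\Javatto\AppData\Local\Temp\aotofxto.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - Global Startup: Blink.lnk = C:\Program Files\eEye Digital Security\Blink\Blink.exe
O1 - Hosts: ::1 localhost
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.strip().splitlines()):
        print(f"[{f.name}] {f.command}")
        for reason in f.reasons:
            print("    -", reason)
```

Run against the sample it reports exactly the four HKCU entries under C:\Users\Javatto\AppData\Local\Temp and nothing from the HP, NVIDIA or LOCAL SERVICE lines; the NvCplDaemon entry shows why the rundll32 rule keys on the DLL's location rather than on rundll32 itself.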






#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:48 PM

Posted 16 January 2010 - 01:47 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log

Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 ldj9575

ldj9575
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:48 AM

Posted 20 January 2010 - 03:29 PM

The problem has changed in nature and grown significantly worse.

Between the time I first posted about my issue and the time I received a response (approximately one week), the multiple popups, porn links, and false security warnings seem to have stopped completely. However, the tradeoff is that I lost access to Task Manager, and internet access once again became increasingly unreliable (still being flagged in Blink, misdirected Google links, and a "server unavailable" message any time I attempted to access any portion of bleepingcomputer.com despite being able to pull up the website on another PC at the same time). Finally, yesterday, all user profiles and all versions of Safe Mode (with/without network prompt, etc.) drop the GUI after the logon prompt: no Windows Explorer, no desktop, etc. Other than the mouse pointer, there is nothing at all visible; just a blank black screen with no icons, no task bar, etc. CTRL + ALT + DEL doesn't show Task Manager as an option any longer, so I can't try to manually start the explorer.exe process.

In desperation, last night I started HP's recovery process. I know little about it other than its claim to restore my PC's factory settings; I'm not even sure how comprehensive that is. As part of the process, the PC is backing up personal files (music, video, documents, program files, and various executables) to an external USB hard drive. This copying process ran for around 15 hours last night into this morning, with no end in sight. Hopefully it will be finished by the time I get home tonight and I can proceed to the rest of the recovery process, which I presume will restore WinVista to its factory settings and eliminate the virus issues I'm experiencing. If not, and so long as the backup of my personal files is successful and I can verify they're clean, I'm prepared to completely wipe the hard drive and reinstall the operating system from scratch.

I appreciate the effort put into examining my problem and suggesting a solution, but I can see no way to even attempt to implement the fix without access to the user interface provided by Windows Explorer. If I'm missing something (like a back door into the registry via command prompt, allowing some sort of tweak, maybe??), please let me know; I plan to check back here from home tonight on another computer before I allow the recovery process to proceed.

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:48 PM

Posted 20 January 2010 - 03:38 PM

Yes, there are various ways to get back onto your desktop.

Do you see the mouse cursor when it stops booting?

Let me know if you still need help!

regards, Elise




#5 ldj9575

ldj9575
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:48 AM

Posted 20 January 2010 - 04:58 PM

Do you mean the mouse pointer?? Yes, I still had the pointer after logging onto my profile; in fact, that's the only thing showing at all. If there is a way to get in and attempt a fix rather than a complete reinstall, I'm all for it; however, I'd prefer to at least allow the personal files backup to complete before making the attempt. I'm at work now; I should get home around 5:30 CST, around 90 minutes from now. If you're still online at that time, I can try to back-and-forth with you through my other PC. If you won't be available then, perhaps you could post methods of regaining my desktop now so that I have the information when I'm in front of the PC??

I appreciate your efforts.

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:48 PM

Posted 21 January 2010 - 02:53 AM

Okay, for the best investigation, we need to download a rather large ISO file (I believe it's around 600 MB) and burn that to a CD. If you are not able to download and burn this ISO to a CD, let me know and I will find a workaround.

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programs to download

First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn it to a CD using ISO Burner. NOTE: This file is 292 MB in size, so it may take some time to download.
  • When downloaded, double click it and this will then open ISOBurner to burn the file to CD.
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Non-Microsoft
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\_OTL\MovedFiles
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

Edited by elise025, 21 January 2010 - 02:54 AM.

regards, Elise




#7 ldj9575

ldj9575
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:48 AM

Posted 21 January 2010 - 08:13 AM

The ISO burner appears to have installed correctly, but I'm having difficulty downloading OTLPE.iso successfully.

I've tried several times, and while the download appears to finish, I keep getting files of differing sizes, none of which is 292 MB as you've indicated. When the download is running, Firefox consistently indicates the full file size is 270 MB; however, I've gotten seemingly complete files which were 122, 148, and 223 MB in size.

Will try again at work in case the download process is being interrupted through my home connection for some reason; I'm on DSL at home but have a T3 connection (I think) at work. Assuming I get the full download, I'll burn the ISO to a CD as you've indicated and try again tonight.

Also, and not that this is something you'd necessarily need to know since you didn't recommend it, but my day-long backup process initiated through HP's recovery utility seems to have utterly failed; there's nothing resembling a backup file or any of my personal files such as music, documents, etc. on the external hard drive I used. The recovery utility indicated the backup was successful, but I can't see any evidence that it's right.

Keeping at it....

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:48 PM

Posted 21 January 2010 - 09:22 AM

I can only guess as to what is the problem with the iso file, but I think it might be a connection interruption.

Let me know if you are still having the problem.

regards, Elise




#9 ldj9575

ldj9575
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:48 AM

Posted 21 January 2010 - 11:24 AM

Yep, still having problems from the work PC. After downloading about 30 MB of the file, the download aborted and I got the following error message:

C:\Documents and Settings\XXXXXX\Desktop\OTLPE.iso.part could not be saved, because the source file could not be read.
Try again later, or contact the server administrator.

#10 ldj9575

ldj9575
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:48 AM

Posted 21 January 2010 - 01:38 PM

Update: I've now encountered the download failure on OTLPE.iso on three different PCs over the course of around six or seven hours. My 2nd PC at home didn't give the "source file could not be read/contact admin" error message, but the two PCs here at work did. Is there a problem with the host server for that file?? Should we attempt a different workaround for my issue?? Awaiting word....

Edited by ldj9575, 21 January 2010 - 01:39 PM.


#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:48 PM

Posted 21 January 2010 - 01:54 PM

I put this problem up to the developer of OTLPE (my own connection is not too fast, so I can't check it out).

If we don't get this worked out in a timely manner we will just try something else.

My apologies for the delay.

regards, Elise




#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:48 PM

Posted 21 January 2010 - 02:21 PM

OTLPE's developer replied back and told me there are no issues with the download link.

However, you have to make sure, when you save the download, that the file type is set to "all files". There have been issues when ISOBurner is already installed; it wants to pre-set the file type.

Also do not use a download manager, just download it directly.

regards, Elise




#13 ldj9575

ldj9575
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:48 AM

Posted 21 January 2010 - 02:36 PM

I tried using Internet Explorer 8.0.6001.18702 instead of Firefox (which was used during the download failures on all 3 PCs). I right-clicked on your link, chose "Save Target As...", and set the file type to "All Types". 25.4 MB of the file was downloaded, and then the download crashed and IE gave the following error message:

"Internet Explorer cannot download OTLPE.iso from oldtimer.geekstogo.com. The connection with the server was reset."

That's four download failures across two web browsers on three PCs. Is the developer absolutely sure there's no link issue?? Is there an alternative link I could try??

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,816 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:48 PM

Posted 21 January 2010 - 03:48 PM

I double-checked with a few people; the link is okay. It might be your internet connection having problems (disconnecting/reconnecting).

To avoid a lot of trying, let's see if we can find a work-around.

Do you know of any rogue program that was on your computer just before the logon/logoff problems started? (for example, Internet Security 2010, Malware defense, Antivirus Live).

Some of such rogues modify the userinit registry value, so that, once "their" file is removed, your computer can no longer log on.

If I know there was such an application on your computer, I also know what file to modify in order to get us logging on again.

regards, Elise


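Elise's point about the userinit value can be checked mechanically. The following is an added Python example, not from this thread and not part of OTLPE, GMER or any other tool mentioned here. It parses the Winlogon Userinit and Shell values, reports any entry that is not the system userinit.exe or that names a file no longer on disk (the exact situation she describes, where the rogue's file has been removed but the value still points at it), and returns the stock value to put back. The rogue path and the file list are constructed for the demo, and the defaults assume a 32-bit Windows installed in C:\Windows.

```python
"""Audit the Winlogon Userinit/Shell values for the tampering described above.
Added example; the sample values below are constructed, not taken from the thread."""
import ntpath
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock values for a 32-bit Vista/7 install whose system root is C:\Windows
# (assumption; adjust for other system roots).
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"
EXPECTED_SHELL = "explorer.exe"


def split_userinit(value):
    """Userinit is a comma-separated program list that ends in a trailing comma."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def audit_winlogon(userinit, shell, file_exists):
    """Return (problems, repaired_userinit).

    file_exists is injected (path -> bool) so the audit runs offline against a
    constructed file list; on a live machine pass os.path.isfile.
    """
    problems = []
    saw_system_userinit = False
    for path in split_userinit(userinit):
        if ntpath.normcase(path) in (ntpath.normcase(EXPECTED_USERINIT), "userinit.exe"):
            saw_system_userinit = True
            continue
        if not file_exists(path):
            # The thread's scenario: the rogue was deleted but Userinit still
            # names it, so nothing runs after logon and the desktop never appears.
            problems.append(f"Userinit entry '{path}' points to a missing file; logon will stall")
        else:
            problems.append(f"Userinit entry '{path}' is not the system userinit.exe")
    if not saw_system_userinit:
        problems.append("system userinit.exe is absent from Userinit")
    if ntpath.normcase(shell) != EXPECTED_SHELL:
        problems.append(f"Shell is '{shell}' instead of '{EXPECTED_SHELL}'")
    return problems, EXPECTED_USERINIT + ","


# Constructed scenario: a rogue appended itself to Userinit and has since been
# removed from disk. The path is hypothetical, not one from the posted log.
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Users\Example\AppData\Local\Temp\rogue.exe,"
SAMPLE_SHELL = "explorer.exe"
SAMPLE_FILES = {ntpath.normcase(EXPECTED_USERINIT)}  # the only file "present"


def run_demo():
    """Audit the constructed scenario and return (problems, repaired value)."""
    return audit_winlogon(SAMPLE_USERINIT, SAMPLE_SHELL,
                          lambda p: ntpath.normcase(p) in SAMPLE_FILES)


def read_live_winlogon():
    """Read the real values (Windows only); the offline demo does not use it."""
    if sys.platform != "win32":
        raise RuntimeError("registry access requires Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
        shell, _ = winreg.QueryValueEx(key, "Shell")
    return userinit, shell


if __name__ == "__main__":
    problems, fixed = run_demo()
    for p in problems:
        print("PROBLEM:", p)
    print("Userinit should be:", fixed)
```

On a machine that no longer reaches the desktop, the values come from the offline SOFTWARE hive via a boot CD (the "load the remote registry" prompt in the OTLPE steps above does exactly that) rather than from read_live_winlogon(), which only works from inside a running Windows session.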


#15 ldj9575

ldj9575
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:48 AM

Posted 21 January 2010 - 04:01 PM

No, I can't recall (purposely) installing anything on the PC recently. I notice the examples you mentioned all sound very positive and security-oriented. Some of the popups I was getting in the first "stage" of the issue were telling me my computer wasn't protected, I had virus blah-blah-blah (never the same one twice), go here, install this, etc., so it's very possible something like that was installed at some point. But I don't have any idea which program it would be.



