

Windows XP startup issues


34 replies to this topic

#1 minwoo718


  • Members
  • 29 posts
  • OFFLINE
  • Local time:09:12 PM

Posted 16 February 2010 - 02:55 PM

I recently was infected with Antivirus Plus and removed it with Malware Bytes... or so I thought.
Then upon restarting, somehow Internet Security 2010 got onto my computer, so again, I used rkill.exe to kill the processes and run MBAM. It detected almost 100 things and tried to delete them. Every so often, it would tell me that the regedit was disabled so MBAM would enable it to delete the files. I was asked to restart to remove some files, so I did. I ran a quick scan, but once MBAM found an infected file, it froze. I quit the program and reopened it to do a full scan. Things were going fine until it discovered an infected file, and again, the program stopped responding, and I had to use the task manager to quit the program. Then my desktop shut down automatically and restarted again. Since that, my desktop's been cycling through the sick cycle of restarting, then shutting down, then starting up, and restarting about 15 seconds into the startup.
Is there a way to work around this?
I cannot even start in any kind of Safe Mode, and when I try, it tells me to start in Normal mode because Safe Mode won't work.
I thought I was close to removing the malicious programs, but now I can't even start my computer...
Any help would be appreciated...
Thank you!!!



#2 Farbar


    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:12 AM

Posted 16 February 2010 - 05:29 PM

Hi minwoo718,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

We need to make a boot CD.
  • Download Hiren's BootCD Iso to the desktop of the clean computer.
  • Extract the zipped HirensBootCD.zip to your desktop or to its folder.
  • Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
  • Insert a blank CD in your drive.
  • Press Start. This will burn the image to disc.

Let me know if it is done.

#3 minwoo718


Posted 17 February 2010 - 09:11 AM

Hello, I have successfully burned the CD and have not changed any settings on my desktop (it's not possible, since it won't stay on long enough....)

#4 Farbar


Posted 17 February 2010 - 12:50 PM

QUOTE
have not changed any settings on my desktop (it's not possible, since it won't stay on long enough..

You have changed enough (together with the malware) to make the computer unbootable.
And I meant don't change anything when you can, as we are going to boot the computer when those logs are ready.
  1. Insert the CD in the CD/DVD-ROM of the problematic computer and restart.
    • When the CD boots choose "Start MiniWindowsXP". Allow Windows to load. You will see a typical Windows Desktop.
    • You will be able to access your sick drive and save files/folders from here.

  2. Please download dds-bootcd.exe and save it to your flash drive.
    Then insert the flash drive into the infected computer and double-click on the program to run it. Save the log it creates and post it in your reply.




#5 minwoo718


Posted 17 February 2010 - 04:59 PM

Hahahaa, touché.


Sigh, I tried putting the burned disc in and start the computer, but as soon as it starts up, after about 45 seconds, it shuts off before I can even run any programs or start Windows the way you said... The computer either restarts on its own or just freezes. Every now and then, a Windows Installer window pops up and tries to install something, but it never succeeds, as the computer restarts before I can do anything.
Oy.

#6 Farbar


Posted 17 February 2010 - 05:09 PM

45 seconds is enough to boot into the CD, unless the BIOS is not set to boot from CD and is set to boot from the HD instead.

If your PC is not booting from the CD, you need to change the boot order:
  • Restart your PC
  • As soon as you get an image, press the Setup key. This is usually F2, F10, F12 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
  • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
  • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
  • The tab should now show your current boot order.
  • If the CD drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
  • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your CD.


#7 minwoo718


Posted 17 February 2010 - 11:02 PM

I am currently in awe of you right now.
Yes, the BIOS was set up to run from the HD first. I changed the order according to your directions.
I was able to get the requested file.
(attached and shown below)
Yikes, I'm worried about what this all means!!

DDS_BootCD_Version (Ver_09-10-04.01) - NTFSx86
Run at 22:59:06.09 on Wed 02/17/2010
Internet Explorer: 8.0.6001.18702

============== Pseudo HJT Report ===============

S-1-5-21-874574627-135449575-3207847200-1005_Start Page = hxxp://www.xanga.com/
S-1-5-21-874574627-135449575-3207847200-1005_Default_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0709&m=el1600
S-1-5-21-874574627-135449575-3207847200-1005_URLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.8.0.41\IPSBHO.DLL
BHO: {ef264031-a6f5-4639-9614-9fe8b0dd20b0} - rigebevu.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.8.0.41\IPSBHO.DLL
BHO: {ef264031-a6f5-4639-9614-9fe8b0dd20b0} - rigebevu.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFree.dll
S-1-5-21-874574627-135449575-3207847200-1005_Run: [ctfmon.exe] c:\windows\system32\ctfmon.exe
S-1-5-21-874574627-135449575-3207847200-1005_Run: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
S-1-5-21-874574627-135449575-3207847200-1005_Run: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [eRecoveryService]
mRun: [Vsemonusohomat] rundll32.exe "c:\windows\axucebepaguhey.dll",Startup
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim .exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
DPF: {575594D5-8974-4AFE-9919-8FE4AA687DEF} - hxxp://down.hangame.com/iservice/chat/NHNPlayer/nhnplayerx.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8DC067B8-911D-473A-90F1-1171B887CDE0} - hxxp://cyimg8.cyworld.com/ImageUpload/CyPictureU1233.cab?20081124
DPF: {B9B38E70-EEF6-4E3A-AE84-DDE59A053B7C} - hxxp://mail.daum.net/hanmail-ax/DaumActiveX/2_0_0_8/DaumActiveX.cab?ver=2,0,0,8
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CB5C683C-416A-4701-B018-0F1B21D64D6B} - hxxp://cyimg7.cyworld.com/cymusic/package/skcinst.cab
DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} - hxxp://touch.imbc.com/ActiveX/iMBCOnlineService.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://sa.bcps.org/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.8.0.41\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: app_dll.dll

================= FIREFOX ===================

FF - ProfilePath - c:\documents and settings\minna woo\application data\mozilla\firefox\profiles\v2i3rwca.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.blackle.com/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\minna woo\local settings\application data\yahoo!\browserplus\2.4.21\plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {C30319A7-8F6C-4CB7-A2BC-57C8E2F69EDC} - c:\documents and settings\minna woo\local settings\application data\{C30319A7-8F6C-4CB7-A2BC-57C8E2F69EDC}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

AdobeDriveCS4_NP; [x]
Ambfilt; system32\drivers\Ambfilt.sys
aswFsBlk; [x]
aswSP; [x]
ayohmkpkcjugouo; \??\c:\windows\system32\drivers\uccwlqeijksn.sys
BHDrvx86; \SystemRoot\System32\Drivers\NIS\1008000.029\BHDrvx86.sys
ccHP; \SystemRoot\System32\Drivers\NIS\1008000.029\ccHPx86.sys
EraserUtilRebootDrv; \??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys
ETService; c:\program files\emachines\emachines recovery management\service\ETService.exe
gupdate; "c:\program files\google\update\GoogleUpdate.exe" /svc
IDSxpx86; \??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090916.003\IDSxpx86.sys
jhuxnc; System32\drivers\hudgnjak.sys
MBAMSwissArmy; \??\c:\windows\system32\drivers\mbamswissarmy.sys
Norton Internet Security; "c:\program files\norton internet security\engine\16.8.0.41\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.8.0.41\diMaster.dll" /prefetch:1
SymEFA; system32\drivers\NIS\1008000.029\SYMEFA.SYS
tyxxssqj; [x]
{3910EEC2-D2BA-43B0-BB9C-7598263ABCFB}; [x]

=============== Created Last 30 ================

2010-02-17 21:55 <DIR> --d----- c:\windows\0DE3STUVKLABCDEF
2010-02-16 19:18 <DIR> --d----- c:\documents and settings\all users\application data\Alwil Software
2010-02-16 18:10 233,504 -------- c:\windows\system32\drivers\str.sys
2010-02-16 14:51 73,216 a------- c:\windows\system32\drivers\uccwlqeijksn.sys
2010-02-16 14:41 120 a------- c:\windows\Lcocujofulohoq.dat
2010-02-16 14:41 0 a------- c:\windows\Wliteduzuvifuk.bin
2010-02-16 05:09 4 a------- c:\program files\6752906.dat
2010-02-16 03:16 4 a------- c:\program files\1147328.dat
2010-02-16 03:07 <DIR> --d-h--- C:\$AVG
2010-02-16 03:06 <DIR> --d----- c:\program files\AVG
2010-02-16 03:06 <DIR> --d----- c:\documents and settings\all users\application data\avg9
2010-02-14 20:27 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-14 20:27 19,160 a------- c:\windows\system32\drivers\mbam.sys
2010-02-14 15:34 4 a------- c:\program files\729562.dat
2010-02-14 15:26 <DIR> --d----- c:\windows\system32\LogFiles

==================== Find3M ====================

2010-02-16 14:43 56,320 a------- c:\windows\system32\igfxpers.exe
2010-02-13 17:09 10,878 a------- c:\documents and settings\minna woo\application data\wklnhst.dat
2009-12-31 16:50 353,792 a------- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 916,480 a------- c:\windows\system32\wininet.dll
2009-12-16 18:43 343,040 a------- c:\windows\system32\mspaint.exe
2009-12-14 07:08 33,280 a------- c:\windows\system32\csrsrv.dll
2009-12-12 15:37 497,000 a------- c:\windows\system32\skcppl.dll
2009-12-12 15:37 460,136 a------- c:\windows\system32\skcbgm.dll
2009-12-12 15:37 144,744 a------- c:\windows\system32\skcef.dll
2009-12-12 15:37 144,744 a------- c:\windows\system32\skcbgmf1.dll
2009-12-12 15:37 38,248 a------- c:\windows\system32\ShortCutIcon.dll
2009-12-12 15:37 206,184 a------- c:\windows\system32\skcbgm.exe
2009-12-12 15:37 202,088 a------- c:\windows\system32\skcwmf.dll
2009-12-12 15:37 79,208 a------- c:\windows\system32\nppeeraod.dll
2009-12-12 15:37 66,920 a------- c:\windows\system32\CMListControl.dll
2009-12-08 19:26 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11 1,291,776 a------- c:\windows\system32\quartz.dll
2009-11-27 17:11 17,920 a------- c:\windows\system32\msyuv.dll
2009-11-27 16:07 28,672 a------- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 8,704 a------- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 84,992 a------- c:\windows\system32\avifil32.dll
2009-11-27 16:07 48,128 a------- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 11,264 a------- c:\windows\system32\msrle32.dll
2009-11-26 21:36 2,360,712 a------- c:\windows\system32\DaumActiveX.dll
2009-11-21 15:51 471,552 a------- c:\windows\apppatch\aclayers.dll
2009-07-18 05:12 262,144 a------- c:\documents and settings\all users\NTUSER.DAT
2009-04-22 18:13 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-07-18 05:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009071720090718\index.dat
2009-07-18 05:11 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-07-18 05:11 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-07-18 05:11 16,384 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

==== Installed Programs ======================

1600
1600_Help
1600Trb
Acrobat.com
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Illustrator CS4
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Reader 9.2
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
AiO_Scan
AiOSoftware
AntiVirus Plus
AOL Instant Messenger
avast! Free Antivirus
BufferChm
Choice Guard
Compatibility Pack for the 2007 Office system
Connect
Copy
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CreativeProjects
CreativeProjectsTemplates
CueTour
CyberLink Power2Go
CyberLink PowerDVD 8
Daum ActiveX ΔΑΖ®·Ρ - Daum ???? ????
Destinations
Director
DocProc
DocumentViewer
eMachines Games
eMachines Recovery Management
Fax
Freecorder Toolbar
GOM Player
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Image Zone 4.7
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Software Update
HPSystemDiagnostics
InstantShare
Intel® Graphics Media Accelerator Driver
Java™ 6 Update 5
Juniper Networks Host Checker
Juniper Networks Setup Client
Juniper Networks Setup Client Activex Control
Junk Mail filter update
kuler
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Firefox (3.5.7)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton Internet Security
PanoStandAlone
PDF Settings CS4
PhotoGallery
Photoshop Camera Raw
ProductContext
QFolder
Readme
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Scan
ScannerCopy
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Segoe UI
SkinsHP1
Spelling Dictionaries Support For Adobe Reader 9
Suite Shared Configuration CS4
TrayApp
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
WebReg
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Yahoo! BrowserPlus

============= FINISH: 22:59:25.85 ===============

Attached Files

  • Attached File  DDS.txt   19.8KB   8 downloads
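
The DDS report above is what the helper reads to decide which entries the later fix removes. As an added example that is not part of this thread, the Python below parses the Pseudo HJT and SERVICES / DRIVERS sections of a DDS log and flags the entry classes a removal helper looks for: a BHO registered by bare filename, a rundll32 autorun loading a DLL straight from the Windows directory, Trusted Zone additions, a populated AppInit_DLLs value, and services whose names or driver filenames look machine-generated. The sample log is constructed from lines of the report above; the rule names and the name-randomness heuristic are my own assumptions, not anything DDS computes.

```python
import re

# Constructed sample: a handful of lines in the DDS report format seen in this thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll
BHO: {ef264031-a6f5-4639-9614-9fe8b0dd20b0} - rigebevu.dll
mRun: [Vsemonusohomat] rundll32.exe "c:\windows\axucebepaguhey.dll",Startup
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
Trusted Zone: buy-internetsecurity10.com
AppInit_DLLs: app_dll.dll
============= SERVICES / DRIVERS ===============
Ambfilt; system32\drivers\Ambfilt.sys
ayohmkpkcjugouo; \??\c:\windows\system32\drivers\uccwlqeijksn.sys
jhuxnc; System32\drivers\hudgnjak.sys
MBAMSwissArmy; \??\c:\windows\system32\drivers\mbamswissarmy.sys
tyxxssqj; [x]
"""

VOWELS = set("aeiou")
# "BHO: <optional name>: {guid} - <dll>"; legitimate entries carry a name and a full path.
BHO_RE = re.compile(r"^BHO:\s*(?:(?P<name>.+?):\s*)?\{(?P<guid>[0-9a-f-]+)\}\s*-\s*(?P<target>.+)$", re.I)
# "mRun: [value name] command" or "<SID>_Run: [value name] command"
RUN_RE = re.compile(r"^(?:mRun|\S+_Run):\s*\[(?P<key>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
DLL_RE = re.compile(r'([a-z]:\\[^",]+\.dll)', re.I)


def looks_random(name):
    """Crude heuristic (my assumption, not a DDS feature) for generated names such as
    'ayohmkpkcjugouo': all-lowercase letters, 5+ long, with a run of 4+ consonants or very
    few vowels. It misses names like 'axucebepaguhey'; the location rules below catch those."""
    if len(name) < 5 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(c in VOWELS for c in name)
    longest = run = 0
    for c in name:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4 or vowels / len(name) < 0.2


def _check_hjt(line):
    """Rules for the Pseudo HJT section; returns a list of (rule, detail) findings."""
    m = BHO_RE.match(line)
    if m and "\\" not in m["target"]:
        # A BHO given by bare filename is resolved through the DLL search path, hiding its real location.
        return [("bho-no-path", f"BHO {m['guid']} registered by bare filename {m['target']}")]
    m = RUN_RE.match(line)
    if m and "rundll32" in m["cmd"].lower():
        d = DLL_RE.search(m["cmd"])
        # Legitimate rundll32 autoruns load from system32 or program folders, not c:\windows itself.
        if d and re.fullmatch(r"[a-z]:\\windows", d.group(1).rsplit("\\", 1)[0], re.I):
            return [("rundll32-windows-root", f"autorun [{m['key']}] loads {d.group(1)} via rundll32")]
        return []
    if line.lower().startswith("trusted zone:"):
        # Rogue AV families add their payment domains to the Trusted Zone to relax IE security.
        return [("trusted-zone", line.split(":", 1)[1].strip())]
    if line.lower().startswith("appinit_dlls:"):
        # Anything listed here is injected into every process that loads user32.dll.
        value = line.split(":", 1)[1].strip()
        return [("appinit-dlls", value)] if value else []
    return []


def _check_service(line):
    """Rules for the SERVICES / DRIVERS section ("name; image path", or "name; [x]" if missing)."""
    name, sep, image = line.partition(";")
    if not sep:
        return []
    name, image = name.strip(), image.strip()
    # Driver filename without directory or extension, e.g. 'uccwlqeijksn'
    stem = "" if image == "[x]" else image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if looks_random(name) or looks_random(stem):
        return [("random-service", f"{name} -> {image}")]
    return []


def triage(log_text):
    """Walk a DDS log, dispatching each line to the checker for the section it sits in."""
    findings, section = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):  # section banner such as "==== SERVICES / DRIVERS ===="
            section = line.strip("= ").upper()
            continue
        if section.startswith("PSEUDO HJT"):
            findings.extend(_check_hjt(line))
        elif section.startswith("SERVICES"):
            findings.extend(_check_service(line))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

Every flagged entry is a lead for review, not a verdict; the heuristic deliberately stays quiet on legitimate oddly-named drivers such as MBAMSwissArmy.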


#8 Farbar


Posted 18 February 2010 - 04:54 PM

Windows was updated on February 8. It is not clear whether this was done after the infection or before it. We are going to remove one of the patches along with some infected files. The patch is known to cause trouble if it is installed while the system is infected.

In the next post, when you have provided the log, we are going to replace a system file that is often patched by a rootkit and is also known for creating boot problems.

When you can boot, the first thing you should do is disconnect from the internet and disable Windows Update. To do that:
  • Go to start -> Control Panel -> double-click System to open it.
  • Go to the Automatic Updates tab.
  • Select the "Turn off Automatic Updates" box.
  • Click Apply and then OK.
  • Important: Reboot.

**********
**********

  1. Insert your flash drive into the clean computer.
    On the clean computer run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    CODE
    @echo off
    rem Record which script ran, starting a fresh log.txt next to it
    echo %0 >log.txt
    rem Stage the uninstaller for hotfix KB977165 at the root of C: so it can be run from the boot CD
    copy /y "C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.txt" c:\spuninst.bat >>log.txt 2>&1
    attrib -r -h -s c:\spuninst.bat
    rem Load the offline SOFTWARE hive and restore the default Userinit value (the trailing comma matches the default)
    Reg load HKLM\99 c:\windows\system32\config\software >>log.txt 2>&1
    Reg add "HKLM\99\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d  C:\WINDOWS\system32\userinit.exe, /f >>log.txt 2>&1
    Reg unload HKLM\99  >>log.txt 2>&1
    rem Load the offline SYSTEM hive and remove the three rogue services from the DDS log
    Reg load HKLM\88 c:\windows\system32\config\system >>log.txt 2>&1
    reg delete HKLM\88\ControlSet001\Services\ayohmkpkcjugouo /f >>log.txt 2>&1
    reg delete HKLM\88\ControlSet001\Services\jhuxnc /f >>log.txt 2>&1
    reg delete HKLM\88\ControlSet001\Services\tyxxssqj /f >>log.txt 2>&1
    Reg unload HKLM\88 >>log.txt 2>&1
    rem Delete the malicious files named in the DDS log
    del /a /f /q c:\windows\axucebepaguhey.dll
    del /a /f /q c:\windows\system32\drivers\uccwlqeijksn.sys
    del /a /f /q c:\windows\System32\drivers\hudgnjak.sys
    del /a /f /q c:\windows\Lcocujofulohoq.dat
    del /a /f /q c:\windows\Wliteduzuvifuk.bin
    rem List every copy of userinit.exe, atapi.* and iastor.* on C: (and atapi.* on the boot CD) so the copies can be compared
    dir /a /s c:\userinit.exe >>log.txt 2>&1
    dir /a /s c:\atapi.*>>log.txt 2>&1
    dir /a /s c:\iastor.* >>log.txt 2>&1
    dir /a /s x:\atapi.*>>log.txt 2>&1
    rem Remove the unnamed BHO's DLL from either location it may be in
    del /a /f /q c:\windows\System32\rigebevu.dll
    del /a /f /q c:\windows\rigebevu.dll

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: flash drive
    • Fill in File name: dirlook.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.

  2. While you are booted to the boot CD, insert your flash drive into the infected computer.
    Go to your flash drive and double-click on dirlook.bat to run it. Run it just once. A log.txt file will be created on your flash drive.
    Post the content of it later on in your reply.

  3. Go to the root of C drive (c:\) and open it.
    Locate spuninst.bat and double click it to run it. Run it just once.

  4. Now restart the computer, remove the CD or select Boot from Hard Drive and let Windows boot normally.
    In case Windows doesn't boot, tell me exactly what you see from the moment you start the computer:
    Does it get to the Windows logo and the Windows loading bar? Does it get to the welcome screen or the log-on screen? etc.


#9 minwoo718


Posted 19 February 2010 - 12:27 AM

Here is what I did.
I started my infected computer with the CD and started in miniXP again.
I tried locating the steps for turning off the automatic updates like you said:
* Go to start -> Control Panel -> double-click System to open it.
* Go to the Automatic Updates tab.
* Select the "Turn off Automatic Updates" box.
* Click Apply and then OK.
* Important: Reboot.
I was not able to locate this. When I got to the System folder, I could not find any tabs for turning off Automatic Updates.

I copied the txt and saved as dirlook.bat. I copied this to a flash drive and ran it on the infected computer. A screen came up and told me that several of the files could not be found... I could not copy that text but I think it said that it couldn't find the files from these lines:
del /a /f /q c:\windows\system32\drivers\uccwlqeijksn.sys
del /a /f /q c:\windows\System32\drivers\hudgnjak.sys
del /a /f /q c:\windows\Lcocujofulohoq.dat
del /a /f /q c:\windows\Wliteduzuvifuk.bin

I tried running the spuninst.bat once and then restarted in Hard Drive mode. I was able to hear a beep and see the Windows XP startup screen for a split second before the computer shuts off, restarts, and asks me again if I want to start in Safe or Normal mode. I can't start in Safe mode, and when I start in Normal, it shuts off again....

#10 Farbar


Posted 19 February 2010 - 02:11 AM

QUOTE
I tried locating the steps for turning off the automatic updates like you said:

This is a misunderstanding. You can't disable Windows update from there. You should first be able to boot.

What I said was:
QUOTE
When you can boot, the first thing you should do is disconnect from the internet and disable Windows update.


Now please post the content of the log.txt from step 2. It is on your flash drive.

#11 minwoo718

minwoo718
  • Topic Starter

  • Members
  • 29 posts
  • Local time:09:12 PM

Posted 19 February 2010 - 08:34 AM

"D:\dirlook.bat"
1 file(s) copied.

The operation completed successfully

The operation completed successfully

The operation completed successfully

The operation completed successfully

Error: The system was unable to find the specified registry key or value

Error: The system was unable to find the specified registry key or value

Error: The system was unable to find the specified registry key or value

The operation completed successfully
Volume in drive C is OS
Volume Serial Number is 848C-C1BC

Directory of c:\WINDOWS\system32

04/14/2008 12:00 PM 26112 userinit.exe
1 File(s) 26112 bytes

Directory of c:\WINDOWS\system32\dllcache

04/14/2008 12:00 PM 26112 userinit.exe
1 File(s) 26112 bytes

Total Files Listed:
2 File(s) 52224 bytes
0 Dir(s) 129390157824 bytes free
Volume in drive C is OS
Volume Serial Number is 848C-C1BC

Directory of c:\i386

04/14/2008 12:00 PM 50028 ATAPI.SY_
1 File(s) 50028 bytes

Directory of c:\WINDOWS\system32\dllcache

04/14/2008 12:00 PM 96512 atapi.sys
1 File(s) 96512 bytes

Directory of c:\WINDOWS\system32\drivers

04/14/2008 12:00 PM 96512 atapi.sys
1 File(s) 96512 bytes

Directory of c:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386

04/14/2008 12:00 PM 96512 atapi.sys
1 File(s) 96512 bytes

Directory of c:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386

04/14/2008 07:10 AM 96512 atapi.sys
1 File(s) 96512 bytes

Total Files Listed:
5 File(s) 436076 bytes
0 Dir(s) 129390157824 bytes free
Volume in drive C is OS
Volume Serial Number is 848C-C1BC
File Not Found
Volume in drive X is MiniXP
Volume Serial Number is B0B6-63BA

Directory of x:\i386\System32\drivers

11/16/2009 10:53 PM 96512 atapi.sys
1 File(s) 96512 bytes

Total Files Listed:
1 File(s) 96512 bytes
0 Dir(s) 17399296 bytes free


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:12 AM

Posted 19 February 2010 - 10:16 AM

  1. Insert your flash drive to the clean computer.
    On the clean computer run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    CODE
    @echo off
    ren c:\windows\system32\drivers\atapi.sys atapi.sys.vir
    copy /y x:\i386\system32\drivers\atapi.sys c:\windows\system32\drivers >log.txt
    start log.txt

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: flash drive
    • Fill in File name: fix.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.

  2. While you are booted to the boot CD, insert your flash drive into the infected computer.
    Go to your flash drive and double-click on fix.bat to run it. Run it just once. A log.txt file will open. Tell me if it reads "1 file(s) copied".
    Only if that is the case, proceed with the next step.

  3. Now restart the computer, remove the CD or select Boot from Hard Drive, and let Windows boot normally.
    In case Windows doesn't boot, tell me exactly what you see from the moment you start the computer.
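Every copy of atapi.sys in the listing posted above is 96512 bytes, yet replacing only the one in system32\drivers with the boot CD's copy is what gets Windows booting again, so a size comparison of the kind `dir` gives cannot tell a patched driver from a clean one. The following is an added Python example, not code from the thread or from Farbar's tools; it hashes each on-disk copy against a known-clean reference, and the file paths and driver bytes it uses are constructed stand-ins.

```python
"""Compare each copy of a driver file against a known-clean reference by
SHA-256 rather than by size.  Added example; paths and bytes are constructed."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_copies(reference, candidates):
    """Return {path: (size, sha256, matches_reference)}; None if the path
    is missing, which mirrors the 'File Not Found' line in a dir listing."""
    ref_size = os.path.getsize(reference)
    ref_hash = sha256_of(reference)
    report = {}
    for path in candidates:
        if not os.path.exists(path):
            report[path] = None
            continue
        size = os.path.getsize(path)
        digest = sha256_of(path)
        report[path] = (size, digest, size == ref_size and digest == ref_hash)
    return report


def demo():
    """Constructed sample: a clean driver image plus a same-size patched copy."""
    clean = bytes(range(256)) * 4            # 1024 bytes standing in for atapi.sys
    patched = bytearray(clean)
    patched[512:520] = b"\xCC" * 8           # patched in place: size is unchanged
    d = tempfile.mkdtemp()
    ref = os.path.join(d, "x_i386_atapi.sys")     # clean copy, as from the boot CD
    live = os.path.join(d, "drivers_atapi.sys")   # the copy the system loads
    cache = os.path.join(d, "dllcache_atapi.sys")
    missing = os.path.join(d, "nonexistent.sys")
    for path, data in ((ref, clean), (live, bytes(patched)), (cache, clean)):
        with open(path, "wb") as f:
            f.write(data)
    report = compare_copies(ref, [live, cache, missing])
    # live and cache have the same size; only the hash separates them
    return {os.path.basename(k): v for k, v in report.items()}
```

On the real machine the reference would be the boot CD's x:\i386\System32\drivers\atapi.sys and the candidates the c:\ paths from the dirlook.bat listing.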


#13 minwoo718

minwoo718
  • Topic Starter

  • Members
  • 29 posts
  • Local time:09:12 PM

Posted 19 February 2010 - 08:10 PM

Hi,
Yes, I copied the file and ran it once. I opened it on the infected computer and it said that one file was copied.
I shut down and rebooted without the CD.
The WindowsXP screen came on, and I got to the login screen.
I had a RUNDLL error upon loading the desktop.
Error loading C:\WINDOWS\axucebepaguhey.dll
The specified module could not be found.

I also had errors saying that my HP software was being installed and that I needed to insert a CD-ROM. This error had been popping up the last few times I tried starting up the infected computer.
But hooray!! The computer is staying on!


#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:12 AM

Posted 20 February 2010 - 08:05 AM

Great.

The error at startup is because we removed the malware file but the registry entry is still there. We will take care of it.
Also, we will stop HP from installing anything or nagging about installing anything; when you are clean we will restore the entry, and you might need to insert your HP CD then.
  1. Did you disable Windows automatic update? Please make sure of it.

  2. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


    CODE
    @echo off
    rem back up the HP startup shortcut before deleting it
    md c:\backup
    copy /y c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk c:\backup
    del /a /f /q c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk
    rem remove the leftover Run entry; >> appends so the first result is not overwritten by the dir line
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Vsemonusohomat /f >log.txt 2>&1
    dir /a /b c:\backup >>log.txt 2>&1
    start log.txt

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: dirlook.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate dirlook.bat on the desktop.
    • Double-click it to run it.
    • A Notepad window opens; copy and paste its content (log.txt) into your reply.

  3. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  4. Please perform the following scan:
    • Download DDS by sUBs from the following links. Save it to your desktop.
    • Double click on the DDS icon, allow it to run. When done it will open two logs:
      • DDS.txt
      • Attach.txt
    • Copy and paste just DDS.txt log to your reply, no need for Attach.txt now.




#15 minwoo718

minwoo718
  • Topic Starter

  • Members
  • 29 posts
  • Local time:09:12 PM

Posted 20 February 2010 - 08:54 AM

Hi!
Here's the log for the dirlook.bat run.
And yes, I disabled automatic updates.
I'll run MBAM now!

Attached Files

  • Attached File: log.txt (32 bytes, 11 downloads)
