
.exe files do not run, black screen on startup in Vista


This topic is locked
27 replies to this topic

#1 monkeydust35

  • Members
  • 14 posts

Posted 01 September 2010 - 04:01 PM

Hi, my laptop loads to the login screen, then the welcome screen, and then a black screen with a mouse pointer, i.e. no desktop appears. Task Manager is available and runs, and I can get explorer.exe to run and show the desktop.

However, almost every file will not run: Control Panel, regedit, iexplorer, AVG, anything that would help to resolve it. Firefox will run but will not allow downloads; it hangs the system.

At one point I had multiple explorer.exe running at a time (visible in Task Manager); this appears to be reduced to one now after running AVG in safe mode on a command line, Registry Mechanic and the online scanner from f-secure.com. I have tried to roll back the system using restore points, no luck.

I have managed to do more in safe mode with networking, as Firefox and IE will load in safe mode, allowing me to download virus and registry checkers, but although they have removed some errors, this has made no difference.

At present the machine doesn't fully boot (as described above; I have to kill explorer.exe in Task Manager and reload it in TM to show the desktop).

The problem I have is that I cannot run any of the .exe files you require unless in safe mode... that is Defogger, DDS and GMER. Therefore I have only been able to run these in safe mode; if this doesn't help, what can I do? I have posted them anyway.

Thanks for your help....

Here is the DDS.txt output :-)

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by ant at 20:27:53.28 on 01/09/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1013.546 [GMT 1:00]

AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Windows Live OneCare *disabled* (Updated) {CC7E50BA-BA8C-4DDE-B5AC-EA53BC38D01B}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\ant\Desktop\Defogger.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\ant\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [TOSCDSPD] TOSCDSPD.EXE
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\ant\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RMTray.exe /H
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [TOSHIBA Volume Indicator] "c:\program files\toshiba\utilities\VolControl.exe"
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper_3004.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
StartupFolder: c:\users\ant\appdata\roaming\micros~1\windows\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D00E9550-440D-4EF8-BFCE-174300890C05} - hxxp://www.gomusic.ru/cabs/xdownloader.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\ant\appdata\roaming\mozilla\firefox\profiles\m8cnxz8r.default\
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\ant\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\ant\appdata\roaming\mozilla\firefox\profiles\m8cnxz8r.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-8-30 243024]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-8-30 216400]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-8-30 29584]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-8-30 308136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-19 135664]
S2 OcHealthMon;Windows Live OneCare Health Monitor;"c:\program files\microsoft windows onecare live\ochealthmon.exe" --> c:\program files\microsoft windows onecare live\OcHealthMon.exe [?]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-8-31 632792]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-10-29 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-12-27 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-4-3 13352]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-10-29 21504]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-09-01 19:26:32 0 ----a-w- c:\users\ant\defogger_reenable
2010-09-01 17:58:19 0 d-----w- c:\programdata\F-Secure
2010-08-31 21:19:12 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-08-31 21:19:12 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-08-31 21:19:12 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-08-31 21:19:11 506368 ----a-w- c:\windows\system32\msxml.dll
2010-08-31 21:15:20 0 d-----w- c:\users\ant\appdata\roaming\Registry Mechanic
2010-08-31 21:01:21 0 d-----w- c:\program files\common files\PC Tools
2010-08-31 21:01:19 0 d-----w- c:\programdata\NOS
2010-08-31 20:58:34 0 d---a-w- c:\programdata\TEMP
2010-08-31 20:58:18 0 d-----w- c:\program files\Promosoft Corporation
2010-08-30 22:43:35 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-08-30 22:43:31 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-08-30 22:43:25 0 d-----w- c:\windows\system32\drivers\Avg
2010-08-30 22:42:25 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-08-30 22:40:18 0 d-----w- c:\program files\AVG
2010-08-30 22:40:00 0 d-----w- c:\programdata\avg9
2010-08-30 22:18:48 0 d-----w- C:\WINSSLog
2010-08-30 19:13:04 0 d-----w- c:\users\ant\appdata\roaming\Malwarebytes
2010-08-30 19:12:56 0 d-----w- c:\programdata\Malwarebytes
2010-08-30 19:12:55 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-30 07:03:41 0 d-----w- C:\732004b2b122f15ba59643b4
2010-08-29 16:49:53 0 dc-h--w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-29 16:25:03 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-29 16:25:03 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-12 08:46:09 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-08-12 08:46:05 274944 ----a-w- c:\windows\system32\schannel.dll
2010-08-12 08:46:02 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-08-12 08:45:59 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-08-12 08:45:28 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-12 08:45:28 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-12 08:45:23 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-12 08:45:21 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-12 08:45:17 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-08-12 04:19:47 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-03 08:53:03 0 d-----w- c:\programdata\Office Genuine Advantage

==================== Find3M ====================

2009-12-02 20:11:03 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-02 20:11:03 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-02 20:11:03 143360 ----a-w- c:\windows\inf\infstor.dat
2009-11-17 21:58:27 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-11-04 15:59:36 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-05-08 11:01:59 16384 --sha-w- c:\windows\temp\cookies\index.dat
2007-05-08 11:01:59 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2007-05-08 11:01:59 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 20:30:03.88 ===============

Attached Files




#2 m0le

  Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 10 September 2010 - 08:07 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#3 monkeydust35

  • Topic Starter
  • Members
  • 14 posts

Posted 12 September 2010 - 03:16 AM

Hi m0le, I am here! Please let me know what to do next :-)

Thanks for your help.....

#4 m0le

  Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 12 September 2010 - 06:08 PM

Can you try and run ComboFix in safe mode?

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 monkeydust35

  • Topic Starter
  • Members
  • 14 posts

Posted 13 September 2010 - 01:47 AM

Hi m0le

I ran ComboFix as requested. It flagged up that I wasn't running under administrator at a number of points and that it wasn't possible to carry out certain commands... (but I assume this is because this is being run in safe mode?)

Log attached....

(I notice it says I have Windows Live Onecare Firewall enabled - but Onecare has been uninstalled?)

Attached Files


Edited by monkeydust35, 13 September 2010 - 01:50 AM.


#6 m0le

  Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 13 September 2010 - 04:09 PM

Click this link and find the .EXE file program.

Download it and run it. I think you would need to transfer the program via a flashdrive.


Then attempt to run Combofix as below:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\comfix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.
m0le is a proud member of UNITE

#7 monkeydust35

  • Topic Starter
  • Members
  • 14 posts

Posted 13 September 2010 - 04:22 PM

Hi, Do you want me to re-run Combofix in or out of safe mode?

#8 m0le

  Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 13 September 2010 - 04:42 PM

Out of safe mode please.

Let me know what happens.
m0le is a proud member of UNITE

#9 monkeydust35

  • Topic Starter
  • Members
  • 14 posts

Posted 13 September 2010 - 05:36 PM

Hi m0le (Thanks for your continuing help!)

.exe file association fix:

I ran the .exe file association fix .REG file in safe mode, because no matter what I try it will not run out of safe mode; the REGEDIT program won't load in normal mode, even if I try and manually execute it from Task Manager.

So I ran this in safe mode and the fix errored on the last setting. I traced this in safe mode, as I can view REGEDIT; I was able to check every registry setting the .exe file program file is trying to resolve, and they are all fine.

ComboFix

I then rebooted to normal Windows, and Explorer.exe is loaded in Task Manager but not displaying; I have to manually end it and re-run it via Task Manager, i.e. I still get the black screen.

When I run Explorer.exe, I have tried to run ComboFix as per your instructions; it just hangs and no window appears, and it doesn't appear in TM.
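As an added example, not code from the thread or from any of the tools it names: a read-only PowerShell audit of the registry values a ".exe file association fix" .REG file restores, widened to the Winlogon Shell/Userinit values and the Image File Execution Options "Debugger" entries that produce the same symptoms (black desktop, .exe files that will not start). The expected values are the Windows defaults; it assumes an elevated PowerShell prompt on the affected system and writes nothing.

```powershell
# Added example (not from the thread or its tools): read-only audit of the registry
# values that decide whether .exe files launch and whether the desktop shell starts.
# Expected values are the Windows defaults. Nothing is written; run elevated.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -ErrorAction Stop
        return $item.$Name           # '(default)' addresses a key's unnamed value
    } catch {
        return $null                 # key or value missing
    }
}

function New-AuditRow {
    param($Key, $Value, $Expected, $Actual, $Why)
    # Case-insensitive string compare; $null on both sides means "absent, as expected".
    $status = 'CHECK'
    if ([string]$Actual -eq [string]$Expected) { $status = 'OK' }
    $shownExpected = $Expected
    if ($null -eq $Expected) { $shownExpected = '<absent>' }
    $shownActual = $Actual
    if ($null -eq $Actual) { $shownActual = '<absent>' }
    [pscustomobject]@{
        Status   = $status
        Key      = $Key
        Value    = $Value
        Expected = $shownExpected
        Actual   = $shownActual
        Why      = $Why
    }
}

function Test-ExeLaunchPath {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $checks = @(
        @{ Key = 'Registry::HKEY_CLASSES_ROOT\.exe'; Value = '(default)'; Expected = 'exefile'
           Why = '.exe must map to the exefile class' }
        @{ Key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Value = '(default)'; Expected = '"%1" %*'
           Why = 'open verb must launch the file itself, with nothing in front of it' }
        @{ Key = $winlogon; Value = 'Shell'; Expected = 'explorer.exe'
           Why = 'shell started at logon; anything else gives a black desktop' }
        @{ Key = $winlogon; Value = 'Userinit'; Expected = "$env:SystemRoot\system32\userinit.exe,"
           Why = 'starts the shell; extra comma-separated entries run at every logon' }
        @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value = 'Shell'; Expected = $null
           Why = 'per-user shell override is absent on a default install' }
    )

    foreach ($c in $checks) {
        $actual = Get-RegistryValueOrNull -Path $c.Key -Name $c.Value
        New-AuditRow -Key $c.Key -Value $c.Value -Expected $c.Expected -Actual $actual -Why $c.Why
    }

    # Image File Execution Options: a Debugger value makes Windows start that program
    # instead of the named executable. Real debuggers register here too, so every hit
    # is listed for review rather than judged automatically.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = Get-RegistryValueOrNull -Path $sub.PSPath -Name 'Debugger'
        if ($null -ne $dbg) {
            New-AuditRow -Key $sub.PSPath -Value 'Debugger' -Expected $null -Actual $dbg `
                         -Why ("launches of {0} are redirected to this program" -f $sub.PSChildName)
        }
    }
}

Test-ExeLaunchPath | Format-Table Status, Value, Expected, Actual, Why -AutoSize -Wrap
```

Rows marked CHECK are the ones to compare against a known-good machine before anything is changed; the script itself only reads.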



#10 m0le

  Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 13 September 2010 - 05:40 PM

Let's try to boot your computer using the Ultimate Boot CD for Windows (UBCD4win).

Please print this guide for future reference!

You will need a blank CD, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

1. Download and Run Ultimate Boot CD for Windows
  • Save it to your Desktop.
  • Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
    NOTES:
    • Do not install to a folder with spaces in its name.
    • Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read HERE for information regarding the files that normally trigger AV software.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
  • Click "I agree" to the Builders License.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
      • Source:(path to Windows installation files)
        • Enter the path to the drive where your XP CD is located.
        • You can click on the "..." button on the right to navigate to the path as well.
      • Custom: (include files and folders from this directory)
        • No information is necessary, leave blank.
      • Output: (C:\ubcd4win\BartPE)
        • Keep the default BartPE
    • Media output
      • Choose Create ISO image
      • Do not choose Burn to CD/DVD


  Please note: If your XP install disc is SP1 then please .....
  1. Disable- DComLaunch Service
  2. Enable- LargeIDE Fix

  This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections.

  Also note: If you have a Dell XP install disc you will need to follow the instructions here
  http://www.ubcd4win.com/faq.htm#dell

3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit

4. Burn your ISO file to CD
  • Please see HERE on how to burn an ISO to CD.

    ==========

    Next........

    From your clean computer..

    Please download OTLPE.zip and save it to a flash drive.
    http://oldtimer.geekstogo.com/OTLPE.zip
    http://www.itxassociates.com/OT-Tools/OTLPE.zip

    Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

    ==========

    Plug your flash drive into your sick computer now and do as instructed below..

    ==========

    1. Restart Your sick Computer Using the UBCD4Win Disc That You Have Created
    • Insert the UBCD4Win disc in to one of your CD/DVD drives.
    • Restart your computer.
      • The computer should choose to boot from the UBCD4Win CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
    • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter.
      • It may take a little longer for the Desktop to appear than it does when you start your computer normally. Just let the process run itself until the desktop appears.
    • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
      • Click on Yes if you want to use the PE environment to get online post your log and reply by way of an Ethernet connection.
    • You should now have a desktop that looks like this:

    ==========

    Single click My computer from your UBCD4W desktop to navigate to the OTLPE folder that you saved to your flash drive.

    Open the OTLPE folder and double click Start.bat.
    • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTLPE should now start

      Change the following settings
      • Change Services, Drivers, Standard and Extra Registry to All

    • Copy and Paste the following code into the textbox. Do not include the word "Code"

      CODE
      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      %ALLUSERSPROFILE%\Application Data\*.
      %ALLUSERSPROFILE%\Application Data\*.exe /s
      %APPDATA%\*.
      %APPDATA%\*.exe /s
      %SYSTEMDRIVE%\*.exe
      /md5start
      userinit.exe
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      /md5stop
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\system32\drivers\*.sys /90
      CREATERESTOREPOINT

    • Push
    • A report will open. Save that log to your flash drive. Copy and Paste that report in your next reply.

    =========

    With your next post please provide:

    * OTLPE.txt
    m0le is a proud member of UNITE
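    The /md5start ... /md5stop section of the OTL script above fingerprints a list of boot-critical files so a helper can compare the digests against known-good values and spot a patched driver or userinit.exe. As an added illustration of that check (example code written for this thread, not part of OTL or of m0le's instructions), the following Python script builds a baseline from constructed placeholder file contents, hashes what is actually on disk, and reports each file as ok, MISMATCH or missing. The GOLDEN contents, the temporary directory layout and the "injected loader" bytes are all made up for the example; a real baseline would hold digests of the vendor's signed binaries.

```python
import hashlib
import os
import tempfile

# Constructed "known-good" contents standing in for the real system files that
# the OTL /md5start ... /md5stop section fingerprints. Placeholder bytes only.
# Keys use forward slashes and are joined to the root at runtime.
GOLDEN = {
    "drivers/atapi.sys": b"GOOD-ATAPI-PLACEHOLDER",
    "drivers/iaStor.sys": b"GOOD-IASTOR-PLACEHOLDER",
    "drivers/nvstor.sys": b"GOOD-NVSTOR-PLACEHOLDER",
    "userinit.exe": b"GOOD-USERINIT-PLACEHOLDER",
}


def _full_path(root, rel):
    return os.path.join(root, *rel.split("/"))


def file_digest(path, algo="md5"):
    """Hash a file in 64 KiB chunks. OTL matches MD5s against its known-good
    lists; SHA-256 is the better choice for a baseline you build yourself."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_against_baseline(root, baseline, algo="md5"):
    """baseline maps a root-relative path to its expected hex digest.
    Returns {relative_path: "ok" | "MISMATCH" | "missing"}."""
    results = {}
    for rel, expected in baseline.items():
        full = _full_path(root, rel)
        if not os.path.isfile(full):
            # Absent is not automatically bad (e.g. a driver for hardware the
            # machine does not have), but it must be reported, not skipped.
            results[rel] = "missing"
        elif file_digest(full, algo) == expected.lower():
            results[rel] = "ok"
        else:
            results[rel] = "MISMATCH"
    return results


def build_sample_tree():
    """Write a throwaway tree: two clean drivers, one patched userinit.exe,
    and nvstor.sys absent. Constructed data for the demo only."""
    root = tempfile.mkdtemp(prefix="md5check_demo_")
    os.makedirs(os.path.join(root, "drivers"))
    on_disk = dict(GOLDEN)
    del on_disk["drivers/nvstor.sys"]
    on_disk["userinit.exe"] = b"USERINIT-WITH-INJECTED-LOADER"  # simulated patch
    for rel, data in on_disk.items():
        with open(_full_path(root, rel), "wb") as fh:
            fh.write(data)
    return root


def demo(algo="md5"):
    """Derive the baseline from the golden contents, then audit the sample tree."""
    baseline = {rel: hashlib.new(algo, data).hexdigest() for rel, data in GOLDEN.items()}
    return check_against_baseline(build_sample_tree(), baseline, algo)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:9} {rel}")
```

    Running it lists atapi.sys and iaStor.sys as ok, userinit.exe as MISMATCH and nvstor.sys as missing. A MISMATCH on a file that should be identical across every machine running the same service pack is exactly the signal the /md5start block is designed to surface.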

    #11 monkeydust35

    monkeydust35
    • Topic Starter

    • Members
    • 14 posts
    • OFFLINE
    • Local time:06:02 PM

    Posted 13 September 2010 - 06:23 PM

    Thanks for your speedy reply.

    I have a problem with Step 2 "Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive", I do not have the original Op system disks, this is also a Vista machine?

    Thanks

    #12 m0le

    m0le

      Can U Dig It?


    • Malware Response Team
    • 34,527 posts
    • OFFLINE
    • Gender:Male
    • Location:London, UK
    • Local time:06:02 PM

    Posted 13 September 2010 - 06:58 PM

    Download the recovery disk for your Vista from NeoSmart here.

    Straightforward instructions (if you need them)
    m0le is a proud member of UNITE

    #13 monkeydust35

    monkeydust35
    • Topic Starter

    • Members
    • 14 posts
    • OFFLINE
    • Local time:06:02 PM

    Posted 14 September 2010 - 01:27 AM

    Sorry m0le.... more errors

    I have downloaded the Vista recovery CD and ran it - got the error when clicking Install - D:\Sources\Install.wim. The file does not exist. Make sure all files required for installation are available, and restart the installation. Error code: 0x80070002. So this will go no further. And no usable options when repairing.

    Have I misunderstood, did you want me to follow the instructions on post number 10, using the downloaded recovery disk instead of the System disk in point 2? Let me know, the next steps....

    Cheers

    Edited by monkeydust35, 14 September 2010 - 11:53 AM.


    #14 m0le

    m0le

      Can U Dig It?


    • Malware Response Team
    • 34,527 posts
    • OFFLINE
    • Gender:Male
    • Location:London, UK
    • Local time:06:02 PM

    Posted 14 September 2010 - 04:10 PM

    That means that the disk we are trying to burn has not got the same files as your operating system. Happens occasionally.

    Please run the following program

    Please download NTBR from here: Link
    • Save the file to your Desktop and double-click it. This will create a folder with the same name as the file.
    • Open the folder and locate BurnItCD. Launch it by double-clicking it.
    • Follow the prompts to burn the CD
    • Insert the newly created CD into your infected PC and reboot from it.
      If you do not know how to reboot from CD, please let me know and I'll be happy to provide instructions
    • Once you have rebooted please hit enter when prompted to boot from CD.
    • On the first screen then select your keyboard layout. Hit enter to choose the default English keyboard layout.
    • On the next screen select 1 to choose 1. MBRWORK and hit enter.
    • On the following screen select 5 to choose 5) Install standard MBR code and hit enter
    • Select 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please press Yes
    • Afterwards, please press E to leave MBRWORK, then select 6 to leave the Bootable CD and finally press ctrl+alt+del to reboot the CD.

    Tell me if the PC now boots all the way.
    m0le is a proud member of UNITE
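    The MBRWORK step above replaces the first sector's boot code with standard MBR code because an infected MBR can redirect the boot path before Windows loads. As an added example of how a responder can inspect an MBR image for that kind of change (written for this thread; not code from NTBR, MBRWORK or m0le), the Python below assembles a constructed 512-byte MBR, checks the 0x55AA boot signature, parses the four partition-table entries using the standard MBR layout (446 bytes of boot code, 4 x 16-byte entries, 2-byte signature), and compares a SHA-256 of the boot-code region against a known-good digest. The boot-code bytes and the "known-good" digest are placeholders constructed for the demo; in practice the baseline would be the digest of the boot code the repair tool writes. This applies to MBR-partitioned disks only, not GPT.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446          # boot code occupies bytes 0..445
PT_OFFSET = 446             # partition table: 4 entries of 16 bytes
SIGNATURE = b"\x55\xaa"     # boot signature at bytes 510..511
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(bootcode, partitions):
    """Assemble a 512-byte MBR image from boot-code bytes and up to four
    (status, type, lba_start, sectors) tuples. Constructed test data only;
    CHS fields are left zeroed because modern loaders use the LBA fields."""
    if len(bootcode) > BOOTCODE_LEN:
        raise ValueError("boot code too long")
    if len(partitions) > 4:
        raise ValueError("at most four primary partition entries")
    img = bytearray(bootcode.ljust(BOOTCODE_LEN, b"\x00"))
    entries = list(partitions) + [(0, 0, 0, 0)] * (4 - len(partitions))
    for status, ptype, lba, count in entries:
        img += struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
    img += SIGNATURE
    return bytes(img)


def parse_mbr(img):
    """Return signature validity, a digest of the boot-code region and the
    non-empty partition entries of a raw first-sector image."""
    if len(img) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    result = {
        "signature_ok": img[510:512] == SIGNATURE,
        "bootcode_sha256": hashlib.sha256(img[:BOOTCODE_LEN]).hexdigest(),
        "partitions": [],
    }
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FMT, img[off:off + 16])
        if ptype == 0:          # type 0 means an unused entry
            continue
        result["partitions"].append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return result


def bootcode_matches(img, known_good_sha256):
    """True when the boot-code region hashes to the expected known-good value."""
    return parse_mbr(img)["bootcode_sha256"] == known_good_sha256


def demo():
    # Placeholder standing in for the vendor's standard boot code (not real x86 code).
    clean_code = b"STANDARD-MBR-CODE-PLACEHOLDER"
    parts = [(0x80, 0x07, 2048, 204800)]          # one bootable NTFS-type partition
    clean = build_mbr(clean_code, parts)
    baseline = hashlib.sha256(clean[:BOOTCODE_LEN]).hexdigest()
    # Simulated infection: boot code replaced, partition table and signature untouched,
    # which is why a signature check alone is not enough.
    tampered = build_mbr(b"REPLACED-LOADER-PLACEHOLDER", parts)
    return {
        "clean": bootcode_matches(clean, baseline),
        "tampered": bootcode_matches(tampered, baseline),
        "parsed": parse_mbr(tampered),
    }


if __name__ == "__main__":
    r = demo()
    print("clean matches baseline:   ", r["clean"])
    print("tampered matches baseline:", r["tampered"])
    print("signature ok:", r["parsed"]["signature_ok"], "partitions:", r["parsed"]["partitions"])
```

    The point the demo makes is that a tampered MBR still carries a valid 0x55AA signature and an intact partition table, so the only reliable tell is that the boot-code region no longer hashes to the expected value. After a repair such as the "Install standard MBR code" step, re-reading the sector and comparing it to the digest of the clean code confirms the overwrite actually took.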

    #15 monkeydust35

    monkeydust35
    • Topic Starter

    • Members
    • 14 posts
    • OFFLINE
    • Local time:06:02 PM

    Posted 14 September 2010 - 04:46 PM

    Hi

    Followed your latest instructions, unfortunately, no change, black screen with mouse cursor as previous.