
Windows XP Wont Go past [Black] Screen - Need help.


  • This topic is locked
62 replies to this topic

#1 bretmj1

  • Members
  • 65 posts

Posted 19 September 2010 - 10:40 AM

Hey guys,

I'm usually pretty savvy with fixing these virus/malware problems with my computer, but this one seems to have me keeling over.

I believe it was a Trojan virus that infected my computer. The reason I say this is because a similar screen to the Antivirus2009 virus showed up saying it found a Trojan. It completely froze my computer so I was forced to shut it down. Upon reloading the computer, it got to the black screen after the Windows loading screen and froze there with a movable cursor. The computer stopped loading as a whole, but the cursor was still able to be moved.

First step I tried was F8 upon loading, and then reload Windows with the last working configuration - this did not work. Then I loaded the computer in safe mode with networking, ran rkill, ran Malwarebytes [both fast and full system checks]. I believe it found the virus as many infected items were found; I removed them, then proceeded to restart the computer in normal mode. Same thing happened: computer stopped loading at the black screen [the one you see immediately before you see your desktop]. I restarted again in safe mode with networking [both safe mode and safe mode with networking work fine]. This time I performed a system restore to 2 weeks prior to this virus. Restarted computer and system restore said there were no changes made.

Currently the computer will work in safe modes, but still will not go past the black screen. What are my options here? I understand at this point I can repair Windows with the CD, but I was not sure if there were any other tricks with start-up to allow me to get through (maybe some configurations were changed by the virus).

Please do help at your convenience.

-Bret

Edited by hamluis, 19 September 2010 - 10:57 AM.
Moved from XP forum to Am I Infected ~ Hamluis.




#2 bretmj1

  • Topic Starter
  • Members
  • 65 posts

Posted 19 September 2010 - 12:54 PM

85 views and no one? Is this a very uncommon problem? I could really use some help, I'll surely return the favor.

#3 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 19 September 2010 - 12:59 PM

Post the last logs from MBAM that show the infection


Chewy

No. Try not. Do... or do not. There is no try.

#4 bretmj1

  • Topic Starter
  • Members
  • 65 posts

Posted 19 September 2010 - 01:07 PM

Ok guys, here are the MBAM logs, separated by dashed lines.
----------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4648

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

9/18/2010 4:33:16 PM
mbam-log-2010-09-18 (16-33-16).txt

Scan type: Full scan (C:\|)
Objects scanned: 204332
Time elapsed: 38 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP32\A0011142.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP32\A0012234.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP32\A0012235.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
---------------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4648

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

9/18/2010 3:38:41 PM
mbam-log-2010-09-18 (15-38-41).txt

Scan type: Quick scan
Objects scanned: 144299
Time elapsed: 8 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Digital Protection (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAycbdwfjpya (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\pragmabbr.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pragmaserf.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bret Johnson\Local Settings\Temp\E0.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bret Johnson\Local Settings\Temporary Internet Files\Content.IE5\OPQFGHU7\ew9tqYXC[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Digital Protection\about.ico (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Program Files\Digital Protection\activate.ico (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Program Files\Digital Protection\buy.ico (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Program Files\Digital Protection\dig.db (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Program Files\Digital Protection\help.ico (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Program Files\Digital Protection\scan.ico (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Program Files\Digital Protection\settings.ico (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Program Files\Digital Protection\splash.mp3 (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Program Files\Digital Protection\update.ico (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Program Files\Digital Protection\virus.mp3 (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAycbdwfjpya\PRAGMAcfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pragmasrcr.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\PRAGMAb987.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
---------------------------------------------------------------------------------------------------------------------

Your help is invaluable. Thank you.

#5 bretmj1

  • Topic Starter
  • Members
  • 65 posts

Posted 19 September 2010 - 01:09 PM

Also, this should be useful. This is my HijackThis log.
-------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:02 PM, on 9/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: lupasaye.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1ca8032ee22f44e) (gupdate1ca8032ee22f44e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 4663 bytes
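Two entries in the log above stand out to a malware-removal helper before anything else: the R1 line that points Internet Explorer's proxy at 127.0.0.1:5555, and the O20 AppInit_DLLs entry. What follows is an added example, not code from the thread, HijackThis or BleepingComputer: a small parser for lines in this log format that flags those two indicators plus autostarts launched from Temp or Application Data; the sample lines are constructed and modelled on the posted log.

```python
"""Triage pass over HijackThis-format log lines (added example, constructed).

The rules encode what is read first in a log like the one above: an Internet
Explorer ProxyServer pointed at the local machine (every browser request is
then routed through whatever process listens on that port), a non-empty
AppInit_DLLs value (that DLL is loaded into every process that loads
user32.dll), and O4 autostarts that run from per-user scratch folders.
"""
import re

# Constructed sample input in the format HijackThis emits; lines 1, 2 and 5
# are modelled on the log posted in this thread, the others are made up.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.dell.com/
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKCU\\..\\Run: [lsdefrag] C:\\DOCUME~1\\USER~1\\LOCALS~1\\Temp\\ecsrwmoxna.tmp
O20 - AppInit_DLLs: lupasaye.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""

# "<section code> - <body>", e.g. "R1 - HKCU\...\Internet Settings,ProxyServer = ..."
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<proxy>\S+)")
LOOPBACK_RE = re.compile(r"127\.0\.0\.1|localhost", re.IGNORECASE)
# Per-user scratch locations that legitimate autostart entries rarely run from.
TEMP_PATH_RE = re.compile(
    r"\\Temp\\|LOCALS~1|\\Local Settings\\|\\Application Data\\", re.IGNORECASE
)


def parse_line(line):
    """Split one HijackThis line into (code, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def check_line(line):
    """Return {"code", "reason", "value"} when a line trips a rule, else None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    code, body = parsed
    if code == "R1" and "ProxyServer" in body:
        m = PROXY_RE.search(body)
        if m and LOOPBACK_RE.search(m.group("proxy")):
            return {"code": code, "reason": "localhost-proxy", "value": m.group("proxy")}
    elif code == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:  # an empty AppInit_DLLs value is the normal state
            return {"code": code, "reason": "appinit-dll", "value": value}
    elif code == "O4":
        # O4 body: "<hive>\..\Run: [<name>] <command line>"
        target = body.split("]", 1)[1].strip() if "]" in body else body
        if TEMP_PATH_RE.search(target):
            return {"code": code, "reason": "autostart-from-temp", "value": target}
    return None


def triage(log_text):
    """Run every line through check_line and collect the findings in log order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['code']:4} {finding['reason']:20} {finding['value']}")
```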


#6 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 19 September 2010 - 01:27 PM

I have referred this thread to one of our malware removal experts; please be patient.



#7 bretmj1

  • Topic Starter
  • Members
  • 65 posts

Posted 19 September 2010 - 01:37 PM

Thank you very much.

#8 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,831 posts
  • Gender:Female
  • Location:Romania

Posted 19 September 2010 - 01:39 PM

Hi, since you posted a HJT log, I'll move this topic to the malware removal forum.

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth, and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note: you may get the following warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#9 bretmj1

  • Topic Starter
  • Members
  • 65 posts

Posted 19 September 2010 - 01:40 PM

I will do this right now... please stand by!

#10 bretmj1

  • Topic Starter
  • Members
  • 65 posts

Posted 19 September 2010 - 01:44 PM

I downloaded but got an error when trying to open.

Error loading/opening driver.

#11 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,831 posts
  • Gender:Female
  • Location:Romania

Posted 19 September 2010 - 02:04 PM

Hi, please try this instead:

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise




#12 bretmj1

  • Topic Starter
  • Members
  • 65 posts

Posted 19 September 2010 - 02:33 PM

C:\ComboFix.txt
-----------------------------

Here is the log for you. Thank you for your help thus far!
-------------------------------------------------------------------
ComboFix 10-09-17.04 - Bret Johnson 09/19/2010 14:14:27.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.773 [GMT -5:00]
Running from: c:\documents and settings\Bret Johnson\My Documents\Downloads\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bret Johnson\g2mdlhlpx.exe
c:\documents and settings\Bret Johnson\Local Settings\Application Data\Windows Server
c:\documents and settings\Bret Johnson\Recent\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-08-19 to 2010-09-19 )))))))))))))))))))))))))))))))
.

2010-09-19 18:08 . 2010-09-19 18:08 -------- d-----w- c:\program files\Trend Micro
2010-09-18 20:28 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-18 20:28 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 20:04 . 2010-09-19 19:01 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-18 19:24 . 2010-09-18 19:24 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 20:28 . 2010-04-29 01:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-05 17:55 . 2010-02-21 20:44 -------- d-----w- c:\documents and settings\Bret Johnson\Application Data\Skype
2010-09-05 15:51 . 2010-02-21 20:48 -------- d-----w- c:\documents and settings\Bret Johnson\Application Data\skypePM
2010-09-04 22:33 . 2008-12-26 00:41 -------- d-----w- c:\documents and settings\Bret Johnson\Application Data\U3
2010-09-02 02:38 . 2010-06-24 23:05 188152 ----a-w- c:\documents and settings\Bret Johnson\Application Data\Mozilla\Firefox\Profiles\dqcy8ysc.default\FlashGot.exe
2010-08-28 02:32 . 2009-05-28 15:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-15 17:14 . 2009-08-19 02:09 -------- d-----w- c:\documents and settings\Bret Johnson\Application Data\Apple Computer
2010-08-15 06:40 . 2010-08-15 06:39 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-15 06:40 . 2009-08-19 02:08 -------- d-----w- c:\program files\iTunes
2010-08-15 06:39 . 2010-08-15 06:39 -------- d-----w- c:\program files\iPod
2010-08-15 06:39 . 2009-08-19 02:06 -------- d-----w- c:\program files\Common Files\Apple
2010-08-15 06:32 . 2009-09-10 19:58 -------- d-----w- c:\program files\QuickTime
2010-08-15 06:23 . 2010-08-15 06:23 -------- d-----w- c:\program files\Bonjour
2010-08-15 06:13 . 2010-08-15 06:13 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-04 00:01 . 2010-08-04 00:01 503808 ----a-w- c:\documents and settings\Bret Johnson\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-51e4e1cb-n\msvcp71.dll
2010-08-04 00:01 . 2010-08-04 00:01 499712 ----a-w- c:\documents and settings\Bret Johnson\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-51e4e1cb-n\jmc.dll
2010-08-04 00:01 . 2010-08-04 00:01 12800 ----a-w- c:\documents and settings\Bret Johnson\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3ed478e4-n\decora-d3d.dll
2010-08-04 00:01 . 2010-08-04 00:01 61440 ----a-w- c:\documents and settings\Bret Johnson\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3ed478e4-n\decora-sse.dll
2010-08-04 00:01 . 2010-08-04 00:01 348160 ----a-w- c:\documents and settings\Bret Johnson\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-51e4e1cb-n\msvcr71.dll
2010-07-12 15:56 . 2009-03-17 04:31 1 ----a-w- c:\documents and settings\Bret Johnson\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-23 00:09 . 2010-06-23 00:09 503808 ----a-w- c:\documents and settings\Bret Johnson\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46608615-n\msvcp71.dll
2010-06-23 00:09 . 2010-06-23 00:09 61440 ----a-w- c:\documents and settings\Bret Johnson\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1d2aba26-n\decora-sse.dll
2010-06-23 00:09 . 2010-06-23 00:09 499712 ----a-w- c:\documents and settings\Bret Johnson\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46608615-n\jmc.dll
2010-06-23 00:09 . 2010-06-23 00:09 348160 ----a-w- c:\documents and settings\Bret Johnson\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46608615-n\msvcr71.dll
2010-06-23 00:09 . 2010-06-23 00:09 12800 ----a-w- c:\documents and settings\Bret Johnson\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1d2aba26-n\decora-d3d.dll
2010-04-29 01:32 . 2010-04-29 01:32 115 -c--a-w- c:\program files\ypp_260687.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-09-08 115560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bret Johnson^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
path=c:\documents and settings\Bret Johnson\Start Menu\Programs\Startup\Antimalware Doctor.lnk
backup=c:\windows\pss\Antimalware Doctor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowLOMControl]
 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2005-10-07 12:13 176128 -c--a-r- c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 07:05 127035 -c--a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 -c----w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-10-15 02:46 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-10-15 02:50 114688 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-10-15 02:49 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 22:50 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 20:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 20:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 03:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-12-29 07:05 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\US4Service]
2009-09-15 18:15 32768 -c--a-w- c:\program files\Universal Shield 4.3\US4Service.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S0 avxql;avxql;c:\windows\system32\drivers\clyx.sys --> c:\windows\system32\drivers\clyx.sys [?]
S2 gupdate1ca8032ee22f44e;Google Update Service (gupdate1ca8032ee22f44e);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 5:39 PM 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\coh_mon.sys [9/8/2008 4:00 PM 23888]
S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/3/2010 7:27 PM 102448]
S3 Normandy;Normandy SR2; [x]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-09-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 22:39]

2010-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-18 22:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:5555
FF - ProfilePath - c:\documents and settings\Bret Johnson\Application Data\Mozilla\Firefox\Profiles\dqcy8ysc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim&ncid=snsusaimc00000001
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-ytbm&p=
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Symantec Antvirus
MSConfigStartUp-Digital Protection - c:\program files\Digital Protection\digprot.exe
MSConfigStartUp-egrpcfer - c:\documents and settings\Bret Johnson\Local Settings\Application Data\tiymecdcu\tfhneoatssd.exe
MSConfigStartUp-fusapiyiga - dotojupe.dll
MSConfigStartUp-lsdefrag - c:\docume~1\BRETJO~1\LOCALS~1\Temp\ecsrwmoxna.tmp
MSConfigStartUp-newupdate1142C - c:\documents and settings\BRET JOHNSON\APPLICATION DATA\EE4F177121E74416B8D0D32A4CED0BC3\NEWUPDATE1142C.EXE
MSConfigStartUp-sysmon64x - c:\docume~1\BRETJO~1\LOCALS~1\TEMP\SYSMON64X.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-19 14:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3256490625-1947195734-1316722461-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A16C63AC-FD0C-06DE-6C9B-C789990FCC15}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1288)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
.
**************************************************************************
.
Completion time: 2010-09-19 14:28:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-19 19:28

Pre-Run: 11,218,251,776 bytes free
Post-Run: 12,920,229,888 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 9AB3EE8AD08AED29AEEA27DD7DB42BA7


#13 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,831 posts
  • Gender:Female
  • Location:Romania

Posted 19 September 2010 - 02:38 PM

Try to reboot in normal mode and describe exactly at which point it crashes.

regards, Elise




#14 bretmj1

  • Topic Starter
  • Members
  • 65 posts

Posted 19 September 2010 - 08:07 PM

I mentioned above that the computer -stops loading- at the black screen immediately before you see your desktop. This is also the same black screen immediately after the Windows loading screen (the one where the loading marquee scrolls across the screen below the large Windows logo). I never get to see my desktop; maybe 5-10 more seconds are needed at the black screen for me to be able to see my desktop. The cursor is active and I can move it, but the computer just stops loading as if it's done loading at the black screen.

#15 bretmj1

  • Topic Starter
  • Members
  • 65 posts

Posted 19 September 2010 - 09:42 PM

Tried booting up again normally after all this, and nothing. Not sure what to do from here.



