
Mouse/keyboard freeze, windows update not avail, BSOD happens


  • This topic is locked
16 replies to this topic

#1 Tomterific


Posted 03 October 2010 - 05:37 PM

I have no idea what the infection/s is.

The PC description is an attached file in JPG format.

The mouse/keyboard freeze problems started with another PC that had C:, D: and E: partitions. (All personal data is on the D and E partitions.)

Because this is my wife's PC she uses for her business, I switched data over to a spare, very reliable, uninfected PC that has XP Home SP3 on it. Then the problem started on this one. On this one, I tried these efforts to fix it: defragged all partitions, ran C:>Properties>Tools>Check Disk>fix errors, Malwarebytes scan (no results), Windows Defender scan (no results), Uniblue's Registry Booster (some fixes). Then I did the XP repair install.

Right after the repair install, I upgraded to SP3 via a CD. But then I found that I cannot get into the Windows Update site any way I try. So, I'm without MS XP fixes now. I could download all XP updates on my own PC, put them on a CD, and try to load them on the OS, but decided to go to you first.

Then we noticed we were getting unasked-for new tabs on browsers which always went to different shopping sites. This happens with both IE6 and the newest Firefox (her default browser).

The most recent problem is the BSOD. It began during both tries at running GMER. I never got through the scan. Ark.txt not attached.

I will attach 5 screen shots of system information and 4 error messages that might help.



Here is the log info:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Nina at 8:40:35.67 on Sun 10/03/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.337 [GMT -4:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Speed Meter Pro\smp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Novosoft\HANDYB~1\hbagent.exe
C:\Program Files\Warecentral\PrintKey-Pro\PKey_Pro.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\Program Files\Uniblue\PowerSuite\powersuite.exe
C:\Program Files\Uniblue\SpeedUpMyPC\sump.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nina\Desktop\ProblemSolving\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.accuweather.com/us/fl/melbourne/32934/city-weather-forecast.asp
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100921230239.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PowerSuite] "c:\program files\uniblue\powersuite\launcher.exe" delay 20000 -m
uRun: [Handy Backup 6.0] "c:\progra~1\novosoft\handyb~1\hbagent.exe" -logon
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SM1BG] c:\windows\SM1BG.EXE
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [smp.exe] "c:\program files\pure networks\speed meter pro\smp.exe" -autorun -nosplash
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\warecentral\printkey-pro\PKey_Pro.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wusb600n\WUSB600N.exe
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\progra~1\skype\phone\ieplugin\SKYPEI~1.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com\download
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170787802472
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203691222093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F616A15A-B2D9-44C4-A61D-CA7FA1EBA861} - hxxp://www.investors.com/member/ocx/eSigRT.ocx
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs:
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 relog_ap
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nina\applic~1\mozilla\firefox\profiles\ke7wlcdb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.accuweather.com/us/fl/melbourne/32934/city-weather-forecast.asp
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-16 386712]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-9-5 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-11-14 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-9-5 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-9-5 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-9-5 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-9-5 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-9-5 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-9-5 141792]
R2 pnpcap;Pure Networks Packet Capture Driver;c:\windows\system32\drivers\pnpcap.sys [2008-12-1 23352]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-9-5 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-9-5 152992]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-9-5 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-9-5 312904]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-9-5 88544]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-12-14 730240]
S0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\elbyvcd.sys --> c:\windows\system32\drivers\ElbyVCD.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-3-22 450400]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2008-12-14 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2008-12-14 3072]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-9-5 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-9-5 84264]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-14 34248]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2007-2-6 320384]

=============== Created Last 30 ================

2010-10-03 12:36:39 0 ----a-w- c:\documents and settings\nina\defogger_reenable
2010-10-02 00:14:33 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2010-10-02 00:06:06 19569 ----a-w- c:\windows\003173_.tmp
2010-10-01 23:27:06 2444 ----a-w- c:\windows\system32\wpa.bak
2010-10-01 22:07:59 26112 -c--a-w- c:\windows\system32\dllcache\romanime.ime
2010-10-01 22:06:59 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2010-10-01 22:04:05 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-10-01 22:03:56 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-10-01 22:03:56 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-10-01 22:03:56 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-10-01 22:03:56 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-10-01 22:03:33 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-09-27 22:25:53 0 d-----w- c:\documents and settings\all users\Uniblue
2010-09-26 19:55:32 0 d-----w- c:\docume~1\nina\applic~1\Uniblue
2010-09-26 19:55:25 0 d-----w- c:\program files\Uniblue
2010-09-25 09:51:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-25 09:50:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-21 23:20:29 0 d-----w- c:\windows\system32\wbem\Repository
2010-09-21 12:13:43 0 d-----w- c:\docume~1\nina\applic~1\Malwarebytes
2010-09-21 12:13:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-21 12:13:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-16 13:49:08 3247 ----a-w- c:\windows\system32\wbem\Outlook_01cb55a5ef35572a.mof
2010-09-15 11:19:48 3247 ----a-w- c:\windows\system32\wbem\Outlook_01cb54c7e85bda70.mof
2010-09-14 12:31:48 3247 ----a-w- c:\windows\system32\wbem\Outlook_01cb5408cd19653a.mof
2010-09-12 12:18:44 0 d-----w- c:\program files\Citrix
2010-09-12 12:18:27 103784 ----a-w- c:\documents and settings\nina\GoToAssistDownloadHelper.exe
2010-09-08 10:50:42 54 --s-a-w- c:\windows\__$$key_file$$__
2010-09-08 10:49:15 32 ----a-w- c:\windows\__$tofn$__
2010-09-08 10:49:05 0 d-----w- c:\program files\AdvancedDefrag
2010-09-07 23:15:48 0 d-----w- c:\docume~1\nina\applic~1\Novosoft
2010-09-07 23:15:24 0 d-----w- c:\program files\Novosoft
2010-09-07 00:38:52 3247 ----a-w- c:\windows\system32\wbem\Outlook_01cb4e250bb2622c.mof
2010-09-06 19:19:10 0 d-----w- c:\program files\Microsoft Picture It! 9
2010-09-06 00:45:23 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-09-06 00:38:27 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2010-09-06 00:37:57 223744 ----a-w- c:\windows\system32\CNMLM98.DLL
2010-09-06 00:37:45 98304 ----a-w- c:\windows\system32\CNC850I.DLL
2010-09-06 00:37:45 204800 ----a-w- c:\windows\system32\CNC850L.DLL
2010-09-06 00:37:45 188416 ----a-w- c:\windows\system32\CNC850O.DLL
2010-09-06 00:37:45 1339392 ----a-w- c:\windows\system32\CNC850C.DLL
2010-09-06 00:37:44 3584 ----a-w- c:\windows\system32\CNCFLfUS.DLL
2010-09-06 00:37:44 3072 ----a-w- c:\windows\system32\CNCFLfJP.DLL
2010-09-06 00:37:44 156160 ----a-w- c:\windows\system32\CNCF2Lf.DLL
2010-09-06 00:37:44 106496 ----a-w- c:\windows\system32\CNCFMSf.EXE
2010-09-06 00:13:17 0 d-----w- c:\program files\common files\L&H
2010-09-05 23:38:13 3247 ----a-w- c:\windows\system32\wbem\Outlook_01cb4d53682fd782.mof
2010-09-05 22:58:14 28040 ----a-w- c:\windows\system32\mdimon.dll
2010-09-05 22:55:20 0 d-----w- c:\program files\Microsoft ActiveSync
2010-09-05 22:08:12 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-09-05 22:07:48 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-09-05 22:07:48 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-09-05 22:07:48 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-09-05 22:07:48 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-09-05 22:07:48 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-09-05 22:07:48 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-09-05 22:07:48 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-09-05 22:07:48 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-09-05 18:08:35 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

==================== Find3M ====================

2010-10-01 22:02:50 23388 ----a-w- c:\windows\system32\emptyregdb.dat
2010-09-27 22:53:59 730240 ----a-w- c:\windows\system32\drivers\rt2870.sys
2010-09-07 16:22:00 72420 ----a-w- c:\windows\fonts\PT Impressive Bold.ttf
2010-08-24 18:57:38 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2003-08-27 18:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll
2002-09-11 21:26:52 63730 ----a-w- c:\program files\viewsonicinstruct_xp.pdf
2008-12-19 00:29:01 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121820081219\index.dat

============= FINISH: 8:42:45.95 ===============


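One thing a responder does with a DDS log like the one above is pull the SERVICES / DRIVERS section apart and look first at the entries DDS itself could not resolve. The Python below is an added example, not code from this thread, from DDS or from BleepingComputer: it parses that section's line format from constructed sample lines modelled on the posted log, and flags entries whose file was not found ([?]) or whose driver loads from outside system32\drivers.

```python
"""Triage helper for the SERVICES / DRIVERS section of a DDS log (added example).

Line shape parsed:

    R0 mfehidk;McAfee Inc. mfehidk;c:\\windows\\system32\\drivers\\mfehidk.sys [2009-9-16 386712]
    S0 ElbyVCD;ElbyVCD;c:\\...\\elbyvcd.sys --> c:\\...\\ElbyVCD.sys [?]

R/S is running/stopped, the digit is the service start type (0 boot, 1 system,
2 auto, 3 manual, 4 disabled), and the bracket holds the file's date and size,
or '?' when DDS could not find the file on disk.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-16 386712]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-9-5 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-9-5 171168]
S0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\elbyvcd.sys --> c:\windows\system32\drivers\ElbyVCD.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2008-12-14 8704]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2007-2-6 320384]

=============== Created Last 30 ================
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<meta>[^\]]*)\]$"
)
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    display: str
    image: str            # file path, command-line switches stripped
    date: Optional[str]   # None when DDS printed [?]
    size: Optional[int]


def _image_path(raw: str) -> str:
    """Reduce DDS's image-path field to the file DDS actually examined."""
    # "reported --> resolved": DDS shows both when they differ; keep the resolved one.
    if " --> " in raw:
        raw = raw.split(" --> ")[-1]
    raw = raw.strip()
    if raw.startswith('"'):               # quoted path followed by switches
        return raw[1 : raw.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|sys|dll))(?:\s|$)", raw, re.IGNORECASE)
    return m.group(1) if m else raw


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Return the entries of the SERVICES / DRIVERS section, in log order."""
    entries: List[ServiceEntry] = []
    in_section = False
    for line in log_text.splitlines():
        if line.startswith("="):           # DDS section header, e.g. "===== Find3M ====="
            in_section = "SERVICES / DRIVERS" in line
            continue
        if not in_section or not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:                          # a line shape this example does not model
            continue
        meta = m.group("meta")
        date, size = None, None
        if meta != "?":
            date, size_text = meta.split()
            size = int(size_text)
        entries.append(ServiceEntry(
            running=m.group("state") == "R",
            start_type=int(m.group("start")),
            name=m.group("name"),
            display=m.group("display"),
            image=_image_path(m.group("path")),
            date=date,
            size=size,
        ))
    return entries


def triage(entries: List[ServiceEntry]) -> List[Tuple[str, str]]:
    """Entries worth a closer look, as (service name, reason) pairs.

    Pointers for a human reviewer, not verdicts: a legitimate driver can live
    outside system32\\drivers, and an entry whose file is gone is often just
    a leftover from an uninstall.
    """
    findings = []
    for e in entries:
        if e.date is None:
            findings.append((e.name, "image file not found on disk ([?])"))
        low = e.image.lower()
        if low.endswith(".sys") and not low.startswith(DRIVER_DIR):
            findings.append((e.name, "driver loads from outside system32\\drivers"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_services(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```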

#2 m0le

  • Malware Response Team

Posted 10 October 2010 - 08:04 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 Tomterific


Posted 11 October 2010 - 11:53 AM

I have subscribed already. Thanks for your time and experience.

#4 m0le

  • Malware Response Team

Posted 11 October 2010 - 01:41 PM

My money's on a rootkit here.

Please run the following programs
  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


And

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#5 Tomterific


Posted 11 October 2010 - 03:10 PM

Since I last posted, my wife's PC has changed. It now only shows signs of doing the POST functions, i.e., the bar for the Dell Dimension start-up indicator begins 80% of the way to the right side, then the screen goes black and stays there. If I press F12 as I hit the on button, instead of a black screen I get the menu offering 1.-6. options, one of which is setup. If I select that I get the BIOS setup screen. The only thing I know to do is go there and change the date and time. When I do that and hit Esc to save it, it then reboots and goes to a black screen. I'm lost.

#6 m0le

  • Malware Response Team

Posted 11 October 2010 - 05:58 PM

Let's try to boot your computer using the Ultimate Boot CD for Windows (UBCD4win). This is failing quite a lot but it is the quickest way to boot the PC when the malware has disabled the boot.

Please print this guide for future reference!

You will need a blank CD, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

1. Download and Run Ultimate Boot CD for Windows
  • Save it to your Desktop.
  • Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
    NOTES:
    • Do not install to a folder with spaces in its name.
    • Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read HERE for information regarding the files that normally trigger AV software.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
  • Click "I agree" to the Builders License.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
      • Source:(path to Windows installation files)
        • Enter the path to the drive where your XP CD is located.
        • You can click on the "..." button on the right to navigate to the path as well.
      • Custom: (include files and folders from this directory)
        • No information is necessary, leave blank.
      • Output: (C:\ubcd4win\BartPE)
        • Keep the default BartPE
    • Media output
      • Choose Create ISO image
      • Do not choose Burn to CD/DVD


        Please note: If your XP install disc is SP1 then please .....
        1. Disable- DComLaunch Service
        2. Enable- LargeIDE Fix

          This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections

      Also note: If you have a Dell XP install disc you will need to follow the instructions here
      http://www.ubcd4win.com/faq.htm#dell

    3. Click on the "Build" button
    • You will see the Windows EULA message. Click on I Agree
    • You will now see the Build Screen. Let it run it's course
    • When the Build is finished you can click close, then exit


    4. Burn your ISO file to CD
    • Please see HERE on how to burn an ISO to CD.

    ==========

    Next........

    From your clean computer..

    Please download OTLPE.zip and save it to a flash drive.
    http://oldtimer.geekstogo.com/OTLPE.zip
    http://www.itxassociates.com/OT-Tools/OTLPE.zip

    Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

    ==========

    Plug your flash drive into your sick computer now and do as instructed below..

    ==========

    1. Restart Your sick Computer Using the UBCD4Win Disc That You Have Created
    • Insert the UBCD4Win disc in to one of your CD/DVD drives.
    • Restart your computer.
      • The computer should choose to boot from the UBCD4Win CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
    • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter.
      • It may take a little longer for the Desktop to appear than it does when you start your computer normally. Just let the process run itself until the desktop appears.
    • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
      • Click on Yes if you want to use the PE environment to get online post your log and reply by way of an Ethernet connection.
    • You should now have a desktop that looks like this:

    ==========

    Single click My computer from your UBCD4W desktop to navigate to the OTLPE folder that you saved to your flash drive.

    Open the OTLPE folder and double click Start.bat.
    • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTLPE should now start

      Change the following settings
      • Change Services, Drivers, Standard and Extra Registry to All

    • Copy and Paste the following code into the textbox. Do not include the word "Code"

      CODE
      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      %ALLUSERSPROFILE%\Application Data\*.
      %ALLUSERSPROFILE%\Application Data\*.exe /s
      %APPDATA%\*.
      %APPDATA%\*.exe /s
      %SYSTEMDRIVE%\*.exe
      /md5start
      userinit.exe
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      /md5stop
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\system32\drivers\*.sys /90
      CREATERESTOREPOINT

    • Push
    • A report will open. Save that log to your flash drive. Copy and Paste that report in your next reply.

    =========

    With your next post please provide:

    * OTLPE.txt
    m0le is a proud member of UNITE
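The /md5start ... /md5stop part of the OTL script above makes OTL report MD5 hashes of the listed boot-path drivers and logon components so they can be compared with known-good copies. The same check can be done by hand from a clean machine with the sick disk attached, or from the PE desktop. The script below is an added example, not OTL's own code and not part of this thread: it hashes every copy of a watched file name under an offline Windows tree and compares the result with a baseline taken earlier from a known-good copy of the same Windows version. The directory tree, the "baseline" and the tampering in demo() are all constructed on the spot; no real Windows binary hashes are embedded, and the file names are a subset of the OTL list.

```python
"""
Offline hash audit of system files, modelled on the /md5start list in the
OTL script.  Added example, not OTL's code.  Baseline hashes are computed at
run time from constructed sample files; nothing here is a real Windows hash.
"""
import hashlib
import os
import tempfile

# Names taken from the OTL script's /md5start list (a subset).
WATCHED = ["userinit.exe", "atapi.sys", "iaStor.sys", "nvstor.sys", "netlogon.dll"]


def file_digest(path, chunk=1 << 20):
    """Return (md5, sha256, size) for one file, streamed so large files are fine.
    MD5 is kept because that is what OTL reports; SHA-256 is the one to trust."""
    md5, sha, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
            size += len(block)
    return md5.hexdigest(), sha.hexdigest(), size


def find_watched(root, names):
    """Walk the offline tree and return {relative_path: absolute_path} for every
    file whose name matches (case-insensitively, as NTFS is).  A second copy of
    atapi.sys outside system32/drivers is itself a finding, so all copies count."""
    wanted = {n.lower() for n in names}
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() in wanted:
                full = os.path.join(dirpath, f)
                found[os.path.relpath(full, root).replace(os.sep, "/")] = full
    return found


def audit(root, names, baseline):
    """Compare the watched files under `root` with `baseline`
    ({relative_path: (md5, sha256, size)}).  Verdicts: OK, MODIFIED, NEW
    (present on disk, absent from baseline) or MISSING (the reverse)."""
    current = {rel: file_digest(p) for rel, p in find_watched(root, names).items()}
    report = {}
    for rel, digest in current.items():
        if rel not in baseline:
            report[rel] = "NEW"
        elif digest != baseline[rel]:
            report[rel] = "MODIFIED"
        else:
            report[rel] = "OK"
    for rel in baseline:
        if rel not in current:
            report[rel] = "MISSING"
    return report


def demo():
    """Constructed scenario: snapshot a tiny Windows-like tree, then patch one
    driver in place, plant a stray userinit.exe and delete a driver, the kinds
    of change an audit like this is meant to surface."""
    root = tempfile.mkdtemp(prefix="offline_win_")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    drv = os.path.join(sys32, "drivers")
    os.makedirs(drv)
    samples = {
        os.path.join(drv, "atapi.sys"): b"constructed clean IDE driver",
        os.path.join(drv, "iaStor.sys"): b"constructed Intel RAID driver",
        os.path.join(drv, "nvstor.sys"): b"constructed nVidia storage driver",
        os.path.join(sys32, "userinit.exe"): b"constructed clean userinit",
    }
    for path, body in samples.items():
        with open(path, "wb") as fh:
            fh.write(body)
    baseline = {rel: file_digest(p) for rel, p in find_watched(root, WATCHED).items()}

    with open(os.path.join(drv, "atapi.sys"), "ab") as fh:            # in-place patch
        fh.write(b" + hooked")
    with open(os.path.join(root, "WINDOWS", "userinit.exe"), "wb") as fh:  # stray copy
        fh.write(b"constructed dropper")
    os.remove(os.path.join(drv, "nvstor.sys"))                        # deleted driver
    return audit(root, WATCHED, baseline)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:9s} {rel}")
```

To use it for real, point find_watched at the mounted root of the sick disk (for example X:\ from the PE desktop) and at a clean install of the same XP service pack for the baseline; a MODIFIED verdict on atapi.sys or userinit.exe with an unchanged file size is exactly the pattern an in-place driver patch leaves, and a NEW copy under an unexpected folder deserves the same attention as a changed one.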

    #7 Tomterific

    Tomterific
    • Topic Starter

    • Members
    • 73 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Melbourne, FL
    • Local time:04:38 PM

    Posted 11 October 2010 - 06:53 PM

    Wow, I'm impressed. OK will do as you direct. Can I use my slipstreamed windows XP home CD or do I have to use the original for this boot cd?

    #8 m0le

    m0le

      Can U Dig It?


    • Malware Response Team
    • 34,527 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:London, UK
    • Local time:08:38 PM

    Posted 12 October 2010 - 01:22 PM

    Your PM confirms that this is not going to work with the above method.

    Please download xPUD and we'll do some scanning in its environment

    Try this please. You will need a USB drive.
    • Download UNetbootin to the desktop of your working computer.
    • Download xpud-0.9.2.iso from noahdfear.net and save it to the desktop as well.
    • Once the download(s) have completed, double click the unetbootin-xpud-windows-387.exe file to run the installer.
    • Select the DiskImage option then click the browse button located on the right side of the textbox field.
    • Browse to and select the xpud-0.9.2.iso file
    • Verify the correct drive letter is selected for your usb device then click OK
    • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface.
    • Next download http://noahdfear.net/downloads/driver.sh to your USB
    • Remove the USB and insert it in the sick computer
    • Boot the Sick computer
    • Press F12 and choose to boot from the USB
    • Follow the prompts
    • A Welcome to xPUD screen will appear
    • Press File
    • Expand mnt
    • sda1,2...usually corresponds to your HDD
    • sdb1 is likely your USB
    • Click on the folder that represents your USB drive (sdb1 ?)
    • Confirm that you see driver.sh that you downloaded there
    • Press Tool at the top
    • Choose Open Terminal
    • Type bash driver.sh
    • Press Enter
    • After it has finished a report will be located on your USB drive named report.txt
    • Remove the USB drive and insert back in your working computer and navigate to report.txt

      Please note - all text entries are case sensitive
    Copy and paste the report.txt for my review

    #9 Tomterific

    Tomterific

    Posted 12 October 2010 - 06:08 PM

    With the USB memory stick inserted, I rebooted, used F12, selected boot from USB, selected language; it went through "loading xpud" and many dots, then the message "loading /opt/media", followed by quite a few dots, then the word "ready" came up and the screen went black, flashed 1 or 2 times and went black. I waited a long time on one try and shut it down. It did take 4-5 seconds to go off. Before this effort it would go off immediately when the on/off button was pushed.

    Curious, so just now I tried this. After boot up, if F12 is pressed early enough and it is set to boot first from a CD, it will boot into the XP Home OS on the CD. It goes into the reading of the files, then offers the three usual choices. But pressing Enter, or R, or F3 to exit will not function.
    BUT, I tried to duplicate this and cannot. Weird.

    Should I have tried to replace the BIOS with a download from Dell onto a floppy? I don't know how to make a bootable CD.

    BTW I also tried setting the BIOS to default by removing the 3v battery, moving the jumper for 5 sec. then back to rebooting. No help.

    I'm wondering if the HDD has lost its MBR and so is causing this when the POST looks for it?

    I checked the system event log in the BIOS. It says each time I have rebooted "POST error" and "Keyboard error."

    Stuck in this mud,

    Tom

    Edited by Tomterific, 12 October 2010 - 06:39 PM.
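The xPUD boot above gives a Linux environment that can read the sick disk directly, and Tom asks whether the drive has lost its MBR. One way to answer that is to pull the first sector off the disk and look at it. The script below is an added example, not from this thread and not what driver.sh does (driver.sh's report.txt is still the thing to post). Assumed workflow: from the xPUD terminal run `dd if=/dev/sda bs=512 count=1 of=/mnt/sdb1/mbr.bin` (device names are assumptions, sda usually being the HDD and sdb1 the USB stick, as the post says; confirm in the File view first), then run this script on the clean computer against mbr.bin. The sector built by sample_sector() is constructed, not a real dump.

```python
"""
MBR sanity check: signature, blank boot code, partition table.  Added example,
not part of the thread or of driver.sh.  Usage: python mbr_check.py mbr.bin
(with no argument it checks a constructed sample sector).
"""
import struct
import sys

SIGNATURE = b"\x55\xAA"   # bytes 510..511 of a valid MBR
PT_OFFSET = 446           # four 16-byte partition entries start here
ENTRY_FMT = "<B3xB3xII"   # boot flag, CHS start (skipped), type, CHS end (skipped), start LBA, sector count
NTFS = 0x07


def parse_mbr(sector):
    """Parse a 512-byte MBR into its signature, a blank-boot-code flag and the
    four partition entries."""
    if len(sector) != 512:
        raise ValueError("need exactly 512 bytes, got %d" % len(sector))
    parts = []
    for i in range(4):
        boot, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        parts.append({"bootable": boot == 0x80, "type": ptype, "start_lba": lba, "sectors": count})
    return {
        "signature_ok": bytes(sector[510:512]) == SIGNATURE,
        "bootcode_blank": not any(sector[:PT_OFFSET]),
        "partitions": parts,
    }


def findings(info):
    """The checks worth reading off by eye.  An empty list means the table is
    plausible for an XP disk; it does not mean the boot code is clean."""
    out = []
    if not info["signature_ok"]:
        out.append("no 0x55AA signature: the BIOS will not boot this disk")
    if info["bootcode_blank"]:
        out.append("boot code area is all zeros: MBR looks wiped")
    used = [p for p in info["partitions"] if p["type"] != 0]
    if not used:
        out.append("no partition entries")
    active = sum(p["bootable"] for p in used)
    if active != 1:
        out.append("expected exactly one active partition, found %d" % active)
    for n, p in enumerate(used):
        if p["type"] != NTFS:
            out.append("partition %d has type 0x%02X, not NTFS (0x07)" % (n, p["type"]))
    return out


def sample_sector(tamper=None):
    """Constructed MBR: non-zero boot code, one active NTFS partition starting
    at LBA 63 (the classic XP layout), valid signature.  tamper="signature"
    clears the 0x55AA bytes; tamper="wipe" zeros the boot code instead."""
    sec = bytearray(512)
    sec[0:2] = b"\x33\xC0"                      # xor ax,ax: a typical first instruction
    struct.pack_into(ENTRY_FMT, sec, PT_OFFSET, 0x80, NTFS, 63, 156_301_425)
    sec[510:512] = SIGNATURE
    if tamper == "signature":
        sec[510:512] = b"\x00\x00"
    elif tamper == "wipe":
        sec[:PT_OFFSET] = bytes(PT_OFFSET)
    return bytes(sec)


def check_file(path):
    """Read a dumped sector from disk and return its findings."""
    with open(path, "rb") as fh:
        return findings(parse_mbr(fh.read(512)))


if __name__ == "__main__":
    problems = check_file(sys.argv[1]) if len(sys.argv) > 1 else findings(parse_mbr(sample_sector()))
    print("\n".join(problems) if problems else "MBR table looks sane")
```

A clean result from this only rules out the wiped or zeroed MBR Tom is worried about. An MBR bootkit keeps the signature and the partition table intact and replaces only the 446 bytes of boot code, so the stronger check is to dump the first sector of the original drive that boots fine and compare the two with `cmp -l`; any difference in the boot-code bytes between two disks that were imaged from the same Windows install is worth investigating.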


    #10 m0le

    m0le


    Posted 12 October 2010 - 06:38 PM

    Can you boot into the recovery environment via F8?

    Reboot your computer.

    Tap F8 on startup and select Startup Repair from the list of startup options.



    #11 Tomterific

    Tomterific

    Posted 12 October 2010 - 07:00 PM

    I get the menu for F8 but when I go to Safe Mode it goes no where - black screen.
    There is no option "Startup Repair" offered. I tried several others with no effect.

    30 MINUTES LATER:
    I'M SICK OVER THIS, M0LE. ON A HUNCH I WENT BACK TO SOME OLD HDD I HAVE AND FOUND THE ORIGINAL ONE FOR THIS PC. STUCK IT IN AND IT BOOTS RIGHT AWAY INTO WINDOWS! I AM VERY SORRY TO HAVE GOTTEN YOU INTO THIS MESS. I WISH I COULD UNDERSTAND WHY THIS THING ACTED THE WAY IT DOES WITH THE INFECTED (I GUESS) HDD.

    Edited by Tomterific, 12 October 2010 - 07:24 PM.


    #12 m0le

    m0le


    Posted 12 October 2010 - 07:08 PM

    What make/model is the machine?

    #13 Tomterific

    Tomterific

    Posted 12 October 2010 - 07:25 PM

    DELL Dimension 2400.

    How should I treat the other non-working HDD to fix it?

    Edited by Tomterific, 12 October 2010 - 08:37 PM.


    #14 m0le

    m0le


    Posted 12 October 2010 - 07:39 PM

    Quote from Tomterific (Oct 13 2010, 01:00 AM):
    30 MINUTES LATER:
    I'M SICK OVER THIS, M0LE. ON A HUNCH I WENT BACK TO SOME OLD HDD I HAVE AND FOUND THE ORIGINAL ONE FOR THIS PC. STUCK IT IN AND IT BOOTS RIGHT AWAY INTO WINDOWS! I AM VERY SORRY TO HAVE GOTTEN YOU INTO THIS MESS. I WISH I COULD UNDERSTAND WHY THIS THING ACTED THE WAY IT DOES WITH THE INFECTED (I GUESS) HDD.


    Would be nice to know what's happening with the other HDD though.

    Are you okay for this topic to be closed?

    #15 Tomterific

    Tomterific

    Posted 13 October 2010 - 06:45 AM

    Can you tell me how best to check out and possibly repair the infected HD before we close this?



