
Help with Malware


  • This topic is locked
61 replies to this topic

#1 busch
  • Members
  • 33 posts
Posted 05 October 2010 - 12:53 PM

OK, I need some major help with my computer.
Two weeks ago, I was affected by the AntiVirus 2010 Security Centre bug and it has been all down hill from there.
I have run Malwarebytes anti malware, Super Anti Spyware, Ad aware, and avg free and I am still having problems.
I am having problems connecting to the internet through IE8. I keep getting the message that IE cannot connect to the webpage.
Most of the time I can hit the refresh button and it will then load. Also sometimes, I get a second browser opened and a "consumer news online" website pops up.
I also see in the task manager that I have a lot of svchost.exe processes. A couple seem to run even when the computer should be idle.
One last item: when I boot up the computer, I get two error messages telling me that two separate files cannot be located.
Can someone please help me get this fixed?
I saw a similar post and read it but I did not want to run any program that I should not run.
I am using a Dell GX260 with WinXP and IE 8.

I followed boopme's advice and ran several programs. I have pasted the DDS log here and attached the Attach and Ark logs.
Thanks in Advance.
Busch


DDS (Ver_10-03-17.01) - NTFSx86
Run by Renee Bridges at 11:00:05.00 on Tue 10/05/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://www.dellnet.com
uSearch Bar =
uSearch Page =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = localhost;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant =
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - No File
TB: Avery Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Hjatititefed] rundll32.exe "c:\windows\mgrcopst.dll",Startup
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
mRun: [vdrdpup] c:\windows\system32\rundll32 c:\windows\system32\vdrdpup.dll,RegisterVirtualChannel
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [EPSON Stylus CX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [Qfijuqosejefiq] rundll32.exe "c:\windows\uwitohekafo.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: <NO NAME> =
mPolicies-system: EnableLUA = 0 (0x0)
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: &Search - ?s=100000341&p=GRman000&si=&a=9bl2aRlCS9Hfk5uFbmc1uA&n=2010081616
IE: Add to AMV Convert Tool... - c:\program files\mp3 player utilities 4.00\amvconverter\grab.html
IE: Add to AMV Converter... - c:\program files\mp3 player utilities 4.15\amvconverter\grab.html
IE: Add to Media Manager... - c:\program files\mp3 player utilities 4.15\mediamanager\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Save with Download Manager... - file://c:\program files\charter music\DMDownload.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
Trusted Zone: download.com
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://www.yahoo.com/diskless/bin/tgctlcm.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {03DF0933-6E10-4D32-9835-B9A815622831} - hxxps://gopublic.wspan.com/secure/DLLs/WSSystemInformation.cab
DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} - hxxps://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} - hxxp://216.249.24.142/code/PWActiveXImgCtl.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201407053156
DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} - hxxp://go.worldspan.com/Dlls/WSFileIO3.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://www.shockwave.com/content/tumblebugs/axhost.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} - hxxps://gopublic.wspan.com/Secure/DLLs/WSBrowserConfig.cab
DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/mail/autocomplete.cab
DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxp://reportserver.nexionnet.com/viewer/activeXViewer/activexviewer.cab
DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} - hxxp://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
DPF: {D4233B6D-88A0-11D3-BC29-400011500032} - hxxps://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://blockade-runner.axiscam.net/activex/AMC.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://premconf.webex.com/client/T25L10NSP41EP2-premconf/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} - hxxp://gopublic.wspan.com/scripts/us//DLLs/WSFileIO.cab
DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - hxxps://gopublic.wspan.com/Secure/Dlls/WSClient.cab
DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} - hxxp://cdn.digitalcity.com/_media/dalaillama/ampx.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\reneeb~1\applic~1\mozilla\firefox\profiles\tii5367a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.search-tab.com/?sid=10101058100&s=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\extensions\{648ae81b-1966-43cf-bcb4-ff85276e4f6d}\components\FFExternalAlert.dll
FF - plugin: c:\documents and settings\renee bridges\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - HiddenExtension: XULRunner: {227A8D01-F5FE-475A-93A4-F1012D77C94A} - c:\documents and settings\renee bridges\local settings\application data\{227A8D01-F5FE-475A-93A4-F1012D77C94A}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-tab.com/?sid=10101058100&s=
============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-10-05 14:58:19 0 ----a-w- c:\documents and settings\renee bridges\defogger_reenable
2010-10-01 08:03:16 0 ----a-w- c:\windows\Htoquvogepuwid.bin
2010-10-01 08:03:15 120 ----a-w- c:\windows\Gruyusumocarez.dat
2010-10-01 08:01:40 0 d-----w- c:\docume~1\reneeb~1\applic~1\Genieo
2010-10-01 08:01:29 841216 ----a-w- c:\windows\system32\drivers\ljamuk.sys
2010-10-01 08:01:04 149 ----a-w- c:\docume~1\reneeb~1\applic~1\srsf.bat
2010-10-01 08:00:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-09-27 17:35:04 0 d-----w- c:\docume~1\reneeb~1\applic~1\SUPERAntiSpyware.com
2010-09-27 17:35:04 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-09-27 17:34:45 0 d-----w- c:\program files\SUPERAntiSpyware
2010-09-27 01:42:53 54016 ----a-w- c:\windows\system32\drivers\ucupllo.sys
2010-09-26 23:55:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-26 23:55:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-26 23:55:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-26 20:20:30 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
2010-09-26 20:20:30 74752 ----a-w- c:\windows\system32\dllcache\ipsec.sys
2010-09-26 20:20:30 51328 ----a-w- c:\windows\system32\dllcache\rasl2tp.sys
2010-09-24 23:33:02 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-24 20:52:56 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-24 20:52:29 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-24 20:48:27 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-24 20:47:19 0 d-----w- c:\program files\Lavasoft
2010-09-24 16:57:13 0 d-----w- c:\program files\Bonjour
2010-09-24 00:08:36 54016 ----a-w- c:\windows\system32\drivers\wvobli.sys
2010-09-23 00:25:16 0 d-sh--w- c:\documents and settings\renee bridges\IECompatCache
2010-09-23 00:24:41 0 d-sh--w- c:\documents and settings\renee bridges\PrivacIE
2010-09-23 00:23:21 0 d-sh--w- c:\documents and settings\renee bridges\IETldCache
2010-09-23 00:09:51 0 dc-h--w- c:\windows\ie8
2010-09-23 00:08:57 112 ----a-w- c:\docume~1\alluse~1\applic~1\tTa7882k1.dat
2010-09-22 02:10:14 54016 ----a-w- c:\windows\system32\drivers\pdsebsq.sys
2010-09-22 00:16:19 291608 ----a-w- C:\SoftonicDownloader_for_stinger.exe
2010-09-21 02:31:17 54016 ----a-w- c:\windows\system32\drivers\wwejqojs.sys
2010-09-21 00:44:04 0 d-----w- c:\docume~1\reneeb~1\applic~1\Malwarebytes
2010-09-21 00:43:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-14 01:46:26 0 d-----w- c:\docume~1\reneeb~1\applic~1\HandBrake
2010-09-14 01:38:44 0 d-----w- c:\docume~1\reneeb~1\applic~1\AnvSoft
2010-09-06 18:57:02 0 d-----w- C:\Beach2010

==================== Find3M ====================

2010-07-27 22:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 22:44:10 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-27 22:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-15 13:39:48 12536 ----a-w- c:\windows\system32\avgrsstx.dll

============= FINISH: 11:01:40.59 ===============

Just a quick addition that I forgot. I have the cable modem run to a Linksys Wireless router. Other computers in the house are also having a problem connecting online. You usually have to hit refresh to get the webpage to load. Has this affected the router as well?
Busch

EDIT: Posts merged ~BP

Attached Files


Edited by Budapest, 05 October 2010 - 05:39 PM.

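Added example, not part of the thread and not DDS itself: a small Python script that applies, over log lines copied from the DDS output posted above, three of the checks a malware-response helper does by eye when reading such a log. The entries it flags (the two rundll32 Run keys that load DLLs from the root of c:\windows, the four randomly named drivers of identical size, and the Firefox keyword.URL redirect) are the ones in the log; the trusted-search-domain list and the minimum group size are assumptions of the example.

```python
"""Flag suspicious autorun and driver entries in a DDS-style log.

Added example; not part of the forum thread and not DDS itself. It reads lines
in the format DDS prints (uRun:/mRun: entries from the Pseudo HJT Report,
"Created Last 30" file entries, Firefox prefs) and applies three checks:
  1. Run keys that use rundll32 to load a DLL sitting directly in c:\\windows
     (legitimate vendors install under system32 or Program Files).
  2. Recently created .sys drivers with different random names but an
     identical byte size (one dropper re-installed under new names).
  3. keyword.URL pointing somewhere other than the configured search engines.
SAMPLE_LOG is copied from the log posted above; TRUSTED_SEARCH and the
min_count threshold are assumptions of this example.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Hjatititefed] rundll32.exe "c:\windows\mgrcopst.dll",Startup
mRun: [vdrdpup] c:\windows\system32\rundll32 c:\windows\system32\vdrdpup.dll,RegisterVirtualChannel
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Qfijuqosejefiq] rundll32.exe "c:\windows\uwitohekafo.dll",Startup
FF - prefs.js: keyword.URL - hxxp://search.search-tab.com/?sid=10101058100&s=
2010-10-01 08:01:29 841216 ----a-w- c:\windows\system32\drivers\ljamuk.sys
2010-09-27 01:42:53 54016 ----a-w- c:\windows\system32\drivers\ucupllo.sys
2010-09-26 23:55:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-24 00:08:36 54016 ----a-w- c:\windows\system32\drivers\wvobli.sys
2010-09-22 02:10:14 54016 ----a-w- c:\windows\system32\drivers\pdsebsq.sys
2010-09-21 02:31:17 54016 ----a-w- c:\windows\system32\drivers\wwejqojs.sys
"""

RUN_RE = re.compile(r'^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# A DLL one path component below c:\windows, i.e. not under system32.
WINDIR_DLL_RE = re.compile(r'c:\\windows\\([^\\",]+\.dll)', re.IGNORECASE)
CREATED_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (\d+) \S+ (.+\\drivers\\([^\\]+\.sys))$',
    re.IGNORECASE)
KEYWORD_RE = re.compile(r'keyword\.URL - hxxps?://([^/]+)/', re.IGNORECASE)

# Assumption: the search engines the log shows as configured elsewhere.
TRUSTED_SEARCH = ("google.com", "yahoo.com")


def suspicious_run_entries(text):
    """Run keys that load a DLL from the root of c:\\windows via rundll32."""
    hits = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if not m:
            continue
        cmd = m.group('cmd')
        dll = WINDIR_DLL_RE.search(cmd)
        if 'rundll32' in cmd.lower() and dll:
            hits.append((m.group('name'), dll.group(1)))
    return hits


def same_size_drivers(text, min_count=2):
    """Group recently created drivers by size; return groups of min_count or more."""
    by_size = defaultdict(list)
    for line in text.splitlines():
        m = CREATED_RE.match(line)
        if m:
            by_size[int(m.group(2))].append(m.group(4))
    return {size: names for size, names in by_size.items() if len(names) >= min_count}


def search_hijacks(text):
    """Hosts in keyword.URL that are not one of the trusted search domains."""
    hits = []
    for line in text.splitlines():
        m = KEYWORD_RE.search(line)
        if m:
            host = m.group(1).lower()
            if not any(host == d or host.endswith('.' + d) for d in TRUSTED_SEARCH):
                hits.append(host)
    return hits


if __name__ == '__main__':
    print('rundll32 loads from c:\\windows root:', suspicious_run_entries(SAMPLE_LOG))
    print('same-size driver groups:', same_size_drivers(SAMPLE_LOG))
    print('search hijack hosts:', search_hijacks(SAMPLE_LOG))
```

The three flagged groups line up with what the helper later identifies: the Run keys with random names and a plain "Startup" export are the classic Vundo-style loader, and four drivers dropped on four different days with the same byte size but different names is what a re-installing rootkit dropper looks like in a file listing.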


#2 etavares
    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 12 October 2010 - 05:45 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.


In your reply, please post both OTL logs.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 busch
  • Topic Starter
  • Members
  • 33 posts

Posted 13 October 2010 - 12:17 PM

Thanks for the reply. I tried to boot the computer and now I cannot get Windows to come up. I can get to the "which copy of Windows XP or Windows Recovery Console" screen and then the screen goes black. Nothing loads.
I did take the hard drive out and tried it as a slave in an old spare computer. I can see everything on the hard drive with no problem. I reinstalled it in the original computer, made sure I had the jumper settings correct, and i still have the no boot problem.
Where do I go from here?
Busch

#4 etavares
    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 13 October 2010 - 05:50 PM

Hello, busch.
OK, I have some tools that can help. First question...the screen goes blank. Did you select Windows XP with the arrow keys and Press Enter and it hangs? Or you let it go and it just goes blank by itself?

I see you have the recovery console installed. Did you run Combofix on this computer? What, if anything, have you done since you posted the original log? Sometimes, this happens if the removal process gets stopped; or other tools (many AVs do this from time to time) delete an infected, but required file and don't replace it with a clean version. If you did run something, we can pull off the logfile and help our troubleshooting.

Next, please leave that infected harddrive connected to the spare computer. On the spare computer, please run MBR_Check and post the resulting log.

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.

etavares


 

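An added example (not the thread's and not MBRCheck's code) of the kind of checks a tool like MBRCheck performs on sector 0 of the slaved drive, in Python: verify the 0x55AA boot signature, parse the four partition entries, and compare a hash of the 446-byte boot-code area against a known-good value. The sample MBR, the "known-good" hash (taken from the sample itself) and the finding messages are constructed for the example; MBRCheck's own reference list of OEM boot code is not reproduced here.

```python
"""Offline sanity checks on a 512-byte MBR image.

Added example; not from the forum thread and not MBRCheck's code. The sample
MBR built by build_sample_mbr() is constructed for the example, and the
"known-good" hash used in the checks is an assumption (the hash of that
sample), standing in for a real reference list of OEM boot code.
"""
import hashlib
import struct

SECTOR = 512
CODE_LEN = 446            # boot code occupies bytes 0..445
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
SIGNATURE = b'\x55\xaa'   # bytes 510..511
ENTRY_FMT = '<B3sB3sII'   # status, CHS start, type, CHS end, LBA start, sectors


def build_sample_mbr():
    """Constructed MBR: a tiny code stub and one bootable NTFS partition."""
    code = b'\x33\xc0\x8e\xd0\xbc\x00\x7c'   # xor ax,ax; mov ss,ax; mov sp,7c00h
    code = code.ljust(CODE_LEN, b'\0')
    entry = struct.pack(ENTRY_FMT, 0x80, b'\x01\x01\x00', 0x07,
                        b'\xfe\xff\xff', 63, 2097152)
    table = entry + b'\0' * 16 * 3
    return code + table + SIGNATURE


def parse_mbr(sector):
    """Return signature status, SHA-256 of the code area and used partitions."""
    if len(sector) != SECTOR:
        raise ValueError('MBR must be exactly 512 bytes')
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _cs, ptype, _ce, lba, count = struct.unpack(
            ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:
            parts.append({'index': i, 'bootable': status == 0x80,
                          'type': ptype, 'lba': lba, 'count': count})
    return {'signature_ok': sector[510:512] == SIGNATURE,
            'code_sha256': hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
            'partitions': parts}


def mbr_findings(sector, known_good_sha256=None):
    """List of human-readable problems; an empty list means nothing odd."""
    info = parse_mbr(sector)
    findings = []
    if not info['signature_ok']:
        findings.append('missing 0x55AA boot signature')
    if known_good_sha256 and info['code_sha256'] != known_good_sha256:
        findings.append('boot code differs from known-good image')
    bootable = [p for p in info['partitions'] if p['bootable']]
    if len(bootable) != 1:
        findings.append('expected exactly one bootable partition, found %d'
                        % len(bootable))
    ranges = sorted((p['lba'], p['lba'] + p['count']) for p in info['partitions'])
    for (_s1, e1), (s2, _e2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            findings.append('overlapping partitions')
    return findings


if __name__ == '__main__':
    good = build_sample_mbr()
    reference = parse_mbr(good)['code_sha256']
    print('clean sample:', mbr_findings(good, reference))
    # A bootkit that patches the first instruction shows up as a hash mismatch.
    patched = bytes([0xEB]) + good[1:]
    print('patched code:', mbr_findings(patched, reference))
```

On a real drive the sector would come from reading the first 512 bytes of the physical device, and the reference hash would come from a list of known OEM and Windows boot-code images rather than from the sample itself; a mismatch is only a lead, since OEM recovery tools and some disk utilities also write non-standard MBR code.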

#5 busch
  • Topic Starter
  • Members
  • 33 posts

Posted 13 October 2010 - 08:29 PM

etavares,
I select Windows XP with the arrow keys and once I have selected it, it then attempts to load XP, then goes black.
I did run ComboFix on the computer. But after I had run ComboFix, I did get a log, and at that time I did not have the Recovery Console installed. After it was finished, I rebooted the computer and installed the Recovery Console. I remembered that ComboFix stated that it would not remove some items since I did not have the Recovery Console installed. After I had installed the Recovery Console, I ran ComboFix again. Waited to get a new log and saved it. I rebooted the computer and used it for a while, then cut it off to wait for help from this forum. When I went to turn on the computer, that is when it happened.
I will run the items you requested and post them on thursday.
Thanks for the help.
Busch

#6 busch
  • Topic Starter
  • Members
  • 33 posts

Posted 14 October 2010 - 02:50 PM

OK, here is the MBR txt log. I also included the ComboFix logs from both times I ran it and also the quarantined log. I hope this will help.
busch

Attached Files



#7 etavares
    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 14 October 2010 - 06:00 PM

Hello, busch.

OK, first the bad news. That drive is infected with a file-infector version of Vundo and has signs of a rootkit. Both are backdoor infections:

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.






Given that you have access to your files by slaving the HDD, you may want to copy your documents (documents, spreadsheets, video, photos, music, saved games, email inbox). Do NOT back up programs, executable files (EXE, BAT, COM, SCR, PIF, etc.) or system files (SYS, DLL) or anything in C:\windows; leaving those out will minimize your chance of copying the infection over.

If you want to proceed to save this system, we can attempt to do so as well. Please let me know how you want to proceed.

etavares


 


#8 busch
  • Topic Starter
  • Members
  • 33 posts

Posted 14 October 2010 - 07:02 PM

Yes, I want to proceed and clean my system.
I have already changed all my passwords to banking and such.
Just let me know what I need to do from here.
Busch

#9 etavares
    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 15 October 2010 - 07:45 PM

OK, please put the HDD back into the other chassis and make sure you reset the jumper to make it the master. Are you able to get into the Recovery Console at the boot menu?


 


#10 busch
  • Topic Starter
  • Members
  • 33 posts

Posted 15 October 2010 - 08:01 PM

Yes, I can get to the screen to select either windows xp or the recovery console


#11 etavares
    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 16 October 2010 - 06:52 AM

OK, please boot into the Recovery Console.

It will ask you which Windows installation to select, you likely want C:\windows (usually option 1, but since the log is not complete, I don't know if you have multiple OSes on it), so type the number corresponding to the infected partition and press Enter.

At the C:\windows prompt, type each command below exactly as shown and press Enter after each one. The line under each command says what should happen after pressing Enter.

    cd erdnt\hiv-backup
The prompt should change to the hiv-backup directory

    batch erdnt.con
You should see files being copied

    exit
Computer will reboot

Try loading Windows on the reboot...did restoring the registry backups allow you to boot up?


 


#12 busch
  • Topic Starter
  • Members
  • 33 posts

Posted 16 October 2010 - 06:51 PM

etavares,
OK, I followed the instructions and everything went OK till the reboot. The screen that should give me the choice of Windows XP or the Recovery Console flashed real quick and did not give me a chance to make a choice. The Windows XP choice was highlighted. After it flashed, the screen went black with nothing. Not even a cursor showing. I waited for over 5 minutes and still nothing happened.
At that time, I cut the computer off and then replied to you.
What can we try next?
Busch

#13 etavares
    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 17 October 2010 - 06:15 AM

OK, please try it one more time. Once you select XP (or it is selected for you), please press F8 and try to get into Safe Mode via the Windows menu that hopefully will pop up. Whether you can get that menu or not will tell us a lot about what may be the cause here. I think the MBR may be corrupted.


 


#14 busch
  • Topic Starter
  • Members
  • 33 posts

Posted 17 October 2010 - 03:24 PM

etavares,
OK, went through the steps again, but this time I hit F8 to get into Safe Mode. It allowed me to choose Safe Mode. I highlighted the Safe Mode option and hit Enter. Once I did, it began to load. Then it stopped. The last file it loaded in Safe Mode was "multi(0)disk(0)rdisk(0)partition(2)\windows\system32\DRIVERS\isapnp.sys."
Then it stopped and would not do anything else.
Busch

#15 etavares
    Bleepin' Remover
  • Malware Response Team
  • 15,514 posts

Posted 18 October 2010 - 05:28 PM

OK, that's good. That's narrowing it down quite a bit. Unfortunately, it's the driver after isapnp.sys that is hanging the system and of course it doesn't tell us which one.

So, please get into the F8 menu again, but choose Enable boot logging and press enter. Select the appropriate Windows installation and let it load.

When it hangs, I need you to find the file in bold below by slaving the drive again and post it here. If you're sick of taking the drive in/out and have a flash drive to spare, I can create a Linux environment that will allow you to not have to swap the HDs.
c:\windows\ntbtlog.txt

If you do slave it, please also look for any *.sys file with a file size of 0 in \windows\system32\ and let me know the name.

Thanks,
-etavares


 

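As an added example (not code from the thread or from any of the tools named in it), a Python script for the step just described, run from the machine the drive is slaved to: it parses an ntbtlog.txt to report the last driver that loaded and any that failed, and walks a system32 directory for zero-byte .sys files. The ntbtlog.txt sample and the demo system32 tree are constructed here; the "Loaded driver ..." / "Did not load driver ..." line formats are the ones Windows writes when "Enable boot logging" is chosen from the F8 menu.

```python
"""Locate a boot hang from ntbtlog.txt and list empty driver files.

Added example, not part of the forum thread. ntbtlog.txt (written when
"Enable boot logging" is chosen from the F8 menu) has one line per driver in
load order, reading "Loaded driver <path>" or "Did not load driver <path>".
The last "Loaded" line is where the boot got to; the driver after it in the
load order is the prime suspect for a hang. SAMPLE_NTBTLOG and the demo
system32 tree are constructed for this example.
"""
import os
import tempfile

SAMPLE_NTBTLOG = """\
Service Pack 3 10 18 2010 17:30:12.500
Loaded driver \\WINDOWS\\system32\\ntoskrnl.exe
Loaded driver \\WINDOWS\\system32\\hal.dll
Loaded driver \\WINDOWS\\system32\\KDCOM.DLL
Loaded driver ACPI.sys
Loaded driver pci.sys
Loaded driver \\WINDOWS\\system32\\DRIVERS\\isapnp.sys
Did not load driver \\SystemRoot\\System32\\DRIVERS\\nextdrv.sys
"""

LOADED = 'Loaded driver '
NOT_LOADED = 'Did not load driver '


def parse_bootlog(text):
    """Return (loaded, not_loaded) driver paths in the order the log records them."""
    loaded, not_loaded = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(LOADED):
            loaded.append(line[len(LOADED):])
        elif line.startswith(NOT_LOADED):
            not_loaded.append(line[len(NOT_LOADED):])
    return loaded, not_loaded


def hang_suspect(text):
    """Basename of the last driver that loaded before the log stops."""
    loaded, _ = parse_bootlog(text)
    return loaded[-1].split('\\')[-1] if loaded else None


def failed_drivers(text):
    """Drivers the log says did not load. On XP many absent-device drivers
    appear here legitimately, so this is a lead, not proof of infection."""
    return parse_bootlog(text)[1]


def empty_sys_files(system32_dir):
    """Relative paths (forward slashes) of zero-byte *.sys under system32_dir.

    Some cleanup tools truncate a malicious driver to 0 bytes instead of
    deleting it; a zero-byte driver that Windows tries to load can hang boot.
    """
    hits = []
    for root, _dirs, files in os.walk(system32_dir):
        for name in files:
            if not name.lower().endswith('.sys'):
                continue
            full = os.path.join(root, name)
            if os.path.getsize(full) == 0:
                rel = os.path.relpath(full, system32_dir)
                hits.append(rel.replace(os.sep, '/'))
    return sorted(hits)


def build_demo_system32():
    """Constructed stand-in for \\windows\\system32 on the slaved drive."""
    root = tempfile.mkdtemp(prefix='system32_')
    drivers = os.path.join(root, 'drivers')
    os.makedirs(drivers)
    with open(os.path.join(drivers, 'isapnp.sys'), 'wb') as f:
        f.write(b'MZ' + b'\0' * 62)          # non-empty, left alone
    open(os.path.join(drivers, 'zerodrv.sys'), 'wb').close()   # truncated driver
    open(os.path.join(root, 'emptyhook.sys'), 'wb').close()    # truncated driver
    return root


if __name__ == '__main__':
    print('last driver loaded:', hang_suspect(SAMPLE_NTBTLOG))
    print('did not load:', failed_drivers(SAMPLE_NTBTLOG))
    print('zero-byte drivers:', empty_sys_files(build_demo_system32()))
```

Run against the real slaved drive, the last argument to empty_sys_files would be the mounted \windows\system32 directory, and the boot-log text would come from \windows\ntbtlog.txt on that same volume.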



