Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

XP laptop will not allow any browser to open


  • This topic is locked This topic is locked
4 replies to this topic

#1 emperor_wu

emperor_wu

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:16 AM

Posted 22 October 2010 - 09:23 AM

My brother in law dropped this laptop off for resuscitation, so I have no idea how it got to this state. Symptoms:
- although IE8 and Firefox are both installed, neither will start. Attempting to start either caused the hard drive to spin for a few seconds, but no windows pop, focus doesn't change, and the apps do not start.
- XP complains that Kapersky antivirus is not protecting the computer -- from what I see Kapersky isn't even installed.

I created a copy of the "ultimate boot cd for windows" (UBCD4W), booted to it, and ran a series of malware removal tools:
- SpyBot Search & Destroy - found and removed 97 items (mostly tracking cookies)
- McAfee's Stinger - found and removed several items
- Malwarebytes - found and removed an additional 47 items

After each of these processes I tested for browser start, and still failed.

I then broke the rules and ran ComboFix, with the following results. My base issue, neither Firefox nor IE8 will open, remains unchanged. Based on this, does anyone have a recommended course of action?
=====================================================================
ComboFix 10-10-21.01 - Robert 10/21/2010 22:29:06.2.1 - x86
Running from: c:\documents and settings\Robert\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( Files Created from 2010-09-22 to 2010-10-22 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [12/10/2009 5:06 PM 9344]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-10-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2010-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 19:40]

2010-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-15 19:40]

2010-10-22 c:\windows\Tasks\Norton Security Scan for Robert.job
- c:\program files\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2010-01-13 17:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?ilc=1
uInternet Settings,ProxyOverride = *.local
IE: Crawler Search - tbr:iemenu
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} -
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\kv96mzgc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Inbox Search
FF - prefs.js: browser.startup.homepage - hxxp://www.crawler.com/?tbid=60282
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm265YYUS&fl=0&ptb=7XPT_oxKHxWUblizh9qOLw&url=http://search.mywebsearch.com/mywebsearch/GGmain.jhtml&st=kwd&n=77ce596a&si=21786&searchfor=

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4bb34a78-c3bb-4fbb-b991-4ccda8d97ec3}]
@Denied: (Full) (Everyone)
"Model"=dword:00000043
"Therad"=dword:00000021
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,ab,9e,50,1b,eb,77,d1,ab,10,b8,96,85,77,c7,11,7d,83,e0,8b,c5,07,bb,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):e3,40,80,57,36,3f,1e,95,58,ab,20,39,70,af,65,75,75,01,80,5e,00,
04,60,2c,92,0b,bf,6f,16,ef,5e,57,af,0e,b2,67,49,5a,32,0d,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):1d,56,46,f0,fe,9c,b9,6f,c6,e4,bb,19,fc,e0,e8,5b,80,30,47,2c,a8,
6f,1f,f5,b8,02,e3,62,12,7d,fa,bb,ce,d2,f1,af,4c,2f,0e,da,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9181b6ec-9a87-404a-b89b-589086af3129}]
@Denied: (Full) (Everyone)
"Model"=dword:000000ba
"Therad"=dword:00000015
"MData"=hex(0):43,ee,51,07,3a,5b,07,66,34,3f,b4,81,86,10,f4,47,b3,8a,73,55,06,
d6,c1,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1832)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-21 22:35:40
ComboFix-quarantined-files.txt 2010-10-22 05:35
ComboFix2.txt 2010-10-22 05:25

Pre-Run: 67,957,370,880 bytes free
Post-Run: 67,938,566,144 bytes free

- - End Of File - - DE0901D04CAB5346FEB1F78E81F44714

BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:16 AM

Posted 31 October 2010 - 04:30 AM

Hello ,
And :welcome: to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 emperor_wu

emperor_wu
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:16 AM

Posted 31 October 2010 - 10:06 AM

Hi Elise,
thanks for the response. My time needs forced me to look for alternative solutions. Since his data appeared uninfected, I copied that off, formatted the drive, and reinstalled the OS. He's back up and running, and this time I took the precaution of creating a Ghost image of the machine with fresh OS, drivers, and browsers. If it happens again, I have an easy way now to get back to a good known state.

One comment on installing XP on this machine (Toshiba Satellite M55-S135) -- it would halt in the XP installation at the point that (if I recall correctly) it says something like "Setup is Starting Windows". To get around this I used F5 at the point that the XP install disk boots, and choose another value for the Hardware Abstraction Layer it will use during setup. I tried a few at random until I got one to work. YMMV

Summary:
- problem is gone, but only because I formatted and reinstalled
- I have no idea what the underlying issue really was
- The Satellite M55-S135 needs a non-standard HAL when I installed XP

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:16 AM

Posted 31 October 2010 - 10:12 AM

Hi, that is most likely caused by a driver that was not included on the CD. There is no way saying what has caused the original problems.

The only thing I can say is that any malware is gone now.

Please let me know if this answers your questions.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:16 AM

Posted 06 November 2010 - 05:51 AM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users