
svchost.exe Pop-Up


  • This topic is locked
21 replies to this topic

#1 sixreagans

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:51 PM

Posted 09 November 2010 - 06:00 PM

I found this site while looking for some help to solve my computer problem. I have done a search of some of the other topics and, from what I've read, this seems like a very helpful place!

I recently found my computer running very slow. Then, while on the internet my computer opened up a new internet window taking me to a page trying to sell anti-virus software. When I tried to close the window I kept getting pop-ups asking me if I was sure I wanted to leave. I wound up having to shut my computer down to get out of that circle. After restarting my computer I found I was able to work for a few minutes before getting a pop-up warning "0x7c923845 referenced memory at 0x00000000. the memory could not be "read" OK to Terminate or Cancel to Debug". Clicking either choice didn't seem to help anything and my Windows would freeze up and I would be unable to click on anything else, including the Start button to shut the computer down.

Here's what I've done so far: I've updated and run my "AVG 2011" and also ran Malwarebytes' Anti-Malware. I've also run a couple of online scans from Microsoft (their OneCare scan) which kept locking up after the above pop-up showed up. After reading about some other people's problems with this error message, I also ran a scan from F-Secure.com called "Blacklight". It found a couple of things, but after deleting them, I still have the same problems: locking up, slow moving computer, and unwanted windows opening while I'm online.

Thank you in advance for any help that you are able to give.

I just finished doing Steps 6 (running Defogger), 7 (Running DDS), & 8 (creating a GMER log)

Below are the results of those logs:

DDS (Ver_10-11-09.01) - NTFSx86
Run by Tom at 11:38:38.59 on Tue 11/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.343 [GMT -6:00]

AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Webroot Desktop Firewall *enabled* {AF0CFAAE-AAB5-450a-8C74-0DEEB429DF50}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.yahoo.com/
uSearch Page =
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "c:\documents and settings\tom\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [SigmatelSysTrayApp] "c:\windows\stsystra.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [DMXLauncher] "c:\program files\dell\media experience\DMXLauncher.exe"
mRun: [DLA] "c:\windows\system32\dla\DLACTRLW.EXE"
mRun: [PAC207_Monitor] "c:\windows\pixart\pac207\Monitor.exe"
mRun: [Monitor] "c:\windows\pixart\pac207\Monitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg10\avgtray.exe"
mRun: [<NO NAME>]
mRun: [Webroot Desktop Firewall] "c:\program files\webroot\webroot desktop firewall\WDF.exe"
mRun: [KernelFaultCheck] "c:\windows\system32\dumprep.exe" 0 -k
dRun: [Eyusocu] rundll32.exe "c:\windows\mdltsn.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
Trusted Zone: motive.com\patttbc.att
DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} - hxxp://www-cdn.freerealms.com/gamedata/plugins/1.0.3.93/FreeRealmsInstaller.cab?v=1043
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
STS: {B6BA40C1-A501-59BD-F413-03B03A2C8952} - No File
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tom\applic~1\mozilla\firefox\profiles\4i078eot.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101066100&s=
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\tom\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\tom\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\tom\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\tom\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\sony online entertainment\npsoe.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {B3291985-3767-4624-B5D3-442A49F742C5} - c:\documents and settings\tom\local settings\application data\{B3291985-3767-4624-B5D3-442A49F742C5}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101066100&s=
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]
R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2008-7-31 103304]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-10-11 6104656]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-9-10 265400]
R2 WDFNet;Webroot Desktop Firewall network service;c:\program files\webroot\webroot desktop firewall\wdfsvc.exe [2008-7-31 353672]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S1 938WBB2;938WBB2;c:\windows\system32\drivers\938wbb2.sys --> c:\windows\system32\drivers\938WBB2.sys [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-11-3 517448]
S3 DM9USB;DM9601 USB To Fast Ethernet Adapter;c:\windows\system32\drivers\dm9usb.sys [2010-6-18 21376]
S3 PAC207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [2009-1-16 616064]

=============== Created Last 30 ================

2010-11-06 18:39:22 -------- d-----w- c:\program files\Webroot
2010-11-06 18:39:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\Webroot
2010-11-05 21:10:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-11-03 21:24:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-11-03 21:23:26 -------- d-----w- c:\windows\system32\drivers\AVG
2010-11-03 21:23:07 -------- d-----w- c:\program files\AVG
2010-11-03 21:21:13 4329496 ----a-w- c:\program files\avg_free_stb_all_2011_1153_cnet.exe
2010-10-28 16:54:57 -------- d-----w- c:\program files\CCleaner
2010-10-28 16:53:15 3430224 ----a-w- C:\ccsetup236.exe
2010-10-28 16:25:44 -------- d-----w- c:\docume~1\tom\locals~1\applic~1\AVG Security Toolbar
2010-10-28 14:38:21 -------- d-----w- c:\docume~1\tom\applic~1\AVG10
2010-10-28 01:27:21 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-10-28 01:25:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-10-28 00:59:13 0 ----a-w- c:\windows\Pwepebo.bin
2010-10-28 00:59:12 -------- d-----w- c:\docume~1\tom\locals~1\applic~1\{B3291985-3767-4624-B5D3-442A49F742C5}
2010-10-28 00:57:31 761344 ----a-w- c:\windows\system32\drivers\klbddoja.sys
2010-10-28 00:56:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-10-26 20:18:04 -------- d-----w- c:\program files\TweetDeck
2010-10-22 17:05:23 -------- d-----w- c:\program files\iPod
2010-10-19 14:24:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-10-14 03:59:10 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2010-10-14 03:59:10 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
2010-10-14 03:59:10 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-14 03:59:01 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 16:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-25 16:00:43 51615410 ----a-w- C:\xmind-win-3.1.1.200912022330.exe
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-01-21 20:32:08 8327264 ----a-w- c:\program files\Firefox Setup 3.6.exe
2009-12-22 18:29:49 22245232 ----a-w- c:\program files\Evernote_3.1.0.1225.exe
2009-12-10 18:51:59 563864 ----a-w- c:\program files\ChromeSetup.exe
2009-10-29 16:19:52 21962640 ----a-w- c:\program files\IE8-BetterBrowser-WindowsXP-x86-ENU.exe
2009-10-28 19:14:47 629288 ----a-w- c:\program files\WindowsXP-KB932823-v3-x86-ENU.exe
2009-10-28 19:10:29 16883056 ----a-w- c:\program files\IE8-WindowsXP-x86-ENU.exe
2009-10-28 16:56:53 93074728 ----a-w- c:\program files\iTunesSetup.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD80 rev.10.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86A1C446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86a22504]; MOV EAX, [0x86a22580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x87386030]
3 CLASSPNP[0xF7630FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86766350]
\Driver\iaStor[0x87383A50] -> IRP_MJ_CREATE -> 0x86A1C446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD800JD-75MSA3______________________10.01E04#4&3836d654&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\iaStor DriverStartIo -> 0x86A1C292
user != kernel MBR !!!
sectors 156249998 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 11:40:28.53 ===============




GMER Log:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-09 16:17:46
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 WDC_WD80 rev.10.0
Running: gmer.exe; Driver: C:\DOCUME~1\Tom\LOCALS~1\Temp\uftdapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA119C6C0] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA119C770] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA119C810] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA119C8B0] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.15 ----

.text klbddoja.sys F73F3028 280 Bytes [00, 66, 89, 45, 00, FF, 74, ...]
.text klbddoja.sys F73F3357 42 Bytes [60, 60, 8D, 64, 24, 40, 0F, ...]
.text klbddoja.sys F73F3382 348 Bytes [00, 89, 7C, 24, 14, 9C, 60, ...]
.text klbddoja.sys F73F34DF 45 Bytes [C0, 01, 00, C6, 04, 24, B2, ...]
.text klbddoja.sys F73F350D 17 Bytes [00, 0F, B6, C0, 66, C7, 44, ...]
.text ...
? C:\WINDOWS\system32\drivers\klbddoja.sys A device attached to the system is not functioning.
PAGE Ntfs.sys F7267E55 4 Bytes CALL 873C5AE1
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF7903720]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[432] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EF000A
.text C:\WINDOWS\Explorer.EXE[432] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F0000A
.text C:\WINDOWS\Explorer.EXE[432] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00EE000C
.text C:\WINDOWS\System32\svchost.exe[1644] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D7000A
.text C:\WINDOWS\System32\svchost.exe[1644] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D8000A
.text C:\WINDOWS\System32\svchost.exe[1644] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D6000C
.text C:\WINDOWS\System32\svchost.exe[1644] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00E7000A
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Palm\Hotsync.exe[1980] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\WINDOWS\system32\wuauclt.exe[3308] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 029E000A
.text C:\WINDOWS\system32\wuauclt.exe[3308] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 02A9000A
.text C:\WINDOWS\system32\wuauclt.exe[3308] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0299000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 869E2238

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip 86749F08
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp 86749F08

Device \Driver\Avgtdix \Device\AvgTdi 86749F08
Device \Driver\iaStor -> DriverStartIo \Device\Ide\iaStor0 86A21292
Device \Driver\iaStor -> DriverStartIo \Device\Ide\IAAStorageDevice-0 86A21292

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp 86749F08
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp 86749F08

Device \FileSystem\Fastfat \Fat A0646D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD800JD-75MSA3______________________10.01E04#4&3836d654&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] klbddoja <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\klbddoja@voiwucyhk 2002492217
Reg HKLM\SYSTEM\CurrentControlSet\Services\klbddoja@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\klbddoja@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\klbddoja@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\klbddoja@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet004\Services\klbddoja@voiwucyhk 2002492217
Reg HKLM\SYSTEM\ControlSet004\Services\klbddoja@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\klbddoja@Start 0
Reg HKLM\SYSTEM\ControlSet004\Services\klbddoja@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\klbddoja@Group Boot Bus Extender

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 156249744 (+255): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KDXVX6L1\logCAKE6WY3 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KDXVX6L1\logCAR9W573 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\KDXVX6L1\logCA945V2L 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\M8Y0810P\AdId=1252910;BnId=1;ct=3930002879;st=430;adcid=1;itime=340227513;reqtype=5;kr6711=295238;kvcampaignid=all;kp=-1[1] 1 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Q5VJNL8H\nad[1] 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Q5VJNL8H\1638360215@x10[1] 3045 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Q5VJNL8H\banner_shim[1].swf 809 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Q5VJNL8H\track[2].js 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Q5VJNL8H\;subnid=1;bnid=2;adid=1037166;header=yes;misc=440734705;dn75%25=1[1] 1 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Q5VJNL8H\logCAVCUKVG 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Q5VJNL8H\1299179013@x10[1] 3045 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YB9MRAXL\afr[1].php 932 bytes

---- EOF - GMER 1.0.15 ----

Edit: Moved topic from AntiVirus, Firewall and Privacy Products and Protection Methods to the more appropriate forum. ~ Animal
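The two logs above contain the indicators a responder looks for before touching the machine: a browser proxy pointed at 127.0.0.1, a Run entry that uses rundll32 to load a DLL dropped directly in c:\windows, a service that GMER reports as hidden, and the "user != kernel MBR" cross-view mismatch that characterises an MBR bootkit. The following triage script is an added example, not a BleepingComputer, DDS or GMER tool; it runs a handful of rules over log lines pasted in this format. The sample lines are constructed from the logs in this post, the rule names and severity labels are my own, and the hive labels assume DDS's u/m/d prefix convention (current user / machine / default user). It also shows the caveat that GMER tags every SSDT hook "ROOTKIT", including the AVG driver's own hooks, so an attributed hook is downgraded to informational.

```python
"""Rule-based triage for DDS 'Pseudo HJT Report' and GMER text logs (added example)."""
import re
from collections import Counter

# Constructed sample lines modelled on the DDS and GMER output posted above;
# benign lines are included so the rules have something to pass over.
SAMPLE_LINES = [
    r"uInternet Settings,ProxyServer = http=127.0.0.1:5555",
    r"uInternet Settings,ProxyOverride = *.local",
    r"BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll",
    r"TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r'mRun: [AVG_TRAY] "c:\program files\avg\avg10\avgtray.exe"',
    r'dRun: [Eyusocu] rundll32.exe "c:\windows\mdltsn.dll",Startup',
    r"SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA119C6C0] <-- ROOTKIT !!!",
    r"Service (*** hidden *** ) [BOOT] klbddoja <-- ROOTKIT !!!",
    r"user != kernel MBR !!!",
    r"Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!",
]

LOCALHOST_PROXY = re.compile(r"ProxyServer\s*=.*?(?:127\.0\.0\.1|localhost):(\d+)", re.I)
RUN_ENTRY = re.compile(r"^(?P<hive>[umd])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
# A DLL sitting directly in the Windows folder (no subdirectory), e.g. c:\windows\mdltsn.dll
WINDOWS_ROOT_DLL = re.compile(r"[a-z]:\\windows\\[\w .-]+\.dll", re.I)
ORPHANED = re.compile(r"^(?:BHO|TB|EB|STS):.*-\s*No File\s*$", re.I)
SSDT_HOOK = re.compile(r"^SSDT\s+(?P<module>\S+)\s*(?:\((?P<vendor>[^)]*)\))?.*<-- ROOTKIT", re.I)
HIDDEN_SERVICE = re.compile(r"^Service \(\*\*\* hidden \*\*\* \)\s*\[(?P<start>\w+)\]\s*(?P<name>\S+)", re.I)
MBR_MISMATCH = re.compile(r"user\s*!=\s*kernel MBR", re.I)
DISK_ROOTKIT = re.compile(r"^Disk .*\(MBR\).*rootkit-like behavior.*<-- ROOTKIT", re.I)

HIVE_LABEL = {"u": "current user", "m": "machine", "d": "default user"}  # assumed DDS convention
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def classify(line):
    """Return (severity, rule, note) for one log line, or None if there is nothing to flag."""
    line = line.strip()
    m = LOCALHOST_PROXY.search(line)
    if m:
        return ("medium", "localhost-proxy",
                f"browser traffic is forced through a proxy on this machine (port {m.group(1)}); "
                "a local process sits in the middle of every web request")
    m = RUN_ENTRY.match(line)
    if m:
        cmd = m.group("cmd")
        dll = WINDOWS_ROOT_DLL.search(cmd)
        if "rundll32" in cmd.lower() and dll:
            hive = HIVE_LABEL[m.group("hive").lower()]
            return ("high", "rundll32-windows-root-dll",
                    f"{hive} Run key '{m.group('name')}' loads {dll.group(0)} via rundll32; "
                    "legitimate software rarely drops DLLs directly in the Windows folder")
        return None  # ordinary autostart entry
    if ORPHANED.match(line):
        return ("low", "orphaned-browser-entry",
                "registered browser extension whose file is missing; a clean-up item, not evidence on its own")
    m = SSDT_HOOK.match(line)
    if m:
        if m.group("vendor"):
            return ("info", "ssdt-hook",
                    f"SSDT hook attributed to a named driver ({m.group('vendor').strip()}); "
                    "GMER tags every hook ROOTKIT, including security software's own")
        return ("high", "ssdt-hook", f"SSDT hook by unattributed code at {m.group('module')}")
    m = HIDDEN_SERVICE.match(line)
    if m:
        return ("high", "hidden-service",
                f"service '{m.group('name')}' is hidden from the service list and starts at {m.group('start')}")
    if MBR_MISMATCH.search(line):
        return ("high", "mbr-mismatch",
                "MBR read from user mode differs from what the kernel reads: disk I/O is being filtered")
    if DISK_ROOTKIT.match(line):
        return ("high", "mbr-rootkit-signature", "GMER matched a known bootkit pattern in sector 0")
    return None


def triage(lines):
    """Run every rule over the log and return the findings as a list of dicts."""
    findings = []
    for line in lines:
        hit = classify(line)
        if hit:
            severity, rule, note = hit
            findings.append({"severity": severity, "rule": rule, "note": note, "line": line.strip()})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 1, ...}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LINES), key=lambda f: SEVERITY_ORDER[f["severity"]]):
        print(f"[{f['severity']:<6}] {f['rule']}: {f['note']}\n         {f['line']}")
    print(summarize(triage(SAMPLE_LINES)))
```

The rules deliberately stop at "worth a human look": the proxy and the rundll32 entry are scored on where they point rather than on a signature, and the four high-severity hits together (Run entry, hidden boot-start service, MBR mismatch, sector-0 pattern) are what justify the MBR-rootkit tooling the helper asks for in the next post.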

#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:51 PM

Posted 16 November 2010 - 01:00 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double-click DeFogger to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK.
  • DeFogger may ask you to reboot the machine; if it does, click OK.

Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs.
  • Save the logs to a convenient place such as your desktop.
  • Copy the contents of both logs & post them in your next reply.



Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Extract RKUnhooker to your desktop.
    Note** it is zipped up in a .rar file. If you do not have a program to unzip this type of file,
    you can get a free one from here - http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait until the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.


Information and logs:

In your next post I need the following:

1. Logs from DDS
2. Log from RKUnHooker
3. Let me know of any problems you may have had
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 sixreagans

  • Topic Starter
  • Members
  • 10 posts
  • Local time:08:51 PM

Posted 17 November 2010 - 11:10 AM

So glad to get a response. Sadly, when I went to start up my computer, it won't fully start. It'll try, but Windows won't fully load. When I try to go into "Safe Mode", I get the menu asking which way I would like to start it; Safe Mode, Safe Mode with Network, etc. When I click any of those, it goes to a black screen and won't go any further.

Is it time to take it to a professional?

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:51 PM

Posted 17 November 2010 - 12:17 PM

Burn recovery console CD

  • Download the recovery_console_cd.zip file to your drive and extract it to its own folder (c:\recoverycd for example).
  • Download the floppy disk setup package XP Home for your operating system (XP Home) and save it to the folder you extracted the zip to.
  • Rename the floppy disk setup package to Bootdisk.exe.
  • Insert a blank CD into your burner.
  • Double-click the RecoveryCD.bat file and follow the prompts to burn a CD that will allow you to boot to the recovery console.

Boot into recovery console

  • Insert the CD that we made into the CD drive.
  • Restart the computer.
  • The screen will say "Windows set up"; just wait.
  • At the welcome screen press "R".
  • Type 1 to enter c:\windows.
  • Type in the following and press Enter:
  • disable klbddoja

Let me know if it boots back up.

Gringo

#5 sixreagans

  • Topic Starter
  • Members
  • 10 posts
  • Local time:08:51 PM

Posted 17 November 2010 - 01:25 PM

Gringo, I sure appreciate your help!

OK, I made the recovery CD and put it in the computer. When I restarted it, it didn't start reading the CD. I restarted the computer again, this time hitting F12 for the Boot Device Menu and selected "Onboard or USB CD-Rom Drive". The computer began reading the CD and got me to the "Windows set up" screen and the bottom of the screen ran a bunch of file names until it said "Set Up is starting Windows", but then I got the blue screen that said that it "detected a problem and Windows had to be shut down." I don't know if you need this part, but at the bottom of the message was "Technical Information" followed by this "(0x0000007B, 0xF7A8a524, 0xC0000034, 0x00000000, 0x00000000)"

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:51 PM

Posted 17 November 2010 - 02:13 PM

Hello

Try to go into the BIOS and change the boot order from there.

Redownload the recovery CD, as we have to go into the recovery console to fix this.


Gringo

#7 sixreagans

  • Topic Starter
  • Members
  • 10 posts
  • Local time:08:51 PM

Posted 17 November 2010 - 02:41 PM

I'm sorry Gringo, you lost me on that last post. You're going to have to walk me through it.

How do I go into BIOS?
How do I change the boot order? What should the order be?

I need to make a new CD? What should be changed from the first one?

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:51 PM

Posted 18 November 2010 - 03:47 AM

Hello

Sorry for the delay

Please go here to see how to change the boot order of the computer to make the CD the first option - http://www.windowsreinstall.com/articles/bios/

I would like you to burn a new CD to make sure that it is OK, as I have not heard of that error.

Gringo

#9 sixreagans

  • Topic Starter
  • Members
  • 10 posts
  • Local time:08:51 PM

Posted 19 November 2010 - 03:51 PM

I read the link that you gave me and changed the BIOS to start with the CD. I also went back through and burned another recovery CD. When I started up my computer, it opened the screen that says "Windows Setup" at the top and began checking files at the bottom. When it got to the end it said that it would start Windows, but it went to the "detected a problem and Windows had to be shut down." (My friend calls it the "blue screen of death"). Anyway, it will not boot back up.

Are there any other options?

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:51 PM

Posted 19 November 2010 - 04:32 PM

Hello

Just for fun, let's try the one for XP Pro.

Burn recovery console CD

  • Download the recovery_console_cd.zip file to your drive and extract it to its own folder (c:\recoverycd for example).
  • Download the floppy disk setup package XP Pro for your operating system (XP Pro) and save it to the folder you extracted the zip to.
  • Rename the floppy disk setup package to Bootdisk.exe.
  • Insert a blank CD into your burner.
  • Double-click the RecoveryCD.bat file and follow the prompts to burn a CD that will allow you to boot to the recovery console.

See if it will let you boot into the recovery console.

Gringo

#11 sixreagans

  • Topic Starter
  • Members
  • 10 posts
  • Local time:08:51 PM

Posted 19 November 2010 - 04:54 PM

When it went to read the new CD, it popped up "No boot device available - strike F1 to retry boot, F2 for Setup utility". It didn't even get to the "Windows Setup" screen.

#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:51 PM

Posted 20 November 2010 - 12:50 AM

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert back in your working computer and navigate to report.txt

Please note - all text entries are case sensitive.

Copy and paste the report.txt for my review.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
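The report the post asks for comes from the linked driver.sh, whose contents are not shown in the thread. As an added example (not the thread's or noahdfear's script), this simplified POSIX shell inventory shows what such an offline check does once the Windows volume is mounted from a live-Linux boot: list every .sys file in the drivers directory with its size and SHA-256, and flag names absent from a known-good list, which is how a random-named driver like the one disabled above stands out when the rootkit is not running. The allowlist, the mount paths and the sample driver tree are constructed for the demo.

```sh
#!/bin/sh
# Added example, not the driver.sh the post links to: a simplified offline
# driver inventory taken from a live-Linux boot, when the installed Windows
# (and any rootkit hiding inside it) is not running. Assumes the Windows
# volume is mounted (e.g. /mnt/sda1); the allowlist is a constructed demo list.

KNOWN_GOOD="ntfs.sys disk.sys atapi.sys"   # constructed, not authoritative

# driver_report DRIVERS_DIR OUT_FILE: one tab-separated line per .sys file
# (name, size, sha256, verdict) in OUT_FILE; echoes the count of unknown names.
driver_report() {
    dir="$1"; out="$2"; unknown=0
    : > "$out"
    for f in "$dir"/*.sys; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        size=$(wc -c < "$f" | tr -d ' ')
        if command -v sha256sum >/dev/null 2>&1; then
            hash=$(sha256sum "$f" | cut -d' ' -f1)
        else
            hash="sha256-unavailable"
        fi
        verdict="known"
        case " $KNOWN_GOOD " in
            *" $name "*) ;;
            *) verdict="UNKNOWN"; unknown=$((unknown + 1)) ;;
        esac
        # A zero-byte driver file is worth a look whatever its name.
        if [ "$size" -eq 0 ]; then verdict="$verdict,zero-size"; fi
        printf '%s\t%s\t%s\t%s\n' "$name" "$size" "$hash" "$verdict" >> "$out"
    done
    echo "$unknown"
}

# Constructed sample tree standing in for /mnt/sda1/WINDOWS/system32/drivers;
# klbddoja is the random-named service the thread disables.
make_sample_drivers() {
    d=$(mktemp -d)
    printf 'legit' > "$d/ntfs.sys"
    printf 'legit' > "$d/disk.sys"
    printf 'random-named driver' > "$d/klbddoja.sys"
    : > "$d/empty.sys"
    echo "$d"
}

# Demo on the constructed tree; on the sick machine pass the mounted drivers
# directory and a path on the USB stick instead.
demo_dir=$(make_sample_drivers)
driver_report "$demo_dir" "$demo_dir/report.txt" >/dev/null
cat "$demo_dir/report.txt"
```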

#13 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:51 PM

Posted 23 November 2010 - 12:41 AM

Hello

Three day bump

It has been three days since my last post.

  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo

#14 sixreagans

  • Topic Starter
  • Members
  • 10 posts
  • Local time:08:51 PM

Posted 23 November 2010 - 11:14 AM

Sorry it took so long to get back with you.

I'm having a hard time finding the folder that represents my USB drive in xPUD.

I entered xPUD, clicked on File and expanded mnt.
When expanding mnt, I have 3 options: sda1, sda2, sda3.
sda1 and sda2 seem to have hard drive "things" on them (Program Files, Documents, etc.); sda3 has these folders in it: bat, bin, img, src1, src2, src3, src4, src5, and then has autoexec.bat, command.com, config.sys, dellbio.bin, and dellrmk.bin.

I cannot find anything that represents my USB and cannot find driver.sh

#15 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:51 PM

Posted 23 November 2010 - 12:44 PM

Hello

Take out the USB and put it back in and see if it shows up.


Gringo



