Windows Vista Business Startup Error

  • This topic is locked
2 replies to this topic

#1 needalittlehelp


  • Members
  • 5 posts
  • Local time:09:32 PM

Posted 15 November 2010 - 12:00 AM

I don't actually end up with the BSOD; I just get a black screen asking me to put in my Windows installation disk to perform a startup repair. However, I don't want to do anything without advice. I have malware that redirects me to Google ads. I did a scan with Malwarebytes, which detected 4 items:

Files Infected:
C:\Users\Jeremy\AppData\Roaming\020000002abe4b60922C.manifest (Malware.Trace) -> No action taken.
C:\Users\Jeremy\AppData\Roaming\020000002abe4b60922O.manifest (Malware.Trace) -> No action taken.
C:\Users\Jeremy\AppData\Roaming\020000002abe4b60922P.manifest (Malware.Trace) -> No action taken.
C:\Users\Jeremy\AppData\Roaming\020000002abe4b60922S.manifest (Malware.Trace) -> No action

I clicked remove, and rebooted the computer. I haven't been able to boot back up since. Did removing these files damage Windows startup? Note that I had successfully booted my computer with the malware before using Malwarebytes. Subsequent scans with all the updates turn up nothing. Here is a DDS scan logfile. I was asked to run this scan by a moderator in another forum, but I haven't had a second response for a while now...

DDS (Ver_10-11-10.01) - NTFSx86 NETWORK
Run by Jeremy at 14:13:49.08 on Sun 11/14/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.2045.1446 [GMT -5:00]

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Jeremy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IXRS1QXZ\dds[1].scr
C:\Windows\system32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.inbox.com/homepage.aspx?tbid=80114&lng=en
uWindow Title = Internet Explorer, optimized for Bing and MSN
uInternet Settings,ProxyServer = http=
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://toolbar.inbox.com/search/ie.aspx?tbid=80114&lng=en
mCustomizeSearch = hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80114
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Inbox Toolbar: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [BitTorrent DNA] "c:\users\jeremy\program files\dna\btdna.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [icardial] rundll32 "c:\users\jeremy\appdata\local\temp\dvdpolor.dll",DllEntryPoint
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\jeremy\appdata\roaming\mozilla\firefox\profiles\fb4munjd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Inbox Search
FF - prefs.js: browser.startup.homepage - hxxp://www.inbox.com/homepage.aspx?tbid=80114&lng=en
FF - prefs.js: keyword.URL - hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=sf&tbid=80114&language=en&qkw=
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\users\jeremy\program files\dna\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

S2 gupdate1c9c2201c686ef0;Google Update Service (gupdate1c9c2201c686ef0);c:\program files\google\update\GoogleUpdate.exe [2009-4-20 133104]

=============== Created Last 30 ================

2010-11-12 06:24:54 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{19508b92-f3a3-4e9c-957e-513f21091aca}\mpengine.dll
2010-10-23 04:56:27 -------- d-----w- c:\users\jeremy\photos
2010-10-22 05:34:34 -------- d-----w- c:\users\jeremy\tongueart

==================== Find3M ====================

2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2009-04-20 10:59:29 7349664 ----a-w- c:\program files\FLV PlayerATBSetup.exe
2000-12-08 14:42:14 2154496 ------w- c:\program files\DjVuSolo.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6000 Disk: ST9120822AS rev.3.ALC -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84268EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x84659872; SUB DWORD [EBP-0x4], 0x8465912e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x81C67985] -> \Device\Harddisk0\DR0[0x84307030]
3 nt[0x81CA80AF] -> nt!IofCallDriver[0x81C67985] -> [0x8420CB20]
5 acpi[0x8047632A] -> nt!IofCallDriver[0x81C67985] -> [0x84206BB0]
[0x8432B388] -> IRP_MJ_CREATE -> 0x84268EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskST9120822AS_____________________________3.ALC___#5&11cf82de&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x84268AEA
user & kernel MBR OK
sectors 234441646 (+235): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 14:15:49.81 ===============

Edited by Budapest, 15 November 2010 - 12:58 AM.
Moved from Vista ~BP



#2 needalittlehelp

  • Topic Starter

  • Members
  • 5 posts
  • Local time:09:32 PM

Posted 16 November 2010 - 12:55 PM

EDIT: This issue has been resolved, thanks for reading... B)

#3 Budapest


    Bleepin' Cynic

  • Moderator
  • 23,573 posts
  • Gender:Male
  • Local time:12:32 PM

Posted 16 November 2010 - 04:10 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
