
Dead slow computer, contagious too.


  • This topic is locked
9 replies to this topic

#1 Walking Through


  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston
  • Local time:08:13 PM

Posted 24 May 2011 - 09:10 AM

Hello to the BC Experts -

This is long, because I've been at this for two weeks. The "usual" fixit almost worked and then got nailed again.

Preliminaries:
--------------

Windows XP Media Edition SP3, plus patches, kept up to date via Microsoft's Update site. This system has been upgraded from SP1.1 to SP2 and finally to SP3 via Microsoft service packs. I've got the SP3 CD at hand. And my partition and system recovery CD is nearby.

Microsoft Security Essentials. Up to this, it's done a good job at stopping the malware.

HP Pavilion a1240n, 3 GHz, hyperthreaded, 4 GB RAM, 250 GB disk (about 180 GB available), NVidia 6200 (runs dual monitor).

Side note: I've been fiddling with computers for a while now; written some software for Windows and Linux as part of my job. A few of my friends might consider me "technical". For all of that, this ...problem... has me nearing the end of my rope.


Trouble
-------
Aw, this machine was fast. Now? Several minutes to boot up in normal mode. The hard drive access light goes on SOLID a moment or two after the splash screen and the system is unresponsive. After a minute or two the drive can be heard to twitch ... and things start happening during the twitches.

It's "stuttering". Near unusable.

Give it maybe five minutes and it's sort-of active. But whatever's in there is putting a few seconds of delay into normal XP operations.

On start, Microsoft Security Essentials puts up that little red "house" in the System Tray. A few seconds later a warning panel pops up: "Security Essentials isn't monitoring your computer because the program's service stopped. You should restart it now." and there's a pretty button.

It does not matter if the button is pressed or not; a minute or so later the "house" symbol turns green.


What's been done so far:
-----------------------

1. Hauled out my 80 GB USB drive and backed up everything in sight while in Safe Mode. I think I've got a complete set of data.

2. Pulled a spare drive out of the closet, unplugged the drive with the problem, and built a new install of XP SP3 onto the new drive. I mean I started with the SP1.1a CD (it's a two-CD set; three hours for the recovery system to finish the build and install), then SP3, then several visits to Microsoft's Update for on the order of 200 patches and packages. The computer is on a fairly fast link (Comcast) and all this took perhaps five hours.

Installed Security Essentials at the end of the patchfest.

3. Plugged in the USB drive with the intent of copying everything off it and onto the new system. That was a mistake: the drive was connected, recognized by XP, and then AutoRun/AutoPlay started. Two bright flashes of the drive access light, a pause, and the drive access light goes solid on and system response time goes to zilch.

This (3) is really irritating. I remember one patch indicating "Installing this patch will prevent Auto-something, do you wish to continue?" And I clicked Yes to install the patch. Apparently that didn't apply to USB-connected disk drives.

Then comes the sinking feeling that I'm in over my head.


What I have Done So Far
-----------------------

Well, at least the data is safe (I HOPE!), albeit on what appears to be an infected USB drive. So far I haven't seen signs of massive data corruption (chewed-up text or Word '97 files, corrupted and unrunnable executables, etc.). So I'm hoping my electronic records are intact.

Task Manager reports the System Idle Process at between 92% and 99%.

Sysinternals Process Explorer reports the same. It also reports lsass reading a LOT of data from the drive. Last I looked, it was past 200M and zooming right along. In Safe Mode (where this note is being written), it seems well-behaved.

Starting the Computer Management console, I'm looking at the Event Viewer under Application. There are a number of Errors. Here's one from just a little bit ago:

Event 5000
----------
EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4 3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 NIL, P10 NIL.

Event 5001
----------
Bucket 1568835785, bucket table 5, EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4 3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 NIL, P10 NIL.

There are several notices of applications being "hung". Partial list: msseces, mmc, all with address 0x00000000.

CHKDSK /r

Produced one bad sector. It says the data was recovered and the sector locked out.

CCleaner 3.0.6 cleaned out a pile of temp files.

I run Firefox and occasionally Internet Explorer 7. Both have had their respective "clean up the mess" buttons pushed.

Ran Trend Micro's HouseCall software. Several times. System comes up clean.

Ran Panda's online antivirus. System comes up clean.

Someone pointed me at HitmanPro 3.5 and that reported the system as clean.

Started a full scan by Microsoft Security Essentials and that came up clean.

By now I'm wondering what has invaded the computer and either how to get rid of it or to build a system that won't get infected by it when that USB drive is plugged in.

SFC runs, claims DLLs are corrupted, and wants my Windows Professional Service Pack 3 CD to install correct copies. Plugging in the SP3 CD produces, "You inserted the wrong CD." and a repeated request for the correct CD.

I've gone through several iterations of turning everything off in the Startup then turning them on one at a time. The problem persists; nothing I turn off or turn on seems to have an effect. I'm a little leery of turning off Services (which service interacts with which ability?).

Per instructions, DDS has been run. Log files will be posted and attached per instructions.

I cannot get GMER to complete in WinXP SP3 normal boot. It gets to "IDE Part 0" (think that's what it said) then XP crashes itself. The screens blank, the drive spins down (!), the computer POSTs itself, reboots (now up to several minutes of the drive stuttering and performance crawling) and XP says, "The system has recovered from a serious error." and wants permission to tell Microsoft. I clicked OK. The report back from Microsoft says:

Stop (blue screen) error caused by device or driver.

The last driver installed was applied to the video interface, an NVidia 6200; it showed up in a Microsoft update cycle. Rolling the driver back didn't have an effect; GMER in normal mode crashes dead a few seconds after launch.

GMER ran to completion (several hours) in Safe Mode. GMER then reports it could not find any system modifications.


What I have available
---------------------

Backup of data. Unfortunately, I recently moved and a few installation disks are somewhere in storage. The search for those continues.

An old P1 @ 233 MHz laptop is available. I can get on the net with it (it's faster than the P4 right now!). It runs Win98SE, has a USB port, and I've got USB memory sticks.

As mentioned above, the System Recovery and Service Pack 3 are available.

A spare drive. Another five hours and a fresh system could be built. I don't know how to stop AutoRun/AutoPlay when inserting a USB drive. Stopping that with CDs is easy: hold down the left-shift key. But USB drives?

Your time is appreciated.

WalkingThrough

================================
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.5730.11
Run by HP_Administrator at 1:12:12 on 2011-05-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2313 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\ALCMTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mWindow Title =
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\progra~1\icq\ICQ.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188396583656
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5131/mcfscan.cab
DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} - file:///C:/PSDK/controls/sdkinst.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: AutorunsDisabled - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\a0whf4qj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxps://www.google.com/search?ZUGO&form=2GAADF&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl0fb96d48;MpKsl0fb96d48;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b629575-beae-4f27-b9b6-28019eb30b96}\MpKsl0fb96d48.sys [2011-5-23 28752]
R1 MpKsla5b92dd3;MpKsla5b92dd3;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b629575-beae-4f27-b9b6-28019eb30b96}\MpKsla5b92dd3.sys [2011-5-24 28752]
R2 DriverX;DriverX;c:\windows\system32\drivers\driverx.sys [2009-3-30 234140]
R2 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2007-8-29 14336]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2008-4-9 80256]
R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [2008-4-4 70016]
S1 MpKslc1662846;MpKslc1662846;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b629575-beae-4f27-b9b6-28019eb30b96}\MpKslc1662846.sys [2011-5-23 28752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 4mmdat;4mmdat;c:\windows\system32\drivers\4mmdat.sys [2009-4-20 12288]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2008-10-11 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
.
=============== Created Last 30 ================
.
2011-05-24 05:00:20 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b629575-beae-4f27-b9b6-28019eb30b96}\MpKsla5b92dd3.sys
2011-05-24 04:00:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-24 04:00:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-24 04:00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-24 03:50:25 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b629575-beae-4f27-b9b6-28019eb30b96}\MpKslc1662846.sys
2011-05-24 03:35:43 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b629575-beae-4f27-b9b6-28019eb30b96}\MpKsl0fb96d48.sys
2011-05-23 06:07:41 6962000 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b629575-beae-4f27-b9b6-28019eb30b96}\mpengine.dll
2011-05-23 00:22:49 6962000 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-05-22 23:41:29 -------- d-----w- c:\program files\Microsoft Security Client
2011-05-22 16:42:54 -------- d-----w- c:\documents and settings\hp_administrator\local settings\application data\Sunbelt Software
2011-05-22 05:53:20 -------- d-----w- c:\documents and settings\all users\application data\NVIDIA Corporation
2011-05-22 05:47:20 252080 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-05-22 05:46:20 252080 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-05-22 05:46:20 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-05-22 05:43:01 6397824 ----a-w- c:\windows\system32\nv4_disp.dll
2011-05-22 05:43:01 6397824 ----a-w- c:\windows\system32\dllcache\nv4_disp.dll
2011-05-22 05:40:35 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-05-22 05:40:35 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-05-22 05:40:35 2916968 ----a-w- c:\windows\system32\nvcuvid.dll
2011-05-22 05:40:35 2292678 ----a-w- c:\windows\system32\nvdata.bin
2011-05-22 05:40:35 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-05-22 05:40:35 14671872 ----a-w- c:\windows\system32\nvoglnt.dll
2011-05-22 05:40:33 4980736 ----a-w- c:\windows\system32\nvcuda.dll
2011-05-22 05:39:34 1958400 ----a-w- c:\windows\system32\nvapi.dll
2011-05-22 05:39:34 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
2011-05-22 05:34:15 -------- d-----w- C:\NVIDIA
2011-05-17 23:48:16 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-13 10:17:07 -------- d-sh--r- C:\cmdcons
2011-05-13 10:16:54 -------- d-----w- c:\windows\setupupd
2011-05-13 08:24:04 -------- d-----w- c:\documents and settings\hp_administrator\local settings\application data\PCHealth
2011-05-13 03:38:01 -------- d-----w- C:\ToolBar SD
2011-05-11 08:42:23 -------- d-----w- C:\COMPARE
2011-05-10 01:16:11 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-05-07 15:57:57 -------- d-----w- C:\CCleaner Registry Backups
2011-05-07 15:41:33 -------- d-----w- c:\program files\CCleaner
2011-05-07 09:15:21 -------- d-----w- c:\program files\common files\Symantec Shared
2011-05-07 08:59:34 -------- d-----w- c:\documents and settings\hp_administrator\local settings\application data\Tific
2011-05-07 08:59:34 -------- d-----w- c:\documents and settings\hp_administrator\application data\Tific
2011-05-07 08:58:22 -------- d-----w- c:\documents and settings\all users\application data\Norton
2011-05-07 08:57:23 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
2011-05-03 02:31:06 61440 ----a-w- c:\windows\system32\OpenCL.dll
.
==================== Find3M ====================
.
2011-05-17 22:05:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-24 05:18:19 1424 ----a-w- C:\output.bat
2011-03-11 14:10:38 471552 ----a-w- c:\windows\apppatch\aclayers.dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-23 06:57:00 941160 ----a-w- c:\windows\system32\SET20.tmp
2011-02-23 06:57:00 6398720 ----a-w- c:\windows\system32\SETF.tmp
2011-02-23 06:57:00 1958400 ----a-w- c:\windows\system32\SET11.tmp
.
============= FINISH: 1:14:24.45 ===============

Followup....

Deleted all partitions on the spare drive, inserted the WinXP Partition Restore CDs, and that tripped a rebuild when the system was rebooted. Five hours later I've got a stable XP SP3 system.

Now, I know the USB backup drive is contaminated; a previously fresh-built XP was pwned in seconds after plugging it in.

Please... how can I stop XP from AutoPlaying the drive on attach?

Your time is appreciated.

Mod Edit: Merged posts ~ Hamluis.

Edited by hamluis, 29 May 2011 - 05:10 AM.
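The post ends on a concrete question: how to keep XP from acting on a USB drive the moment it is attached. What follows is an added example, not part of Walking Through's post and not a fix supplied by BleepingComputer staff. It assumes PowerShell 2.0 on XP SP3, an elevated prompt on the freshly built system, and that the backup drive mounts as E: (a placeholder letter). The registry values are the ones Microsoft documents in KB967715 (NoDriveTypeAutoRun, HonorAutorunSetting) and the IniFileMapping workaround US-CERT published in TA09-020A; the update that makes XP ignore autorun.inf on anything but CD/DVD media is KB971029. The two inspection functions are an assumed-name convenience for looking at what an autorun.inf on the drive would launch, without opening the drive in Explorer.

```powershell
# Added example (not from the original thread). Run from an elevated PowerShell 2.0
# prompt on XP SP3. Two parts: (1) disable AutoRun/AutoPlay for every drive type,
# (2) inspect a drive's root for an autorun.inf and report what it would launch.
# The drive letter 'E:\' below is an assumption; substitute the backup drive's letter.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$IniMapping     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Disable-AutoRun {
    if (-not (Test-Path $ExplorerPolicy)) { New-Item -Path $ExplorerPolicy -Force | Out-Null }
    # 0xFF sets the bit for every drive type: removable, fixed, network, CD-ROM, RAM disk, unknown.
    Set-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # XP/2003 only honour NoDriveTypeAutoRun reliably with KB967715 installed and this value set.
    Set-ItemProperty -Path $ExplorerPolicy -Name 'HonorAutorunSetting' -Value 1 -Type DWord
    # Belt and braces (US-CERT TA09-020A workaround): map every autorun.inf to a registry key
    # that does not exist, so Explorer sees an empty file regardless of the policy bits.
    if (-not (Test-Path $IniMapping)) { New-Item -Path $IniMapping -Force | Out-Null }
    Set-ItemProperty -Path $IniMapping -Name '(Default)' -Value '@SYS:DoesNotExist'
    # Explorer caches, per user, what each volume's autorun.inf said; clear the cache so
    # entries recorded before the policy change cannot fire again.
    Remove-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2' `
                -Recurse -ErrorAction SilentlyContinue
}

function Get-AutorunInfDirectives {
    param([Parameter(Mandatory=$true)][string]$DriveRoot)
    $inf = Join-Path $DriveRoot 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) {
        return "No autorun.inf in $DriveRoot"
    }
    # -Force reads the file even when it carries hidden/system attributes, as it usually does.
    # Only the directives that name something to execute are reported.
    Get-Content -LiteralPath $inf -Force |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' } |
        ForEach-Object { "$inf -> $($_.Trim())" }
}

function Get-HiddenRootItems {
    param([Parameter(Mandatory=$true)][string]$DriveRoot)
    # Hidden or system-flagged entries in the root of a plain data drive deserve a look
    # before anything on the drive is opened.
    Get-ChildItem -LiteralPath $DriveRoot -Force |
        Where-Object { $_.Attributes -band ([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System) } |
        ForEach-Object { "{0}  {1}" -f $_.Attributes, $_.FullName }
}

Disable-AutoRun
# Attach the USB drive only after Disable-AutoRun has completed, then inspect it:
Get-AutorunInfDirectives -DriveRoot 'E:\'
Get-HiddenRootItems      -DriveRoot 'E:\'
```

Reboot once after Disable-AutoRun so Explorer picks up the policy before the drive is attached, and reach the drive through a command prompt or the two functions above rather than by double-clicking its icon in My Computer, since on an XP build without KB971029 the double-click itself runs the autorun.inf "open" action. The registry changes only stop the drive from being launched automatically; they do nothing about executables already sitting on it, so copy documents and data files back first and scan anything executable before it is run.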




#2 Walking Through

  • Topic Starter

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston
  • Local time:08:13 PM

Posted 02 June 2011 - 05:08 AM

Hello -

This is not good.

The Win XP SP3 plus patches system was rebuilt and I tried to transfer data from the backup drive. Fail. Reinfected in the blink of an eye (one article I read on the net suggested holding down the left-shift key before plugging in the USB drive. That... didn't seem to stop the bug from getting in).

Booted the original system. Managed to half-cripple the infection through some fast clicking with Process Explorer to suspend tasks doing HUGE amounts of disk I/O. CCleaner found a number of locked empty registry keys.

Stopped doing that. Yes, I'm in over my head.

DDS ran to completion and created two log files. Twice ran GMER. The first time the system crashed in seconds. Time to the second crash was about a half-hour. Both times the screen blanked, drive spun down, and the system POSTed itself before restarting.

Restarted the system in Safe Mode. Ran DDS and GMER again. Both completed. DDS created two log files which were saved as ddsSafe and attachSafe. GMER ran overnight but didn't seem to generate anything. Left-clicked on Save anyway and saved "gmerSafe.log". I'll append it to this note.

This note is being typed in Safe Mode with Networking support. The logs are appended below.

System configuration:

HP Pavilion a1240n running Windows XP SP3 Media Edition + patches from Microsoft.

4 GB RAM, 250 GB disk (about 180 GB available).

This installation of Windows XP was done in 2007 and upgraded via service packs and patches as Microsoft released them. The few times I've tried running SFC, SFC reported corrupted DLLs and wanted the "Windows XP Professional Service Pack CD" inserted. Inserting the SP3 CD produced a message saying the wrong CD had been inserted and that it could not replace the corrupted files.

-----

Your time is appreciated.

=================
ddsSafe.txt
=================

.
DDS (Ver_11-05-19.01) - NTFSx86 MINIMAL
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_25
Run by HP_Administrator at 21:43:52 on 2011-06-01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2470 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mWindow Title =
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\progra~1\icq\ICQ.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188396583656
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5131/mcfscan.cab
DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} - file:///C:/PSDK/controls/sdkinst.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: AutorunsDisabled - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\a0whf4qj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxps://www.google.com/search?ZUGO&form=2GAADF&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-5-30 64512]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-5-25 2151128]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S1 MpKslc1662846;MpKslc1662846;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b629575-beae-4f27-b9b6-28019eb30b96}\mpkslc1662846.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3b629575-beae-4f27-b9b6-28019eb30b96}\MpKslc1662846.sys [?]
S2 DriverX;DriverX;c:\windows\system32\drivers\driverx.sys [2009-3-30 234140]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-5-31 2218600]
S2 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2007-8-29 14336]
S3 4mmdat;4mmdat;c:\windows\system32\drivers\4mmdat.sys [2009-4-20 12288]
S3 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-5-25 15232]
S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2008-4-9 80256]
S3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [2008-4-4 70016]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2008-10-11 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-06-01 04:42:01 17124 ----a-w- C:\cc_20110601_004149.reg
2011-06-01 04:21:40 -------- d-----w- c:\program files\CCleaner
2011-05-31 07:28:08 6962000 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d3ec7513-04f0-4965-b467-db407b62b289}\mpengine.dll
2011-05-31 06:57:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-31 06:05:00 -------- d-----w- c:\documents and settings\all users\application data\NVIDIA Corporation
2011-05-31 05:56:39 259604 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-05-31 05:56:39 259604 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-05-31 05:56:39 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-05-31 05:47:39 944232 ----a-w- c:\windows\system32\nvdispco3220140.dll
2011-05-31 05:47:39 855656 ----a-w- c:\windows\system32\nvgenco322060.dll
2011-05-31 05:47:39 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-05-31 05:47:39 5210112 ----a-w- c:\windows\system32\nvcuda.dll
2011-05-31 05:47:39 2770536 ----a-w- c:\windows\system32\nvcuvid.dll
2011-05-31 05:47:39 2116894 ----a-w- c:\windows\system32\nvdata.bin
2011-05-31 05:47:39 2074216 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-05-31 05:47:39 14856192 ----a-w- c:\windows\system32\nvoglnt.dll
2011-05-31 05:47:38 2027008 ----a-w- c:\windows\system32\nvapi.dll
2011-05-31 05:47:38 13000704 ----a-w- c:\windows\system32\nvcompiler.dll
2011-05-31 04:00:16 12501600 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-05-31 04:00:16 12501600 ----a-w- c:\windows\system32\dllcache\nv4_mini.sys
2011-05-31 03:59:47 4111232 ----a-w- c:\windows\system32\nv4_disp.dll
2011-05-31 03:59:47 4111232 ----a-w- c:\windows\system32\dllcache\nv4_disp.dll
2011-05-30 20:42:26 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-05-30 19:09:45 -------- d-----w- c:\windows\PW29FLSY5BHOV17E
2011-05-30 19:04:07 359040 ----a-w- C:\tcpip.sys
2011-05-30 15:58:31 9728 ------w- c:\windows\system32\rwnh.dll
2011-05-30 15:58:31 10752 ------w- c:\windows\system32\smtpapi.dll
2011-05-30 15:58:26 229376 ------w- c:\windows\system32\ati2cqag.dll
2011-05-30 15:58:18 377984 ------w- c:\windows\system32\ati2dvaa.dll
2011-05-30 15:58:18 201728 ------w- c:\windows\system32\ati2dvag.dll
2011-05-30 15:58:17 870784 ------w- c:\windows\system32\ati3d1ag.dll
2011-05-30 15:58:15 1888992 ------w- c:\windows\system32\ati3duag.dll
2011-05-30 15:58:14 9728 ------w- c:\windows\system32\ativdaxx.ax
2011-05-30 15:58:14 32768 ------w- c:\windows\system32\ativtmxx.dll
2011-05-30 15:58:14 23040 ------w- c:\windows\system32\ativmvxx.ax
2011-05-30 15:58:11 516768 ------w- c:\windows\system32\ativvaxx.dll
2011-05-30 15:51:03 19569 ----a-w- c:\windows\000001_.tmp
2011-05-28 07:31:22 40088 ----a-w- C:\TCPIP.reg
2011-05-28 05:22:03 -------- d-----w- c:\program files\Free Window Registry Repair
2011-05-26 23:30:27 -------- d-sh--r- C:\cmdcons
2011-05-26 23:30:08 -------- d-----w- c:\windows\setupupd
2011-05-25 06:48:43 6962000 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-05-24 04:00:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-23 00:22:49 6962000 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-05-22 23:41:29 -------- d-----w- c:\program files\Microsoft Security Client
2011-05-22 16:42:54 -------- d-----w- c:\documents and settings\hp_administrator\local settings\application data\Sunbelt Software
2011-05-22 05:34:15 -------- d-----w- C:\NVIDIA
2011-05-17 23:48:16 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-13 08:24:04 -------- d-----w- c:\documents and settings\hp_administrator\local settings\application data\PCHealth
2011-05-13 03:38:01 -------- d-----w- C:\ToolBar SD
2011-05-11 08:42:23 -------- d-----w- C:\COMPARE
2011-05-10 01:16:11 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-05-07 15:57:57 -------- d-----w- C:\CCleaner Registry Backups
2011-05-07 09:15:21 -------- d-----w- c:\program files\common files\Symantec Shared
2011-05-07 08:59:34 -------- d-----w- c:\documents and settings\hp_administrator\local settings\application data\Tific
2011-05-07 08:59:34 -------- d-----w- c:\documents and settings\hp_administrator\application data\Tific
2011-05-07 08:58:22 -------- d-----w- c:\documents and settings\all users\application data\Norton
2011-05-07 08:57:23 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
.
==================== Find3M ====================
.
2011-05-31 06:53:42 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-24 05:18:19 1424 ----a-w- C:\output.bat
2011-04-08 02:15:38 81920 ----a-w- c:\windows\system32\nvwddi.dll
2011-04-08 02:15:38 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-04-08 02:15:34 277608 ----a-w- c:\windows\system32\nvmccs.dll
2011-04-08 02:15:34 13891176 ----a-w- c:\windows\system32\nvcpl.dll
2011-04-08 02:15:34 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-04-08 02:15:32 155752 ----a-w- c:\windows\system32\nvsvc32.exe
2011-04-08 02:15:32 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-03-11 14:10:38 471552 ----a-w- c:\windows\apppatch\aclayers.dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
.
============= FINISH: 21:46:13.12 ===============
=================
gmerSafe.txt
=================
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-02 05:03:58
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17 WDC_WD2500KS-00MJB0 rev.02.01C03
Running: gmer.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kxldapog.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xB812887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xB8128BFE]

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs B649C400

---- EOF - GMER 1.0.15 ----

#3 Orange Blossom

  • Moderator
Posted 02 June 2011 - 03:22 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 Walking Through

  • Topic Starter
Posted 02 June 2011 - 07:36 PM

Hello Orange and thank you for your prompt response. I posted recent status Thursday morning around 6 AM and have been checking the forums while at work during the day.

This message is being typed on an old IBM ThinkPad 390. Typing on this is faster than typing on the Pavilion.

Current Status: Computer on Life Support. Booting the computer into Normal mode produces a WinXP lockup. The hard disk access light goes solid on but no nominal drive noises (example: whickering of the disk heads) are heard. There is no response to keyboard key-taps, and no reaction to mouse clicks of any kind.

Once in a while I can get Task Manager or Sysinternals' Process Monitor running. The System Idle Task is at 99% (or better) and everything else is quiet. It looks like the system isn't "doing" anything.. but that hard drive access light is solid ON.

Once in a while there will be a fast whickering of the heads and "something" will happen. For example, one or two desktop icons will change from the default to the icon that's supposed to be in place. Last time I let it run that far, it was 30 minutes until some semblance of order returned. But running almost any command returned the computer to the locked up, drive-access-light-on, condition.

When booted into Safe Mode (no network support), the system will show a lot of activity then occasionally the drive access light will blink. There are error messages in the System Event Log indicating that services couldn't start for one reason or another. Most entries are of the form, "Service so-and-so could respond in a timely manner.". Usually a timeout in 30000 milliseconds.

Summary of my 6 AM post:

In a normal mode boot, GMER has been crashing in between one and thirty minutes. It will be scanning along and then >bang<: the display goes black, the disk drive spins down, and the computer POSTs itself. There is a message from WinXP indicating it has recovered from a serious message and wants to report same to Microsoft.

From Wednesday (6/1/2011) night to Thursday morning, the system was running GMER while in Safe Mode (no network support). My previous post to BleepingComputer contained a GMER log that was produced during that run.

There isn't much in it.

I was able to run DDS Wednesday evening in Safe Mode. Just prior to trying to run it in normal mode, system activity crawled to a stop and nothing I did would get DDS to run in Normal mode.

The two text files were inserted into my last post. The "attach.txt" file was renamed, zipped up, and attached.

=====

Summary: My last post contains the most recent run of GMER and DDS.

Hopefully yours,

Walking

#5 Tomk_

  • Malware Response Team
Posted 03 June 2011 - 11:27 AM

Hi Walking Through,

Welcome to Bleeping Computers

My name is Tomk_. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.

I apologize for the delay in response. We get overwhelmed at times but we are trying our best to keep up.

It would be best to run the following tool in normal mode... but if it won't work.. then run it in safe mode with networking.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

#6 Walking Through

  • Topic Starter
Posted 04 June 2011 - 04:59 AM

Hello TomK_ -

Your time on this is appreciated.

The first time ComboFix was run, XP blue-screened with a STOP F4 error. It took several hours to get to that point.

Started early Saturday.. running in Normal Mode... below is the ComboFix log.

I'm switching to my laptop (Win98SE) right after posting this note and will be monitoring BC.

--------------
ComboFix 11-06-04.02 - HP_Administrator 06/04/2011 5:09.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2500 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-04 to 2011-06-04 )))))))))))))))))))))))))))))))
.
.
2011-06-01 04:42 . 2011-06-01 04:42 17124 ----a-w- C:\cc_20110601_004149.reg
2011-06-01 04:21 . 2011-06-01 04:22 -------- d-----w- c:\program files\CCleaner
2011-05-31 07:28 . 2011-05-18 16:37 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D3EC7513-04F0-4965-B467-DB407B62B289}\mpengine.dll
2011-05-31 07:00 . 2011-05-31 07:00 -------- d-----w- c:\program files\Common Files\Java
2011-05-31 06:57 . 2011-05-31 06:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-31 06:50 . 2011-05-31 06:50 -------- d-----w- c:\program files\Java
2011-05-31 06:05 . 2011-05-31 06:08 -------- d-----w- c:\documents and settings\UpdatusUser
2011-05-31 06:05 . 2011-05-31 06:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2011-05-31 06:05 . 2011-05-31 06:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2011-05-31 05:56 . 2011-05-31 05:56 259604 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-05-31 05:56 . 2011-05-31 05:56 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-05-31 05:56 . 2011-05-31 05:56 259604 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-05-31 05:47 . 2011-04-08 05:14 944232 ----a-w- c:\windows\system32\nvdispco3220140.dll
2011-05-31 05:47 . 2011-04-08 05:14 855656 ----a-w- c:\windows\system32\nvgenco322060.dll
2011-05-31 05:47 . 2011-04-08 05:14 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-05-31 05:47 . 2011-04-08 05:14 5210112 ----a-w- c:\windows\system32\nvcuda.dll
2011-05-31 05:47 . 2011-04-08 05:14 2770536 ----a-w- c:\windows\system32\nvcuvid.dll
2011-05-31 05:47 . 2011-04-08 05:14 2116894 ----a-w- c:\windows\system32\nvdata.bin
2011-05-31 05:47 . 2011-04-08 05:14 2074216 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-05-31 05:47 . 2011-04-08 05:14 14856192 ----a-w- c:\windows\system32\nvoglnt.dll
2011-05-31 05:47 . 2011-04-08 05:14 2027008 ----a-w- c:\windows\system32\nvapi.dll
2011-05-31 05:47 . 2011-04-08 05:14 13000704 ----a-w- c:\windows\system32\nvcompiler.dll
2011-05-31 04:00 . 2011-04-08 05:14 12501600 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-05-31 04:00 . 2011-04-08 05:14 12501600 ----a-w- c:\windows\system32\dllcache\nv4_mini.sys
2011-05-31 03:59 . 2011-04-08 05:14 4111232 ----a-w- c:\windows\system32\nv4_disp.dll
2011-05-31 03:59 . 2011-04-08 05:14 4111232 ----a-w- c:\windows\system32\dllcache\nv4_disp.dll
2011-05-30 19:09 . 2011-05-30 19:09 -------- d-----w- c:\windows\PW29FLSY5BHOV17E
2011-05-30 19:04 . 2004-08-04 03:14 359040 ----a-w- C:\tcpip.sys
2011-05-30 15:58 . 2008-04-14 09:42 10752 ------w- c:\windows\system32\smtpapi.dll
2011-05-30 15:58 . 2008-04-14 09:42 9728 ------w- c:\windows\system32\rwnh.dll
2011-05-30 15:58 . 2008-04-14 09:41 229376 ------w- c:\windows\system32\ati2cqag.dll
2011-05-30 15:58 . 2008-04-14 09:41 377984 ------w- c:\windows\system32\ati2dvaa.dll
2011-05-30 15:58 . 2008-04-14 09:41 201728 ------w- c:\windows\system32\ati2dvag.dll
2011-05-30 15:58 . 2008-04-14 09:41 870784 ------w- c:\windows\system32\ati3d1ag.dll
2011-05-30 15:58 . 2008-04-14 09:41 1888992 ------w- c:\windows\system32\ati3duag.dll
2011-05-30 15:58 . 2008-04-14 09:42 9728 ------w- c:\windows\system32\ativdaxx.ax
2011-05-30 15:58 . 2008-04-14 09:42 23040 ------w- c:\windows\system32\ativmvxx.ax
2011-05-30 15:58 . 2008-04-14 09:41 32768 ------w- c:\windows\system32\ativtmxx.dll
2011-05-30 15:58 . 2008-04-14 09:41 516768 ------w- c:\windows\system32\ativvaxx.dll
2011-05-30 15:51 . 2006-12-29 04:31 19569 ----a-w- c:\windows\000001_.tmp
2011-05-28 07:31 . 2011-05-28 07:31 40088 ----a-w- C:\TCPIP.reg
2011-05-28 05:22 . 2011-05-28 05:23 -------- d-----w- c:\program files\Free Window Registry Repair
2011-05-25 06:48 . 2011-05-18 16:37 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-05-24 04:00 . 2011-05-26 23:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-23 00:22 . 2011-05-09 17:46 6962000 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-05-22 23:41 . 2011-05-22 23:42 -------- d-----w- c:\program files\Microsoft Security Client
2011-05-22 16:42 . 2011-05-22 16:42 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Sunbelt Software
2011-05-22 05:34 . 2011-05-22 05:34 -------- d-----w- C:\NVIDIA
2011-05-17 23:48 . 2011-05-18 02:03 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-13 08:24 . 2011-05-13 08:24 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\PCHealth
2011-05-13 03:38 . 2011-05-13 03:40 -------- d-----w- C:\ToolBar SD
2011-05-11 08:42 . 2011-05-11 23:18 -------- d-----w- C:\COMPARE
2011-05-10 01:16 . 2001-08-17 18:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-05-07 15:57 . 2011-05-07 16:00 -------- d-----w- C:\CCleaner Registry Backups
2011-05-07 09:15 . 2011-05-07 09:15 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-05-07 08:59 . 2011-05-07 09:00 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Tific
2011-05-07 08:59 . 2011-05-07 08:59 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Tific
2011-05-07 08:58 . 2011-05-07 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-31 06:53 . 2010-04-21 12:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-24 05:18 . 2011-04-24 05:09 1424 ----a-w- C:\output.bat
2011-04-13 04:10 . 2008-05-02 00:21 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2011-04-13 04:10 . 2008-05-02 00:21 1721216 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2011-04-08 02:15 . 2011-04-08 02:15 81920 ----a-w- c:\windows\system32\nvwddi.dll
2011-04-08 02:15 . 2011-04-08 02:15 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-04-08 02:15 . 2011-04-08 02:15 277608 ----a-w- c:\windows\system32\nvmccs.dll
2011-04-08 02:15 . 2011-04-08 02:15 13891176 ----a-w- c:\windows\system32\nvcpl.dll
2011-04-08 02:15 . 2011-04-08 02:15 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-04-08 02:15 . 2011-04-08 02:15 155752 ----a-w- c:\windows\system32\nvsvc32.exe
2011-04-08 02:15 . 2011-04-08 02:15 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-03-11 14:10 . 2007-08-29 04:25 471552 ----a-w- c:\windows\apppatch\aclayers.dll
2011-03-07 05:33 . 2007-08-29 04:26 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 2807808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"NvMediaCenter"="NvMCTray.dll" [2011-04-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-04-08 13891176]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-02-24 1753192]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
2005-11-03 19:21 135168 ----a-w- c:\windows\system32\igfxdev.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\pirch98\\pirch98.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\SecondLifeViewer2\\slplugin.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Hippo_OpenSim_Viewer\\SLVoice.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\XX\\SLG2\\Release\\SLG2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\XX\\SLG2\\Debug\\SLG2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)
.
R2 DriverX;DriverX;c:\windows\system32\drivers\driverx.sys [3/30/2009 9:12 PM 234140]
R2 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/29/2007 12:28 AM 14336]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [4/9/2008 9:28 AM 80256]
R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [4/4/2008 7:30 AM 70016]
S1 MpKslc1662846;MpKslc1662846;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3B629575-BEAE-4F27-B9B6-28019EB30B96}\MpKslc1662846.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3B629575-BEAE-4F27-B9B6-28019EB30B96}\MpKslc1662846.sys [?]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [5/31/2011 2:05 AM 2218600]
S3 4mmdat;4mmdat;c:\windows\system32\drivers\4mmdat.sys [4/20/2009 7:49 PM 12288]
S3 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [10/11/2008 1:04 AM 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mWindow Title =
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\a0whf4qj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxps://www.google.com/search?ZUGO&form=2GAADF&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-04 05:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3008)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\program files\Iomega\DriveIcons\IMGHOOK.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-06-04 05:53:47
ComboFix-quarantined-files.txt 2011-06-04 09:53
ComboFix2.txt 2011-06-04 04:05
.
Pre-Run: 185,795,416,064 bytes free
Post-Run: 185,762,557,952 bytes free
.
- - End Of File - - 9792AE26CE765DEB1422164A34A35B2A

#7 Tomk_

  • Malware Response Team
Posted 04 June 2011 - 10:13 AM

Walking Through,

Fortunately... I don't believe your problems are being caused by malware. Unfortunately this means that I am going to be little help to you. You have a lot of services that are failing to start. Typically I would suggest that you run SFC /scannow - but you state that you've already tried that without success. I suggest that you post your problem in the Windows XP forum and see if they can provide assistance with your problem.

But first:

Time for some housekeeping
  • Click START then RUN
  • Now type ComboFix /Uninstall in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.
The above procedure will:
  • Implement some cleanup procedures.
  • Reset System Restore.

Please re-enable any security that was disabled.

Let me know if you have any questions... otherwise I'll expect to see you posting in the other forum and this thread will be closed.

#8 Walking Through

  • Topic Starter
Posted 04 June 2011 - 03:58 PM

Hello Tomk_ -

A "services" problem?

Hm. I had looked at the Event logs (available in Safe mode boots) and noticed complaints from ..somewhere.. of services taking too long to start (or not starting promptly).

I think what raised the alarm in my mind were several logged entries from Microsoft Essentials attempting to send a report somewhere and failing.

I'll drop a note into the XP forum.

Your time is appreciated.

#9 Tomk_

  • Malware Response Team
Posted 04 June 2011 - 05:11 PM

You are welcome.

Good luck and be well.

#10 Tomk_

Tomk_

    Malware Eradicator


  • Malware Response Team
  • 686 posts
  • OFFLINE
  •  
  • Local time:05:13 PM

Posted 04 June 2011 - 05:11 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.