
Botched fixing - I made explorer stop starting


This topic is locked
2 replies to this topic

#1 LionClan

  • Members
  • 2 posts
  • OFFLINE
  • Local time: 07:47 PM

Posted 28 May 2011 - 09:59 AM

I was trying to help someone fix their malware problems but I screwed up and advised them to 'fix' some things that seem to have rendered the OS (Windows XP Pro SP1) mostly unusable. The computer boots and Windows starts, then you just get a black background and a mouse cursor -- no icons, no taskbar, ctrl-alt-del doesn't bring up task manager. I think Explorer isn't starting.

In the process of trying to help I had them create and send me HijackThis, DDS, and GMER logs. Then I looked those over and decided to have them run ComboFix. Upon restarting I had the user make new logs, which made me think ComboFix didn't do much. Then I told them, a bit prematurely, to fix these items in HijackThis:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\gcc.exe,
O2 - BHO: (no name) - {18D69F3C-27AA-2D5C-8E38-58C02C5385E8} - C:\WINDOWS\System32\dppq.dll
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\System32\fccabba.dll
O2 - BHO: (no name) - {EAF1AF45-6130-4CC5-8051-6A58BB253F93} - C:\WINDOWS\System32\pmkhh.dll (file missing)
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: fccabba - fccabba.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: FCI - Unknown owner - C:\WINDOWS\System32\svchost.exe:ext.exe (file missing)
O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\pev.cfxxe

I realized I told them some items I was uncertain of and told them to wait. But too late, they already had clicked fix. I then decided to just continue and hope for the best. Before restarting, I had them load a registry file containing the following:

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"=-

Started up to what I described. I think the two browseui items or the PEVSystemStart one might have been wrong to fix. How can I undo the changes from 'fixing' these? No safe mode, no safe mode command prompt, I'm told, but can get to the recovery console. This computer has no CD/DVD drive, I should note. What can be done?

Edited by LionClan, 28 May 2011 - 10:02 AM.
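The post above shows two separate mistakes: the HijackThis F2 line reports a UserInit value with an extra launcher (gcc.exe) appended after the stock userinit.exe entry, and the .reg file then deletes the whole Userinit value ("Userinit"=-) instead of trimming it back to the stock entry. With no Userinit value, Winlogon has nothing to launch after logon, which is why the desktop never appears. The following added example (not code from the original post or from HijackThis/ComboFix) parses that F2 line, computes the value with only the stock userinit.exe entry kept, lints a .reg file for deletions of critical Winlogon values before it is imported, and emits a corrective .reg file that sets the value rather than deleting it. The input lines are the ones quoted in the post; the stock Userinit value is taken from the first entry of that F2 line.

```python
import re

# Stock Userinit value on this Windows XP install, as the first entry of the F2 line
# in the post shows it (the trailing comma is normal for this value).
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon"

# Constructed inputs: the HijackThis F2 line and the .reg file quoted in the post.
HJT_F2_LINE = (r"F2 - REG:system.ini: UserInit="
               r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\gcc.exe,")
REG_FILE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"=-
"""


def userinit_entries(hjt_line):
    """Split the UserInit value of an F2 line into its comma-separated launch entries."""
    m = re.search(r"UserInit=(.*)$", hjt_line, re.IGNORECASE)
    if not m:
        raise ValueError("not an F2 UserInit line")
    return [e.strip() for e in m.group(1).split(",") if e.strip()]


def cleaned_userinit(hjt_line):
    """Return (repaired value, removed entries): keep only the stock userinit.exe
    entry and drop every extra launcher appended after it."""
    stock = DEFAULT_USERINIT.rstrip(",").lower()
    entries = userinit_entries(hjt_line)
    keep = [e for e in entries if e.lower() == stock]
    removed = [e for e in entries if e.lower() != stock]
    # If the stock entry itself is gone, restore it rather than leaving the value empty.
    value = ",".join(keep) + "," if keep else DEFAULT_USERINIT
    return value, removed


def reg_deletions(reg_text):
    """Return (key, value name) pairs that a .reg file would delete ("name"=-)."""
    found, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"=-$', line)
        if m and key is not None:
            found.append((key, m.group(1)))
    return found


def lint_reg(reg_text):
    """Flag deletions of Winlogon values that every interactive logon depends on."""
    warnings = []
    for key, name in reg_deletions(reg_text):
        if key.lower() == WINLOGON_KEY.lower() and name.lower() in ("userinit", "shell"):
            warnings.append(f"{name} is deleted: Winlogon will have nothing to launch after logon")
    return warnings


def reg_escape(s):
    """Escape a string for a REGEDIT4 value (backslashes and quotes are doubled/escaped)."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def repair_reg(value):
    """Build a .reg file that sets Userinit to the given value instead of deleting it."""
    return (
        "REGEDIT4\n\n"
        f"[{WINLOGON_KEY}]\n"
        f'"Userinit"="{reg_escape(value)}"\n'
    )


if __name__ == "__main__":
    value, removed = cleaned_userinit(HJT_F2_LINE)
    print("entries dropped from UserInit:", removed)
    for w in lint_reg(REG_FILE):
        print("WARNING:", w)
    print(repair_reg(value))
```

Run as a script it prints the dropped gcc.exe entry, the warning for the "Userinit"=- line, and a corrective .reg file whose Userinit line reads `"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"` (backslashes doubled, as REGEDIT4 requires). The same lint can be run over any .reg file before it is imported on a machine that cannot be booted into Safe Mode afterwards.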



#2 LionClan

  • Topic Starter
  • Members
  • 2 posts
  • OFFLINE
  • Local time: 07:47 PM

Posted 31 May 2011 - 07:57 PM

Never mind, I found the ComboFix registry backup in C:\WINDOWS\ERDNT\hiv-backup and used the command batch erdnt.con, thankfully. A word to the wise: either get properly trained to deal with malware or let trained people do the fixing, and proceed carefully!

#3 Budapest

  Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender: Male
  • Local time: 10:47 AM

Posted 01 June 2011 - 04:48 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw