
Windows XP SP2 - All services disabled


  • This topic is locked
10 replies to this topic

#1 vernel1008

vernel1008

  • Members
  • 37 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:07 PM

Posted 17 December 2011 - 04:48 AM

I have Windows XP on my System.

It was running fine last month. To my surprise, I could not connect to the internet last week. Then I checked my Task Manager; there was no running svchost.exe.

Then I looked more deeply and ran services.msc; surprisingly, all services were disabled.
The only one running is RPCss. However, I cannot control the said service. I looked into the Properties of RPCss; there were a login username and password indicated, but they are not familiar to me.


I ran HijackThis and ComboFix. There was nothing unfamiliar except what ComboFix detected: there was another system32 folder inside my c:/windows/system32. ComboFix deleted the files.


I tried to boot the system into Safe Mode, but it just stays on checking and hangs.

I tried to run the Recovery Console using the installation CD so I could repair the system, but it stops on a BSOD
with these details:
0x000007B (0xF898D524, 0xC0000034, 0x00000000, 0x00000000)



What should I do to fix my Windows XP installation?






P.S.
I'm running a dual boot of Ubuntu to send this message, so technically the computer is usable except for the installation of XP. Any help would be very much appreciated. Thanks, Bleeping Computer.



Attached herewith are the following:
the full system information of my computer as generated by Checkbox;
the log of HijackThis.

I may also post the ComboFix log on request.


Edited by elise025, 17 December 2011 - 08:39 AM.
Topic moved from XP to malware removal forum



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,623 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:07 AM

Posted 23 December 2011 - 06:40 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/432939 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was follow the previous instruction and tell me so. You can skip the rest of this post. If you do need help, please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 vernel1008

vernel1008
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:07 PM

Posted 24 December 2011 - 08:53 PM

Attached herewith are the DeFogger, DDS, and GMER logs.



Thanks for the help.


Always,
Vernel




#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,933 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:07 AM

Posted 26 December 2011 - 11:02 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) (511KB) to your desktop. Double click aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Please post the logs for my review.

#5 vernel1008

vernel1008
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:07 PM

Posted 01 January 2012 - 05:12 AM

aswMBR Log


aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software

Run date: 2010-01-10 14:32:28

-----------------------------

14:32:28.203 OS Version: Windows 5.1.2600 Service Pack 3

14:32:28.203 Number of processors: 2 586 0x401

14:32:28.203 ComputerName: HP28189565032 UserName: Mommy

14:32:29.250 Initialize success

14:32:45.671 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

14:32:45.671 Disk 0 Vendor: WDC_WD800BB-60JKA0 05.01C05 Size: 76319MB BusType: 3

14:32:45.703 Disk 0 MBR read successfully

14:32:45.703 Disk 0 MBR scan

14:32:45.703 Disk 0 unknown MBR code

14:32:45.703 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 62918 MB offset 63

14:32:45.703 Disk 0 Partition - 00 0F Extended LBA 13397 MB offset 128857365

14:32:45.734 Disk 0 Partition 2 00 83 Linux 5247 MB offset 128857428

14:32:45.734 Disk 0 Partition - 00 05 Extended 7357 MB offset 141227415

14:32:45.750 Disk 0 Partition 3 00 0B FAT32 MSDOS5.0 7357 MB offset 141227478

14:32:45.750 Disk 0 Partition - 00 05 Extended 792 MB offset 151974900

14:32:45.765 Disk 0 Partition 4 00 82 Linux swap 792 MB offset 139604913

14:32:45.765 Disk 0 scanning sectors +156296385

14:32:45.828 Disk 0 scanning C:\WINDOWS\system32\drivers

14:32:55.968 Service scanning

14:32:57.500 Modules scanning

14:33:07.437 Disk 0 trace - called modules:

14:33:07.453 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS

14:33:07.453 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8378cab8]

14:33:07.453 3 CLASSPNP.SYS[f874305b] -> nt!IofCallDriver -> \Device\00000089[0x83787f18]

14:33:07.453 5 ACPI.sys[f86b9620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x837cb300]

14:33:07.453 Scan finished successfully

14:33:37.796 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Mommy\Desktop\MBR.dat"

14:33:37.796 The log file has been saved successfully to "C:\Documents and Settings\Mommy\Desktop\aswMBR.txt"







-------------------------------------------------------------------------------


TDSSKiller Log


14:35:55.0140 1384 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16

14:35:55.0156 1384 ============================================================

14:35:55.0156 1384 Current date / time: 2010/01/10 14:35:55.0156

14:35:55.0156 1384 SystemInfo:

14:35:55.0156 1384

14:35:55.0156 1384 OS Version: 5.1.2600 ServicePack: 3.0

14:35:55.0156 1384 Product type: Workstation

14:35:55.0156 1384 ComputerName: HP28189565032

14:35:55.0156 1384 UserName: Mommy

14:35:55.0156 1384 Windows directory: C:\WINDOWS

14:35:55.0156 1384 System windows directory: C:\WINDOWS

14:35:55.0156 1384 Processor architecture: Intel x86

14:35:55.0156 1384 Number of processors: 2

14:35:55.0156 1384 Page size: 0x1000

14:35:55.0156 1384 Boot type: Normal boot

14:35:55.0156 1384 ============================================================

14:35:56.0078 1384 Initialize success

14:36:05.0625 1676 ============================================================

14:36:05.0625 1676 Scan started

14:36:05.0625 1676 Mode: Manual;

14:36:05.0625 1676 ============================================================

14:36:05.0640 1676 Abiosdsk - ok

14:36:05.0640 1676 abp480n5 - ok

14:36:05.0656 1676 ac97intc - ok

14:36:05.0656 1676 ACPI - ok

14:36:05.0671 1676 ACPIEC - ok

14:36:05.0687 1676 adpu160m - ok

14:36:05.0703 1676 adpu320 - ok

14:36:05.0703 1676 aeaudio - ok

14:36:05.0703 1676 aec - ok

14:36:05.0718 1676 AFD - ok

14:36:05.0718 1676 Aha154x - ok

14:36:05.0734 1676 aic78u2 - ok

14:36:05.0734 1676 aic78xx - ok

14:36:05.0750 1676 AliIde - ok

14:36:05.0765 1676 amsint - ok

14:36:05.0765 1676 asc - ok

14:36:05.0781 1676 asc3350p - ok

14:36:05.0781 1676 asc3550 - ok

14:36:05.0796 1676 ASPI32 - ok

14:36:05.0812 1676 AsyncMac - ok

14:36:05.0812 1676 atapi - ok

14:36:05.0828 1676 Atdisk - ok

14:36:05.0828 1676 Atmarpc - ok

14:36:05.0843 1676 audstub - ok

14:36:05.0859 1676 BdRawPr - ok

14:36:05.0875 1676 Beep - ok

14:36:05.0875 1676 BlueletAudio - ok

14:36:05.0890 1676 BlueletSCOAudio - ok

14:36:05.0890 1676 Bridge - ok

14:36:05.0906 1676 BridgeMP - ok

14:36:05.0921 1676 BT - ok

14:36:05.0921 1676 Btcsrusb - ok

14:36:05.0937 1676 BthEnum - ok

14:36:05.0937 1676 BTHidEnum - ok

14:36:05.0937 1676 BTHidMgr - ok

14:36:05.0953 1676 BTHMODEM - ok

14:36:05.0953 1676 BthPan - ok

14:36:05.0968 1676 BTHPORT - ok

14:36:05.0984 1676 BTHUSB - ok

14:36:05.0984 1676 catchme - ok

14:36:06.0000 1676 cbidf2k - ok

14:36:06.0000 1676 CCDECODE - ok

14:36:06.0015 1676 cd20xrnt - ok

14:36:06.0015 1676 CdaC15BA - ok

14:36:06.0031 1676 Cdaudio - ok

14:36:06.0031 1676 Cdfs - ok

14:36:06.0046 1676 Cdr4_xp - ok

14:36:06.0046 1676 Cdralw2k - ok

14:36:06.0062 1676 Cdrom - ok

14:36:06.0062 1676 Changer - ok

14:36:06.0093 1676 CmdIde - ok

14:36:06.0109 1676 Cpqarray - ok

14:36:06.0125 1676 CrystalSysInfo - ok

14:36:06.0125 1676 dac2w2k - ok

14:36:06.0140 1676 dac960nt - ok

14:36:06.0140 1676 dgderdrv - ok

14:36:06.0156 1676 dg_ssudbus - ok

14:36:06.0156 1676 Disk - ok

14:36:06.0171 1676 dmboot - ok

14:36:06.0187 1676 dmio - ok

14:36:06.0187 1676 dmload - ok

14:36:06.0203 1676 DMusic - ok

14:36:06.0218 1676 dpti2o - ok

14:36:06.0218 1676 drmkaud - ok

14:36:06.0234 1676 duse - ok

14:36:06.0234 1676 E100B - ok

14:36:06.0234 1676 EagleNT - ok

14:36:06.0265 1676 Ext2fs - ok

14:36:06.0265 1676 Fastfat - ok

14:36:06.0281 1676 Fdc - ok

14:36:06.0281 1676 Fips - ok

14:36:06.0296 1676 Flpydisk - ok

14:36:06.0312 1676 FltMgr - ok

14:36:06.0312 1676 Fs_Rec - ok

14:36:06.0328 1676 Ftdisk - ok

14:36:06.0328 1676 GarenaPEngine - ok

14:36:06.0343 1676 GGSAFERDriver - ok

14:36:06.0343 1676 Gpc - ok

14:36:06.0359 1676 hcmon - ok

14:36:06.0375 1676 HidUsb - ok

14:36:06.0375 1676 hpn - ok

14:36:06.0390 1676 HTTP - ok

14:36:06.0390 1676 i2omgmt - ok

14:36:06.0406 1676 i2omp - ok

14:36:06.0406 1676 i8042prt - ok

14:36:06.0421 1676 i81x - ok

14:36:06.0421 1676 iAimFP0 - ok

14:36:06.0437 1676 iAimFP1 - ok

14:36:06.0437 1676 iAimFP2 - ok

14:36:06.0453 1676 iAimFP3 - ok

14:36:06.0453 1676 iAimFP4 - ok

14:36:06.0453 1676 iAimFP5 - ok

14:36:06.0468 1676 iAimFP6 - ok

14:36:06.0468 1676 iAimFP7 - ok

14:36:06.0484 1676 iAimTV0 - ok

14:36:06.0484 1676 iAimTV1 - ok

14:36:06.0500 1676 iAimTV3 - ok

14:36:06.0500 1676 iAimTV4 - ok

14:36:06.0515 1676 iAimTV5 - ok

14:36:06.0515 1676 iAimTV6 - ok

14:36:06.0531 1676 ialm - ok

14:36:06.0546 1676 IfsMount - ok

14:36:06.0546 1676 Imapi - ok

14:36:06.0562 1676 ini910u - ok

14:36:06.0578 1676 IntelIde - ok

14:36:06.0578 1676 intelppm - ok

14:36:06.0593 1676 Ip6Fw - ok

14:36:06.0593 1676 IpFilterDriver - ok

14:36:06.0609 1676 IpInIp - ok

14:36:06.0609 1676 IpNat - ok

14:36:06.0625 1676 IPSec - ok

14:36:06.0625 1676 IRENUM - ok

14:36:06.0640 1676 isapnp - ok

14:36:06.0656 1676 Kbdclass - ok

14:36:06.0656 1676 kbfilter - ok

14:36:06.0656 1676 kmixer - ok

14:36:06.0671 1676 KSecDD - ok

14:36:06.0687 1676 lbrtfdc - ok

14:36:06.0703 1676 mnmdd - ok

14:36:06.0718 1676 Modem - ok

14:36:06.0734 1676 Mouclass - ok

14:36:06.0734 1676 moufiltr - ok

14:36:06.0750 1676 mouhid - ok

14:36:06.0750 1676 MountMgr - ok

14:36:06.0765 1676 mpfilt - ok

14:36:06.0765 1676 mraid35x - ok

14:36:06.0781 1676 MRxDAV - ok

14:36:06.0781 1676 MRxSmb - ok

14:36:06.0796 1676 Msfs - ok

14:36:06.0812 1676 MSKSSRV - ok

14:36:06.0812 1676 MSPCLOCK - ok

14:36:06.0828 1676 MSPQM - ok

14:36:06.0828 1676 mssmbios - ok

14:36:06.0843 1676 MSTEE - ok

14:36:06.0843 1676 Mup - ok

14:36:06.0859 1676 NABTSFEC - ok

14:36:06.0859 1676 NDIS - ok

14:36:06.0875 1676 NdisIP - ok

14:36:06.0875 1676 NdisTapi - ok

14:36:06.0890 1676 Ndisuio - ok

14:36:06.0890 1676 NdisWan - ok

14:36:06.0906 1676 NDProxy - ok

14:36:06.0906 1676 NetBIOS - ok

14:36:06.0921 1676 NetBT - ok

14:36:06.0953 1676 nm - ok

14:36:06.0953 1676 nmwcd - ok

14:36:06.0968 1676 nmwcdc - ok

14:36:06.0968 1676 NPF - ok

14:36:06.0984 1676 Npfs - ok

14:36:06.0984 1676 npkcrypt - ok

14:36:07.0000 1676 Ntfs - ok

14:36:07.0015 1676 NTProcDrv - ok

14:36:07.0015 1676 Null - ok

14:36:07.0031 1676 NwlnkFlt - ok

14:36:07.0031 1676 NwlnkFwd - ok

14:36:07.0062 1676 P3 - ok

14:36:07.0062 1676 Parport - ok

14:36:07.0078 1676 PartMgr - ok

14:36:07.0078 1676 ParVdm - ok

14:36:07.0078 1676 pccsmcfd - ok

14:36:07.0093 1676 PCI - ok

14:36:07.0093 1676 PCIDump - ok

14:36:07.0109 1676 PCIIde - ok

14:36:07.0109 1676 Pcmcia - ok

14:36:07.0125 1676 PDCOMP - ok

14:36:07.0125 1676 PDFRAME - ok

14:36:07.0140 1676 PDRELI - ok

14:36:07.0140 1676 PDRFRAME - ok

14:36:07.0156 1676 perc2 - ok

14:36:07.0156 1676 perc2hib - ok

14:36:07.0187 1676 PptpMiniport - ok

14:36:07.0203 1676 PSched - ok

14:36:07.0203 1676 Ptilink - ok

14:36:07.0218 1676 PxHelp20 - ok

14:36:07.0218 1676 ql1080 - ok

14:36:07.0234 1676 Ql10wnt - ok

14:36:07.0234 1676 ql12160 - ok

14:36:07.0250 1676 ql1240 - ok

14:36:07.0250 1676 ql1280 - ok

14:36:07.0265 1676 RasAcd - ok

14:36:07.0265 1676 Rasl2tp - ok

14:36:07.0281 1676 RasPppoe - ok

14:36:07.0281 1676 Raspti - ok

14:36:07.0296 1676 Rdbss - ok

14:36:07.0296 1676 RDPCDD - ok

14:36:07.0312 1676 rdpdr - ok

14:36:07.0328 1676 RDPWD - ok

14:36:07.0328 1676 redbook - ok

14:36:07.0343 1676 RFCOMM - ok

14:36:07.0359 1676 ROOTMODEM - ok

14:36:07.0390 1676 SASDIFSV - ok

14:36:07.0390 1676 SASKUTIL - ok

14:36:07.0406 1676 sbbotdi - ok

14:36:07.0406 1676 Secdrv - ok

14:36:07.0421 1676 serenum - ok

14:36:07.0437 1676 Serial - ok

14:36:07.0468 1676 Sfloppy - ok

14:36:07.0484 1676 Simbad - ok

14:36:07.0484 1676 SLIP - ok

14:36:07.0500 1676 smwdm - ok

14:36:07.0515 1676 SONYPVU1 - ok

14:36:07.0515 1676 Sparrow - ok

14:36:07.0531 1676 splitter - ok

14:36:07.0546 1676 sptd - ok

14:36:07.0546 1676 sr - ok

14:36:07.0562 1676 Srv - ok

14:36:07.0578 1676 ssudmdm - ok

14:36:07.0578 1676 ssudobex - ok

14:36:07.0593 1676 streamip - ok

14:36:07.0593 1676 swenum - ok

14:36:07.0609 1676 swmidi - ok

14:36:07.0625 1676 symc810 - ok

14:36:07.0625 1676 symc8xx - ok

14:36:07.0625 1676 Symmpi - ok

14:36:07.0640 1676 sym_hi - ok

14:36:07.0640 1676 sym_u3 - ok

14:36:07.0656 1676 sysaudio - ok

14:36:07.0671 1676 Tcpip - ok

14:36:07.0671 1676 TDPIPE - ok

14:36:07.0687 1676 TDTCP - ok

14:36:07.0687 1676 TermDD - ok

14:36:07.0718 1676 TosIde - ok

14:36:07.0718 1676 TPkd - ok

14:36:07.0734 1676 Udfs - ok

14:36:07.0750 1676 ultra - ok

14:36:07.0750 1676 Update - ok

14:36:07.0765 1676 upperdev - ok

14:36:07.0781 1676 usbccgp - ok

14:36:07.0781 1676 usbehci - ok

14:36:07.0796 1676 usbhub - ok

14:36:07.0796 1676 usbser - ok

14:36:07.0812 1676 UsbserFilt - ok

14:36:07.0812 1676 USBSTOR - ok

14:36:07.0828 1676 usbuhci - ok

14:36:07.0828 1676 VComm - ok

14:36:07.0843 1676 VcommMgr - ok

14:36:07.0843 1676 VgaSave - ok

14:36:07.0859 1676 ViaIde - ok

14:36:07.0875 1676 VIAudio - ok

14:36:07.0890 1676 vmci - ok

14:36:07.0890 1676 vmkbd - ok

14:36:07.0906 1676 VMnetAdapter - ok

14:36:07.0906 1676 VMnetBridge - ok

14:36:07.0921 1676 VMnetuserif - ok

14:36:07.0921 1676 VMparport - ok

14:36:07.0937 1676 vmusb - ok

14:36:07.0953 1676 vmx86 - ok

14:36:07.0953 1676 VolSnap - ok

14:36:07.0968 1676 vstor2-ws60 - ok

14:36:07.0984 1676 Wanarp - ok

14:36:08.0000 1676 wanatw - ok

14:36:08.0015 1676 Wdf01000 - ok

14:36:08.0015 1676 WDICA - ok

14:36:08.0015 1676 wdmaud - ok

14:36:08.0046 1676 WinUSB - ok

14:36:08.0078 1676 WpdUsb - ok

14:36:08.0093 1676 WS2IFSL - ok

14:36:08.0109 1676 WSTCODEC - ok

14:36:08.0109 1676 WudfPf - ok

14:36:08.0125 1676 WudfRd - ok

14:36:08.0140 1676 ZSMC0305 - ok

14:36:08.0171 1676 {6080A529-897E-4629-A488-ABA0C29B635E} - ok

14:36:08.0187 1676 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok

14:36:08.0218 1676 MBR (0x1B8) (587f1bf40479d66675a13b610e5e7f9e) \Device\Harddisk0\DR0

14:36:08.0250 1676 \Device\Harddisk0\DR0 - ok

14:36:08.0250 1676 Boot (0x1200) (653f1f0785dee913405173c812c1e01b) \Device\Harddisk0\DR0\Partition0

14:36:08.0250 1676 \Device\Harddisk0\DR0\Partition0 - ok

14:36:08.0265 1676 Boot (0x1200) (8fd413b8bdf94bdedcbcf3de6486d7c5) \Device\Harddisk0\DR0\Partition1

14:36:08.0265 1676 \Device\Harddisk0\DR0\Partition1 - ok

14:36:08.0265 1676 ============================================================

14:36:08.0265 1676 Scan finished

14:36:08.0265 1676 ============================================================

14:36:08.0281 0736 Detected object count: 0

14:36:08.0281 0736 Actual detected object count: 0

14:36:53.0218 1012 ============================================================

14:36:53.0218 1012 Scan started

14:36:53.0218 1012 Mode: Manual; SigCheck; TDLFS;

14:36:53.0218 1012 ============================================================

14:36:53.0234 1012 Abiosdsk - ok

14:36:53.0250 1012 abp480n5 - ok

14:36:53.0250 1012 ac97intc - ok

14:36:53.0265 1012 ACPI - ok

14:36:53.0265 1012 ACPIEC - ok

14:36:53.0281 1012 adpu160m - ok

14:36:53.0281 1012 adpu320 - ok

14:36:53.0296 1012 aeaudio - ok

14:36:53.0296 1012 aec - ok

14:36:53.0312 1012 AFD - ok

14:36:53.0312 1012 Aha154x - ok

14:36:53.0312 1012 aic78u2 - ok

14:36:53.0328 1012 aic78xx - ok

14:36:53.0343 1012 AliIde - ok

14:36:53.0343 1012 amsint - ok

14:36:53.0359 1012 asc - ok

14:36:53.0359 1012 asc3350p - ok

14:36:53.0375 1012 asc3550 - ok

14:36:53.0390 1012 ASPI32 - ok

14:36:53.0406 1012 AsyncMac - ok

14:36:53.0406 1012 atapi - ok

14:36:53.0406 1012 Atdisk - ok

14:36:53.0421 1012 Atmarpc - ok

14:36:53.0437 1012 audstub - ok

14:36:53.0453 1012 BdRawPr - ok

14:36:53.0453 1012 Beep - ok

14:36:53.0468 1012 BlueletAudio - ok

14:36:53.0468 1012 BlueletSCOAudio - ok

14:36:53.0484 1012 Bridge - ok

14:36:53.0484 1012 BridgeMP - ok

14:36:53.0500 1012 BT - ok

14:36:53.0515 1012 Btcsrusb - ok

14:36:53.0515 1012 BthEnum - ok

14:36:53.0531 1012 BTHidEnum - ok

14:36:53.0531 1012 BTHidMgr - ok

14:36:53.0531 1012 BTHMODEM - ok

14:36:53.0546 1012 BthPan - ok

14:36:53.0546 1012 BTHPORT - ok

14:36:53.0562 1012 BTHUSB - ok

14:36:53.0578 1012 catchme - ok

14:36:53.0578 1012 cbidf2k - ok

14:36:53.0593 1012 CCDECODE - ok

14:36:53.0593 1012 cd20xrnt - ok

14:36:53.0609 1012 CdaC15BA - ok

14:36:53.0609 1012 Cdaudio - ok

14:36:53.0625 1012 Cdfs - ok

14:36:53.0625 1012 Cdr4_xp - ok

14:36:53.0640 1012 Cdralw2k - ok

14:36:53.0640 1012 Cdrom - ok

14:36:53.0656 1012 Changer - ok

14:36:53.0671 1012 CmdIde - ok

14:36:53.0687 1012 Cpqarray - ok

14:36:53.0703 1012 CrystalSysInfo - ok

14:36:53.0718 1012 dac2w2k - ok

14:36:53.0718 1012 dac960nt - ok

14:36:53.0734 1012 dgderdrv - ok

14:36:53.0734 1012 dg_ssudbus - ok

14:36:53.0750 1012 Disk - ok

14:36:53.0765 1012 dmboot - ok

14:36:53.0765 1012 dmio - ok

14:36:53.0765 1012 dmload - ok

14:36:53.0781 1012 DMusic - ok

14:36:53.0796 1012 dpti2o - ok

14:36:53.0812 1012 drmkaud - ok

14:36:53.0812 1012 duse - ok

14:36:53.0812 1012 E100B - ok

14:36:53.0828 1012 EagleNT - ok

14:36:53.0843 1012 Ext2fs - ok

14:36:53.0859 1012 Fastfat - ok

14:36:53.0859 1012 Fdc - ok

14:36:53.0875 1012 Fips - ok

14:36:53.0890 1012 Flpydisk - ok

14:36:53.0890 1012 FltMgr - ok

14:36:53.0906 1012 Fs_Rec - ok

14:36:53.0906 1012 Ftdisk - ok

14:36:53.0921 1012 GarenaPEngine - ok

14:36:53.0921 1012 GGSAFERDriver - ok

14:36:53.0937 1012 Gpc - ok

14:36:53.0937 1012 hcmon - ok

14:36:53.0953 1012 HidUsb - ok

14:36:53.0968 1012 hpn - ok

14:36:53.0968 1012 HTTP - ok

14:36:53.0984 1012 i2omgmt - ok

14:36:53.0984 1012 i2omp - ok

14:36:54.0000 1012 i8042prt - ok

14:36:54.0000 1012 i81x - ok

14:36:54.0015 1012 iAimFP0 - ok

14:36:54.0015 1012 iAimFP1 - ok

14:36:54.0031 1012 iAimFP2 - ok

14:36:54.0031 1012 iAimFP3 - ok

14:36:54.0031 1012 iAimFP4 - ok

14:36:54.0046 1012 iAimFP5 - ok

14:36:54.0046 1012 iAimFP6 - ok

14:36:54.0062 1012 iAimFP7 - ok

14:36:54.0062 1012 iAimTV0 - ok

14:36:54.0078 1012 iAimTV1 - ok

14:36:54.0078 1012 iAimTV3 - ok

14:36:54.0093 1012 iAimTV4 - ok

14:36:54.0093 1012 iAimTV5 - ok

14:36:54.0109 1012 iAimTV6 - ok

14:36:54.0109 1012 ialm - ok

14:36:54.0125 1012 IfsMount - ok

14:36:54.0140 1012 Imapi - ok

14:36:54.0156 1012 ini910u - ok

14:36:54.0171 1012 IntelIde - ok

14:36:54.0171 1012 intelppm - ok

14:36:54.0187 1012 Ip6Fw - ok

14:36:54.0187 1012 IpFilterDriver - ok

14:36:54.0187 1012 IpInIp - ok

14:36:54.0203 1012 IpNat - ok

14:36:54.0203 1012 IPSec - ok

14:36:54.0218 1012 IRENUM - ok

14:36:54.0234 1012 isapnp - ok

14:36:54.0234 1012 Kbdclass - ok

14:36:54.0250 1012 kbfilter - ok

14:36:54.0250 1012 kmixer - ok

14:36:54.0265 1012 KSecDD - ok

14:36:54.0281 1012 lbrtfdc - ok

14:36:54.0296 1012 mnmdd - ok

14:36:54.0312 1012 Modem - ok

14:36:54.0328 1012 Mouclass - ok

14:36:54.0328 1012 moufiltr - ok

14:36:54.0343 1012 mouhid - ok

14:36:54.0343 1012 MountMgr - ok

14:36:54.0359 1012 mpfilt - ok

14:36:54.0359 1012 mraid35x - ok

14:36:54.0359 1012 MRxDAV - ok

14:36:54.0375 1012 MRxSmb - ok

14:36:54.0390 1012 Msfs - ok

14:36:54.0406 1012 MSKSSRV - ok

14:36:54.0406 1012 MSPCLOCK - ok

14:36:54.0421 1012 MSPQM - ok

14:36:54.0421 1012 mssmbios - ok

14:36:54.0437 1012 MSTEE - ok

14:36:54.0437 1012 Mup - ok

14:36:54.0453 1012 NABTSFEC - ok

14:36:54.0453 1012 NDIS - ok

14:36:54.0468 1012 NdisIP - ok

14:36:54.0468 1012 NdisTapi - ok

14:36:54.0468 1012 Ndisuio - ok

14:36:54.0484 1012 NdisWan - ok

14:36:54.0484 1012 NDProxy - ok

14:36:54.0500 1012 NetBIOS - ok

14:36:54.0515 1012 NetBT - ok

14:36:54.0531 1012 nm - ok

14:36:54.0546 1012 nmwcd - ok

14:36:54.0546 1012 nmwcdc - ok

14:36:54.0562 1012 NPF - ok

14:36:54.0562 1012 Npfs - ok

14:36:54.0578 1012 npkcrypt - ok

14:36:54.0578 1012 Ntfs - ok

14:36:54.0593 1012 NTProcDrv - ok

14:36:54.0609 1012 Null - ok

14:36:54.0609 1012 NwlnkFlt - ok

14:36:54.0625 1012 NwlnkFwd - ok

14:36:54.0640 1012 P3 - ok

14:36:54.0656 1012 Parport - ok

14:36:54.0656 1012 PartMgr - ok

14:36:54.0671 1012 ParVdm - ok

14:36:54.0671 1012 pccsmcfd - ok

14:36:54.0687 1012 PCI - ok

14:36:54.0687 1012 PCIDump - ok

14:36:54.0687 1012 PCIIde - ok

14:36:54.0703 1012 Pcmcia - ok

14:36:54.0703 1012 PDCOMP - ok

14:36:54.0718 1012 PDFRAME - ok

14:36:54.0718 1012 PDRELI - ok

14:36:54.0734 1012 PDRFRAME - ok

14:36:54.0734 1012 perc2 - ok

14:36:54.0750 1012 perc2hib - ok

14:36:54.0781 1012 PptpMiniport - ok

14:36:54.0781 1012 PSched - ok

14:36:54.0796 1012 Ptilink - ok

14:36:54.0796 1012 PxHelp20 - ok

14:36:54.0812 1012 ql1080 - ok

14:36:54.0812 1012 Ql10wnt - ok

14:36:54.0828 1012 ql12160 - ok

14:36:54.0828 1012 ql1240 - ok

14:36:54.0843 1012 ql1280 - ok

14:36:54.0843 1012 RasAcd - ok

14:36:54.0859 1012 Rasl2tp - ok

14:36:54.0875 1012 RasPppoe - ok

14:36:54.0875 1012 Raspti - ok

14:36:54.0875 1012 Rdbss - ok

14:36:54.0890 1012 RDPCDD - ok

14:36:54.0906 1012 rdpdr - ok

14:36:54.0906 1012 RDPWD - ok

14:36:54.0921 1012 redbook - ok

14:36:54.0937 1012 RFCOMM - ok

14:36:54.0937 1012 ROOTMODEM - ok

14:36:54.0968 1012 SASDIFSV - ok

14:36:54.0984 1012 SASKUTIL - ok

14:36:54.0984 1012 sbbotdi - ok

14:36:55.0000 1012 Secdrv - ok

14:36:55.0015 1012 serenum - ok

14:36:55.0031 1012 Serial - ok

14:36:55.0062 1012 Sfloppy - ok

14:36:55.0078 1012 Simbad - ok

14:36:55.0078 1012 SLIP - ok

14:36:55.0093 1012 smwdm - ok

14:36:55.0109 1012 SONYPVU1 - ok

14:36:55.0109 1012 Sparrow - ok

14:36:55.0109 1012 splitter - ok

14:36:55.0125 1012 sptd - ok

14:36:55.0140 1012 sr - ok

14:36:55.0156 1012 Srv - ok

14:36:55.0156 1012 ssudmdm - ok

14:36:55.0171 1012 ssudobex - ok

14:36:55.0187 1012 streamip - ok

14:36:55.0187 1012 swenum - ok

14:36:55.0203 1012 swmidi - ok

14:36:55.0203 1012 symc810 - ok

14:36:55.0218 1012 symc8xx - ok

14:36:55.0218 1012 Symmpi - ok

14:36:55.0234 1012 sym_hi - ok

14:36:55.0234 1012 sym_u3 - ok

14:36:55.0250 1012 sysaudio - ok

14:36:55.0265 1012 Tcpip - ok

14:36:55.0265 1012 TDPIPE - ok

14:36:55.0281 1012 TDTCP - ok

14:36:55.0281 1012 TermDD - ok

14:36:55.0296 1012 TosIde - ok

14:36:55.0312 1012 TPkd - ok

14:36:55.0328 1012 Udfs - ok

14:36:55.0328 1012 ultra - ok

14:36:55.0343 1012 Update - ok

14:36:55.0359 1012 upperdev - ok

14:36:55.0375 1012 usbccgp - ok

14:36:55.0375 1012 usbehci - ok

14:36:55.0390 1012 usbhub - ok

14:36:55.0390 1012 usbser - ok

14:36:55.0406 1012 UsbserFilt - ok

14:36:55.0406 1012 USBSTOR - ok

14:36:55.0406 1012 usbuhci - ok

14:36:55.0421 1012 VComm - ok

14:36:55.0437 1012 VcommMgr - ok

14:36:55.0437 1012 VgaSave - ok

14:36:55.0453 1012 ViaIde - ok

14:36:55.0453 1012 VIAudio - ok

14:36:55.0468 1012 vmci - ok

14:36:55.0484 1012 vmkbd - ok

14:36:55.0484 1012 VMnetAdapter - ok

14:36:55.0500 1012 VMnetBridge - ok

14:36:55.0515 1012 VMnetuserif - ok

14:36:55.0515 1012 VMparport - ok

14:36:55.0531 1012 vmusb - ok

14:36:55.0531 1012 vmx86 - ok

14:36:55.0546 1012 VolSnap - ok

14:36:55.0562 1012 vstor2-ws60 - ok

14:36:55.0578 1012 Wanarp - ok

14:36:55.0578 1012 wanatw - ok

14:36:55.0593 1012 Wdf01000 - ok

14:36:55.0593 1012 WDICA - ok

14:36:55.0609 1012 wdmaud - ok

14:36:55.0640 1012 WinUSB - ok

14:36:55.0656 1012 WpdUsb - ok

14:36:55.0671 1012 WS2IFSL - ok

14:36:55.0687 1012 WSTCODEC - ok

14:36:55.0703 1012 WudfPf - ok

14:36:55.0703 1012 WudfRd - ok

14:36:55.0718 1012 ZSMC0305 - ok

14:36:55.0750 1012 {6080A529-897E-4629-A488-ABA0C29B635E} - ok

14:36:55.0765 1012 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok

14:36:55.0796 1012 MBR (0x1B8) (587f1bf40479d66675a13b610e5e7f9e) \Device\Harddisk0\DR0

14:36:55.0890 1012 \Device\Harddisk0\DR0 - ok

14:36:55.0906 1012 Boot (0x1200) (653f1f0785dee913405173c812c1e01b) \Device\Harddisk0\DR0\Partition0

14:36:55.0906 1012 \Device\Harddisk0\DR0\Partition0 - ok

14:36:55.0921 1012 Boot (0x1200) (8fd413b8bdf94bdedcbcf3de6486d7c5) \Device\Harddisk0\DR0\Partition1

14:36:55.0921 1012 \Device\Harddisk0\DR0\Partition1 - ok

14:36:55.0921 1012 ============================================================

14:36:55.0921 1012 Scan finished

14:36:55.0921 1012 ============================================================

14:36:55.0937 0468 Detected object count: 0

14:36:55.0937 0468 Actual detected object count: 0


Attached File  MBR.zip   585bytes   0 downloads

Edited by vernel1008, 01 January 2012 - 05:13 AM.
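The two logs above are long, and a helper on the receiving end mostly wants three things from them: whether aswMBR recognised the MBR code, what the partition table looks like, and whether TDSSKiller flagged any object. The following script is an added example (not part of this thread, nor a tool from Avast or Kaspersky) that parses constructed excerpts modelled on the posted logs into those summaries and emits review findings. The `sampledrv - detected` line is invented to exercise the flagging path and does not appear in the original logs; the "unknown MBR code" handling assumes, as in this dual-boot case, that the Linux boot loader can be the benign explanation and should be verified rather than assumed either way.

```python
"""Triage helper for aswMBR and TDSSKiller text logs (added example, not from the thread)."""
import re

# Constructed excerpts modelled on the aswMBR and TDSSKiller output posted in this
# thread. The "sampledrv - detected" line is invented to exercise the flagging path.
ASWMBR_SAMPLE = r"""14:32:45.703 Disk 0 MBR read successfully
14:32:45.703 Disk 0 MBR scan
14:32:45.703 Disk 0 unknown MBR code
14:32:45.703 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 62918 MB offset 63
14:32:45.703 Disk 0 Partition - 00 0F Extended LBA 13397 MB offset 128857365
14:32:45.734 Disk 0 Partition 2 00 83 Linux 5247 MB offset 128857428
14:32:45.765 Disk 0 Partition 4 00 82 Linux swap 792 MB offset 139604913
14:33:07.453 Scan finished successfully
"""

TDSS_SAMPLE = r"""14:36:53.0218 1012 Mode: Manual; SigCheck; TDLFS;
14:36:53.0234 1012 Abiosdsk - ok
14:36:53.0250 1012 abp480n5 - ok
14:36:54.0000 1012 sampledrv - detected
14:36:55.0796 1012 MBR (0x1B8) (587f1bf40479d66675a13b610e5e7f9e) \Device\Harddisk0\DR0
14:36:55.0890 1012 \Device\Harddisk0\DR0 - ok
14:36:55.0937 0468 Detected object count: 0
14:36:55.0937 0468 Actual detected object count: 0
"""

# "Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 62918 MB offset 63"
PART_RE = re.compile(
    r"Disk (\d+) Partition (\S+) ([0-9A-Fa-f]{2}) (?:\(A\) )?([0-9A-Fa-f]{2}) "
    r"(.+?) (\d+) MB offset (\d+)$"
)
# "<time> <pid> <object> - <verdict>"
TDSS_ENTRY_RE = re.compile(r"^\S+ \d+ (.+?) - (\S.*)$")
TDSS_MBR_RE = re.compile(r"MBR \((0x[0-9A-Fa-f]+)\) \(([0-9a-f]{32})\)")
TDSS_COUNT_RE = re.compile(r"^\S+ \d+ (Actual detected|Detected) object count: (\d+)")


def parse_aswmbr(text):
    """Extract the MBR code verdict and the partition table from an aswMBR log."""
    report = {"mbr_code": None, "partitions": [], "active_count": 0}
    for line in text.splitlines():
        if "MBR code" in line:
            report["mbr_code"] = "unknown" if "unknown" in line else "identified"
        m = PART_RE.search(line)
        if m:
            part = {
                "disk": int(m.group(1)),
                "number": m.group(2),          # "-" marks an extended container entry
                "active": m.group(3) == "80",  # 0x80 is the bootable flag
                "type": m.group(4).upper(),    # partition type byte, e.g. 07 = NTFS
                "desc": m.group(5),
                "size_mb": int(m.group(6)),
                "offset": int(m.group(7)),     # start sector, 512-byte units
            }
            report["partitions"].append(part)
            report["active_count"] += int(part["active"])
    return report


def parse_tdsskiller(text):
    """Summarise a TDSSKiller log: scan mode, per-object verdicts, MBR hash, totals."""
    report = {"mode": None, "checked": 0, "flagged": [], "mbr_hash": None,
              "detected": None, "actual_detected": None}
    for line in text.splitlines():
        if "Mode:" in line:
            report["mode"] = line.split("Mode:", 1)[1].strip()
            continue
        m = TDSS_MBR_RE.search(line)
        if m:
            report["mbr_hash"] = m.group(2)
            continue
        m = TDSS_COUNT_RE.match(line)
        if m:
            key = "actual_detected" if m.group(1).startswith("Actual") else "detected"
            report[key] = int(m.group(2))
            continue
        m = TDSS_ENTRY_RE.match(line)
        if m:
            report["checked"] += 1
            if m.group(2) != "ok":           # anything but "ok" needs a human look
                report["flagged"].append((m.group(1), m.group(2)))
    return report


def triage(asw, tdss):
    """Turn the two parsed reports into review findings for the helper."""
    findings = []
    if asw["mbr_code"] == "unknown":
        findings.append("aswMBR: unknown MBR code; on a dual-boot machine this may be the "
                        "Linux boot loader, so inspect MBR.dat instead of assuming a bootkit")
    if asw["active_count"] != 1:
        findings.append(f"aswMBR: {asw['active_count']} partitions carry the active flag (expected 1)")
    if "07" not in {p["type"] for p in asw["partitions"]}:
        findings.append("aswMBR: no NTFS (type 07) partition found in the table")
    for name, status in tdss["flagged"]:
        findings.append(f"TDSSKiller: {name} reported as '{status}'")
    if tdss["detected"] != tdss["actual_detected"]:
        findings.append("TDSSKiller: detected and actual detected counts differ")
    return findings


if __name__ == "__main__":
    for f in triage(parse_aswmbr(ASWMBR_SAMPLE), parse_tdsskiller(TDSS_SAMPLE)):
        print(f)
```

Point the two parsers at the saved aswMBR.txt and TDSSKiller log files instead of the embedded samples to run it over a real pair; the partition offsets it extracts are what you would compare against the MBR.dat attachment when deciding whether the boot sector needs repair.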


#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,933 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:07 AM

Posted 01 January 2012 - 10:06 AM

Software: Windows STOP error
Name: INACCESSIBLE_BOOT_DEVICE


P.S.
I'm running a dual boot of Ubuntu to send this message, so technically the computer is usable except for the installation of XP. Any help would be very much appreciated. Thanks, Bleeping Computer.


You have a dual boot computer.

Is XP the primary boot?

I'm not familiar with dual boot systems. You may have to start a new topic in the XP forum and see what kind of help you can get there.
http://www.bleepingcomputer.com/forums/forum56.html

But for now can you try to run this tool.
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Please post the log for my review.

#7 vernel1008

  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male

Posted 03 January 2012 - 10:56 AM

Hi nasdaq. Thank you for your continuous support.


As I've said earlier, I already ran ComboFix on 12-17-2011, since MBAM and SuperAntiSpyware hadn't seen any malware.

Is XP the primary boot?


Yes, XP is my primary boot. I usually don't use Ubuntu except for occasions like this, when I cannot use XP. Before this problem, my last use of Ubuntu was January or February last year, so it probably isn't a factor in this problem, which only started last December.


I shall attach the 12-17-2011 ComboFix logs. I hope they can help pinpoint the problem, since it detected another system32 folder within the system32 folder.

You will also see that from 12-04-2011 until 12-16-2011 the date was changed back to 2001. The battery of my CMOS got drained completely, so the time was set to default during that period. I replaced it on 12-16-2011. I don't know if this is a factor for some malware to attack my box.


A day or two before 12-16-2011, my PC was running fine. I was even playing Warcraft3 and doing some minor surfing on the internet. The next day I was surprised that all of the services were disabled, so I thought the cause of the problem was the drained CMOS battery, so I rushed out and bought a new one. After my CMOS installation, everything was still the same. So I tried to go to Safe Mode but I was halted at NostKrnl *can't remember the exact name of the file, but the screen was still dark and checking for some file before letting you choose whether you'll proceed to Safe Mode or LKGConfig*

Then I tried to repair the whole installation, so I ran the installation CD that I have. It stops on the error I provided earlier.
0x000007B (0xF898D524, 0XC0000034n 0X00000000, 0X00000000)



Thanks again nasdaq. Your help is greatly appreciated.





Here is the 12-17-2011 Combofix Log
Attached File  ComboFix12172011.txt   372.44KB   1 downloads

Here is the 01-03-2012 Combofix Log
Attached File  ComboFix01032012.txt   24.33KB   1 downloads

#8 nasdaq

  • Malware Response Team
  • 38,933 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 January 2012 - 06:40 PM

Then I tried to repair the whole installation so I run the installation CD that I have. It stops on the error I provided earlier.
0x000007B (0xF898D524, 0XC0000034n 0X00000000, 0X00000000)


This error is known as "INACCESSIBLE_BOOT_DEVICE"

Googling INACCESSIBLE_BOOT_DEVICE I found this interesting article.
http://pcsupport.about.com/od/findbyerrormessage/a/stop0x0000007b.htm

But before we go any further, let's check if your partition has been modified by the virus.
===

Execute the following attentively. If at any time you need help please ask.

You will need two new CDs to complete the task.

Preferably from a clean computer, I need you to download: gparted-live-0.10.0-3.iso (115.1 MB) and
Windows XP Recovery Console rc.iso

Create a bootable CD, 1 for GParted and 1 for the Windows XP Recovery Console, from the ISO images. You can use ImgBurn to do this.

This may help burning the iso image(s) to a CD.
http://www.imgburn.com/index.php?act=screenshots#isowrite
===


Now boot off of the newly created Gparted CD.

Posted Image
You should be here...
Press ENTER

Posted Image
By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

Posted Image
Choose your language and press ENTER. English is default [33]

Posted Image
Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below
Posted Image

I would like to see that last screen.

To do print screen follow these steps:

* Press Alt and Print Screen button on your keyboard
* Open Paint program
* From the menu choose Edit then Paste
* Now save the picture and attach it here for me to review.

Exit all programs.

#9 vernel1008

  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male

Posted 04 January 2012 - 11:48 AM

I'm sorry nasdaq but I cannot clearly see the images.
It says
http://imageshack.us/img/blocked_login.jpg

I think I shall just follow your instructions.

I shall do your instructions as soon as I arrive home. I'm at the office right now.


Thank you very much for your help.



Always,
Vernel

#10 vernel1008

  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male

Posted 06 January 2012 - 09:16 PM

Hi Nasdaq,


Would you think it is better if I do a format of my PC?
Since I cannot get to Windows Installation Set-up, should I reformat the Windows partition using Ubuntu and retry the installation?


Thank you very much.

#11 nasdaq

  • Malware Response Team
  • 38,933 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 January 2012 - 10:35 AM

Your call.



