desktop blanks white/cant access safe mode


22 replies to this topic

#1 HLG

HLG

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:32 PM

Posted 31 October 2013 - 11:08 AM

I am using Windows XP on a computer with this problem.  My screen blanks out completely white.  I have tried to run virus removal software and/or restore system to an earlier date but nothing works.  The screen still blanks out white in safe mode with networking.  In regular safe mode, the computer just shuts off.  What actually happens is that the screen is black.  The words "safe mode" are in each of the four corners of the screen for a moment.  Before the safe mode screen is able to come up completely, a window pops up with some writing in it and the computer shuts off very quickly before I am able to read what is in the box.

 

I am able to run the computer in safe mode with command prompts.  I had a friend walk me through this to try to restore computer back to a date before infection, but after the system roll back was applied the computer still blanked out white.

 

Has anyone fixed this problem before? 




#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:04:32 PM

Posted 31 October 2013 - 06:34 PM

I'll report this topic to appropriate helpers.

1. Please let us know what Windows version you have and if it's 32- or 64-bit.
2. Is the computer bootable in any mode?

Hold on there....



 


#3 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:07:32 PM

Posted 01 November 2013 - 02:50 PM

Hello HLG, and welcome to Bleeping Computer! :)

My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

A few things to keep in mind while we are working together:
  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please copy and paste all logs here unless otherwise instructed!
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.
  • Please do not run any other tools without my instruction to do so!
==========

I have moved this topic to the Malware Removal Logs forum where it will stay and I will continue to assist you with this issue.

==========

Now...to business! You mention that you are able to access Safemode with Command Prompt, so let's do the following. You will need the use of a flash drive or removable USB device:

Step 1: Note: You need to run the version compatible with your system. Your system should be 32-bit (but if your system can't run the 32-bit version, then please stop and try the other, 64-bit, version!). Only one version will run on your system. The one that runs will be your version.

Step 2:
  • Plug the flashdrive into the infected PC.
  • Boot the infected machine into Safemode with Command Prompt.
Step 3:

Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "My Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your next reply.
bloopie

#4 HLG

HLG
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:32 PM

Posted 07 November 2013 - 02:00 PM

Hello Bloopie and Broni,

 

My white-out desktop still persists.

I have a 32-bit operating system running XP.  I do not have the Windows CD/DVD to reload onto my computer.  It boots in safe mode with command prompts only. 

 

Below are the results of an FRST scan.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-10-2013
Ran by Holl (administrator) on HOLLAND on 04-11-2013 16:18:56
Running from D:\
Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Safe Mode (minimal)
 
==================== Processes (Whitelisted) ===================
 
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Microsoft Corporation) C:\WINDOWS\system32\cmd.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Broadcom Wireless Manager UI] - C:\WINDOWS\system32\WLTRAY
HKLM\...\Run: [igfxhkcmd] - C:\WINDOWS\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [igfxpers] - C:\WINDOWS\system32\igfxpers.exe [118784 2005-11-03] (Intel Corporation)
HKLM\...\Run: [BJCFD] - C:\Program Files\BroadJump\Client Foundation\CFD.exe [368706 2002-09-10] (BroadJump, Inc.)
HKLM\...\Run: [Conime] - C:\WINDOWS\system32\conime.exe [27648 2008-04-14] (Microsoft Corporation)
HKLM\...\Run: [ContentTransferWMDetector.exe] - C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe [583016 2009-11-19] (Sony Corporation)
HKLM\...\Run: [Everything] - C:\Program Files\Everything\Everything.exe [602624 2009-03-12] ()
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [995176 2013-08-12] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
HKLM\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 1
HKCU\...\Run: [cdloader] - C:\Documents and Settings\Holl\Application Data\mjusbsp\cdloader2.exe [50592 2011-08-23] (magicJack L.P.)
HKCU\...\Run: [Skype] - C:\Program Files\Skype\Phone\Skype.exe [17418928 2012-07-13] (Skype Technologies S.A.)
HKCU\...\Winlogon: [Shell] explorer.exe,C:\Documents and Settings\Holl\Application Data\Other.res [98304 2010-12-09] () <==== ATTENTION 
HKCU\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 0
AppInit_DLLs:   [ ] ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
HKCU\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qwest.live.com
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www2.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language
HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: ATTENTION ==> Default URLSearchHook is missing.
URLSearchHook: HKCU - (No Name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} -  No File
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - {0B4A10D1-FBD6-451d-BFDA-F03252B05984} URL = 
SearchScopes: HKCU - {B2289C67-57B8-4AAC-B2B8-AB8B82E12247} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: SimpleAdblock Class - {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files\Common Files\Simple Adblock\SimpleAdblock.dll (Simple Adblock)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU - No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} -  No File
Toolbar: HKCU - No Name - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} -  No File
Toolbar: HKCU - No Name - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} -  No File
Toolbar: HKCU - No Name - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} -  No File
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} http://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} 
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [113024 2012-08-19] (SuperAdBlocker.com)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{DB005E69-5981-4499-BF42-21BE420F1CC6}: [NameServer]205.171.3.65,205.171.2.65
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\Holl\Application Data\Mozilla\Firefox\Profiles\6uxdrnji.default
FF user.js: detected! => C:\Documents and Settings\Holl\Application Data\Mozilla\Firefox\Profiles\6uxdrnji.default\user.js
FF NewTab: hxxp://search.babylon.com/?affID=109935&tt=010812_rbt_3112_2&babsrc=NT_ss&mntrId=c086060a00000000000000e0b891e166
FF DefaultSearchEngine: Search the web (Babylon)
FF SearchEngineOrder.1: Search the web (Babylon)
FF SelectedSearchEngine: Search the web (Babylon)
FF Homepage: www.google.com
FF Keyword.URL: hxxp://search.babylon.com/?affID=109935&tt=010812_rbt_3112_2&babsrc=KW_ss&mntrId=c086060a00000000000000e0b891e166&q=
FF Plugin: @checkpoint.com/FFApi - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll No File
FF Plugin: @java.com/DTPlugin,version=10.7.2 - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.7.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @nosltd.com/getPlus+®,version=1.6.2.97 - C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.2 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: tdameritrade.com/thinkorswim - C:\Program Files\thinkorswim\npthinkorswim.dll (TD Ameritrade)
FF Plugin HKCU: tdameritrade.com/tossc - C:\Program Files\thinkorswim\nptossc.dll (TD Ameritrade)
FF SearchPlugin: C:\Documents and Settings\Holl\Application Data\Mozilla\Firefox\Profiles\6uxdrnji.default\searchplugins\aim-search.xml
FF SearchPlugin: C:\Documents and Settings\Holl\Application Data\Mozilla\Firefox\Profiles\6uxdrnji.default\searchplugins\speedbit.xml
FF SearchPlugin: C:\Documents and Settings\Holl\Application Data\Mozilla\Firefox\Profiles\6uxdrnji.default\searchplugins\zonealarm.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\Holl\Application Data\Mozilla\Firefox\Profiles\6uxdrnji.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF Extension: noscript - C:\Documents and Settings\Holl\Application Data\Mozilla\Firefox\Profiles\6uxdrnji.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [searchpredict@speedbit.com] - C:\Program Files\SearchPredict\PRFireFox
FF HKLM\...\Firefox\Extensions: [{0329E7D6-6F54-462D-93F6-F5C3118BADF2}] - C:\Program Files\SPEEDbit Video Downloader\SPFireFox
 
Chrome: 
=======
CHR HomePage: hxxp://search.babylon.com/?affID=109935&tt=010812_rbt_3112_2&babsrc=HP_ss&mntrId=c086060a00000000000000e0b891e166
CHR RestoreOnStartup: "hxxp://www.google.com/"
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\30.0.1599.66\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\30.0.1599.66\pdf.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\30.0.1599.66\gcswf32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.300.12) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 6 U30) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (ActiveTouch General Plugin Container) - C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll (Cisco WebEx LLC)
CHR Plugin: (downloadUpdater) - C:\Program Files\Mozilla Firefox\plugins\npdnu.dll (AOL LLC)
CHR Plugin: (downloadUpdater2) - C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll (AOL LLC)
CHR Plugin: (Microsoft Office 2003) - C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL (Microsoft Corporation)
CHR Plugin: (getPlusPlus for Adobe 16297) - C:\Program Files\Mozilla Firefox\plugins\np_gp.dll (NOS Microsystems Ltd.)
CHR Plugin: (Microsoft DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Microsoft DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (npFFApi) - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (YouTube) - C:\DOCUME~1\Holl\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Adblock Plus) - C:\DOCUME~1\Holl\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.5.5_0
CHR Extension: (Adblock for Gmail\u2122) - C:\DOCUME~1\Holl\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\cobbaepnkejfnljmjgimdhoefifdhcak\0.2.0.3_0
CHR Extension: (Skype Click to Call) - C:\DOCUME~1\Holl\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\6.5.0.11422_0
CHR Extension: (Chrome In-App Payments service) - C:\DOCUME~1\Holl\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0
CHR Extension: (Gmail) - C:\DOCUME~1\Holl\LOCALS~1\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx
 
========================== Services (Whitelisted) =================
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [116608 2012-08-19] (SUPERAntiSpyware.com)
S3 getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [31592 2008-06-26] (NOS Microsystems Ltd.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-08-12] (Microsoft Corporation)
S2 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [987704 2010-12-21] (Secunia)
S2 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [399416 2010-12-21] (Secunia)
S2 Skype C2C Service; C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3290896 2012-12-13] (Skype Technologies S.A.)
S2 wltrysvc; C:\Windows\System32\bcmwltry.exe [847983 2005-02-17] (Broadcom Corporation)
S2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"
S2 lxdu_device; C:\WINDOWS\system32\lxducoms.exe -service [x]
S3 SupportSoft RemoteAssist; C:\Program Files\Common Files\supportsoft\bin\ssrc.exe [x]
 
==================== Drivers (Whitelisted) ====================
 
S2 AegisP; C:\Windows\System32\DRIVERS\AegisP.sys [17801 2008-08-09] (Meetinghouse Data Communications)
S3 BCM43XX; C:\Windows\System32\DRIVERS\bcmwl5.sys [371712 2005-02-11] (Broadcom Corporation)
S3 BrScnUsb; C:\Windows\System32\DRIVERS\BrScnUsb.sys [15295 2004-10-14] (Brother Industries Ltd.)
S3 HSFHWICH; C:\Windows\System32\DRIVERS\HSFHWICH.sys [205696 2005-01-28] (Conexant Systems, Inc.)
S3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [1353820 2005-11-03] (Intel Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)
S3 MREMP50; C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [19712 2008-01-28] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [18304 2008-01-28] (Printing Communications Assoc., Inc. (PCAUSA))
S3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [14736 2009-05-09] (Microsoft Corporation)
S3 PSI; C:\Windows\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2012-08-19] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2012-08-19] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [x]
S3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [x]
U5 P3; C:\Windows\System32\Drivers\P3.sys [42752 2008-04-13] (Microsoft Corporation)
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U5 Tcpip6; C:\Windows\System32\Drivers\Tcpip6.sys [226880 2010-02-11] (Microsoft Corporation)
S0 TfFsMon; system32\drivers\TfFsMon.sys [x]
S3 TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys [x]
S0 TfSysMon; system32\drivers\TfSysMon.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-11-04 16:18 - 2013-11-04 16:18 - 00000000 ___DC C:\FRST
2013-10-15 18:57 - 2013-10-29 23:38 - 00000384 ____H C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2013-10-11 11:23 - 2013-10-11 11:23 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2847311$
2013-10-11 08:50 - 2013-10-11 09:13 - 00000000 ____D C:\Documents and Settings\Holl\.thinkorswim
2013-10-11 08:46 - 2013-10-11 08:47 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2862335$
2013-10-11 08:45 - 2013-10-11 08:45 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2883150$
2013-10-10 21:37 - 2013-10-10 21:37 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2868038$
2013-10-10 21:32 - 2013-10-10 21:32 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2862330$
2013-10-10 21:27 - 2013-07-02 20:12 - 00025088 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\hidparse.sys
2013-10-10 21:15 - 2013-07-16 18:58 - 00123008 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbvideo.sys
2013-10-10 21:10 - 2013-08-08 18:55 - 00144128 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbport.sys
2013-10-10 21:10 - 2013-08-08 18:55 - 00005376 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbd.sys
2013-10-10 21:10 - 2009-03-18 05:02 - 00030336 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbehci.sys
 
==================== One Month Modified Files and Folders =======
 
2013-11-04 16:20 - 2008-08-09 06:38 - 00513916 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2013-11-04 16:18 - 2013-11-04 16:18 - 00000000 ___DC C:\FRST
2013-11-04 16:15 - 2008-08-09 10:49 - 01329287 _____ C:\WINDOWS\WindowsUpdate.log
2013-11-04 16:15 - 2006-02-28 06:00 - 00013646 _____ C:\WINDOWS\system32\wpa.dbl
2013-10-29 23:53 - 2008-08-09 10:56 - 00000278 ___SH C:\Documents and Settings\Holl\ntuser.ini
2013-10-29 23:53 - 2008-08-09 10:56 - 00000000 ____D C:\Documents and Settings\Holl
2013-10-29 23:53 - 2008-08-09 10:54 - 00032650 _____ C:\WINDOWS\SchedLgU.Txt
2013-10-29 23:53 - 2008-08-09 10:54 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-10-29 23:53 - 2008-08-09 06:41 - 00000216 _____ C:\WINDOWS\wiadebug.log
2013-10-29 23:53 - 2008-08-09 06:41 - 00000050 _____ C:\WINDOWS\wiaservc.log
2013-10-29 23:51 - 2012-07-10 15:23 - 00000878 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-29 23:38 - 2013-10-15 18:57 - 00000384 ____H C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2013-10-29 23:37 - 2008-08-09 10:47 - 00000000 ____D C:\WINDOWS\system32\Restore
2013-10-29 09:14 - 2013-10-02 14:41 - 00000664 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-10-28 22:30 - 2012-07-10 15:23 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-28 22:01 - 2012-06-07 11:16 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2013-10-23 18:29 - 2012-08-19 19:26 - 00000000 ____D C:\Documents and Settings\Holl\Application Data\Simple Adblock
2013-10-15 19:17 - 2009-08-25 09:15 - 00000000 ____D C:\WINDOWS\Microsoft.NET
2013-10-14 16:18 - 2012-08-19 01:13 - 00001945 _____ C:\WINDOWS\epplauncher.mif
2013-10-14 16:18 - 2012-08-19 01:12 - 00001698 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
2013-10-14 16:17 - 2012-08-19 01:11 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-10-14 14:23 - 2008-08-11 22:26 - 00000000 __SHD C:\Documents and Settings\Holl\UserData
2013-10-11 15:47 - 2008-08-09 06:37 - 00142032 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2013-10-11 11:23 - 2013-10-11 11:23 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2847311$
2013-10-11 09:13 - 2013-10-11 08:50 - 00000000 ____D C:\Documents and Settings\Holl\.thinkorswim
2013-10-11 08:57 - 2008-10-17 10:25 - 00000000 ____D C:\Program Files\thinkorswim
2013-10-11 08:47 - 2013-10-11 08:46 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2862335$
2013-10-11 08:45 - 2013-10-11 08:45 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2883150$
2013-10-10 21:37 - 2013-10-10 21:37 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2868038$
2013-10-10 21:32 - 2013-10-10 21:32 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2862330$
2013-10-10 21:32 - 2009-08-26 22:34 - 00000000 ____D C:\WINDOWS\ie8updates
2013-10-09 21:09 - 2012-06-07 11:16 - 00692616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2013-10-09 21:09 - 2012-03-11 23:14 - 00071048 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-10-06 15:33 - 2012-08-03 13:46 - 00000000 ____D C:\Program Files\Everything
2013-10-05 14:43 - 2009-07-26 20:18 - 00000000 ____D C:\Documents and Settings\Holl\Application Data\vlc
 
Some content of TEMP:
====================
C:\Documents and Settings\Holl\Local Settings\Temp\8m6Spbz.exe
C:\Documents and Settings\Holl\Local Settings\Temp\8m6Spbz0.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== End Of Log ============================

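As an added example (not FRST's code and not anything posted in this thread), here is a Python triage script that flags the kinds of FRST log entries bloopie acted on above (the Winlogon Shell value with a second file appended, FRST's own ATTENTION markers, empty SearchScopes, orphaned "No File" entries, executables in Temp) and rebuilds a candidate fixlist from them in the form FRST accepts: log lines copied verbatim plus bare file paths. The sample log, user name, search URL, function names and finding categories are my own assumptions, and the output is a list for a human reviewer to check, not an automatic fix.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log lines.

Flags the entry types acted on in the thread and rebuilds a fixlist
from them the way FRST expects: verbatim log lines plus bare paths.
"""
import re
from dataclasses import dataclass

# Constructed sample in FRST's log format: user name, search URL and the
# benign entries are placeholders; the suspicious entry shapes mirror the thread.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKCU\...\Winlogon: [Shell] explorer.exe,C:\Documents and Settings\User\Application Data\Other.res [98304 2010-12-09] () <==== ATTENTION

==================== Internet (Whitelisted) ====================

URLSearchHook: ATTENTION ==> Default URLSearchHook is missing.
URLSearchHook: HKCU - (No Name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} -  No File
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {B2289C67-57B8-4AAC-B2B8-AB8B82E12247} URL = http://search.example/?p={searchTerms}
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File

Some content of TEMP:
====================
C:\Documents and Settings\User\Local Settings\Temp\8m6Spbz.exe
C:\Documents and Settings\User\Local Settings\Temp\8m6Spbz0.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
"""

SECTION_RE = re.compile(r"^=+\s+(.+?)\s+=+$")           # "==== Name ===="
EMPTY_SCOPE_RE = re.compile(r"^SearchScopes: .*\bURL\s*=\s*$")


@dataclass(frozen=True)
class Finding:
    category: str
    line: str          # the log line, verbatim
    fix_lines: tuple   # what this finding contributes to fixlist.txt


def _winlogon_shell(line):
    """Shell must be exactly explorer.exe; anything appended after a comma also runs at logon."""
    if "Winlogon: [Shell]" not in line:
        return None
    value = line.partition("[Shell]")[2].split(" [", 1)[0].strip()
    if value.lower() == "explorer.exe":
        return None
    # Mirrors the thread's fixlist: the log line, then the bare path of the extra payload.
    extras = tuple(p.strip() for p in value.split(",")[1:] if p.strip())
    return Finding("winlogon_shell_hijack", line, (line,) + extras)


def classify_line(line, section):
    """Return a Finding for one log line, or None when nothing looks off."""
    line = line.rstrip()
    hit = _winlogon_shell(line)
    if hit:
        return hit
    if "ATTENTION" in line:                        # FRST's own marker
        return Finding("frst_attention", line, (line,))
    if EMPTY_SCOPE_RE.match(line):                 # search scope with no URL
        return Finding("empty_search_scope", line, (line,))
    if line.endswith("No File"):                   # registry points at a missing file
        return Finding("orphaned_entry", line, (line,))
    if section == "TEMP" and line.lower().endswith(".exe"):
        return Finding("temp_executable", line, (line,))
    return None


def triage_frst(log_text):
    """Walk an FRST log, track the current section, collect findings in log order."""
    findings, section = [], None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line == "Some content of TEMP:":        # this header has no '=' framing
            section = "TEMP"
            continue
        hit = classify_line(line, section)
        if hit:
            findings.append(hit)
    return findings


def build_fixlist(findings):
    """Assemble fixlist.txt text: verbatim log lines and bare paths, deduplicated, in order."""
    seen, out = set(), []
    for f in findings:
        for fl in f.fix_lines:
            if fl not in seen:
                seen.add(fl)
                out.append(fl)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = triage_frst(SAMPLE_LOG)
    for f in hits:
        print(f"{f.category:22} {f.line[:70]}")
    print("--- candidate fixlist.txt (review before use) ---")
    print(build_fixlist(hits), end="")
```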

#5 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:07:32 PM

Posted 07 November 2013 - 07:02 PM

Hello again,

Thanks for the log, and I'll get to it as soon as I can!

I may not be able to reply tonight, but if not, I certainly will tomorrow! Glad you're still here! :)

bloopie

#6 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:07:32 PM

Posted 09 November 2013 - 11:40 AM

Hello again,

Sorry again for the delay, I promise I'm not usually missing my users this much!! I'm not getting my notifications correctly right now...

I'll be very responsive from here on out! If I don't respond to you in 24 hours from here out, please send me a PM!

==========

Okay let's run this fix:

From a working computer, download the attached file fixlist.txt (1.53KB, 13 downloads) and save it to the Flashdrive.

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Now insert the flashdrive into the sick computer and run FRST just as you did before, but this time press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

==========

In addition to the fixlog, please let me know if the system boots normally now!

bloopie



#7 HLG

HLG
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:32 PM

Posted 11 November 2013 - 06:28 PM

Hi Bloopie,

 

This is not working out as easily as the first time we talked.   Am I supposed to click on fixlist.txt below and download two files?  There was no attachment in the email I received. I clicked the link and I think I got two files: fixlist.txt and FRST.exe.  In safe mode all I pull up is coding on the notepad.  There are no buttons to click to fix or run anything.



#8 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:07:32 PM

Posted 11 November 2013 - 09:15 PM

Hello HLG,
 

From a working computer, download the attached fixlist.txt and save it to the Flashdrive.

The fixlist is a text file that is embedded in the sentence above (you can tell by the color and you'll also see how many times the file has been downloaded). All you need to do is (from the clean computer) click and download the file to the flashdrive as mentioned.

Once the fixlist.txt is now downloaded onto the flashdrive, then follow the exact same instructions as in post #3, but this time, begin with Step 2 and press the Fix button this time around...instead of the Scan button.

 

Once the tool finishes, it will generate a log on the flashdrive called Fixlog.txt.

Please copy and paste that log here in your next reply (you may do this from the clean computer or the sick one if it boots normally now)!

 

Does that make sense? If not, please let me know!

 

bloopie



#9 HLG

HLG
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:06:32 PM

Posted 11 November 2013 - 10:14 PM

Hello Bloopie,

 

Desktop is back to normal.  Computer seems to be fully functional so far.  Thank you.

 

Here is my fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 31-10-2013
Ran by Holl at 2013-11-11 20:06:56 Run:1
Running from D:\
Boot Mode: Safe Mode (minimal)
 
==============================================
 
Content of fixlist:
*****************
HKCU\...\Winlogon: [Shell] explorer.exe,C:\Documents and Settings\Holl\Application Data\Other.res [98304 2010-12-09] () <==== ATTENTION 
C:\Documents and Settings\Holl\Application Data\Other.res
URLSearchHook: ATTENTION ==> Default URLSearchHook is missing.
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - {0B4A10D1-FBD6-451d-BFDA-F03252B05984} URL = 
SearchScopes: HKCU - {B2289C67-57B8-4AAC-B2B8-AB8B82E12247} URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
FF ProfilePath: C:\Documents and Settings\Holl\Application Data\Mozilla\Firefox\Profiles\6uxdrnji.default
FF user.js: detected! => C:\Documents and Settings\Holl\Application Data\Mozilla\Firefox\Profiles\6uxdrnji.default\user.js
FF NewTab: hxxp://search.babylon.com/?affID=109935&tt=010812_rbt_3112_2&babsrc=NT_ss&mntrId=c086060a00000000000000e0b891e166
FF DefaultSearchEngine: Search the web (Babylon)
FF SearchEngineOrder.1: Search the web (Babylon)
FF SelectedSearchEngine: Search the web (Babylon)
C:\Documents and Settings\Holl\Local Settings\Temp\8m6Spbz.exe
C:\Documents and Settings\Holl\Local Settings\Temp\8m6Spbz*.exe
*****************
 
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
C:\Documents and Settings\Holl\Application Data\Other.res => Moved successfully.
Default URLSearchHook was restored successfully .
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0B4A10D1-FBD6-451d-BFDA-F03252B05984} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0B4A10D1-FBD6-451d-BFDA-F03252B05984} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0B4A10D1-FBD6-451d-BFDA-F03252B05984} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B2289C67-57B8-4AAC-B2B8-AB8B82E12247} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{B2289C67-57B8-4AAC-B2B8-AB8B82E12247} => Key not found.
C:\Documents and Settings\Holl\Application Data\Other.res => Should not be moved.
C:\Documents and Settings\Holl\Application Data\Mozilla\Firefox\Profiles\6uxdrnji.default\user.js => Moved successfully.
Firefox newtab deleted successfully.
Firefox DefaultSearchEngine deleted successfully.
Firefox SearchEngineOrder.1 deleted successfully.
Firefox SelectedSearchEngine deleted successfully.
C:\Documents and Settings\Holl\Local Settings\Temp\8m6Spbz.exe => Moved successfully.
C:\Documents and Settings\Holl\Local Settings\Temp\8m6Spbz*.exe => Moved successfully.
 
==== End of Fixlog ====
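As an added example (not code from this thread or from the FRST tool), a small Python parser for the fixlist/Fixlog format shown in the log above: it extracts the Winlogon Shell value, flags anything Winlogon would launch besides explorer.exe (the Other.res entry in this case), and tallies the fix results so that lines which did not end in a plain success can be rechecked. The sample log is a constructed, shortened copy of the one posted; the regex for FRST's trailing "[size date] ()" annotation is an assumption based on that log.

```python
import re

# Constructed sample in the FRST fixlist/Fixlog format, modelled on the log
# posted in this thread (added example, not the tool's own code).
SAMPLE_FIXLOG = r"""
Content of fixlist:
*****************
HKCU\...\Winlogon: [Shell] explorer.exe,C:\Documents and Settings\Holl\Application Data\Other.res [98304 2010-12-09] () <==== ATTENTION
URLSearchHook: ATTENTION ==> Default URLSearchHook is missing.
*****************
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
C:\Documents and Settings\Holl\Application Data\Other.res => Moved successfully.
HKCR\Wow6432Node\CLSID\{0B4A10D1-FBD6-451d-BFDA-F03252B05984} => Key not found.
C:\Documents and Settings\Holl\Application Data\Other.res => Should not be moved.
"""

# Assumption from the posted log: FRST appends "[size date] ()" and an
# "<==== ATTENTION" flag after the value; cut at whichever comes first.
_VALUE_END = re.compile(r"\s\[\d+\s\d{4}-\d{2}-\d{2}\]|\s<====|\s\(\)")

def shell_entries(line):
    """Comma-separated entries of a Winlogon [Shell] line, or None if not one."""
    m = re.search(r"Winlogon: \[Shell\] (.*)", line)
    if not m:
        return None
    value = _VALUE_END.split(m.group(1), maxsplit=1)[0]
    return [e.strip() for e in value.split(",") if e.strip()]

def shell_hijack_extras(line):
    """Everything Winlogon would launch besides explorer.exe (should be empty)."""
    entries = shell_entries(line)
    return [e for e in entries or [] if e.lower() != "explorer.exe"]

def fixlog_outcomes(text):
    """Map each FRST result message ('Moved successfully.' ...) to its count."""
    counts = {}
    for line in text.splitlines():
        if " => " in line:
            result = line.rsplit(" => ", 1)[1].strip()
            counts[result] = counts.get(result, 0) + 1
    return counts

def needs_review(text):
    """Items whose result was not a plain success, for the analyst to recheck."""
    return [line.rsplit(" => ", 1)[0] for line in text.splitlines()
            if " => " in line and "successfully" not in line]

if __name__ == "__main__":
    hits = [shell_hijack_extras(l) for l in SAMPLE_FIXLOG.splitlines() if shell_hijack_extras(l)]
    print(hits, fixlog_outcomes(SAMPLE_FIXLOG), needs_review(SAMPLE_FIXLOG))
```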


#10 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:07:32 PM

Posted 12 November 2013 - 09:00 AM

Hello again,
 
Excellent! :) Now let's get a log from another tool:
 
You can do this from normal mode on the computer with the issue!

Run Combofix

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out here or here.

Combofix may need to reboot your computer more than once to do its job...this is normal.

You can download Combofix from one of these links.
  • Close any open browsers or any other programs that are open.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you C:\Combofix.txt. Please include that in your next reply.
Note 1: Do not mouseclick Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

bloopie

#11 HLG

HLG
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 13 November 2013 - 11:33 PM

Hi Bloopie,

 

I am running Microsoft Security Center on XP.  I disabled it.  The Service status says: STOPPED.

 

I started to run Combofix and got a pop up window that says: Combofix has detected the following real time scanner(s) to be active:

 

antivirus:  Microsoft Security Essentials...............

 

I have tried to turn this off twice.  Combofix said that MSE was still on but that Combofix would run anyway and that it could damage my computer.  I do not know how to make it stop, so I just hit the power button and turned my computer off.



#12 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:07:32 PM

Posted 14 November 2013 - 09:11 AM

Hello again,

 

That's okay, just make sure you turned off MSE:

 

  • Click the "Settings" tab
  • Click "Real-Time Protection" on the left
  • Make sure the "Turn on Real Time Protection" box is unchecked
  • Then click Save Changes

 

If Combofix still gives you the warning, then ignore it and let Combofix run anyway.

 

Please post me the log when finished.

 

bloopie



#13 HLG

HLG
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 16 November 2013 - 03:20 PM

From the control panel I click on Security Center.  I see three items listed: firewall, automatic update, and virus protection.  And listed under manage security settings is: Internet options, automatic updates, and Windows firewall.


The firewall is turned off.  I have found no tabs for settings or real time protection or anything like that.



#14 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York
  • Local time:07:32 PM

Posted 16 November 2013 - 04:45 PM

Hello again,

 

The below is not to be done from the Windows control panel, but from Microsoft Security Essentials. Open up MSE either by the start menu, or by right-clicking the MSE icon on the lower right of the screen. Then with MSE open, follow the below:

 

 


  • Click the "Settings" tab
  • Click "Real-Time Protection" on the left
  • Make sure the "Turn on Real Time Protection" box is unchecked
  • Then click Save Changes

 

Does that make sense?

 

bloopie



#15 HLG

HLG
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:06:32 PM

Posted 21 November 2013 - 02:56 PM

Hello Bloopie,

 

Thank you for your patience.  Your directions to turn off MSE do not make sense.  I actually am not positive that it is on my computer.  I have no icon for it in the system tray.  What I have is a red shield; it is for Windows Security Center.  I have Comodo Firewall.  Last I knew I was running Avast but somehow it is not in the system tray anymore either.  None of the tabs that you say I need to go to to turn off stuff seem to exist.  It is the ComboFix software that says I need to turn off MSE.


Edited by HLG, 21 November 2013 - 02:57 PM.




