
All downloads stop at 30-40Kb


14 replies to this topic

#1 hrhoden

hrhoden

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:01 AM

Posted 02 October 2014 - 04:27 PM

I have an XP SP3 machine.

It had some malware on it but has been cleaned to the best of my ability.

I have scanned with Malwarebytes, SpybotSD, Superantispyware and several others.

The last few scans have found nothing.

When I start a download it will go to around 40KB then slow down to nothing.

If I start the download in Firefox, I can pause it, then it will go another 20-40K when I unpause it.

Also restored Winsock settings and files.

DDS.txt

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.51.2
Run by JoEllen at 16:17:21 on 2014-10-02
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2020.1316 [GMT -5:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\wanmpsvc.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\Common Files\AOL\1187458830\ee\AOLSoftware.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\TOSHIBA e-STUDIO Client\GLDocMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\JoEllen\My Documents\Downloads\LSPFix.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aol.com/?mtmhp=hyplogusaolp00000092
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = about:blank
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s%s
uURLSearchHooks: <No Name>:  - LocalServer32 - <no file>
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} -
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: AOL Toolbar: {BA00B7B1-0351-477A-B948-23E3EE5A73D4} -
TB: AOL Toolbar: {ba00b7b1-0351-477a-b948-23e3ee5a73d4} -
uRun: [ToshibaGLDocMon] "c:\program files\toshiba\toshiba e-studio client\GLDocMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HostManager] c:\program files\common files\aol\1187458830\ee\AOLSoftware.exe
mRun: [PeachtreePrefetcher.exe] c:\progra~1\sage\peacht~1\PeachtreePrefetcher.exe /configfile:peachtreeprefetcher.winstart.config
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [StartUp This] "c:\program files\laplink\pcmover\LaunchSt.exe"
dRunOnce: [PCmover CookieMerge] "c:\program files\laplink\pcmover\cookiemerge.exe" "c:\windows\system32\config\systemprofile\local settings\application data\laplink\pcmover\Cookies"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {05317530-B882-449D-9421-18D94FA3ED34} - hxxp://www.sis.com/ocis/OSInfo.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - hxxp://download.ebay.com/turbo_lister/US/install.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://aolsvc.aol.com/onlinegames/trydinerdash2/DinerDash2.1.0.0.67.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232984428718
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232984422296
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37859.5419212963
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-delicious-deluxe/zylomgamesplayer.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F7DCDA8B-7A96-4306-B45A-315B436DD4B7} - hxxps://72.4.203.162/web/EmulatorX.ocx
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{6CAD9857-35E1-43BC-8C52-41514413AA2B} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{F8EA7FE3-D2CF-40D4-B875-FDB2062CEB31} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{F8EA7FE3-D2CF-40D4-B875-FDB2062CEB31} : DHCPNameServer = 192.168.0.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\37.0.2062.124\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\joellen\application data\mozilla\firefox\profiles\3ijq3ls5.default\
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?mtmhp=hyplogusaolp00000093
FF - plugin: c:\documents and settings\joellen\application data\mozilla\plugins\npoff.dll
FF - plugin: c:\documents and settings\joellen\application data\mozilla\plugins\npwbe.dll
FF - plugin: c:\documents and settings\joellen\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\google\update\1.3.24.15\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30514.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_94.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [2010-2-24 54776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2014-7-22 142648]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\pvsw\bin\w3dbsmgr.exe -service -srde --> c:\pvsw\bin\w3dbsmgr.exe -service -srde [?]
R3 ITE;ITE;c:\windows\system32\drivers\ITE.SYS [2009-2-10 34820]
R3 WDMTwinax;WDMTwinax;c:\windows\system32\drivers\nltwinax.sys [2012-10-27 44996]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 BSTwxCmn;BSTwxCmn;c:\windows\system32\drivers\BSTWXCMN.SYS [2009-2-10 31008]
S3 BSTwxMac;BSTwxMac;c:\windows\system32\drivers\BSTWXMAC.SYS [2009-2-10 95712]
S3 Peachtree SmartPosting 2011;Peachtree SmartPosting 2011;c:\peach 2011\SmartPostingService2011.exe [2011-10-26 44400]
S3 Sage 50 SmartPosting 2014;Sage 50 SmartPosting 2014;c:\program files\sage\peachtree\SmartPostingService2014.exe [2013-6-4 335664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S4 035d80ae;Performance Optimizer;c:\windows\system32\rundll32.exe [2008-4-14 33280]
S4 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2012-8-23 13672]
S4 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-2-5 229688]
S4 ReimageRealTimeProtector;Reimage Real Time Protector;c:\program files\reimage\reimage protector\reiguard.exe --> c:\program files\reimage\reimage protector\ReiGuard.exe [?]
S4 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2014-7-26 1738168]
S4 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2014-7-26 2088408]
S4 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2014-7-26 171928]
.
=============== Created Last 30 ================
.
2014-10-02 19:44:25    388096    ----a-r-    c:\documents and settings\joellen\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2014-10-02 19:44:24    --------    d-----w-    c:\program files\Trend Micro
2014-10-02 19:18:09    536576    ----a-w-    c:\windows\system32\sqlite3.dll
2014-10-02 19:17:13    --------    d-----w-    C:\AdwCleaner
2014-09-30 20:51:03    --------    d-----w-    c:\documents and settings\all users\application data\Reimage Protector
2014-09-30 20:50:54    --------    d-----w-    C:\rei
2014-09-30 15:30:10    --------    d-----w-    c:\documents and settings\joellen\local settings\application data\NeoSmart_Technologies
2014-09-30 15:28:42    --------    d-----w-    c:\program files\AOL Desktop 9.7b
2014-09-30 15:23:54    --------    d-----w-    c:\windows\ERUNT
2014-09-30 15:23:25    --------    d-----w-    c:\program files\NeoSmart Technologies
2014-09-25 18:16:01    --------    d-----w-    c:\program files\AOL Desktop 9.7a
2014-09-11 18:43:06    110296    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-11 18:42:48    53208    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-09-11 18:42:48    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-09-10 20:23:08    --------    d-----w-    C:\ERDNT
.
==================== Find3M  ====================
.
2014-09-30 15:23:42    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-09-30 15:23:42    701104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-08-19 19:40:48    58696    ----a-w-    c:\windows\system32\AOLParconLink.exe
2014-08-19 18:34:17    348160    ----a-w-    c:\windows\system32\msvcr71.dll
2014-08-19 18:34:16    499712    ----a-w-    c:\windows\system32\msvcp71.dll
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5000AACS-00ZUB0 rev.01.01B01 -> Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-19
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF200] -> \Device\Harddisk1\DR1[0x8A595AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF200] -> \Device\0000006c[0x8A5C3948]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF200] -> \Device\Ide\IdeDeviceP2T0L0-19[0x8A5BFD98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a;  }
detected disk devices:
\Device\Parallel2.5 -> \??\LPTENUM#IMGVP0#6&326fc6cb&0&LPT3.5#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
.
============= FINISH: 16:18:14.46 ===============
 



#2 hrhoden

hrhoden
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:01 AM

Posted 03 October 2014 - 09:30 AM

At first if I booted into safe mode with networking everything would work ok. Downloads would do fine.

Now downloads only work when you first start the computer. They will stall after Windows has been up 1-2 minutes as it loads startup programs and drivers.



#3 hrhoden


Posted 06 October 2014 - 09:32 AM

Anyone with any ideas?



#4 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:02:01 AM

Posted 06 October 2014 - 05:11 PM

Hi hrhoden,

Are you using a download manager? Disable it if so. Disable any FF add-ons and try a download. Last:

Reset FF back to its defaults:

With FF open, go to Help > Troubleshooting Information > Reset Firefox.

 

See if those help any.

 

 


How Can I Reduce My Risk to Malware?


#5 hrhoden


Posted 07 October 2014 - 09:11 AM

I tried resetting Firefox. It did not help. It does the same in all browsers. It all started with a malware infection that was constantly opening computer repair sites.



#6 shelf life


Posted 07 October 2014 - 05:14 PM

OK, let's go with FRST and see if it can dig anything up. You said the downloads work OK in safe mode with networking?

 

Please download Farbar Recovery Scan Tool and save it to your Desktop.

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
    When the tool opens click Yes to disclaimer.
    Press the Scan button.
    When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
    Please copy and paste the log in your next reply.

The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.




#7 hrhoden


Posted 08 October 2014 - 09:24 AM

It no longer can download files in safe mode with networking. It could when the problem first started, but no longer.

Here are your logs.




#8 shelf life


Posted 08 October 2014 - 05:25 PM

OK. We will use FRST again:

Open Notepad. Please copy the contents of the code box below into Notepad.

Save it on the Desktop as fixlist.txt

Run FRST from the desktop and this time press the Fix button just once and wait. The machine may reboot to complete the fix.
The tool will make a log on the desktop after reboot (Fixlog.txt). Please post it in your reply.

S4 035d80ae; "C:\WINDOWS\system32\rundll32.exe" "c:\docume~1\alluse~1\applic~1\perfor~1\PerformanceOptimizerSvc.dll",service
c:\docume~1\alluse~1\applic~1\perfor~1\PerformanceOptimizerSvc.dll",service
HKLM\...\Run: [HostManager] => C:\Program Files\Common Files\AOL\1187458830\ee\AOLSoftware.exe [41800 2010-03-08] (AOL Inc.)
URLSearchHook: HKCU - Default Value = {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
SearchScopes: HKLM - {AF082C2B-E3F4-4BA9-A1C6-181DEE1D49ED} URL = http://search.aol.com/aol/search?q={searchTerms}&s_it=clireset-ie
SearchScopes: HKCU - DefaultScope {AF082C2B-E3F4-4BA9-A1C6-181DEE1D49ED} URL = 
SearchScopes: HKCU - B20572D19D9548B4B54FC71419E43544 URL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
SearchScopes: HKCU - {12760384-FE8B-4CD9-9319-150E89FB2977} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKCU - {392544C6-D624-4A2B-AD68-4C7DBC98EA6A} URL = http://search.aol.com/aol/search?q={searchTerms}&s_it=clireset-ie
SearchScopes: HKCU - {3E71F2CF-FE5E-4532-8BE3-B46C641B7386} URL = https://search.yahoo.com/search?fr=mcafee&type=A011US0&p={SearchTerms}
SearchScopes: HKCU - {8C6497DE-B23B-440C-AD7A-E18283A307B7} URL = 
SearchScopes: HKCU - {a17cc547-016c-4a35-a95b-de64acafa170} URL = 
Toolbar: HKLM - AOL Toolbar - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - AOL Toolbar - {BA00B7B1-0351-477A-B948-23E3EE5A73D4} - C:\Program Files\AOL Toolbar\aoltb.dll No File

How Can I Reduce My Risk to Malware?
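
A triage sketch for the SERVICES / DRIVERS section of the DDS log in post #1, which surfaces entries like the `S4 035d80ae` service addressed by the fixlist in post #8: its image is rundll32.exe, so the DLL that would actually run is not visible in the DDS line. This is an added example, not part of the thread and not code from DDS or FRST; the flag names and heuristics are assumptions, as is the reading of the `R`/`S` plus digit prefix as running/stopped and start type.

```python
import re
from typing import NamedTuple, Optional

# Lines copied from the SERVICES / DRIVERS section of the DDS log in post #1.
SAMPLE = r"""
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2014-7-22 142648]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\pvsw\bin\w3dbsmgr.exe -service -srde --> c:\pvsw\bin\w3dbsmgr.exe -service -srde [?]
S4 035d80ae;Performance Optimizer;c:\windows\system32\rundll32.exe [2008-4-14 33280]
S4 MOBKbackup;McAfee Online Backup;c:\program files\mcafee online backup\MOBKbackup.exe [2010-2-5 229688]
"""

# DDS prefix as read here (assumption): R/S = running/stopped, digit = start type.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Generic host binaries: the code that would run is a DLL named in the
# service's registry parameters, which a DDS service line does not show.
HOST_BINARIES = {"rundll32.exe", "regsvr32.exe"}

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?) \[(?P<meta>[^\]]*)\]$"
)


class Service(NamedTuple):
    name: str
    display: str
    running: bool
    start: str
    binary: str
    flags: tuple


def parse_line(line: str) -> Optional[Service]:
    """Parse one DDS service line and attach triage flags (hypothetical names)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # "a --> b" repeats the image path; the first half is enough here.
    image = m["image"].split(" --> ")[0]
    exe = re.search(r"[^\\]+\.(?:exe|sys|dll)", image, re.I)
    binary = exe.group(0).lower() if exe else ""
    flags = []
    if binary in HOST_BINARIES:
        flags.append("host_binary_image")   # real payload is a DLL not shown here
    if re.fullmatch(r"[0-9a-f]{8}", m["name"], re.I):
        flags.append("hex_service_name")    # key name looks machine-generated
    if m["meta"] == "?":
        flags.append("no_file_metadata")    # DDS printed no date/size for the file
    return Service(m["name"], m["display"], m["state"] == "R",
                   START_TYPES[m["start"]], binary, tuple(flags))


def triage(text: str) -> list:
    """Return only the services that raised at least one flag, in log order."""
    parsed = (parse_line(line) for line in text.splitlines())
    return [s for s in parsed if s and s.flags]


if __name__ == "__main__":
    for s in triage(SAMPLE):
        state = "running" if s.running else "stopped"
        print(f"{s.name} ({s.display}): {state}/{s.start}, {s.binary}: {', '.join(s.flags)}")
```

A flag is a prompt to look at the service's registry key and the referenced DLL, not a verdict; the psqlWGE entry is flagged only because DDS reported no file date or size for it.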


#9 hrhoden


Posted 09 October 2014 - 09:33 AM

OK, now it will not load Windows. I get a blank desktop with a mouse pointer and nothing else. No icons, start button, task bar, nothing.

It thankfully did load in safe mode with networking.

Here is the fixlog.




#10 shelf life


Posted 09 October 2014 - 04:31 PM

Can you bring up Task Manager from the blank screen? Hit the Ctrl-Alt-Delete keys together and see if Task Manager comes up. If so, under the process tab click on the new task button, type in explorer.exe, click OK and see if the Windows shell loads up.




#11 hrhoden


Posted 09 October 2014 - 04:37 PM

It will not bring up Task Manager or anything else in normal mode.

It is up and mostly operational in safe mode with networking.



#12 shelf life


Posted 09 October 2014 - 07:53 PM

You can check your boot.ini file:

 

Click Start, Run and type MSCONFIG

Select the Boot.ini tab

If you have dual-boot setup, select the appropriate entry under [operating systems]

In the Boot Options section at the bottom, uncheck /SAFEBOOT option if it happens to be checked

Click OK

Restart Windows

 

and/or

 

Do you have a Windows installation CD? If so, you can boot into safe mode, go to Start > Run, type in the box: sfc /scannow and insert the Windows CD. Note there is a space after the c and before the /

 

Have you recently installed any software or drivers or have updated a driver?




#13 hrhoden


Posted 10 October 2014 - 09:09 AM

Safeboot is not checked. I have not made any driver or hardware changes recently.

I have removed some potentially unwanted programs with anti-malware software but it's been a few days.

It loaded Windows fine, just downloads stopped, until I ran the fixlist in FRST.



#14 hrhoden


Posted 10 October 2014 - 02:55 PM

This time it did let me load Task Manager. Explorer.exe was already running. When I started it as a new task it did nothing, but when I killed the one already running then Windows loaded.



#15 shelf life


Posted 10 October 2014 - 05:20 PM

I don't see anything in the fixlist.txt that would keep Windows from booting up normally.

If you see explorer.exe running in Task Manager then you would see your normal desktop.

If you kill the process, then the desktop is gone, just a blank screen pretty much. Starting a new explorer.exe process would bring the desktop back up.

That doesn't sound like your experience though.

If you manage to bring it back up, do a search on your machine for explorer.exe; right-click Start > Search, I think it is. Explorer in XP should be in the C:\Windows dir.

