Suspected Virus - can't boot in windows xp professional

Post by admzjp719 on Tue Dec 29, 2009 3:13 pm

Several days ago my Dell XPS 410 with WinXP Pro had some pop-ups for 'virus protection' to remove malicious items from the PC. I tried to 'x' out of it, but I think it was too late. McAfee picked it up as a trojan I believe, but it happened fairly quickly and I don't recall the name. McAfee tried to delete it, but it kept coming back, with a red X icon in the sys tray. Eventually, Task Manager and even System Restore would not work. Even when I tried to boot in safe mode, the icon was there and there were pop-ups to download a removal tool and clean things off. Now I can't even boot up - safe mode or not. The PC looks like it tries to log on when a user is selected, then it just goes to saving files and logs off. Since I can't boot up, I cannot provide a HJT log. I am using another PC now to be able to post this question.

Thanks, any help will be appreciated.

admzjp719 (Novice)
Posts: 22
Joined: 2009-12-29
Gender: Male
OS: windows xp professional

Re: Suspected Virus - can't boot in windows xp professional

Post by Belahzur on Tue Dec 29, 2009 5:44 pm

Hello.
Do you have your XP disc?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator)
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre

Re: Suspected Virus - can't boot in windows xp professional

Post by admzjp719 on Tue Dec 29, 2009 6:47 pm

Hi Belahzur. Yes, I have my Windows XP Pro disc.


Re: Suspected Virus - can't boot in windows xp professional

Post by Belahzur on Tue Dec 29, 2009 10:09 pm

Hello.
Okay, put your XP disc in and reboot the machine.

Let's try to perform a repair install. Read here how to do a repair install:
[You must be registered and logged in to see this link.]



Re: Suspected Virus - can't boot in windows xp professional

Post by admzjp719 on Tue Dec 29, 2009 11:10 pm

Thanks, I'll give it a shot. I'll report back what happens.


Re: Suspected Virus - can't boot in windows xp professional

Post by admzjp719 on Tue Dec 29, 2009 11:29 pm

By the way, if there is a virus on the hard drive, as I suspect, do I do something after the WinXP repair - if it works - to get rid of the virus? It seems my McAfee did not do the trick the other day.


Re: Suspected Virus - can't boot in windows xp professional

Post by Belahzur on Tue Dec 29, 2009 11:31 pm

Yes, we'll get rid of the malware once we can get the machine to at least login.



Re: Suspected Virus - can't boot in windows xp professional

Post by admzjp719 on Wed Dec 30, 2009 12:20 am

Well, so far it did not work. Everything looked like it was going well, but one file did not load - I passed by it. All else went well and the install completed. When it went to the reboot after configuration, it will not go into Windows. It tries for a second, then a BSOD flashes for a microsecond and it goes into the "Windows did not load properly" window and asks for a selection - safe mode, safe mode w/networking, etc. I tried all to no avail. The BSOD flashes briefly and it goes back to the Dell window. I'm trying once more to do a WinXP repair - I'll note the file name if it fails again.


Re: Suspected Virus - can't boot in windows xp professional

Post by Belahzur on Wed Dec 30, 2009 12:39 am

Hello.

Let's try using the Avira boot disc.

Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore.

  • Download The Avira AntiVir Rescue System from [You must be registered and logged in to see this link.].
  • Just double-click on the rescue system package to burn it to a CD/DVD.
  • Then please use that CD/DVD with Avira Rescue System to boot your computer.
You'll get a boot option to either boot from hard drive or AntiVir Rescue System.


Press the number 2 on your keyboard to boot into AntiVir Rescue System.

Please wait until drivers are loaded and Main menu shows. Then please select the second option “Scan your system with AntiVir” and hit Enter.


Under Configuration, please select Scan all files, Try to repair infected files and Rename files if they cannot be removed.


Then please start the scan.

The Avira AntiVir Rescue System will now

  • repair a damaged system,
  • rescue data,
  • scan the system for virus infections.



Re: Suspected Virus - can't boot in windows xp professional

Post by admzjp719 on Wed Dec 30, 2009 12:41 am

UPDATE - I tried the install again and it found the same file missing - "IaStor.sys". I found it in the drivers folder and the install is continuing.
When I have another update, I'll let you know. If you read this before then and I'm doing something wrong, let me know. Thanks!


Re: Suspected Virus - can't boot in windows xp professional

Post by admzjp719 on Wed Dec 30, 2009 12:43 am

Sorry - it looks like I was posting at the same time as you! It's in the middle of the XP install. As soon as it's done, I'll have the CD ready and try the Avira rescue CD.


Re: Suspected Virus - can't boot in windows xp professional

Post by Belahzur on Wed Dec 30, 2009 12:44 am

Thanks for that. Stop everything: that's why your machine can't boot. iastor.sys is a needed system file.

editing this post in a sec



Re: Suspected Virus - can't boot in windows xp professional

Post by Belahzur on Wed Dec 30, 2009 12:55 am

Okay, let the install carry on till it's finished, then try booting normally. If not, we may need to replace iastor.sys, sounds like the malware tried to destroy your OS there.



Re: Suspected Virus - can't boot in windows xp professional

Post by admzjp719 on Wed Dec 30, 2009 12:58 am

Thanks. It's just finishing up. I'll let it go through with the install and reboot. I'll let you know what happens from there.


Re: Suspected Virus - can't boot in windows xp professional

Post by admzjp719 on Wed Dec 30, 2009 1:37 am

Ok - it's finished and it actually let me boot up! I have not yet seen any of the pop-ups from before either. It is not online yet - I have disconnected it from the Ethernet.


Re: Suspected Virus - can't boot in windows xp professional

Post by admzjp719 on Wed Dec 30, 2009 5:11 pm

Ok - here's the status. I've reloaded/repaired WinXP and I'm in the PC. I did a full virus scan with McAfee and it was clean. I ran a full scan with SUPERAntiSpyware and it's clean. I tried the Avira route, but when I boot to the CD, it allows me the selection to scan, but I only get some images of penguins on the screen - Linux logo? I've been able to access the internet and perform all of the Microsoft updates, including SP3 and IE8. Everything seems to be working well, except one pop-up error on start up: Data Execution Prevention Generic Host Process for Win32 Services. I have an HP all-in-one (7400) and have uninstalled and reinstalled - still get the error. I guess that's it for now, any suggestions? Thanks!


Re: Suspected Virus - can't boot in windows xp professional

Post by Belahzur on Wed Dec 30, 2009 8:24 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and HijackThis will run.
  • Select Do a system scan and save a log file. This will open a Notepad file of everything HijackThis found; copy and paste it back here.



Re: Suspected Virus - can't boot in windows xp professional

Post by admzjp719 on Thu Dec 31, 2009 1:13 am

Hi, sorry it took so long - it's been a long day! Here's the HJT file:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 8:11:55 PM, on 12/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\winlogon86.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [hurinuvuzo] Rundll32.exe "C:\WINDOWS\system32\sizehawi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [hurinuvuzo] Rundll32.exe "C:\WINDOWS\system32\sizehawi.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Google Sidewiki... - [You must be registered and logged in to see this link.] Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} (CPlayFirstmsiControl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} (SonyOnlineInstallerX) - [You must be registered and logged in to see this link.]
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - [You must be registered and logged in to see this link.]
O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL immqip.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1ca11889c538e8) (gupdate1ca11889c538e8) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14600 bytes


Re: Suspected Virus - can't boot in windows xp professional

Post by Belahzur on Thu Dec 31, 2009 4:38 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\winlogon86.exe
    O2 - BHO: (no name) - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - (no file)
    O4 - HKUS\S-1-5-19\..\Run: [hurinuvuzo] Rundll32.exe "C:\WINDOWS\system32\sizehawi.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [hurinuvuzo] Rundll32.exe "C:\WINDOWS\system32\sizehawi.dll",s (User 'NETWORK SERVICE')
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL immqip.dll


  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



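The six lines the helper picked out are the classic XP persistence points: a second program chained onto Winlogon's UserInit value, a populated AppInit_DLLs value, Run keys planted under the service-account hives, and hooks that still reference a CLSID but point at no file. The script below is an added example for this thread, not HijackThis code and not anything the posters ran: it applies those same four rules mechanically to HijackThis-style log lines. Its sample input is copied from the log posted above, with a few benign neighbours (Yahoo!, McAfee, ctfmon, RunNarrator) left in so the filter has something to leave alone; the rule wording and the `triage` function name are my own.

```python
"""Triage HijackThis-style log lines for the persistence points abused here.

Added example for this thread; it is not HijackThis code and not from the
original posters. It encodes the four judgements the helper made by hand:
an extra program chained onto Winlogon's UserInit, a populated AppInit_DLLs
value, Run keys under the service-account hives, and orphaned hooks that
point at no file.
"""
import re

# Constructed sample: lines copied from the log posted in the thread, plus a
# few benign neighbours that the rules must leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\winlogon86.exe
O2 - BHO: (no name) - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [hurinuvuzo] Rundll32.exe "C:\WINDOWS\system32\sizehawi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [hurinuvuzo] Rundll32.exe "C:\WINDOWS\system32\sizehawi.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL immqip.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.I)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$", re.I)
# O4 lines for other users' hives look like: O4 - HKUS\<SID>\..\Run: [name] command
HKUS_RUN_RE = re.compile(r"^O4 - HKUS\\(S-1-5-\d+)\\\.\.\\Run: \[(.*?)\] (.*)$", re.I)
ORPHAN_RE = re.compile(r"\(no file\)\s*$")

# Well-known service accounts. They never log on interactively, so nothing
# legitimate writes a Run value into their hives.
SERVICE_HIVES = {"S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}


def triage(log_text):
    """Return one finding dict per suspicious line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue
        section = line.split(" - ", 1)[0]
        reason = None

        m = USERINIT_RE.match(line)
        if m:
            # XP's normal value is "userinit.exe," alone; anything else in the
            # list is started by Winlogon at every logon, before the shell.
            parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
            extras = [p for p in parts if not p.lower().endswith("\\userinit.exe")]
            if extras:
                reason = "UserInit chains extra program(s): " + ", ".join(extras)

        m = APPINIT_RE.match(line)
        if m and m.group(1).strip():
            # Every DLL listed here is loaded into every process that links user32.
            dlls = re.split(r"[\s,]+", m.group(1).strip())
            bare = [d for d in dlls if "\\" not in d]
            reason = "AppInit_DLLs is populated: " + ", ".join(dlls)
            if bare:
                reason += "; bare names (resolved via the search path): " + ", ".join(bare)

        m = HKUS_RUN_RE.match(line)
        if m and m.group(1) in SERVICE_HIVES:
            reason = (f"Run value under the {SERVICE_HIVES[m.group(1)]} hive "
                      f"({m.group(1)}) starts: {m.group(3)}")
            if "rundll32" in m.group(3).lower():
                reason += " [rundll32 loading a dropped DLL]"

        if reason is None and "(no name)" in line and ORPHAN_RE.search(line):
            clsid = re.search(r"\{[0-9A-Fa-f-]+\}", line)
            reason = "orphaned hook, no name and no file on disk"
            if clsid:
                reason += f" (CLSID {clsid.group(0)})"

        if reason:
            findings.append({"section": section, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

Run as a script it prints exactly the six lines the helper asked to have fixed and nothing else. Note what the rules do not do: they never judge a file name. sizehawi.dll and immqip.dll are flagged for where they are loaded from (a service-account Run key, AppInit_DLLs), not for looking random, because that location is what the cleanup actually has to undo; the RunOnce RunNarrator entry under S-1-5-18 is a stock XP artifact and is correctly left alone.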
Re: Suspected Virus - can't boot in windows xp professional

Post by admzjp719 on Thu Dec 31, 2009 9:12 pm

Hi, performed the HJT procedure, loaded Malwarebytes, ran the cleaning and here's the log.

Thanks!

Malwarebytes' Anti-Malware 1.43
Database version: 3463
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/31/2009 2:12:00 PM
mbam-log-2009-12-31 (14-11-59).txt

Scan type: Quick Scan
Objects scanned: 165461
Time elapsed: 11 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\AVR10.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Re: Suspected Virus - can't boot in windows xp professional

Post by admzjp719 on Thu Dec 31, 2009 9:15 pm

Also, just as an FYI, after I did the steps it rebooted. Upon reboot the popup for the DEP was still there. Not sure if it related to all of this or not.

Re: Suspected Virus - can't boot in windows xp professional

Post by Belahzur on Thu Dec 31, 2009 9:26 pm

Hello.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.

Re: Suspected Virus - can't boot in windows xp professional

Post by admzjp719 on Thu Dec 31, 2009 9:52 pm

Here's the dds.txt log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Daddy-o at 16:48:15.34 on Thu 12/31/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1251 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Daddy-o\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Aim6]
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: []
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} - [You must be registered and logged in to see this link.]
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - [You must be registered and logged in to see this link.]
DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} - [You must be registered and logged in to see this link.]
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - [You must be registered and logged in to see this link.]
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - [You must be registered and logged in to see this link.]
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - [You must be registered and logged in to see this link.]
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - [You must be registered and logged in to see this link.]
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - [You must be registered and logged in to see this link.]
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli ndsero.dll
mASetup: {C97751B1-BF63-4867-87FB-49B72502DBCD} - c:\program files\microsoft office\office10\OfficeXPFirstRun.vbs
Hosts: 127.0.0.1 [You must be registered and logged in to see this link.]
Hosts: 192.168.1.112 HP0018715F181D

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\daddy-o\applic~1\mozilla\firefox\profiles\zeh2x2ra.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\daddy-o\application data\mozilla\firefox\profiles\zeh2x2ra.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\daddy-o\application data\move networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\daddy-o\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\rob\application data\idm\bin\flash\platform\winnt\plugins\npidmdcp.dll
FF - plugin: c:\progra~1\sonyon~1\npsoe.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\nbc direct\npDirectPlayerMozilla.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - hȋdden: XUL Cache: {DCBB510C-D88F-4084-B59B-8D67D2E22D50} - c:\documents and settings\rob\local settings\application data\{DCBB510C-D88F-4084-B59B-8D67D2E22D50}
FF - hȋdden: XUL Cache: {F4B9C3EE-E997-4833-88AA-8384F5FFEC85} - c:\documents and settings\john\local settings\application data\{F4B9C3EE-E997-4833-88AA-8384F5FFEC85}
FF - hȋdden: XUL Cache: {082940C9-E66F-42F0-92E2-D52BE70CE600} - c:\documents and settings\donna\local settings\application data\{082940C9-E66F-42F0-92E2-D52BE70CE600}
FF - hȋdden: XUL Cache: {E144C95D-AEED-42B0-B535-2A5B77684897} - c:\documents and settings\daave\local settings\application data\{E144C95D-AEED-42B0-B535-2A5B77684897}
FF - hȋdden: XUL Cache: {7C83F2DC-B35A-4EF4-9046-A704EB4F6D9D} - c:\documents and settings\daddy-o\local settings\application data\{7C83F2DC-B35A-4EF4-9046-A704EB4F6D9D}
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - hȋdden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-9-6 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-9-6 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-9-6 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-10 24652]
R3 athena;athena;c:\windows\system32\drivers\athena.sys [2007-9-6 107392]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-9-6 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-9-6 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-9-6 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-9-6 40552]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S2 gupdate1ca11889c538e8;Google Update Service (gupdate1ca11889c538e8);c:\program files\google\update\GoogleUpdate.exe [2009-7-30 133104]
S3 DCamUSBPremier;V3780s Digital Camera;c:\windows\system32\drivers\MPIXVID.SYS [2008-7-5 81921]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-9-6 30192]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-9-6 34248]

=============== Created Last 30 ================

2009-12-31 18:44:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 18:44:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 18:44:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 03:47:04 75776 -c----w- c:\windows\system32\dllcache\strmfilt.dll
2009-12-31 03:47:03 265728 -c----w- c:\windows\system32\dllcache\http.sys
2009-12-31 03:47:03 25088 -c----w- c:\windows\system32\dllcache\httpapi.dll
2009-12-31 01:10:46 0 d-----w- c:\program files\TrendMicro
2009-12-30 17:40:37 0 d-----w- c:\documents and settings\daddy-o\.SunDownloadManager
2009-12-30 16:20:08 649 ----a-w- c:\windows\hpntwksetup.ini
2009-12-30 07:35:07 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-30 07:35:07 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-30 07:34:40 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-30 07:34:07 0 dc-h--w- c:\windows\ie8
2009-12-30 07:02:02 0 d-----w- c:\program files\MSXML 6.0
2009-12-30 06:41:17 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2009-12-30 06:41:17 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2009-12-30 06:40:57 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-30 06:40:53 19569 ----a-w- c:\windows\003356_.tmp
2009-12-30 06:30:17 428 --sha-r- c:\documents and settings\daddy-o\ntuser.pol
2009-12-30 06:28:51 0 d--h--w- c:\windows\system32\GroupPolicy
2009-12-30 06:27:06 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-12-30 06:25:46 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-12-30 06:25:45 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-12-30 06:25:44 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-12-30 06:25:35 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2009-12-30 06:25:27 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-30 06:25:26 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-30 06:25:25 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-30 06:25:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-12-30 05:12:26 0 d-----w- c:\program files\CCleaner
2009-12-30 00:45:59 229439 -c--a-w- c:\windows\system32\dllcache\multibox.dll
2009-12-30 00:44:59 6144 -c--a-w- c:\windows\system32\dllcache\admxprox.dll
2009-12-30 00:44:59 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2009-12-30 00:44:59 49664 -c--a-w- c:\windows\system32\dllcache\adrot.dll
2009-12-30 00:44:56 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2009-12-30 00:44:49 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2009-12-30 00:44:49 6144 -c--a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2009-12-30 00:44:49 5632 -c--a-w- c:\windows\system32\dllcache\iisrstap.dll
2009-12-30 00:44:49 19968 -c--a-w- c:\windows\system32\dllcache\inetsloc.dll
2009-12-30 00:44:49 169984 -c--a-w- c:\windows\system32\dllcache\iisui.dll
2009-12-30 00:44:49 14336 -c--a-w- c:\windows\system32\dllcache\iisreset.exe
2009-12-30 00:44:46 94720 -c--a-w- c:\windows\system32\dllcache\certmap.ocx
2009-12-30 00:43:12 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2009-12-30 00:43:08 749 ---ha-r- c:\windows\WindowsShell.Manifest
2009-12-30 00:43:08 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2009-12-30 00:43:08 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2009-12-30 00:43:08 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2009-12-30 00:43:08 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2009-12-29 23:53:40 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2009-12-29 23:32:28 10559 ----a-r- c:\windows\SET15F.tmp
2009-12-29 23:32:27 7334 -c--a-w- c:\windows\system32\dllcache\wmerrenu.cat
2009-12-29 23:32:27 22339 ----a-r- c:\windows\SET15E.tmp
2009-12-29 23:32:24 13753 ----a-r- c:\windows\SET123.tmp
2009-12-29 23:32:22 1086058 ----a-r- c:\windows\SET117.tmp
2009-12-29 23:32:21 1042903 ----a-r- c:\windows\SET114.tmp
2009-12-29 18:24:27 0 d-----w- c:\windows\dell
2009-12-08 03:18:45 8 ----a-w- c:\windows\system32\nvModes.dat

==================== Find3M ====================

2009-12-30 17:43:13 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-30 00:42:08 23428 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2007-11-07 22:44:59 774144 ----a-w- c:\program files\RngInterstitial.dll

============= FINISH: 16:49:14.17 ===============

Re: Suspected Virus - can't boot in windows xp professional

Post by admzjp719 on Thu Dec 31, 2009 9:53 pm

Here's the attach log:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/29/2009 7:46:46 PM
System Uptime: 12/31/2009 2:13:35 PM (2 hours ago)

Motherboard: Dell Inc. | | 0CT017
Processor: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz | Microprocessor | 2393/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 295 GiB total, 188.133 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 12/29/2009 8:07:41 PM - System Checkpoint
RP2: 12/30/2009 12:49:08 AM - Removed Google Earth.
RP3: 12/30/2009 1:17:14 AM - Software Distribution Service 3.0
RP4: 12/30/2009 1:42:11 AM - Software Distribution Service 3.0
RP5: 12/30/2009 2:29:58 AM - Software Distribution Service 3.0
RP6: 12/30/2009 2:41:52 AM - Software Distribution Service 3.0
RP7: 12/30/2009 9:49:28 AM - Software Distribution Service 3.0
RP8: 12/30/2009 11:21:46 AM - Printer Driver HP Officejet 7400 series Installed
RP9: 12/30/2009 11:26:37 AM - Printer Driver HP Officejet 7400 series fax Installed
RP10: 12/30/2009 11:27:24 AM - Printer Driver HP remote printers Installed
RP11: 12/30/2009 12:42:47 PM - Removed Java(TM) 6 Update 11
RP12: 12/30/2009 12:43:07 PM - Installed Java(TM) 6 Update 17
RP13: 12/30/2009 8:10:45 PM - Installed HiJackThis
RP14: 12/31/2009 12:36:59 AM - Software Distribution Service 3.0
RP15: 12/31/2009 10:22:18 AM - Software Distribution Service 3.0

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Reader 7.1.0
Adobe Shockwave Player 11
AGEIA PhysX Engines
AIM 7
AIM Toolbar
Angela Young Dream Adventure
Apple Software Update
CCleaner
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
Coupon Printer for Windows
Dell CinePlayer
Dell DataSafe Online
Dell Driver Reset Tool
Dell Support Center (Support Software)
Dell System Restore
DellSupport
Dev-C++ 5 beta 9 release (4.9.9.2)
Digital Line Detect
Documentation & Support Launcher
Download Manager 2.3.7
Download Updater (AOL LLC)
EA Download Manager
Elizabeth Find M.D. Diagnosis Mystery
EQ2MAP Updater 1.1.2
EverQuest II
Farm Frenzy 3
Farm Frenzy Pizza Party
Free Realms Installer
Games, Music, & Photos Launcher
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections 11.2.1.69
Internet Service Offers Launcher
Java(TM) 6 Update 17
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Office Excel Viewer 2003
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Modem Helper
Move Media Player
Mozilla Firefox (3.0.15)
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
NBC Direct
NetWaiting
NVIDIA Drivers
OGA Notifier 2.0.0048.0
Operation Mania
OPSWAT AntiVirus and Firewall Integration Libraries
Pando Media Booster
Paradise Quest
PICTUREKA! MUSEUM MAYHEM
Professor Fizzwizzle
QuickTime
Rhapsody Player Engine
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Samsung USB Driver (MCCI 4.34) WHQL v3.4
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
Sid Meier's Civilization 4 Demo
Sonic Activation Module
SPORE™
SUPERAntiSpyware Free Edition
System Requirements Lab
The Lord of the Rings Online™: Mines of Moria™ v02.01.03.4021
The Lost Inca Prophecy
Tri Peaks 2 Quest For The Ruby Ring
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows XP (KB951978)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
URL Assistant
V3780s Digital Camera Driver
Vanguard: Saga of Heroes
Ventrilo Client
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live installer
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinRAR archiver
Womens Murder Club 2
Word Whomp( TM) Underground
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

12/30/2009 11:19:53 AM, error: PlugPlayManager [11] - The device Root\LEGACY_HPJMPR50\0000 disappeared from the system without first being prepared for removal.
12/29/2009 7:48:21 PM, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.
12/29/2009 7:43:40 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SENS with arguments "" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}
12/29/2009 6:20:11 PM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147952506 (0x8007277A).
12/29/2009 6:20:10 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147952506
12/29/2009 6:17:24 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the mcmscsvc service.

==== End Of File ===========================

Re: Suspected Virus - can't boot in windows xp professional

Post by Belahzur on Thu Dec 31, 2009 9:57 pm

More malware hiding.

Please download GooredFix from one of the locations below and save it to your Desktop
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Re: Suspected Virus - can't boot in windows xp professional

Post by admzjp719 on Fri Jan 01, 2010 4:03 am

Thanks for your help, Belahzur, and before I forget, I hope you have a very Happy and Prosperous New Year! Here is the latest log for whenever you get a chance to look at it.

GooredFix by jpshortstuff (28.12.09.1)
Log created at 22:54 on 31/12/2009 (Daddy-o)
Firefox version 3.0.15 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{DCBB510C-D88F-4084-B59B-8D67D2E22D50} -> Success!
Deleting C:\Documents and Settings\Rob\Local Settings\Application Data\{DCBB510C-D88F-4084-B59B-8D67D2E22D50} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{F4B9C3EE-E997-4833-88AA-8384F5FFEC85} -> Success!
Deleting C:\Documents and Settings\John\Local Settings\Application Data\{F4B9C3EE-E997-4833-88AA-8384F5FFEC85} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{082940C9-E66F-42F0-92E2-D52BE70CE600} -> Success!
Deleting C:\Documents and Settings\Donna\Local Settings\Application Data\{082940C9-E66F-42F0-92E2-D52BE70CE600} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{E144C95D-AEED-42B0-B535-2A5B77684897} -> Success!
Deleting C:\Documents and Settings\Daave\Local Settings\Application Data\{E144C95D-AEED-42B0-B535-2A5B77684897} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{7C83F2DC-B35A-4EF4-9046-A704EB4F6D9D} -> Success!
Deleting C:\Documents and Settings\Daddy-o\Local Settings\Application Data\{7C83F2DC-B35A-4EF4-9046-A704EB4F6D9D} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [02:39 23/03/2008]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [19:16 31/03/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [13:02 11/07/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [00:12 12/12/2008]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [02:27 19/04/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [02:17 06/08/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [17:43 30/12/2009]

C:\Documents and Settings\Daddy-o\Application Data\Mozilla\Firefox\Profiles\zeh2x2ra.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [21:15 04/09/2009]
{3112ca9c-de6d-4884-a869-9855de68056c} [17:46 30/12/2009]
{77b819fa-95ad-4f2c-ac7c-486b356188a9} [04:19 04/06/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"flashplugin@idm"="C:\Documents and Settings\Rob\Application Data\IDM\bin\flash" [02:38 20/04/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [03:19 16/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [17:43 30/12/2009]

-=E.O.F=-


Last edited by admzjp719 on Fri Jan 01, 2010 4:04 am; edited 1 time in total (Reason for editing : error in name)

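The GooredFix log above lists, in its GooredScan section, the registry values and per-user folders the tool removed, and in its GooredLog section what remained registered afterwards. The following Python triage script is an added example, not part of the thread or of GooredFix itself: it parses a constructed excerpt modelled on the posted log, collects the extension GUIDs that were successfully removed, the user profiles they lived in, and flags any machine-wide (HKLM) Firefox extension registration whose path still points into a user profile rather than Program Files or WINDOWS. That last check is a heuristic of mine, not a rule from the tool, and a hit only means "look at this", not "this is malicious".

```python
import re

# Constructed excerpt modelled on the GooredFix log posted in the thread (not the real file).
SAMPLE_LOG = r"""GooredFix by jpshortstuff (28.12.09.1)
Log created at 22:54 on 31/12/2009 (Daddy-o)
Firefox version 3.0.15 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{DCBB510C-D88F-4084-B59B-8D67D2E22D50} -> Success!
Deleting C:\Documents and Settings\Rob\Local Settings\Application Data\{DCBB510C-D88F-4084-B59B-8D67D2E22D50} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{F4B9C3EE-E997-4833-88AA-8384F5FFEC85} -> Success!
Deleting C:\Documents and Settings\John\Local Settings\Application Data\{F4B9C3EE-E997-4833-88AA-8384F5FFEC85} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [02:39 23/03/2008]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [17:43 30/12/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"flashplugin@idm"="C:\Documents and Settings\Rob\Application Data\IDM\bin\flash" [02:38 20/04/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [03:19 16/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [17:43 30/12/2009]

-=E.O.F=-
"""

SECTION_RE = re.compile(r"^=+ (\w+) =+$")
DELETE_RE = re.compile(r"^Deleting (?P<target>.+?) -> (?P<result>[A-Za-z]+)!?$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<stamp>[^\]]+)\]$')
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Matches a path under a Windows XP user profile and captures the user name.
USER_PROFILE_RE = re.compile(r"^C:\\Documents and Settings\\(?P<user>[^\\]+)\\", re.IGNORECASE)


def parse_goored_log(text):
    """Split the log into (deletions, registered).

    deletions: list of (target, result) from the GooredScan section.
    registered: dict name -> path from the HKLM Extensions dump in GooredLog.
    """
    section = None
    deletions = []
    registered = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "GooredScan":
            m = DELETE_RE.match(line)
            if m:
                deletions.append((m.group("target"), m.group("result")))
        elif section == "GooredLog":
            m = REG_VALUE_RE.match(line)
            if m:
                registered[m.group("name")] = m.group("path")
    return deletions, registered


def removed_extension_ids(deletions):
    """GUIDs (upper-cased) of extensions whose removal reported Success."""
    return {GUID_RE.search(t).group(0).upper()
            for t, result in deletions
            if result == "Success" and GUID_RE.search(t)}


def affected_users(deletions):
    """User profiles from which the tool deleted something."""
    return {USER_PROFILE_RE.match(t).group("user")
            for t, _ in deletions if USER_PROFILE_RE.match(t)}


def registrations_in_user_profiles(registered):
    """Heuristic (mine, not GooredFix's): machine-wide registrations that
    point into a per-user profile deserve a second look."""
    return {name: path for name, path in registered.items()
            if USER_PROFILE_RE.match(path)}


def triage(text):
    deletions, registered = parse_goored_log(text)
    return {
        "deleted": len(deletions),
        "removed_ids": removed_extension_ids(deletions),
        "users": affected_users(deletions),
        "review": registrations_in_user_profiles(registered),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it on a saved GooredFix.txt by passing the file contents to `triage()`; the `users` set is the useful part when, as in this thread, the same extension GUID was dropped into several profiles and each account should be checked for leftovers.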

Re: Suspected Virus - can't boot in windows xp professional

Post by Belahzur on Fri Jan 01, 2010 3:54 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Viewpoint Media Player

Please download [You must be registered and logged in to see this link.] and install it. It will install over version 3.0 you currently have installed, so you won't lose any bookmarked websites.

How is the machine running now?



Re: Suspected Virus - can't boot in windows xp professional

Post by admzjp719 on Fri Jan 01, 2010 5:56 pm

Hi - I deleted the Video Mgr and updated Firefox. The PC seems to run okay, but unfortunately, I still get the DEP pop up. Not sure about that one yet. The window is titled: "Data Execution Prevention - Microsoft Windows. It states to help protect your computer, Windows has closed this program. Name: Generic Host Process for Win32 Services. Publisher: Microsoft Corporation." Every time I close it, in a few seconds it pops back up. Thanks again for your help.


Re: Suspected Virus - can't boot in windows xp professional

Post by admzjp719 on Sun Jan 03, 2010 6:25 am

Hi - here's an update. I updated some drivers - directed by Dell - I guess having reinstalled XP caused me to have to update them, too. So far, and I'm crossing my fingers (!), the DEP popup has gone away. So far, so good. Thanks again for your help. By the way, do I have to delete or uninstall any of the things you had me use for cleaning/troubleshooting?


Re: Suspected Virus - can't boot in windows xp professional

Post by Belahzur on Sun Jan 03, 2010 9:34 pm

Delete DDS and Gooredfix, along with all the logs it made. Keep MBAM though, it's good for on demand scanning.

