
Virtumonde, WIN32.Inject.bw maybe more


  • This topic is locked
41 replies to this topic

#1 msk

    Member

  • Full Member
  • 16 posts

Posted 04 March 2008 - 04:29 PM

I have read and I am following all instructions for the website.

(ISSUE WAS RESOLVED 0200 10 Mar 2008, would like someone to check my HT log at the end of the post, thx.
If you'd like to read about my issue, cool, it was not fun, so share my pain!!! =o) )

I am currently using a different PC. The infected PC is running extremely slow. I downloaded cell phone software to get some info off my wife's broken cell phone, when the HD started thrashing. I shut down the PC immediately. When I restarted my computer, I noticed two new shortcut icons on my desktop, Windows Update and Help and Support Center. I deleted them, and they respawned. I clicked on their properties and their target is a h ttp://storageprotector.com/....I clicked on properties\change icon and an information window popped up saying:

"Title - Change Icon (Yellow Triangle Black Exclamation mark) The file %SystemDrive%\DOCUME~1
\Michael\LOCALS~1\Temp\ico9CA.tmp contains no icons. Choose an icon from the list or specify a different
file."

Followed the path to the file above, deleted the file and it respawned.
I opened My Documents and found thousands of .tmp files (example pos1.tmp, many other variations).
Attempted to delete files and got an error stating:

"Title - Error Deleting File (Red Circle white x) The instruction at 0x01d62739 referenced memory at
0x02354e50. The file could not be deleted."

I figured the reason it's taking my PC so long to start is that all these files are being loaded into the RAM at startup. Can't start the PC (even in safe mode) without these loading into memory. Also found the .tmp files in c:\windows.

At start up I get a RUNDLL error stating:

"Title - RUNDLL (Red Circle White X) Error Loading c:\windows\system32\jbqhmecb.dll Specified module could not be found."

Through an earlier Spybot run I found it was connected to vxufripa.dll. Of course I get that because I deleted the file and I also deleted the registry key, but it looks like it's respawning too, at least the registry key.

Also, when I start the PC I get one of two error windows that say:

"Title - Important-Potential Erors found in the system (Red Circle White X) During a scan of files at system startup, potential errors in the registry were found. p-07-0100 irql: 1f SYSVER 0xff00024 NT_Kernal error 1256 KMODE_EXCEPTION_NOT_HANDLED."

"Title - Your system could be come unstable (Red circle white x msg) A potential problem has been detected
and Windows has been shutdown buggy application to prevent damage to your computer. ****WXYZ.SYS - Address
F73120AE base at C00000, DateStamp 36b072A3 Kernal Debugger Using: COM2 (Port 0x28f, Baud rate 192000)."

I clicked Ok to get it off the screen. Periodically I get a flashing RED circle White X in my notification area in my taskbar with a pop up balloon pointing to the flashing icon that says:

"(Red circle White X) A Critical error could occur ***STOP: 0x000007B (0x00000, 0xCC034)*** Inaccessable handler or device. Click this balon to solve this problem."

When I click on the balloon it tries to take me to that h ttp://storageprotector.com website, but I'm offline so I don't go there.

D/L and ran FixVundo from symantec.com and no Vundo found.

Ran SUPERAntiSpyware and it found:

Unfortunately I didn't install any update b/c the PC is offline.

Ran Spybot and it found Virtumonde.general and WIN32.Inject.bw.

WIN32.Inject.bw was shown to be c:\windows\system32\windows. Found the windows file (exe but not showing an extension) and deleted it, but it reappeared. Could not find the path in the registry. It starts periodically, and when windows (exe) starts in the Task Manager it uses 100% CPU and of course slows the PC considerably. I end the process to get the PC to respond to my tasks.

As for the Virtumonde, in Registry Keys:
HKey_Users\S-1-5-21-56604596-3095290957-212901767-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A95B2816-1D7E-4561-A202-68C0D02353A}

HKey_Local_Machine\Software\Microsoft\Windows\Current Version\Explorer\Browser Objects\{A95B2816-1D7E-4561-A202-68C0D02353A}

HKey_Classes_Root\CLSID\{A95B2816-1D7E-4561-A202-68C0D02353A}
HKey_Classes_Root\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}

Tried deleting and changing the registry keys, but they kept respawning the original ones or changing the keys back to the original. Cannot remember where I saw it but I found a vxufripa.dll and a vxufripa.dllbox. I went through the registry and tried to delete the keys, but they kept respawning. The registry keys for the Virtumonde correspond with the vxufripa files. Opened Internet Options and found the corresponding browser object and disabled it. Don't know if it helped or not. Like I said, keeping that PC offline.

Most EXEs in Task Manager are right, but I have multiple msiexec.exe that start well after the PC is booted. I end their process.

I can start the PC in Diagnostic mode through msconfig, in which most messages do not pop up, but the suspect files are still loaded into memory. If I start in safe mode the desktop is black with no taskbar. I can access Windows Task Manager and the run cmd from there, but that is all in safe mode. The PC starts in Normal mode, it's just slower than a skeeter in sap.

Ran Hijack this 2.0.2 (x2), AVG Anti Spyware, and SUPERAntiSpyware. Logs below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:11 AM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSDiagnosticM] "C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [BM8b33da07] Rundll32.exe "C:\WINDOWS\system32\jbqhmecb.dll",s
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Uase] C:\Documents and Settings\Michael\Application Data\rmso.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Shortcut to patience.txt.lnk = C:\Documents and Settings\Michael\My Documents\Misc\patience.txt
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5312 bytes

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:22:24 PM 3/4/2008

+ Scan result:



HKLM\SOFTWARE\ShudderLTD -> Adware.PSGuard : Ignored.
HKLM\SOFTWARE\ShudderLTD\PSGuard -> Adware.PSGuard : Ignored.
HKLM\SOFTWARE\ShudderLTD\PSGuard\PSGuard -> Adware.PSGuard : Ignored.
HKLM\SOFTWARE\ShudderLTD\PSGuard\PSGuard\License -> Adware.PSGuard : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : Ignored.
HKU\S-1-5-21-56604596-3095290957-2122901767-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : Ignored.


::Report end

I'm not sure if this report has all the info you need, but let me know if you need more from this one and how to get it. I looked under browser objects and saw a few other things.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/04/2008 at 03:44 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 01:02:56

Memory items scanned : 285
Memory threats detected : 1
Registry items scanned : 5392
Registry threats detected : 4
File items scanned : 39550
File threats detected : 1

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\FCYAW.DLL
C:\WINDOWS\SYSTEM32\FCYAW.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11335BEE-2135-4F61-ADB9-642FD1870C88}
HKCR\CLSID\{11335BEE-2135-4F61-ADB9-642FD1870C88}
HKCR\CLSID\{11335BEE-2135-4F61-ADB9-642FD1870C88}\InprocServer32
HKCR\CLSID\{11335BEE-2135-4F61-ADB9-642FD1870C88}\InprocServer32#ThreadingModel

I went ahead and removed these, tried the Kaspersky online virus scan (failed that), then ran Hijack This again after reboot. The log is below.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:12 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSDiagnosticM] "C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [Netscape] C:\Program Files\Common Files\ISPCOMP\InstallService.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BM8b33da07] Rundll32.exe "C:\WINDOWS\system32\vdkbkxpg.dll",s
O4 - HKLM\..\Run: [8800e99b] rundll32.exe "C:\WINDOWS\system32\oronspki.dll",b
O4 - HKCU\..\Run: [Uase] C:\Documents and Settings\Michael\Application Data\rmso.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Shortcut to patience.txt.lnk = C:\Documents and Settings\Michael\My Documents\Misc\patience.txt
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows

--
End of file - 6326 bytes


I have been trying to run the online virus scanners (Kaspersky online), but the PC is running so slow, they pretty much time out.

Okay, well, I believe I've finally got rid of this thing, I just would like someone to look at my HT log and tell me if I can get rid of these BHOs with no file or no name. I did some pretty unconventional things to get rid of it.

That vxufripa.dll was a tough one, and I do not recommend to anyone to do it like this, lol. First I set up one antispyware proggie at a time to run when Windows started. vxufripa was running within an svchost shell, so I ended them (svchost) one at a time and finally deleted the file before XP rebooted, then pulled the power out of my PC. I know, I know, but it worked. Spybot was able to remove the file b/c it was no longer in memory. After I got that thing off, the rest was pretty much just tracking down the registry keys and deleting them. I got the infected PC back online so I updated my anti-spyware (AVG, Spybot, SUPERAntiSpyware, and Ad-Aware 2007). It's funny, the AVG didn't recognize the problem, but SUPERAntiSpyware did. I have a list of files, registry keys and logs of what they found before I deleted them from the system, if anyone wants a look. Anywho, ran the anti-spyware post malicious files departure, and 'twas clean (least as far as I and the proggies can tell). Ran Registry Booster for errors, defragged the registry, then defragged the HD and I'll be doing a check disk next.

But, here's the log from my last HT scan, if anyone can take a look and let me know if I can delete the BHOs with no name and no file I'd appreciate it. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:05 AM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A82B27E-4745-41F6-B02B-9DFB87C6C635} - (no file)
O2 - BHO: (no name) - {725FE32C-B3BB-4538-B58F-7B998E3186D3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9347B5A3-0B3C-406C-B793-10F8B0F3CE60} - (no file)
O2 - BHO: (no name) - {A45965DE-0DBD-4AD2-89B3-C396A636B617} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 2471 bytes

Edited by msk, 10 March 2008 - 12:29 PM.
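The HijackThis logs in the post above carry three patterns a helper would look at first: O2 BHO entries whose CLSID is still registered but whose DLL is gone ("(no file)"), O4 Run entries that call rundll32 on an eight-random-letter DLL in system32 (jbqhmecb.dll, vdkbkxpg.dll, oronspki.dll) or launch an executable out of a user profile folder (rmso.exe), and O23 services with "Unknown owner" whose binary has no file extension (the c:\windows\system32\windows that Spybot tied to WIN32.Inject.bw). The script below is an added triage example written for this thread; it is not part of the original post and not a HijackThis feature. The sample lines are copied from the logs posted above, and the heuristics (the 8-letter DLL rule, the profile-folder rule, the extensionless-service rule) are assumptions of this example, meant to prioritise entries for a human reviewer rather than to decide anything on their own.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs posted in this
# thread, mixed with known-good entries from the same logs.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A82B27E-4745-41F6-B02B-9DFB87C6C635} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [BM8b33da07] Rundll32.exe "C:\WINDOWS\system32\jbqhmecb.dll",s
O4 - HKLM\..\Run: [8800e99b] rundll32.exe "C:\WINDOWS\system32\oronspki.dll",b
O4 - HKCU\..\Run: [Uase] C:\Documents and Settings\Michael\Application Data\rmso.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
"""

# Line shapes for the three HijackThis sections this example inspects.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Heuristic (an assumption of this example): Vundo-era loaders were registered
# as rundll32 calls into an eight-random-letter DLL under system32.
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{8}\.dll", re.IGNORECASE)


@dataclass
class Finding:
    line: str    # the log line that triggered the finding
    reason: str  # why a reviewer should look at it


def triage(log_text: str) -> list[Finding]:
    """Return the log lines worth a human's attention, with a reason each."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            # A registered CLSID whose DLL is gone is a leftover registration;
            # removing the key removes nothing that still runs.
            if m["path"] == "(no file)":
                findings.append(Finding(line, "orphaned BHO registration: CLSID present, DLL missing"))
        elif m := RUN_RE.match(line):
            cmd = m["cmd"]
            if "rundll32" in cmd.lower() and RANDOM_DLL_RE.search(cmd):
                findings.append(Finding(line, "rundll32 loading an 8-random-letter DLL from system32"))
            elif "Application Data\\" in cmd:
                findings.append(Finding(line, "Run entry launching an executable from a user profile folder"))
        elif m := SVC_RE.match(line):
            # ntpath handles Windows paths correctly even when run on Linux.
            _, ext = ntpath.splitext(m["path"])
            if m["owner"] == "Unknown owner" and not ext:
                findings.append(Finding(line, "service with unknown owner and an extensionless binary"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}]\n    {f.line}")
```

The point of the split between `(no file)` BHOs and the other findings is the one the poster is asking about: an O2 entry with no file is a dead CLSID key, so fixing it through HijackThis only tidies the registry, whereas the rundll32 and extensionless-service entries still pointed at code that was loading at boot when the earlier logs were taken.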


#2 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,490 posts

Posted 08 March 2008 - 09:02 PM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 screen317

    SWI Sentinel

  • Global Moderator
  • 8,805 posts

Posted 10 March 2008 - 09:45 PM

Hello msk, and welcome to SWI.

My apologies for the delay. We're all volunteers, and we've been swamped.


Good work on trying to get rid of the problem on your own. :thumbup:


Let's check to see if there's anything you missed. :)


We'll begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingc...to-use-combofix
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


-screen317

Please consider donating to help support the continued prompt and excellent services of this site.


†Lord, have mercy on us†


#4 msk

    Member

  • Full Member
  • 16 posts

Posted 12 March 2008 - 01:17 PM

I'm military so I understand the delay and it's not a problem. :thumbup:
Here are the HT and CF logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:31 AM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A82B27E-4745-41F6-B02B-9DFB87C6C635} - (no file)
O2 - BHO: (no name) - {725FE32C-B3BB-4538-B58F-7B998E3186D3} - (no file)
O2 - BHO: (no name) - {9347B5A3-0B3C-406C-B793-10F8B0F3CE60} - (no file)
O2 - BHO: (no name) - {A45965DE-0DBD-4AD2-89B3-C396A636B617} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 2466 bytes



ComboFix 08-03-10.1 - Michael 2008-03-12 10:47:21.1 - NTFSx86
Running from: C:\Documents and Settings\Michael\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\o.exe
C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_IPRIP
-------\Iprip
-------\nm


((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))
.

2008-03-09 17:22 . 2008-03-10 00:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-09 01:37 . 2008-03-09 01:37 127,676 --a------ C:\WINDOWS\Layout3.ini
2008-03-06 14:49 . 2008-03-06 14:49 32 --a------ C:\WINDOWS\SYSTEM32\thxcfg.ini
2008-03-06 14:48 . 2008-03-06 15:53 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2008-03-04 11:55 . 2008-03-04 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-04 11:47 . 2008-03-04 11:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-02 16:13 . 2008-03-03 15:23 <DIR> d-------- C:\Program Files\Cell Phone Manager
2008-03-02 16:11 . 2008-03-02 16:11 0 --ah----- C:\WINDOWS\SYSTEM32\DRIVERS\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-03-02 16:11 . 2008-03-02 16:11 0 --ah----- C:\WINDOWS\SYSTEM32\DRIVERS\Msft_Kernel_motmodem_01005.Wdf
2008-03-02 16:07 . 2006-11-13 14:45 1,419,232 --a------ C:\WINDOWS\SYSTEM32\wdfcoinstaller01005.dll
2008-03-02 16:07 . 2006-12-13 17:52 20,992 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\motmodem.sys
2008-03-02 16:05 . 2008-03-02 16:05 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-03-02 11:49 . 2008-03-02 11:49 <DIR> d-------- C:\Documents and Settings\Michael\Application Data\Walgreens
2008-02-23 15:22 . 2008-02-23 15:22 <DIR> d-------- C:\Program Files\ffdshow
2008-02-23 12:35 . 2006-10-04 07:06 1,197,294 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\sysmain.sdb
2008-02-23 12:35 . 2006-10-04 07:06 764,868 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\apph_sp.sdb
2008-02-23 12:35 . 2006-10-04 07:06 217,118 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\apphelp.sdb
2008-02-23 12:33 . 2008-02-23 12:33 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-02-23 12:25 . 2008-02-23 12:29 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 08:01 --------- d-----w C:\Program Files\Java
2008-03-10 07:54 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-10 00:09 --------- d-----w C:\Documents and Settings\Michael\Application Data\Lavasoft
2008-03-08 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-06 23:38 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-01 19:46 --------- d-----w C:\Program Files\Warcraft III
2008-03-01 19:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-15 15:34 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-06 21:25 --------- d-----w C:\Program Files\QuickTime
2008-02-06 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-24 04:03 --------- d-----w C:\Program Files\PDF995
2008-01-24 04:03 --------- d-----w C:\Documents and Settings\Michael\Application Data\TaxCut
2008-01-24 04:02 --------- d-----w C:\Program Files\TaxCut07
2008-01-24 03:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\TaxCut
2007-10-17 22:01 66,936 --sha-w C:\WINDOWS\dlinfo_0.drv
2005-02-27 07:37 10,856 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A82B27E-4745-41F6-B02B-9DFB87C6C635}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{725FE32C-B3BB-4538-B58F-7B998E3186D3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9347B5A3-0B3C-406C-B793-10F8B0F3CE60}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A45965DE-0DBD-4AD2-89B3-C396A636B617}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless-G Notebook Adapter.lnk]
backup=C:\WINDOWS\pss\Wireless-G Notebook Adapter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
-ra------ 2006-03-28 14:48 622592 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-10-02 11:37 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2003-10-21 15:07 229376 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2005-03-17 13:25 57393 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSDiagnosticM]
--a------ 2007-02-27 15:29 315392 C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--a------ 2005-01-26 17:02 49152 C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2002-04-01 13:50 528384 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2002-04-01 13:52 118784 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SPTISRV"=3 (0x3)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Linksys Wireless-G Print Server\\PSDiagnosticM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R3 lknuhst;Linksys Network USB Host Controller;C:\WINDOWS\system32\DRIVERS\lknuhst.sys [2006-10-18 17:32]
R3 LKNUHUB;Linksys Network USB Root Hub;C:\WINDOWS\system32\DRIVERS\lknuhub.sys [2006-10-18 17:32]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 11:50]
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 21:28]
S3 Ich;Ich;C:\WINDOWS\system32\DRIVERS\Ich.sys [2002-01-13 14:25]
S3 LKNUCMP;Linksys Network USB Composite Device;C:\WINDOWS\system32\DRIVERS\lknucmp.sys [2006-10-18 17:32]
S3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2004-09-24 22:36]
S3 P1130VID;Creative WebCam NX Pro;C:\WINDOWS\system32\DRIVERS\P1130Vid.sys [2003-06-11 13:00]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-18 05:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-09 22:32:01 C:\WINDOWS\Tasks\feb27.job"
- C:\Documents and Settings\Michael\My Documents\feb27.txt
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 10:58:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-12 11:05:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-12 18:05:24

Thanks again for your help.

Edited by msk, 12 March 2008 - 05:19 PM.


#5 screen317 (SWI Sentinel, Global Moderator, 8,805 posts)

Posted 14 March 2008 - 12:56 AM

Hi msk,


Please open HijackThis, and select Do a system scan only.

Place a checkmark next to the following entries:


O2 - BHO: (no name) - {1A82B27E-4745-41F6-B02B-9DFB87C6C635} - (no file)
O2 - BHO: (no name) - {725FE32C-B3BB-4538-B58F-7B998E3186D3} - (no file)
O2 - BHO: (no name) - {9347B5A3-0B3C-406C-B793-10F8B0F3CE60} - (no file)
O2 - BHO: (no name) - {A45965DE-0DBD-4AD2-89B3-C396A636B617} - (no file)


If you or an administrator did not set the following restriction, place a checkmark next to it as well:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Then, close all other open windows, leaving only HijackThis open, and select Fix checked.


Next, please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database: Extended
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK and, under Select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Also post a fresh HijackThis log.

-screen317

Please consider donating to help support the continued prompt and excellent services of this site.


†Lord, have mercy on us†


#6 msk (Member, Full Member, 16 posts)

Posted 14 March 2008 - 06:33 PM

Hello again :thumbup:

I hope I got the Kasp scan right. I was wondering if you could tell me what this is:

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

Here are the current logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:26 PM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 2203 bytes


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 14, 2008 4:12:52 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/03/2008
Kaspersky Anti-Virus database records: 630142
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 54954
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:22:12

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Documents\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\MUSIC.ASX Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\MUSIC.BMP Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\MUSIC.WMA Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Michael\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Michael\ntuser.dat Object is locked skipped
C:\Documents and Settings\Michael\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP10\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB823559$\kb823559.cat Object is locked skipped
C:\WINDOWS\$NtUninstallQ329048$\q329048.cat Object is locked skipped
C:\WINDOWS\$NtUninstallQ329048$\zipfldr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ329115$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ329115$\q329115.cat Object is locked skipped
C:\WINDOWS\$NtUninstallQ329170$\q329170.cat Object is locked skipped
C:\WINDOWS\$NtUninstallQ329170$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallQ329390$\q329390.cat Object is locked skipped
C:\WINDOWS\$NtUninstallQ329390$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ329441$\q329441.cat Object is locked skipped
C:\WINDOWS\$NtUninstallQ329834$\q329834.cat Object is locked skipped
C:\WINDOWS\$NtUninstallQ329834$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallQ810577$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallQ810577$\q810577.cat Object is locked skipped
C:\WINDOWS\$NtUninstallQ810833$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ815021$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ815021$\q815021.cat Object is locked skipped
C:\WINDOWS\$NtUninstallQ817606$\q817606.cat Object is locked skipped
C:\WINDOWS\$NtUninstallQ817606$\srv.sys Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Thanks again. Have a good weekend.

#7 screen317 (SWI Sentinel, Global Moderator, 8,805 posts)

Posted 16 March 2008 - 03:18 AM

Hi msk,

I was wondering if you could tell me what this is:

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

It's a legitimate entry relating to the Microsoft Client Service for NetWare. It shows up in my HijackThis log too.


Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.


Aside from that, good work. Your log appears to be clean!

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Comodo
Kerio
Outpost

2) It is imperative that you have an antivirus. You are basically asking for infection without one. :lol:
All of the following are excellent free antiviruses. Be sure to only install one.

AVG
AntiVir
avast!

3) Download and install Spybot-Search & Destroy, which has great features (specifically Immunization and TeaTimer) that help prevent malware from getting on your computer. Also a great scanner for weekly checks of the health of your system.

4) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

5) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

6) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

7) Be sure to update your Antivirus and Antispyware programs often!


Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?




Safe surfing,

-screen317

Edited by screen317, 16 March 2008 - 03:18 AM.

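The triage screen317 walks through in posts #5 and #7 (orphaned O2 BHO entries with "(no file)" are queued for Fix checked, while an O10 Winsock LSP entry is checked against a list of vetted modules rather than removed) as an added example; this is not HijackThis's or the forum's own code. The sample lines are copied from the logs in this thread, and the one-entry LSP allowlist is an assumption.

```python
"""Triage of HijackThis log lines.

Added example for this thread; not HijackThis's or the forum's own code.
The sample lines below are copied from the logs posted in the thread.
"""
import re
from dataclasses import dataclass, field

# A CLSID in braces, as HijackThis prints it for O2 (BHO) entries.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Winsock LSP modules already vetted by the helper. nwprovau.dll is the
# Client Service for NetWare provider (confirmed legitimate in post #7).
# Assumption: a real allowlist would be longer and maintained over time.
KNOWN_LSP = {"nwprovau.dll"}

# Constructed from lines that appear in posts #5 and #6 of this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {1A82B27E-4745-41F6-B02B-9DFB87C6C635} - (no file)
O2 - BHO: (no name) - {725FE32C-B3BB-4538-B58F-7B998E3186D3} - (no file)
O2 - BHO: (no name) - {9347B5A3-0B3C-406C-B793-10F8B0F3CE60} - (no file)
O2 - BHO: (no name) - {A45965DE-0DBD-4AD2-89B3-C396A636B617} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
"""


@dataclass
class Triage:
    start_pages: list = field(default_factory=list)    # R0/R1 URLs
    orphaned_bhos: list = field(default_factory=list)  # O2 CLSIDs with (no file)
    loaded_bhos: list = field(default_factory=list)    # O2 (clsid, dll path)
    run_entries: list = field(default_factory=list)    # O4 (key, name, command)
    known_lsps: list = field(default_factory=list)     # O10 paths on the allowlist
    unknown_lsps: list = field(default_factory=list)   # O10 paths needing lookup
    services: list = field(default_factory=list)       # O23 (name, vendor, path)


def triage_hijackthis(log_text: str) -> Triage:
    """Classify each HijackThis line by its section prefix.

    An O2 entry ending in '(no file)' is a registry leftover whose DLL is
    gone; those are the entries post #5 says to tick and fix.
    """
    t = Triage()
    for raw in log_text.splitlines():
        section, sep, rest = raw.strip().partition(" - ")
        if not sep:
            continue
        if section in ("R0", "R1"):
            t.start_pages.append(rest.split(" = ", 1)[-1])
        elif section == "O2":
            m = CLSID_RE.search(rest)
            clsid = m.group(0) if m else "<no clsid>"
            if rest.endswith("(no file)"):
                t.orphaned_bhos.append(clsid)
            else:
                t.loaded_bhos.append((clsid, rest.rsplit(" - ", 1)[-1]))
        elif section == "O4":
            key, _, tail = rest.partition(": [")
            name, _, command = tail.partition("] ")
            t.run_entries.append((key, name, command))
        elif section == "O10":
            path = rest.split(": ", 1)[-1]
            dll = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            (t.known_lsps if dll in KNOWN_LSP else t.unknown_lsps).append(path)
        elif section == "O23":
            parts = rest.split(" - ")
            name = parts[0].split(": ", 1)[-1]
            vendor = parts[1] if len(parts) > 2 else ""
            t.services.append((name, vendor, parts[-1]))
    return t


def fix_checklist(t: Triage) -> list:
    """Items for the helper's reply: orphaned O2 entries go straight to the
    'Fix checked' list; an unvetted LSP is listed for lookup only, because
    removing a live LSP can leave Winsock unable to resolve names."""
    items = [f"fix O2 (no file) {clsid}" for clsid in t.orphaned_bhos]
    items += [f"verify O10 LSP {path}" for path in t.unknown_lsps]
    return items


if __name__ == "__main__":
    result = triage_hijackthis(SAMPLE_LOG)
    for item in fix_checklist(result):
        print(item)
    print(f"{len(result.loaded_bhos)} BHO(s) backed by a file, "
          f"{len(result.known_lsps)} vetted LSP(s), {len(result.services)} service(s)")
```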


#8 msk (Member, Full Member, 16 posts)

Posted 16 March 2008 - 03:33 AM

Thanks for all your help. I really appreciate it. Would you recommend using a third party browser like Firefox as well as the other tips in the last post?

Also, do you or any of your associates recommend any tech support sites for troubleshooting the installation of WIN XP software? Having major issues with formatting on my gaming pc and I've been at it for weeks.

Thanks again and have a good, safe weekend. :thumbup:

#9 screen317 (SWI Sentinel, Global Moderator, 8,805 posts)

Posted 16 March 2008 - 03:39 AM

Hi msk :wave:

You're very welcome. :)

Yes, I would definitely recommend using Firefox as an alternative to Internet Explorer; it is much safer for you. :)


Also, do you or any of your associates recommend any tech support sites for troubleshooting the installation of WIN XP software? Having major issues with formatting on my gaming pc and I've been at it for weeks.

Microsoft has a good write-up on how to format. Perhaps it's something I can assist you with?

-screen317



#10 msk (Member, Full Member, 16 posts)

Posted 16 March 2008 - 11:10 AM

I've looked at most of the MS info on this particular issue and done most of what they say will "fix" the issue but with no success. :techsupport:

I would be grateful for the assistance, shall we continue in this forum or move to another? :thumbup:

#11 screen317 (SWI Sentinel, Global Moderator, 8,805 posts)

Posted 16 March 2008 - 01:36 PM

We can stay in this topic. :)



#12 msk (Member, Full Member, 16 posts)

Posted 18 March 2008 - 03:33 PM

Sorry it's taken so long to get back to you. Here are my system specs (let me know if you need more info).

AMD Athlon XP 1700+ (o/c to 1.9 MHz)
Asus A7V266-C Jumper free DDR DRAM 266 MHz FSB AGP x4 Socket A
VIA KT266A chipset, VIA VT8233A chipset
786 MB DDR RAM
GeForce 4 Ti 4200 64 MB
Western Digital 250 GB ATA HD
Maxtor 20 GB ATA HD
24x10x40 CD-RW drive
3.5 Floppy

I'll try to make this as short as possible. Trying to reinstall WIN XP SP2 from CD (2002) on WD HD. At first I had two HDs in the system, WD plus a 20GB Maxtor. Maxtor had WIN 98 and WD had XP SP2 on it. One fine day, received

"NTLDR is missing. Press CTRL+ALT+DEL to Restart computer." :techsupport:

So I did and got the same error msg. Time and time again. So I checked the hardware first. Things were okay, cables in the right places, HD jumpers set to cable select. Tried again, with same result. Loaded the XP CD in the drive and booted from CD drive into windows. Did not go into recovery, b/c didn't know how to do it, so went into XP installation. Saw both partitions, FAT 32 and NTFS. Tried to reformat WD with NTFS to reload XP, but came back with an error stating that WIN XP could not perform the format b/c the partition is damaged. Load of crap, but okay, so I went online and D/Led the Data Life Guard Diagnostic tools from WD. Ran the extended test and came back with no errors. Restarted pc with WIN XP CD, went into Recovery. Used some tips from MS website loading the boot.ini, NTLDR and NTDETECT.com. Anyhow, went into recovery and tried to copy the files from the floppy to the C:\ and got a blue screen error saying:

"An error has been detected and windows has been shut down to prevent damage to your computer.

BAD_POOL_HEADER..." :techsupport:

DOH, so I took out the Maxtor HD and tried to install again. Tried to reformat WD with NTFS to load a fresh XP, but came back with an error stating that WIN XP could not perform the format b/c the partition is damaged. Next bought new ULTRA cables. Realized that the old cable was detaching from the 80 pin molding. Installed the new ultra cable and left the Maxtor HD out of the equation. Using the WD software, checked the disk again for errors, and used the quick format. Tried to reformat WD with NTFS to load a fresh XP, but came back this time with an error stating that the HD had a non-Windows partition. Okay, so re-zeroed the drive with the WD Software, then put in the WD CD software (HD drivers) again. (Tried it when I successfully first loaded XP, but the disk didn't work.) CD loaded the Caldera DR-DOS 7.05 and loaded the IDE CD-ROM driver. Began following test with following results:

"Int 13 Level Communications:
Attempting Int 13 IO to drive 80 (after about a minute) No Response :techsupport:

ATA Level Communications:
Attempting PM ATA Identify (flashing cursor for indefinite period of time or until I restart pc)" :techsupport:

Eventually just restarted the PC. Reloaded the DataLife Software and wrote zeros again. Full erase. Loaded the XP CD and abracadabra, whaddya know, XP loads no problem. Cool, I think I've solved the issue, wrong, lol. Registered XP, went online with firewall active and autoupdates. XP begins to update. Restarts pc, autoupdates again the 86 files. Good. One doesn't load. XP restarts, updates last update (one that didn't load before) and all is happy in silicon ville. Then start loading the MoBo drivers (VIA Integrated 4 in 1 Driver for v4.34V) first like I always do and pc restarts while the drivers are loading and ...BOOM...

"NTLDR is missing. Press CTRL+ALT+DEL to restart pc." :techsupport:

I accomplished the above steps again with the exact same results only now XP doesn't recognize the formats, now I continually get the Non-Windows partition error, but there is no partition to delete or raw data to create a partition. Only shows "238246 MB". When I hit "C" window comes up saying the error about a non-windows partition. So, slightly upset now, b/c my achievements are slipping constantly away, I D/Led Darik's Boot and Nuke and did that to start with a clean slate. Took like 4 hrs to write zeros to the drive, but now I am constantly receiving the same non-windows partition error even when there is no partition on the disk. Help. :wtf:

So I tried an idea. Install WIN 98 on the Maxtor, then install XP on the Maxtor. 98 installed wonderfully. I then tried to load XP from WIN 98 GUI and it looked like the install was going well. XP was loading, went through the setup stage in WIN98 GUI. Then I needed to restart the pc, and it took me into the XP CD install. Tried to load XP through the setup and it came back to the blue setup screen. Would not let me partition the drive for the NTFS setup. I deleted the FAT32 partition, and tried to create another partition, but it would only go back to the create partition screen with no partition created. Restarted the pc from the WIN XP CD. At the install page, tried to create a partition and it said that the HD couldn't create a partition b/c the disk had a non-windows partition on it. Go figure. :wtf:

Edited by msk, 18 March 2008 - 10:37 PM.


#13 screen317 (SWI Sentinel, Global Moderator, 8,805 posts)

Posted 19 March 2008 - 01:08 AM

Hi msk,


I'm going to have a word with the experts of the forum, and see what they can come up with. :)



#14 screen317 (SWI Sentinel, Global Moderator, 8,805 posts)

Posted 22 March 2008 - 06:36 PM

Hi msk,

Didn't mean for you to wait this long. My apologies.


The results of your testing seem to indicate that your drive may be dying.

Since there is no essential data on this drive, I would recommend purchasing a new hard drive.

This article gives some good information on drive purchasing know-how.


Let me know how it goes.



-screen317



#15 msk (Member, Full Member, 16 posts)

Posted 25 March 2008 - 12:37 PM

Well the tests all came back with no errors. I really don't think the drive is bad as I have loaded XP on it twice. It just keeps going back to the NTLDR is missing. Other than getting a new drive, money is tight, is there anything else we might be able to try? I've had the drive for only about 6 months, so it's past the return policy from the store and I don't want to pay WD anything to "fix" it or replace it. Like burning money ya know. Thanks for the help, and don't worry about the lag time, I've been busy as well.

Scratch everything above. I have an idea. I want to install WIN XP on my Maxtor 20 GB HD. Then I will mount the WD 250GB HD. Let's do it this way, step by step. I have WIN 98 already installed on it and ran a scandisk with no errors. What do I need to do to install XP?

Edited by msk, 25 March 2008 - 03:30 PM.


#16 screen317 (SWI Sentinel, Global Moderator, 8,805 posts)

Posted 27 March 2008 - 11:45 PM

Hi msk,


I found this article recently. Take a look and see if there are any possible solutions that you haven't tried yet.


I have WIN 98 already installed on it and ran a scandisk with no errors. What do I need to do to install XP?

This Microsoft article looks like it explains that very well. Take a look.



Let me know how it goes.


-screen317



#17 msk (Member, Full Member, 16 posts)

Posted 31 March 2008 - 05:56 PM

Hey Scr,

I've done the clean install of XP before and it got nowhere. I'll tell you what. I have WIN98 loaded. I'm going to try and install XP from the CD. Boot from the CD. Then I'll post a screenshot of the error I get and we go from there. I'll be doing this through the day so I'll just update this post after each try. I need to find a free place to post the pics. Wish me luck.... :scratchhead:

Okay, entered the CD. Went into BIOS and changed to CD-ROM as primary boot device.

Booted up the system and here is the first sequence and result.

{website goes here}

And as I said, I do not believe the result b/c WIN98 is installed on the disk and I have run the Life data tools scan disk a number of times and it comes back with no errors.....

More tests to come.....

Edited by msk, 31 March 2008 - 09:03 PM.


#18 screen317 (SWI Sentinel, Global Moderator, 8,805 posts)

Posted 03 April 2008 - 01:17 AM

Hi msk,

You can use www.imageshack.us or www.photobucket.com to upload your pictures.

Edited by screen317, 03 April 2008 - 01:17 AM.



#19 msk (Member, Full Member, 16 posts)

Posted 03 April 2008 - 06:04 PM

Okay I have them loaded on Photobucket. Just wanted to repost the last one with it. Thanks again.

Hey Scr,

I've done the clean install of XP before and it got nowhere. I'll tell you what. I have WIN98 loaded. I'm going to try and install XP from the CD. Boot from the CD. Then I'll post a screenshot of the error I get and we go from there. I'll be doing this through the day so I'll just update this post after each try. I need to find a free place to post the pics. Wish me luck.... :scratchhead:

Okay, entered the CD. Went into BIOS and changed to CD-ROM as primary boot device.

Booted up the system and here is the first sequence and result.

http://s296.photobuc...e... problem 1/

And as I said, I do not believe the result b/c WIN98 is installed on the disk and I have run the Life data tools scan disk a number of times and it comes back with no errors.....

More tests to come.....

#20 msk (Member, Full Member, 16 posts)

Posted 03 April 2008 - 06:05 PM

oops double post sorry.. :rolleyes:

Edited by msk, 03 April 2008 - 06:07 PM.


#21 screen317 (SWI Sentinel, Global Moderator, 8,805 posts)

Posted 05 April 2008 - 02:15 PM

Hi msk,


I reviewed your images.

Notice what it says in image six:

Windows XP can use FAT or NTFS, but converting this drive to NTFS will make this drive unusable by other operating systems installed on this computer

I believe this may be what corrupted the WIN98 install you currently have on there, thus explaining why in image eight, you get:

Setup has determined that drive C: is corrupted and cannot be repaired.



My suggestion is to do the following (if you have done this already, please provide an image of the error you get).


In the step at image five, select the following:

Format the partition using the FAT file system





I have a question too. If you selected "Leave the current file system intact (no changes)," why does image six indicate that you selected "Convert the partition to NTFS"?



#22 msk (Member, Full Member, 16 posts)

Posted 06 April 2008 - 12:07 PM

I will go ahead and at step 5 select "Format the partition using the FAT file system". As for your question, lol, I have in the past selected to keep the current file system intact. What usually happens after the XP install starts, it will load all the files and restart the pc. Then it will boot from the CD and go back to the blue Windows setup screen. When it gets to the partition screen, it only shows unpartitioned space. I'm sure we will get to this problem eventually, lol. As for now, I'll format the drive using FAT. I haven't touched the pc since the last try so I'm not sure it will still show a partition. That seems to be an ongoing issue. If there is no partition, I will not reinstall WIN98, just go ahead and try to load XP and I'll get the screen shots of that too. Thanks so much for all your help, I really appreciate it.

FYI - time is really tight over here and not a factor to me. I'm not concerned about how long it takes to fix it or troubleshoot extensively until we run out of options.

By the way I am using the 20 GB Maxtor HD. Never had problems with it before this. :thumbup:

#23 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • 8,805 posts

Posted 08 April 2008 - 07:00 PM

That seems to be an ongoing issue. If there is no partition, I will not reinstall WIN98, just go ahead and try to load XP and i'll get the screen shots of that too. Thanks so much for all your help, I really appreciate it.

Okay. I'll be automatically notified when you reply, so reply at your leisure. :wave:



#24 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • 8,805 posts

Posted 10 April 2008 - 10:08 PM

Hi msk,


If you are able to return back to the scenario where you had "NTLDR is missing. Press CTRL+ALT+DEL to Restart computer," please do so, as I may have found a solution for you.


Let me know if you are able to do so.



#25 msk

msk

    Member

  • Full Member
  • 16 posts

Posted 14 April 2008 - 07:07 PM

Well, I decided to "try" something. I disconnected the 20GB Maxtor HD and connected the 250GB Western Digital HDD. I set the jumper on my 250 GB Western Digital HD to Master w/ Slave. Set the BIOS to load from CD. At restart, the pc said "Primary drive failure", as expected since I set the jumper to M w/ S. "Press F1 to continue" I pressed F1 and Windows loaded from the CD (blue screens from previous try). Went to the partition screen, and formatted the drive using NTFS. Left the pc to go get my son from school. When I got home, the pc said "Primary drive failure", as expected since I set the jumper to M w/ S. Went into the BIOS and changed the boot sequence to 1. HDD, 2. CD-ROM, and restarted the PC. After restart, went to the Windows XP screen with the blue horizontal scroll bar on the screen. PC then restarted itself and went to the "Primary drive failure" and I pressed F1 to continue. To my joy, I got "NTLDR is Missing Press CTRL+ALT+DEL to restart". :thumbup:

So I got to where you wanted me to be.

What's next, chief?

#26 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • 8,805 posts

Posted 14 April 2008 - 10:16 PM

Hi msk,

Before we continue, I need to ask a couple things for preparation:


1) Does this computer have a floppy drive?
2) Do you have access to another computer? If yes to #1, does this other computer have a floppy drive as well?
3) Do you have a USB flashdrive?

-screen317



#27 msk

msk

    Member

  • Full Member
  • 16 posts

Posted 16 April 2008 - 08:26 PM

Yes to all. :thumbup:

By flash drive, you mean a USB thumb drive correct?

#28 pomp

pomp

    Forum Deity

  • Helper
  • 1,163 posts

Posted 17 April 2008 - 09:57 PM

Hello,

screen317 has asked me to post.

Let's see what we can do here.

You do have spare floppy disks, right? And the other computer you have access to, is it Windows XP, right?

If Yes, to both of those questions, boot up your other computer.

Do the following to Show hidden files


In C:\ you should see "ntldr" ...

Make sure you have your floppy disk in the drive.

Right click the "ntldr" file, choose Send To, then 3 1/2 Floppy (A:).

In the computer that is having the booting problem, put the xp disc in the cdrom drive. Restart your computer.

Tap the 'del' key until the BIOS shows up. You should see a 'boot sequence' option in the BIOS. Make sure the CDROM drive is at the top of that list so it's the first one to boot. Save the changes and exit the BIOS. Your computer restarts and the xp disc loads.

You should see "To repair a Windows XP installation using recovery console, press R". So press R.

A black screen with white text should come up.

Put your floppy disk that you saved the ntldr file onto, into the computer having the problem.

In the command prompt, type "A:" (without quotes).

It should show that you are in the A: directory. (A:>)

type in the following: "copy ntldr C:" (without quotes)

It should say that it was copied.

If so, type 'exit'.

Take the floppy and cd rom out of the drive.


Go back into your BIOS and change the boot sequence to boot from the Hard Drive first. Then save changes and restart computer.

Windows should now boot successfully!


Please post back with how everything went.

Edited by pomp, 17 April 2008 - 10:00 PM.





PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#29 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • 8,805 posts

Posted 08 May 2008 - 06:51 PM

Still with us msk...?



#30 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • 8,805 posts

Posted 17 May 2008 - 08:31 PM

Due to the lack of feedback this Topic is closed.

[Reopened]

Everyone else please begin a New Topic.



#31 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • 25,268 posts

Posted 23 May 2008 - 08:44 PM

Reopened at request of topic owner.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#32 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • 8,805 posts

Posted 23 May 2008 - 11:00 PM

Hi msk,

Update me on the current situation.



#33 msk

msk

    Member

  • Full Member
  • 16 posts

Posted 24 May 2008 - 12:41 AM

Sorry it's taken so long. Been busy at work and wife's a little ill. :unsure:

Okay, here's what happened after following your last instructions for the ntldr file:

After I hit Enter for A:\copy ntldr c:

:evilgrin: [BLUE SCREEN] :evilgrin:

A problem has been detected and windows has been shut down to prevent damage to your computer.

BAD_POOL_HEADER

If this is the first time you have seen this stop error screen, restart your computer. If this screen appears again follow these steps:

Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any windows updates you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, Press F8 to select advanced Startup options and then select Safe Mode.

Technical information:
***STOP: 0x00000019 (0x00000020, 0xe10eag90, 0xe10eage8, 0x0c0b0810).

:evilgrin: [BLUE SCREEN] :evilgrin:

So I tried it again and received the same error message above. Prior to beginning the entire process, I disconnected all hardware except for the USB mouse and USB keyboard. As far as I can tell, the BIOS does not have any caching or shadowing enabled. Of course I cannot use Safe Mode because as soon as the PC is past the initial diagnostic screen (RAM check and storage device loading) I get the "NTLDR is Missing Press CTRL+ALT+DEL" error message. Also, because this happened before XP finished loading, I have not loaded any other software.

Should I try to hook up a regular keyboard and mouse and try it again?

I did check with Western Digital website and the HD has a 3 yr warranty. I just want to exhaust all possibilities before waiting weeks on end for them to send me a replacement.

Thanks again for your patience. I really appreciate all the work you're putting into this for me. I'll try to not have you hanging on for so long again. :thumbup:

#34 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • 8,805 posts

Posted 25 May 2008 - 02:41 AM

Hi msk,


I found this article which may help fix the NTLDR is missing message:

http://www.techsuppo...e/Tips/157.html

Scroll down to the Windows XP steps, and let me know if it works.

-screen317



#35 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • 8,805 posts

Posted 07 June 2008 - 03:42 AM

Still with us msk?



#36 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • 8,805 posts

Posted 15 June 2008 - 11:49 PM

Due to the lack of feedback this Topic is closed.

[Reopened]

Everyone else please begin a New Topic.



#37 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • 25,268 posts

Posted 19 June 2008 - 01:34 PM

Reopened at request of topic owner.



#38 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • 8,805 posts

Posted 19 June 2008 - 01:39 PM

Hi msk,

Let me know what's going on.



#39 msk

msk

    Member

  • Full Member
  • 16 posts

Posted 20 June 2008 - 07:57 PM

Sorry it took so long to get back. I'll get back to you quicker from now on. Okay, so I did this:

* Insert the Windows® XP CD into the computer.
* When prompted to press any key to boot from the CD, press Any key.
* Once in the Windows® XP Setup Menu press the R key to repair Windows.
* Log into your Windows installation by pressing the 1 key then, Enter.
* You may be prompted for your Administrator Password, enter that password. (If there is no password just leave it blank and press Enter)
* Copy the two files, ntldr and ntdetect.com to the root directory of the primary hard disk by typing the following commands.

In this example it is presumed that the CD-ROM Drive is E:; however, it will be necessary to type in the correct Letter for the corresponding Drive.

copy e:\i386\ntldr c: (ENTER)

Then it went to the BAD_POOL_HEADER Blue Screen again so I never got to try the next step:

copy e:\i386\ntdetect.com c: (ENTER).

After that I tried this:

Corrupted boot.ini File (Step 2 Fix)

* Insert the Windows® XP CD into the computer.
* When prompted to press any key to boot from the CD, press Any key.
* Once in the Windows XP Setup Menu press the R key to repair Windows.
* Log into the Windows® installation by pressing the 1 key and pressing enter.
* You will then be prompted for your Administrator Password, enter that password. (If there is no password just press Enter)

At the command prompt type in the following commands:

chkdsk /r (Please note the space after chkdsk and the /r) (ENTER)

It said, "There are one or more unrecoverable problems with your harddrive."

Then I went ahead with the next step:
fixboot (ENTER)

It said that the boot sequence was corrupt and replaced it.

Then I did:
exit (ENTER)

And restarted the pc, but still nothing happened. I restarted from the XP CD-ROM but got the same message:

"There are one or more unrecoverable problems with your harddrive."

Then I shut it down and left. Any more ideas? It seems the fix is usually finding a way to reload the ntldr files, but it doesn't work for mine. I will probably just go and buy a new one and return this one to WD so they can send me a replacement. But if you can think of anything else, let me know. Thanks a bunch! :thumbup:
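The "Corrupted boot.ini File" fix in the post above only helps if boot.ini actually points NTLDR at the right partition, which is hard to eyeball from a Recovery Console prompt. The following is an added example, not part of this thread and not a tool any of the helpers here used: a small offline checker for a Windows XP boot.ini that parses the [boot loader] and [operating systems] sections, validates the ARC path syntax (multi(0)disk(0)rdisk(0)partition(1)\WINDOWS), and confirms the default= entry matches a listed operating system. The two sample files are constructed for the example; the partition numbering and section names are the real XP conventions.

```python
"""Offline sanity check of a Windows XP boot.ini (added example, not from the thread)."""
import re

# ARC path grammar that NTLDR accepts for IDE/SATA and SCSI disks, e.g.
#   multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
# Group 2 captures the partition number, which is 1-based in ARC notation.
ARC_RE = re.compile(
    r"^(multi|scsi)\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\((\d+)\)(\\\S*)?$",
    re.IGNORECASE,
)

# Constructed sample: a typical single-OS XP boot.ini.
GOOD_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""

# Constructed sample with two common defects: partition(0) (ARC partitions
# start at 1) and a default= entry with no matching [operating systems] line.
BAD_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(0)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""


def parse_boot_ini(text):
    """Return {section: [(key, value), ...]} preserving order and key case.

    Returns None when a non-comment line appears outside any section or has
    no '=' in it, which is how a truncated or overwritten boot.ini usually looks.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            return None
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def check_boot_ini(text):
    """Return a list of human-readable problems; an empty list means the file looks sane."""
    sections = parse_boot_ini(text)
    if sections is None:
        return ["file has text outside any [section]; likely truncated or corrupt"]
    problems = []
    loader = {k.lower(): v for k, v in sections.get("boot loader", [])}
    systems = sections.get("operating systems", [])
    if "boot loader" not in sections:
        problems.append("missing [boot loader] section")
    if not systems:
        problems.append("no entries under [operating systems]")
    timeout = loader.get("timeout")
    if timeout is not None and not timeout.isdigit():
        problems.append(f"timeout is not a number: {timeout!r}")
    default = loader.get("default")
    if default is None:
        problems.append("no default= line in [boot loader]")
    entry_paths = []
    for key, value in systems:
        m = ARC_RE.match(key)
        if not m:
            problems.append(f"malformed ARC path: {key!r}")
            continue
        if int(m.group(2)) == 0:
            problems.append(f"partition(0) is invalid, ARC partitions start at 1: {key!r}")
        if not value.startswith('"'):
            problems.append(f"entry {key!r} lacks a quoted description")
        entry_paths.append(key.lower())
    if default is not None and default.lower() not in entry_paths:
        problems.append(f"default= {default!r} does not match any [operating systems] entry")
    return problems


if __name__ == "__main__":
    for name, sample in (("good", GOOD_BOOT_INI), ("bad", BAD_BOOT_INI)):
        found = check_boot_ini(sample)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

To use it on a real system you would copy boot.ini off the root of the system partition (it is hidden, system and read-only, so show hidden files first, as pomp describes above) onto a working machine and pass its contents to check_boot_ini. The checker deliberately reports every problem it finds rather than stopping at the first, since a corrupt boot.ini typically has more than one.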

#40 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • 8,805 posts

Posted 22 June 2008 - 04:53 PM

Hi msk,


Unfortunately, by the looks of things, it seems as though your hard drive is corrupted beyond repair. :(

I recommend returning that one to WD and getting a new one, as we've exhausted all steps we could come up with.

Sorry that we couldn't get through this one.


Any other questions or concerns?


-screen317



#41 msk

msk

    Member

  • Full Member
  • 16 posts

Posted 22 June 2008 - 07:54 PM

No more Q's at all. I figured we were headed in that direction. Thanks for all your help, I really appreciate it. Take care, and I'll be back if I have any other issues. :thumbup:

MSK

#42 screen317

screen317

    SWI Sentinel

  • Global Moderator
  • 8,805 posts

Posted 24 June 2008 - 03:19 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.





