Service Pack 2. PC won't boot. In Loop with Blue Screen


  • This topic is locked
19 replies to this topic

#1 gramsay007

Posted 06 December 2009 - 09:52 PM

Hello,

I am troubleshooting someone's PC who had a major virus problem.

Dell Dimension 4550
Windows XP - Home Edition
Service Pack 1
256 MB - RAM

Their virus was so bad that Task Manager, "run/cmd", and programs would crash.
I used System Restore to roll back to a date in October.
That seemed to work, as the PC had no symptoms of a virus.
I decided to do Microsoft Updates, which included Service Pack 2.
The download/installation of Service Pack 2 seemed to have frozen and did not complete.

Now the PC won't boot.
The PC will power up, and after the Windows splash screen there is a blue screen that displays briefly and mentions:
PAGE FAULT.

The PC won't boot in all modes of Safe Mode.
I have a boot floppy for Windows 98-SE, but that doesn't seem to help.

Any suggestions will be appreciated.

Peace,
GR   :cool:

Edited by gramsay007, 20 December 2009 - 04:36 PM.


#2 SWI Support Robot

Posted 09 December 2009 - 03:36 PM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.


[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq

Posted 17 December 2009 - 09:33 AM

Hi,

No the PC, wont boot.

The PC will power-up and after the Windows Splash-screen there is blue-screen

that displays briefly and mentions:

PAGE FAULT.


Please post the complete information about the Page Fault.

Some examples of Page Fault:
http://aumha.org/a/stop.htm
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#4 nasdaq

Posted 31 December 2009 - 11:24 AM

Glad we could help. :)


[Reopened] Everyone else please begin a New Topic.

#5 gramsay007

Posted 22 January 2010 - 04:56 PM

Hello,

Please reopen topic:
Service Pack 2. PC won't boot. In Loop with Blue Screen

I have more details.

http://www.spywarein...howtopic=126693

This problem occurred after removing viruses, then installing updates, including Service Pack 2.
The update process did not complete and the PC won't boot.

Dell Dimension 4550 / Windows XP Home Edition Service Pack 1
PC will not boot at all.
Safe Mode (stops at agp440.sys) and all other modes don't work.
A blue screen flashes for a second and it won't boot .....

PAGE_FAULT_IN_NONPAGED_AREA
STOP:0x00000050:

I have since tried the DELL Restoration CD.
* Select R for Repair
* chkdsk /r - stage #4 there were lots of bad clusters
* fixboot
PC still won't boot.

Remove 60GB drive from Dell Dimension 4550
* place in Dell Optiplex GX240 / Windows XP Pro as a slave drive
* boot GX240 ok.
* able to access and read 60GB drive
* execute disk cleanup ... McAfee antivirus on GX240 detected Trojan Virus.

Place 60GB drive into GX240 as Master drive
* 60GB drive does not boot
* still has: PAGE_FAULT_IN_NONPAGED_AREA / STOP:0x00000050:
* Safe Mode still halts at agp440.sys and does not boot

Decide to back up 60GB data:
- Documents and Settings
- Programs

* place in Dell Optiplex GX240 / Windows XP Pro as a slave drive
* Copy D:\Documents and Settings to GX240:C\
* Copy D:\Documents and Settings to CD drive [2 CDs]
* Execute Windows Easy Transfer: D:\Documents and Settings to CD drive
* Copy D:\Program Files to CD

At this point 60GB data has been backed up.

Next step is an elegant way to boot the 60GB drive in the DELL 4550, without the loss of data and not reinstall XP.

(Note: Two (2) calls were placed to Dell Technical Support. Their best solution was to reinstall XP w/ Restoration CD ...... Or escalate this problem to their .. "Fee based" Tech Support)

Any suggestions are appreciated.

(Should this post be under: PC Troubleshooting ??)

Peace,
GR   :cool:

Edited by gramsay007, 22 January 2010 - 05:04 PM.


#6 cnm

Posted 22 January 2010 - 11:09 PM

Reopened at request of topic owner.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#7 nasdaq

Posted 23 January 2010 - 09:52 AM

Hi,

Can you submit a fresh HijackThis for my review?

Please download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:
  • Save HJTInstall.exe to your desktop.
  • Double-click on HJTInstall.exe to run the program.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Accept the license agreement by clicking the "I Accept" button.
  • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  • Click "Save log" to save the log file and then the log will open in Notepad.
  • Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Delete the older version once you have successfully downloaded and installed the latest version.

#8 gramsay007

Posted 23 January 2010 - 04:43 PM

Hi,

Can you submit a fresh HijackThis for my review?

Please download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:

  • Save HJTInstall.exe to your desktop.
  • Double-click on HJTInstall.exe to run the program.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Accept the license agreement by clicking the "I Accept" button.
  • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  • Click "Save log" to save the log file and then the log will open in Notepad.
  • Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Delete the older version once you have successfully downloaded and installed the latest version.

Hello nasdaq,

Thanks for your reply.

HijackThis won't work since the PC - Dell Dimension 4550 will not boot in any modes, including Safe Mode.
I can only access the 60GB drive of the Dell Dimension if I mount it as a slave in another PC.
I can access the 60GB drive as expected.

So far I have backed up:

60GB:
D:\Documents and Settings
D:\Programs

Is there a way to execute HijackThis on the mounted 60GB drive?
My concern is: is there an elegant way to get the Dell Dimension 4550 (w/60GB) to boot?

Peace,
GR   :cool:

#9 nasdaq

Posted 23 January 2010 - 04:48 PM

I suggest you contact Dell and get a boot disk.

#10 gramsay007

Posted 23 January 2010 - 05:04 PM

I suggest you contact Dell and get a boot disk.

Hello nasdaq,

Thanks for your reply. I now have a Dell Reinstallation CD.

Earlier I posted this:

"I have since tried the DELL Restoration CD.
* Select R for Repair
* chkdsk /r - stage #4 there were lots of bad clusters
* fixboot
PC still won't boot."

I have called Dell twice.
Since fixboot did not work, their response was to re-install XP, which means losing data and programs.
I don't want to do that now.
That would be the last case scenario.
Dell's other response was to escalate my issue to their .. "Fee-based" Tech Support.
I'm trying to find an elegant way to get the Dell Dimension 4550 (w/60GB) to boot.

Peace,
GR   :cool:

Edited by gramsay007, 23 January 2010 - 05:06 PM.


#11 nasdaq

Posted 24 January 2010 - 09:36 AM

If you can get to the Recovery console with the Dell CD try this.

XP: Repair or fix master boot record using recovery console
http://www.tech-reci...covery_console/

If that fails to fix the Master Boot Record and Dell is not able to help you can try this if you wish.
Not sure if it will work. In any event you are not able to do anything now.

Tutorial for Avira Rescue CD
http://forum.avira.c...&threadID=82163

#12 gramsay007

Posted 28 January 2010 - 11:16 PM

If you can get to the Recovery console with the Dell CD try this.

XP: Repair or fix master boot record using recovery console
http://www.tech-reci...covery_console/

If that fails to fix the Master Boot Record and Dell is not able to help you can try this if you wish.
Not sure if it will work. In any event you are not able to do anything now.

Tutorial for Avira Rescue CD
http://forum.avira.c...&threadID=82163

Hello,


Here is an update.

I tried the Avira Rescue CD which helped a bit but did not fix everything.

I used the DELL Restoration CD and selected "Upgrade".

That helped a lot and was able to retain user data and profile settings.

The latest problem is the virus that caused this issue in the first place:

  • Internet Security-2010
I used MBAM and HJT to try to remove that virus.

I have made some progress.

I now have:

  • Spyware Alert - Worm.win32.netdky
  • svchost.exe - Bad Image - C:\windows\system32\helper32.dll
  • PDP RPC Server Window: LMPDPSRV.exe - Bad Image
Here is the latest HJT log:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:10 PM, on 1/28/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
C:\WINDOWS\system32\smss32.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\HJT\HiJackThis 2_0_2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6657 bytes



-----------------------------------------

Peace,

GR   :cool:

#13 nasdaq

Posted 29 January 2010 - 10:15 AM

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Nice work.


Download LSPfix
Unzip the file to a folder on your desktop.
Double-click to run
Select: (Advanced) "I know what I'm doing"
Select: helper32.dll (left pane)
Click the right arrow to bring it to REMOVE (right pane).
Then click the FINISH button. Restart your computer.

On restart Open Windows Explorer, locate and delete:

C:\WINDOWS\system32\helper32.dll <--this file

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe


Click on Fix Checked when finished and exit HijackThis.

Delete these files in bold.
C:\WINDOWS\system32\winlogon32.exe
C:\WINDOWS\system32\smss32.exe

Restart the computer again.
===

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.
===

Please run this security check for my review.

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Include a fresh HijackThis and the MBAM logs.

Let me know what problem persists.

p.s.
Please when replying use the Add Reply button. I do not need to see my previous instructions.
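
The entries singled out in the post above (the F2 UserInit override, the O4 smss32.exe Run value and the O10 helper32.dll LSP) can be picked out of a HijackThis log mechanically. The following is an added example, not part of the original thread and not HijackThis's own logic: a Python triage script whose rule set, function names and list of imitated system binaries are assumptions chosen to match this thread, run over lines copied from the log posted earlier.

```python
import ntpath
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
"""

# Assumption: a short list of core XP binaries whose names get imitated
# with a "32" suffix, as winlogon32.exe and smss32.exe do in this thread.
SYSTEM_NAMES = {"smss", "winlogon", "csrss", "lsass", "services",
                "svchost", "userinit", "explorer"}

# "F2 - ...", "O4 - ...", "O10 - ..." section lines.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Path up to the first ".exe" followed by whitespace, a quote or end of line,
# so paths with spaces and trailing arguments are handled.
EXE_RE = re.compile(r'"?(.+?\.exe)(?=\s|"|$)', re.IGNORECASE)


def parse_entries(log_text):
    """Yield (section, body) for each section line; all other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def lookalike(path):
    """Return the system binary a file name imitates (smss32.exe -> smss), else None."""
    stem, ext = ntpath.splitext(ntpath.basename(path).lower())
    if ext == ".exe" and stem.endswith("32") and stem[:-2] in SYSTEM_NAMES:
        return stem[:-2]
    return None


def triage(log_text):
    """Return de-duplicated findings for the three entry types flagged in the thread."""
    findings, seen = [], set()

    def add(section, path, reason):
        key = (section, path.lower())
        if key not in seen:
            seen.add(key)
            findings.append({"section": section, "path": path, "reason": reason})

    for section, body in parse_entries(log_text):
        low = body.lower()
        if section == "F2" and "userinit=" in low:
            # The stock value is userinit.exe (usually with a trailing comma).
            value = body.split("=", 1)[1]
            for item in filter(None, (p.strip() for p in value.split(","))):
                if ntpath.basename(item).lower() != "userinit.exe":
                    add(section, item,
                        "Userinit value launches a program other than userinit.exe")
        elif section == "O10" and low.startswith("unknown file in winsock lsp:"):
            add(section, body.split(":", 1)[1].strip(),
                "unrecognised DLL in the Winsock LSP chain")
        elif section == "O4":
            m = EXE_RE.search(body.split("]", 1)[-1].strip())
            if m:
                name = lookalike(m.group(1))
                if name:
                    add(section, m.group(1),
                        "file name imitates system binary %s.exe" % name)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-3s %s  <- %s" % (f["section"], f["path"], f["reason"]))
```

A hit is only a prompt for manual review: legitimate software also registers LSPs and Run values, which is why the instructions above say to check nothing beyond the listed lines.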

#14 gramsay007

Posted 31 January 2010 - 11:07 AM

Hello nasdaq,

Thanks for your help.

Here are the requested logs:

  • Malwarebytes Anti-Malware log

Malwarebytes' Anti-Malware 1.44
Database version: 3667
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180 1/31/2010 10:43:50 AM
mbam-log-2010-01-31 (10-43-50).txt

Scan type: Quick Scan
Objects scanned: 168830
Time elapsed: 11 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\IS15.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

----------------------------------------------------------------------------------------------------------


  • checkup.txt
Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
``````````````````````````````
Anti-malware/Other Utilities Check:

Yahoo! Anti-Spy
HijackThis 2.0.2
CCleaner
Adobe Flash Player 10
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

----------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:44 AM, on 1/31/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Norton Security

Suite\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program

Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton Security

Suite\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HiJackThis 2_0_2.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Search Bar =

http://red.clientapp.../ie/defaults/sb

/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 -

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper -

{02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class -

{52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program

Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: Symantec NCO BHO -

{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program

Files\Norton Security Suite\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention -

{6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program

Files\Norton Security Suite\Engine\3.5.2.11\IPSBHO.DLL
O2 - BHO: SingleInstance Class -

{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program

Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dl

l
O3 - Toolbar: ZeroBar -

{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program

Files\NetZero\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Norton Toolbar -

{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program

Files\Norton Security Suite\Engine\3.5.2.11\coIEPlg.dll
O4 - HKLM\..\Run: [LMPDPSRV]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM

XP Pro\FreeRAM XP Pro.exe" -win
O4 - Global Startup: Lexmark X125 Settings Utility.lnk =

C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: Display All Images with

Full Quality - res://C:\Program

Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full

Quality - res://C:\Program

Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: Messenger -

{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com -

{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}

(YInstStarter Class) -

http://us.dl1.yimg.c.../dl/installs/yi

nst20040510.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000}

(YahooYMailTo Class) -

http://us.dl1.yimg.c.../dl/installs/ys

e/ymmapi_416.dll
O18 - Protocol: symres -

{AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program

Files\Norton Security Suite\Engine\3.5.2.11\coIEPlg.dll
O20 - Winlogon Notify: GoToAssist - C:\Program

Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL

LLC - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: GoToAssist - Citrix Online, a division of

Citrix Systems, Inc. - C:\Program

Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: McciCMService - Motive Communications,

Inc. - C:\Program Files\Common

Files\Motive\McciCMService.exe
O23 - Service: Norton Security Suite (N360) - Symantec

Corporation - C:\Program Files\Norton Security

Suite\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation

- C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: WAN Miniport (ATW) Service

(WANMiniportService) - America Online, Inc. -

C:\WINDOWS\wanmpsvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo!

Inc. - C:\Program

Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 5439 bytes
----------------------------------------------------------------------------------------------------

The PC is much more stable now.

Just want to remove viruses before I install MS Updates.

Peace,
GR

#15 nasdaq

Posted 01 February 2010 - 10:01 AM

ADOBE - Reader and Flash Players vulnerabilities.

Visit Link to ADOBE and download the latest version of Acrobat Reader.
Having the latest updates ensures there are no security vulnerabilities in your system.

Adobe has confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions.
I suggest you install version 9.3
http://www.adobe.com....jsp?ftpID=4607

===

Security updates available for Adobe Flash Player.
http://www.adobe.com.../apsb09-19.html

Adobe recommends all users of Adobe Flash Player 10.0.32.18 and earlier versions upgrade to the newest version 10.0.42.34 by downloading it from the Flash Player Download Center or by using the auto-update mechanism within the product when prompted...
Adobe Flash Player version 10.0.42.34
http://get.adobe.com/flashplayer/
===

Please submit a fresh HijackThis log.
p.s.
Before you post your log remove the Word Wrap function from NotePad. You will find the setting under the Format menu.
This will eliminate the additional blank lines on your HijackThis log and make it easier to analyze.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
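
Word Wrap splits each HijackThis entry across several lines, which is why a fresh log was requested above. As an added example (not part of the original posts and not HijackThis's own code), this Python sketch rejoins wrapped entries and splits O23 service lines into fields; the function names are assumptions, and the sample is constructed from two entries of the wrapped log in this thread.

```python
import re

# A HijackThis entry starts with a section code such as "R1 - " or "O23 - ".
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")

# Constructed sample: two O23 entries from the wrapped log in this thread,
# laid out the way Notepad's Word Wrap left them.
WRAPPED = r"""O23 - Service: GoToAssist - Citrix Online, a division of

Citrix Systems, Inc. - C:\Program

Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: WAN Miniport (ATW) Service

(WANMiniportService) - America Online, Inc. -

C:\WINDOWS\wanmpsvc.exe

--
End of file - 5439 bytes
"""

def unwrap(text):
    """Rejoin entries split by Word Wrap; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines introduced by the wrap
        if line == "--" or line.startswith("End of file"):
            break                         # log trailer
        if ENTRY.match(line):
            entries.append(line)          # start of a new entry
        elif entries:
            entries[-1] += " " + line     # continuation: the wrap broke at a space
    return entries

def parse_service(entry):
    """Split an O23 line into display name, service name, vendor and path."""
    body = entry.split(" - ", 1)[1]
    if not entry.startswith("O23 - ") or not body.startswith("Service: "):
        return None
    parts = body[len("Service: "):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    label, vendor, path = parts
    m = re.match(r"^(.*) \(([^()]+)\)$", label)   # optional "(ServiceName)" suffix
    display, name = (m.group(1), m.group(2)) if m else (label, label)
    return {"display": display, "name": name, "vendor": vendor, "path": path}
```
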

#16 gramsay007

gramsay007

    Member

  • Full Member
  • 68 posts

Posted 02 February 2010 - 01:07 PM

Hello nasdaq,

Thanks for your help.

ADOBE - Reader and Flash Players were updated.

Here is the latest HiJackThis Log:

---------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:58 PM, on 2/2/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Norton Security Suite\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton Security Suite\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HiJackThis 2_0_2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\3.5.2.11\IPSBHO.DLL
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\3.5.2.11\coIEPlg.dll
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Security Suite\Engine\3.5.2.11\coIEPlg.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 5552 bytes

-------------------------------------------------

Thanks ...

Peace,
GR

#17 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 03 February 2010 - 09:29 AM

Nice work, your log is clean.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
How did I get infected in the first place?
http://spywareinfofo...showtopic=60955
nasdaq


#18 gramsay007

gramsay007

    Member

  • Full Member
  • 68 posts

Posted 03 February 2010 - 09:35 AM

Hello nasdaq,

That's great to hear.

This was the most challenging PC problem I've ever had.

My friend will be happy.

Peace,

GR   :cool:

#19 gramsay007

gramsay007

    Member

  • Full Member
  • 68 posts

Posted 08 February 2010 - 02:17 PM

Dell Dimension 4550 PC problem has been resolved !

Thanks !

Peace,

GR   :cool:

#20 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 22 February 2010 - 10:40 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
nasdaq




