I seems OK. I don't notice anything running slow and all services seem to be there. I'm tempted to call this solved and can notify you otherwise if something crops up. Not sure why it won't run ComboFix, etc., but I think the issue was probably in all those nasties Kaspersky got rid of.
Again, I must thank you for your time and effort on this one, PP!!!!
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\SITEguard deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1131580844-927001921-2767165888-1008\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-1131580844-927001921-2767165888-1008\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}\ not found.
Registry value HKEY_USERS\S-1-5-21-1131580844-927001921-2767165888-1008\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
C:\WINDOWS\otihizajifoha.dll moved successfully.
C:\WINDOWS\oxikoziyequ.dll moved successfully.
C:\WINDOWS\uvipologo.dll moved successfully.
C:\WINDOWS\osixuzayahejozu.dll moved successfully.
C:\WINDOWS\ikocifal.dll moved successfully.
C:\WINDOWS\icehuroz.dll moved successfully.
C:\WINDOWS\abijofulohoqus.dll moved successfully.
C:\WINDOWS\awademad.dll moved successfully.
C:\WINDOWS\ayusezax.dll moved successfully.
C:\WINDOWS\urubalikoqatu.dll moved successfully.
C:\WINDOWS\icebovidog.dll moved successfully.
C:\WINDOWS\ajetepin.dll moved successfully.
C:\WINDOWS\uzoweweciqusolet.dll moved successfully.
C:\WINDOWS\igorixuqu.dll moved successfully.
C:\WINDOWS\itusoxebuxeyaki.dll moved successfully.
C:\WINDOWS\esabiritadumo.dll moved successfully.
C:\WINDOWS\upovidogosixaxet.dll moved successfully.
C:\WINDOWS\uxulidar.dll moved successfully.
C:\WINDOWS\izojanox.dll moved successfully.
C:\WINDOWS\aheminix.dll moved successfully.
C:\WINDOWS\ifukapakuka.dll moved successfully.
C:\WINDOWS\axavubeqo.dll moved successfully.
C:\WINDOWS\ivafomohuxe.dll moved successfully.
C:\WINDOWS\iwuqinicim.dll moved successfully.
C:\WINDOWS\ufaxonugidelubem.dll moved successfully.
C:\WINDOWS\azirujomura.dll moved successfully.
C:\WINDOWS\ijurugug.dll moved successfully.
C:\WINDOWS\ilinomozolocemu.dll moved successfully.
C:\WINDOWS\uketubali.dll moved successfully.
C:\WINDOWS\ibecoteziva.dll moved successfully.
C:\WINDOWS\uzupabus.dll moved successfully.
C:\WINDOWS\idutocedo.dll moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: All Users
User: BJ
->Temp folder emptied: 132463282 bytes
->Temporary Internet Files folder emptied: 53437243 bytes
->Java cache emptied: 173511870 bytes
->FireFox cache emptied: 60106190 bytes
->Flash cache emptied: 876559 bytes
User: bryan
->Temp folder emptied: …
As I was watching PE, there is a spike about every 25 seconds caused by Java Quick Start. Also, as I was typing another note to advise of this, CPU went to 100% - I looked and one of the svchosts was at ~98% and CPU was pegged for some seconds...when I moved the window another OTL log had popped up, strange because I had stopped OTL. Now that I've thought about it, that might have been avast! starting back up - I had stopped it for an hour. Here's the log:
OTL Extras logfile created on: 2/14/2011 5:26:23 AM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\BJ\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 2000 4000 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 8.24 Gb Free Space | 22.13% Space Free | Partition Type: NTFS
Computer Name: BJONSON | User Name: BJ | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All …
OTL logfile created on: 2/14/2011 5:26:23 AM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\BJ\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 68.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): C:\pagefile.sys 2000 4000 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 8.24 Gb Free Space | 22.13% Space Free | Partition Type: NTFS
Computer Name: BJONSON | User Name: BJ | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - [2011/02/14 05:23:22 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\BJ\Desktop\OTL.exe
PRC - [2011/01/13 03:47:34 | 003,396,624 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2011/01/13 03:47:33 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/10/16 19:56:18 | 000,134,808 | ---- | M] (Google …
Well, since DDS is non-invasive, I ran it 3 times. It hangs the computer at the same place (number of :s) - I'm watching Task Mgr graph and the system just stops. No reports issued or found.
I'll try ComboFix again. I'll let it run from now at 5pm until tomorrow morning and report back - unless it runs.
OK. Don't know what was causing the CPU spikes....they seem to be gone and I didn't see extraordinary slow speeds when I began ComboFix.
I'm trying to watch progress with Process Explorer (thnx for that btw) but when ComboFix started up it stopped PE. CF asked me to close Avast! but other than that it proceeded normally until it got to the scan screen. It did not progress beyond that...similar to what happened the first time I ran it. no stages, no other activity. After some hours, giving it plenty of time, I tried to access PE again and the computer was hung...didn't even let me click the PE icon.
That's it currently except for: on reboot, everything seems to run at speed with no strange stuff happening while looking at Process Explorer. The complete startup until avast started running seemed a long wait but that may be my perception.
looks like a marathon on this one, thanks again for hanging in there...
Volume in drive C has no label.
Volume Serial Number is 6BB5-2493
Volume in drive C has no label.
Volume Serial Number is 6BB5-2493
Directory of C:\RECYCLER\S-1-5-21-1131580844-927001921-2767165888-1008\Dc10
08/31/2000 08:00 AM 141,312 ComboFix-Download.cfxxe
1 File(s) 141,312 bytes
Total Files Listed:
1 File(s) 141,312 bytes
0 Dir(s) 8,195,936,256 bytes free
hmmmmmmmmmm
in searching for combofix to delete, it's found 145 iterations so far and not finished searching.
I'll delete them all but thought that might influence the thinking on this? I'll wait before any actions just in case - up to 153 while I typed this.
Reg Query got the desired result.
Phillies.exe deleted
mbam ran clean.
I guess we're ready to run combofix?
OK, here's Peek - I did find all 4 files, am proceeding to delete them and run RunThis again. btw, PeekTemp folder was empty. Deleting these 4 files took forever due to the speed of the system...
I'm adding this after reboot: explorer.exe is there and runs!! we're making progress. There is definitely something running, Task Mgr performance curve is spiking up to 50% usage with no inputs. every 30 seconds or so.
Since I found explorer.exe and it runs, I'm going to wait for more input from you before trying anything else. Not even trying RunThis again, as I said above - I know you're in another time zone, so will run mbam and maybe Kaspersky to see if I can flush out what's running and post the reports.
Microsoft Windows XP [Version 5.1.2600]
Fri 02/11/2011
08:50 PM
### Current Winlogon Shell Value ###
Shell REG_SZ Phillies.exe
### Looking for nt.dll ###
!!!!File NOT Found!!!!
### Looking For C:\WINDOWS\system32\dll ###
!!!!File NOT Found!!!!
C:\WINDOWS\System32\winlogon.exe Everyone:(OI)(CI)F
Directory of C:\WINDOWS\$NtServicePackUninstall$
08/04/2004 03:00 AM 502,272 winlogon.exe
1 File(s) 502,272 bytes
Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 07:12 PM 507,904 winlogon.exe
1 File(s) 507,904 bytes
Directory of C:\WINDOWS\system32
04/13/2008 07:12 PM 507,904 winlogon.exe
1 File(s) 507,904 bytes
Total Files Listed:
3 File(s) 1,518,080 bytes
0 Dir(s) 8,198,746,112 bytes free
no log popped up. I can't copy what's in the DOS window so typing:
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
The operation completed successfully
The system cannot find the file specified.
File Not Found
The system cannot find the file specified.
File Not Found
what is the logfile called?
standing by....thanks!!
after getting ubuntu up and fixing winlogon, I rebooted. On the reboot, Kaspersky popped up and asked if wanted to continue where it left off. I did. it didn't find anything else and that's the report you saw.
Meanwhile, to be sure something wasn't lingering on startup, I ran kaspersky again with avast! and firewall turned off. It found this:
Autoscan: completed 10 hours ago (events: 15, objects: 3278, time: 00:03:07)
2/10/2011 6:46:17 AM Task completed
2/10/2011 6:43:10 AM Task started
2/9/2011 8:55:25 AM Task stopped
2/9/2011 8:54:39 AM Detected: Trojan.Win32.Patched.lk C:\WINDOWS\system32\winlogon.exe
2/9/2011 8:39:01 AM Deleted: Backdoor.Win32.Shiz.dfc C:\WINDOWS\system32\dll
2/9/2011 8:39:00 AM Deleted: Backdoor.Win32.Shiz.asi C:\WINDOWS\system32\nt.dll
2/9/2011 8:30:27 AM Detected: Backdoor.Win32.Shiz.asi C:\WINDOWS\system32\nt.dll
2/9/2011 8:29:35 AM Detected: Backdoor.Win32.Shiz.dfc C:\WINDOWS\system32\dll
2/9/2011 6:52:59 AM Deleted: HEUR:Trojan.Win32.Generic C:\Documents and Settings\BJ\My Documents\Downloads\install_flash_player(2).exe
2/9/2011 6:52:39 AM Deleted: Trojan-Downloader.Java.OpenStream.ad C:\Documents and Settings\BJ\Application Data\Sun\Java\Deployment\cache\6.0\60\4422213c-4808fbf3/myf/y/PayloadX.class
2/9/2011 6:52:32 AM Detected: Trojan-Downloader.Java.OpenStream.ad C:\Documents and Settings\BJ\Application Data\Sun\Java\Deployment\cache\6.0\60\4422213c-4808fbf3/myf/y/PayloadX.class
2/9/2011 6:52:32 AM Deleted: Exploit.Java.Agent.f C:\Documents and Settings\BJ\Application Data\Sun\Java\Deployment\cache\6.0\60\4422213c-4808fbf3/myf/y/AppletX.class
2/9/2011 6:44:28 AM Detected: HEUR:Trojan.Win32.Generic C:\Documents and Settings\BJ\My Documents\Downloads\install_flash_player(2).exe
2/9/2011 6:34:46 AM Detected: Exploit.Java.Agent.f C:\Documents and Settings\BJ\Application Data\Sun\Java\Deployment\cache\6.0\60\4422213c-4808fbf3/myf/y/AppletX.class
2/9/2011 5:56:54 AM Task started
Disinfect active threats: completed 1 day ago (events: 7, objects: 3198, time: 00:02:48)
2/9/2011 8:58:09 AM Task completed
2/9/2011 8:58:01 AM Will be deleted on system restart: Trojan.Win32.Patched.lk C:\WINDOWS\system32\winlogon.exe
2/9/2011 8:57:31 AM Detected: Trojan.Win32.Patched.lk C:\WINDOWS\system32\winlogon.exe
2/9/2011 8:55:27 AM Detected: Trojan.Win32.Patched.lk C:\WINDOWS\system32\winlogon.exe
On reboot, I resumed Kaspersky and it completed. Here is the report file:
Autoscan: completed 2 minutes ago (events: 15, objects: 3278, time: 00:03:07)
2/9/2011 5:56:54 AM Task started
2/9/2011 6:34:46 AM Detected: Exploit.Java.Agent.f C:\Documents and Settings\BJ\Application Data\Sun\Java\Deployment\cache\6.0\60\4422213c-4808fbf3/myf/y/AppletX.class
2/9/2011 6:44:28 AM Detected: HEUR:Trojan.Win32.Generic C:\Documents and Settings\BJ\My Documents\Downloads\install_flash_player(2).exe
2/9/2011 6:52:32 AM Deleted: Exploit.Java.Agent.f C:\Documents and Settings\BJ\Application Data\Sun\Java\Deployment\cache\6.0\60\4422213c-4808fbf3/myf/y/AppletX.class
2/9/2011 6:52:32 AM Detected: Trojan-Downloader.Java.OpenStream.ad C:\Documents and Settings\BJ\Application Data\Sun\Java\Deployment\cache\6.0\60\4422213c-4808fbf3/myf/y/PayloadX.class
2/9/2011 6:52:39 AM Deleted: Trojan-Downloader.Java.OpenStream.ad C:\Documents and Settings\BJ\Application Data\Sun\Java\Deployment\cache\6.0\60\4422213c-4808fbf3/myf/y/PayloadX.class
2/9/2011 6:52:59 AM Deleted: HEUR:Trojan.Win32.Generic C:\Documents and Settings\BJ\My Documents\Downloads\install_flash_player(2).exe
2/9/2011 8:29:35 AM Detected: Backdoor.Win32.Shiz.dfc C:\WINDOWS\system32\dll
2/9/2011 8:30:27 AM Detected: Backdoor.Win32.Shiz.asi C:\WINDOWS\system32\nt.dll
2/9/2011 8:39:00 AM Deleted: Backdoor.Win32.Shiz.asi C:\WINDOWS\system32\nt.dll
2/9/2011 8:39:01 AM Deleted: Backdoor.Win32.Shiz.dfc C:\WINDOWS\system32\dll
2/9/2011 8:54:39 AM Detected: Trojan.Win32.Patched.lk C:\WINDOWS\system32\winlogon.exe
2/9/2011 8:55:25 AM Task stopped
2/10/2011 6:43:10 AM Task started
2/10/2011 6:46:17 AM Task completed
Disinfect active threats: completed 21 hours ago (events: 7, objects: 3198, time: 00:02:48)
2/9/2011 8:55:22 AM Task started
2/9/2011 8:55:22 AM Detected: Trojan.Win32.Patched.lk C:\WINDOWS\system32\winlogon.exe
2/9/2011 8:55:25 AM Will be deleted on system restart: Trojan.Win32.Patched.lk C:\WINDOWS\system32\winlogon.exe
2/9/2011 8:55:27 AM Detected: Trojan.Win32.Patched.lk C:\WINDOWS\system32\winlogon.exe
2/9/2011 8:57:31 AM Detected: Trojan.Win32.Patched.lk C:\WINDOWS\system32\winlogon.exe
2/9/2011 8:58:01 AM Will be deleted on system restart: Trojan.Win32.Patched.lk C:\WINDOWS\system32\winlogon.exe
2/9/2011 8:58:09 AM Task completed
OK. Below the stars is the post I made from the infected machine. I want to add some observations so I'm editing the post from a working machine.
could not find a scanlog file on the desktop using IE. I am looking now at the c:\WINDOWS folder and there are two files names explorer, one has the MSDOS logo and a rollover says shortcut to MS-DOS program - properties says created 2/1/2011 which is surprising. size 2.78 KB and size on disk 5.00 KB. if that helps. cmd line C:\WINDOWS\explorer.exe this file is not present on the computer I'm working on so maybe that's part of the problem.
There is no explorer.exe file and, indeed, when I try to open explorer.exe from Task Mgr, the error box says "file cannot be found".
There is another explorer file and strangely a rollover gives no popup - doesn't on this machine either so I guess that's normal. just an observation. properties says it's Windows Explorer Command, 4.00 KB
Again, responses to mouse clicks is slower than normal.
I'm going to reboot the machine now and wait.
**********
so far so good! windows up and running again - kaspersky is still at the same place and there are two logs:
notes: computer running very slow. saved stopped scan report to flash drive and kaspersky report window hung. trying to save the other disinfect active threats report but cannot access report window and do not know …
writing from the ubuntu machine now.
I got plenty of "prompts for action" - deleted all of the bad files, etc. At one point, it said it could not get rid of, I think, the winlogon files and needed to reboot. Avast! had tried to do this also but the system hung each time it tried and had to be cold started.
I cannot locate the AVP scanlog. I don't see any Kaspersky folders or anything that looks like it could be AVP. Do you know where they should be?
winlogon.exe is there.
I don't a Windows CD - this is an HP machine, should be on the D: drive?
PP, you're gonna love it, I have a couple of machines running ubuntu and I've just loaded the live disk into the machine we're working on...and it's up and running. External monitor came on line with no problem.
disclaimer: I just started using ubuntu on my children's computers a couple weeks ago so my experience is limited...having some issues, for example, getting the network printer stabilized on one of them...
Looks like I'm going to learn a bit more....
This fixing process could get a bit dicey - we may end up making things a whole lot worse.PP
Yes. Kaspersky rebooted the computer (after deleting lots of trojans and other goodies along the way). The system is now stuck in a restart loop. The external monitor gets the startup signal but after 2 seconds goes black and get a "monitor going to sleep" box and amber power lamp.
I thought it might be OK but after about 20 cycles now, it's obvious....
I'll probably power down with the power button until I hear back....
Have flash drive, will travel!! thumbnet
Avast! found two baddies it said.
System32 Winlogin.exe. Win32:WinPatch - two iterations. If I remember, that's what it said before in the avast! popup. It won't let me put in virus chest or delete. Says it wants me to set up a startup scan to finish the remove. I did that and it hung....
Meanwhile, I'm on another XP machine but I can't hold my eyes open much longer, so I'll see what goodies you have for me in the morning. 'preciate you sticking with me!!
Gerbil - I looked in the avast! virus chest and explorer.exe is sitting in there. There are other files in there as well. I tried to copy the contents of the chest for you but it won't let me.
Interestingly, I ran a scan on the explorer.exe file in the chest and it returned nothing, just said it had been scanned. Latest version of home avast!
I'm going off to run avast!
Meanwhile, there is no c:\WINDOWS\explorer.exe there is a c:\WINDOWS\explorer
I see both on my other computer so I assume the file on this one is missing, which explains the message I get when I try to run it.
I'll post the Avast! log when it completes. And thanks again for your help here, I know you are very busy.
I can't run DDS. It hangs the machine after I get about half of those | characters across the DOS window. I have not run Combofix yet because I got what might be another clue while I was bringing up Firefox from the Quick Launch bar, something I have not been able to do for a while until the desktop started running.
Avast! came up with a message as firefox started:
Malware Blocked
Object C:WINDOWS\system32\winlogon.exe
Infection Win32:WinPatch
Don't know if it's significant.
OK, guys, we got a desktop!
Ran FixEx and rebooted. Got the Quick Launch bar and I thought no desktop...right click did not get me anything. But after some time, the white screen came up asking if I wanted to refresh the desktop. Could not refresh but was able to right click, get to properties, and restore.
explorer.exe still will not run (tried from quick launch Windows Explorer icon AND from Task Mgr) but I thought I'd report the desktop working before going further.
One note...on reboot, it takes a long time for everything to come up. However, I started excel and word and their startup times seem normal.
Thanks - here it is:
Microsoft Windows XP [Version 5.1.2600]
Mon 02/07/2011
02:14 PM
Volume in drive C has no label.
Volume Serial Number is 6BB5-2493
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"DefaultUserName"="BJ"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"PowerdownAfterShutdown"="0"
"ReportBootOk"="1"
"Shell"="Phillies.exe"
"ShutdownWithoutLogon"="0"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"SfcQuota"=dword:ffffffff
"allocatecdroms"="0"
"allocatedasd"="0"
"allocatefloppies"="0"
"cachedlogonscount"="10"
"forceunlocklogon"=dword:00000000
"passwordexpirywarning"=dword:0000000e
"scremoveoption"="0"
"AllowMultipleTSSessions"=dword:00000001
"UIHost"=hex(2):6c,00,6f,00,67,00,6f,00,6e,00,75,00,69,00,2e,00,65,00,78,00,65,\
00,00,00
"LogonType"=dword:00000001
"Background"="0 0 0"
"DebugServerCommand"="no"
"SFCDisable"=dword:00000000
"WinStationsDisabled"="0"
"HibernationPreviouslyEnabled"=dword:00000001
"ShowLogonOptions"=dword:00000001
"AltDefaultUserName"="BJ"
"AltDefaultDomainName"="BJONSON"
"DefaultDomainName"="BJONSON"
"AutoAdminLogon"="0"
@=""
"ChangePasswordUseKerberos"=dword:00000001
"System"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=hex(2):66,00,64,00,65,00,70,00,6c,00,6f,00,79,00,2e,00,64,00,6c,00,\
6c,00,00,00
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=hex(7):28,00,46,00,6f,00,6c,00,64,00,65,00,72,00,20,00,52,00,65,\
00,64,00,69,00,72,00,65,00,63,00,74,00,69,00,6f,00,6e,00,2c,00,41,00,70,00,\
70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,00,29,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=hex(2):64,00,73,00,6b,00,71,00,75,00,6f,00,74,00,61,00,2e,00,64,00,\
6c,00,6c,00,00,00
"ProcessGroupPolicy"="ProcessGroupPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@="Internet Explorer Zonemapping"
"DllName"=hex(2):69,00,65,00,64,00,6b,00,63,00,73,00,33,00,32,00,2e,00,64,00,\
6c,00,6c,00,00,00
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"=hex(2):40,00,69,00,65,00,64,00,6b,00,63,00,73,00,33,00,32,00,2e,\
00,64,00,6c,00,6c,00,2c,00,2d,00,33,00,30,00,35,00,31,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows …
also got a DOS window with:
1 file(s) copied>
The operation completed successfully
The system cannot find the file specified.
File Not Found
on reboot, still no desktop...
Microsoft Windows XP [Version 5.1.2600]
Mon 02/07/2011
06:00 AM
Volume in drive C has no label.
Volume Serial Number is 6BB5-2493
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"DefaultUserName"="BJ"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"PowerdownAfterShutdown"="0"
"ReportBootOk"="1"
"Shell"="Phillies.exe"
"ShutdownWithoutLogon"="0"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"SfcQuota"=dword:ffffffff
"allocatecdroms"="0"
"allocatedasd"="0"
"allocatefloppies"="0"
"cachedlogonscount"="10"
"forceunlocklogon"=dword:00000000
"passwordexpirywarning"=dword:0000000e
"scremoveoption"="0"
"AllowMultipleTSSessions"=dword:00000001
"UIHost"=hex(2):6c,00,6f,00,67,00,6f,00,6e,00,75,00,69,00,2e,00,65,00,78,00,65,\
00,00,00
"LogonType"=dword:00000001
"Background"="0 0 0"
"DebugServerCommand"="no"
"SFCDisable"=dword:00000000
"WinStationsDisabled"="0"
"HibernationPreviouslyEnabled"=dword:00000001
"ShowLogonOptions"=dword:00000001
"AltDefaultUserName"="BJ"
"AltDefaultDomainName"="BJONSON"
"DefaultDomainName"="BJONSON"
"AutoAdminLogon"="0"
@=""
"ChangePasswordUseKerberos"=dword:00000001
"System"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=hex(2):66,00,64,00,65,00,70,00,6c,00,6f,00,79,00,2e,00,64,00,6c,00,\
6c,00,00,00
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=hex(7):28,00,46,00,6f,00,6c,00,64,00,65,00,72,00,20,00,52,00,65,\
00,64,00,69,00,72,00,65,00,63,00,74,00,69,00,6f,00,6e,00,2c,00,41,00,70,00,\
70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,00,29,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=hex(2):64,00,73,00,6b,00,71,00,75,00,6f,00,74,00,61,00,2e,00,64,00,\
6c,00,6c,00,00,00
"ProcessGroupPolicy"="ProcessGroupPolicy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@="Internet Explorer Zonemapping"
"DllName"=hex(2):69,00,65,00,64,00,6b,00,63,00,73,00,33,00,32,00,2e,00,64,00,\
6c,00,6c,00,00,00
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"=hex(2):40,00,69,00,65,00,64,00,6b,00,63,00,73,00,33,00,32,00,2e,\
00,64,00,6c,00,6c,00,2c,00,2d,00,33,00,30,00,35,00,31,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
…
sorry - I thought it didn't run completely because the firewall and avast! could not be shut down and so when I was able to shut them down, I reran.
Combofix never got far enough to produce a report. I've checked by browsing under Task Mgr and there is no ComboFix.txt.
Ran Combofix (could not close firewall and Avast!) and followed all the instructions to the letter. The program got to the scan step but never listed any progress stages. After letting it sit there for several hours, rebooted and found a desktop waiting for me. I was able to run windows explorer and see my files again......
So I was able to close Win Firewall and Avast! and ran Combofix again - actually ran it from explorer. This time it went directly to the scan and hung again with no progress stages listed (same spot as before maybe). After it sat at that point all night, I rebooted again and am back to no desktop. I'm running it again and it doesn't appear it's going to get past the same point. Something definitely happened that "corrected" on that first run....but I suspect the issue was reset on rebooting...maybe this is a hint on what the issue is?
The third run hung in the same place.....on reboot, no desktop.
Thanks, guys,
I'm still trying to get my hands around running things without the desktop so thanks for the patience. I can't run dds - it hangs the system - I suspect it's because Avast! is running and I can't shut it down. Tried both from Task Mgr and CodeStuffStarter.
mbam log:
Malwarebytes' Anti-Malware 1.50.1.1100
[url]www.malwarebytes.org[/url]
Database version: 5671
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11
2/3/2011 9:06:51 PM
mbam-log-2011-02-03 (21-06-51).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 290155
Time elapsed: 1 hour(s), 12 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
[B]GMER One:[/B]
GMER 1.0.15.15530 - [url]http://www.gmer.net[/url]
Rootkit quick scan 2011-02-03 12:14:07
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 HTS541040G9AT00 rev.MB2OA56J
Running: rfiegdgt.exe; Driver: C:\DOCUME~1\BJ\LOCALS~1\Temp\kxldqpog.sys
---- System - GMER 1.0.15 ----
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAA39C82E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xAA39C652]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xAA39C78C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
---- Devices - GMER …I ran HiJackThis and there seems to be a lot of Internet Explorer entries - I don't use IE and always use Firefox, perhaps I should get rid of IE altogether.
Here is the HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:10:10 AM, on 2/3/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17093)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PRTG Network Monitor\PRTG Server.exe
C:\Program Files\PRTG Network Monitor\PRTG Probe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\BJ\My Documents\Downloads\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8075
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - …
Thanks but I cannot get into safe mode as I am running an old notebook with a broken screen. I've got a monitor hooked into it with a wireless mouse and keyboard. If I try to go into safe mode, startup doesn't get far enough to activate the second monitor.
I've narrowed things down to explorer.exe issues - but can't seem to shake this one. btw, I've tried to go back to an earlier version....for some reason there are no restore points earlier than this issue....might be a result of whatever bug caused this.
Hi guys,
I've been fighting this bug and could use some help.
Windows XP SP3 and I've lost the desktop. Not just icons, etc. No desktop at all. I can run from Task Manager and this is my second machine so I can do most anything I need for the moment except explorer.exe.
System tells me various things depending on from where I try to run explorer.exe
no permissions
missing explorer.exe
etc.
I've run all the suggested malware software and got rid of any problems there - haven't run GMER, etc. because I've nowhere to post the files. - you guys might have a suggestion on how to get this done and I will follow?
Will appreciate any assistance!!
Thanks,
Catalana
Thanks guys, this one turned out to be a bad processor. I'm thinking a heat issue, since the heat sink material seemed separated when a friend removed the assembly. We put another mother board in but there are few new XP motherboards floating around here so now am having issues with drivers...appreciate the help!!
As you suggested, the computer seems to be virus free at this point. Mbam ran again and the system is clean.
When I did a restart after the last time I ran mbam, surprise, the monitor came up. I thought it was fixed. However, it does not come up normally every time - indeed, most of the time, after restarting several times for a test.
I'm thinking it must be something in the bios? But I'm not knowledgeable enough to know what.
When the problem occurs, the system is restarted - right away, the fan starts and does not cut off, the monitor light turns on and then starts blinking and the system continues to reboot (I guess because I can't tell what is happening because the monitor seems to go into hibernation.
When it comes up normally, the fan starts and then stops - the monitor lights up and the flash screen shows up. then it goes dark normally and finally comes back with the windows is starting page.
thanks for taking a look!
I guess that does sound funny. I'll try for a better explanation.
When I do a restart, the computer acts as though I signaled for a shutdown. Just goes off and stays off. That is a problem when trying to do some activities like mbam. It wants to restart the computer but it doesn't come back up afterward.
Maybe that's the issue with the log. I did remove the issues mbam found.
Anyway, I came up in safe mode and will run mbam again and post the log.
Besides not being able to complete a restart, the other issue is the monitor not coming back up. I'll try it with another monitor and get back to you.
Thanks!!
Hello all,
I have a strange situation going on:
First, I cannot reboot the computer. Once rebooted the computer signs off and never comes on. Second, if I unplug the computer or turn it off, when I start it up, the monitor does not come on - I have to keep unplugging the computer and eventually it will restart the monitor, but not every time. This may be connected to the no reboot problem. Symptoms are the monitor, an LG W2061TQ, has the power button flashing. When I can get it all started, the monitor comes up normally.
Computer is an HP a1600n, XP Pro SP3, 1GB RAM, 3.06 BIOS, 2GB HD.
I ran the suggested diagnostics, etc., and here are the results:
Windows malicious software removal tool yields "no malicious software"
ATF-Cleaner removed everything
GMEROne:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-12-03 06:35:12
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 WDC_WD2000JS-60NCB1 rev.10.02E02
Running: kgv15mpx.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\pxldrpob.sys
---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 …
Can somebody tell me what AES is and if I need to set my network with it?
you need to start the machine with the windows CD...when you get the choice of startup location, choose the CD...there are diagnostics that you can run to see what happened.
If you have automatic updates set on your system, Service Pack Two might have been loaded and the update failed...you're going to have to do a system restore back to the checkpoint before the update.
and keep the password on a disk somewhere.
So a policeman says he'll shoot first and ask questions later? And he's talking about a child?
where can you get that?
Linksys has their own flavor of software for cameras, check out the web site.
Ethernet to all but one location. Would wireless work?
Does anybody know how much bandwidth network cameras require? I'm trying to decide if I can put them around my house. Thanks!
Goto Start, Run, and enter regedit. Being VERY careful about changing anything
that's an important warning!!
it's working now - thanks, zeroth!
Axis 214PTZ