
Malwarebytes

SCANS for Mr.Charlie


156 replies to this topic

#21
MrCharlie

    Forum Deity

  • Experts
  • 17,537 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
NO, system restore seems to be corrupt.

You need more RAM installed on the system for it to function properly.


Please do this: Download and run HiJackThis:

http://www.trendmicr.../HijackThis.exe

Run HJT.exe
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad. Save the log to a convenient location.
Copy and paste it into your post.

MrC

Malware Removal Expert


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

#22
GRIVEN

    Regular Member

  • Honorary Members
  • 87 posts
I used a "HijackThis" which I had put on a week or so back but never got around to using for some reason or another.
I hope there's no update problem since then. If so, please let me know.
Here it is-
//////////////////////////////////////////////////////////////////////////////
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:08:11 PM, on 5/6/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\Update.exe
C:\Program Files\Spyware Doctor\upgrade.exe
C:\Documents and Settings\donna\Desktop\ListParts.exe
C:\Documents and Settings\donna\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hvaccess.com/members
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://duckduckgo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hvaccess.com/members
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-3646499915-954458941-3890034720-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3646499915-954458941-3890034720-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - HKUS\S-1-5-21-3646499915-954458941-3890034720-500\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe -update activex (User 'Administrator')
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarest...es2/Install.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 6947 bytes


#23
MrCharlie
Please create a folder and place HJT in there so back ups can be made and found.



Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:


O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe



Click on Fix Checked when finished and exit HijackThis.


------------------------------------------------------------------

Reboot and see if you can run ComboFix:

Please download and run ComboFix.
The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
If you get the message Illegal operation attempted on registry key that has been marked for deletion. after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.
MrC
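
The log in #22 and the three items picked out for "Fix checked" in #23 are the kind of thing a helper reads by hand. As an added example (my own code, not HijackThis, Malwarebytes or anything the posters ran), the Python below parses the O2/O3/O4/O23 lines of a HijackThis 2.x log, applies a few signature-free triage checks (binary outside Windows/Program Files, anonymous BHO, service with no publisher), and maps a list of checked item names to the registry locations those entries live in. The sample lines are copied from the posted log except for the `[sysupdate]` line, which is constructed to exercise the path check; the trusted-prefix list and the triage rules are my assumptions, and hits are leads for a human, not verdicts.

```python
"""Triage helpers for a HijackThis 2.x log: parse the O2/O3/O4/O23 lines,
flag the entries that deserve a closer look, and translate a list of
checked item names into the registry locations "Fix checked" removes."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Sample input: lines copied from the log posted in #22, plus ONE CONSTRUCTED
# line ([sysupdate], a hypothetical autostart in a user's Temp folder) added
# to exercise the path check. Nothing else is invented.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-3646499915-954458941-3890034720-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - HKCU\..\Run: [sysupdate] C:\Documents and Settings\donna\Local Settings\Temp\sysupdate.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

RE_BHO = re.compile(r"^O(?P<sec>[23]) - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RE_RUN = re.compile(r"^O4 - (?P<hive>HK[A-Z]+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>\w+): "
                    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
RE_SVC = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# First executable/library path in a command line, quoted or not.
RE_EXE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|scr|com|bat|cmd|pif))\b', re.IGNORECASE)

# ASSUMPTION: autostarts living anywhere else (user profile, Temp, root of C:) get flagged.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\",
                    "c:\\program files (x86)\\", "c:\\progra~2\\")
RUN_ROOT = "Software\\Microsoft\\Windows\\CurrentVersion\\"
BHO_ROOT = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\"


@dataclass
class Entry:
    section: str
    name: str
    path: str
    raw: str
    hive: str = ""
    key: str = ""
    clsid: str = ""
    owner: str = ""


def exe_path(cmd: str) -> str:
    """Strip quotes and arguments, keeping only the binary that gets launched."""
    m = RE_EXE.match(cmd.strip())
    return m["path"] if m else cmd.strip()


def parse_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        raw = raw.strip()
        if m := RE_RUN.match(raw):
            entries.append(Entry("O4", m["name"], exe_path(m["cmd"]), raw, hive=m["hive"], key=m["key"]))
        elif m := RE_BHO.match(raw):
            entries.append(Entry("O" + m["sec"], m["name"], m["path"].strip(), raw, clsid=m["clsid"]))
        elif m := RE_SVC.match(raw):
            entries.append(Entry("O23", m["name"], m["path"].strip(), raw, owner=m["owner"]))
    return entries


def triage(entries: Iterable[Entry]) -> List[Tuple[Entry, str]]:
    """Cheap, signature-free checks: where does the binary live, and does the
    registration look anonymous? Hits are leads for a human, not verdicts."""
    findings = []
    for e in entries:
        p = e.path.lower()
        if p and not p.startswith(TRUSTED_PREFIXES):
            findings.append((e, "runs from outside Windows/Program Files: " + e.path))
        if e.section == "O2" and e.name == "(no name)":
            findings.append((e, "BHO registered without a display name"))
        if e.section == "O23" and e.owner == "Unknown owner":
            findings.append((e, "service binary carries no publisher information"))
    return findings


def fix_targets(entries: Iterable[Entry], checked: Iterable[str]) -> List[Tuple[str, str, Optional[str]]]:
    """(hive, subkey, value) that each checked item corresponds to: the Run
    value itself for O4, the BHO registration key (value None) for O2."""
    wanted = set(checked)
    targets = []
    for e in entries:
        if e.name not in wanted:
            continue
        if e.section == "O4":
            targets.append((e.hive, RUN_ROOT + e.key, e.name))
        elif e.section == "O2":
            targets.append(("HKLM", BHO_ROOT + e.clsid, None))
    return targets


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for entry, why in triage(parsed):
        print(f"[{entry.section}] {entry.name}: {why}")
    for hive, subkey, value in fix_targets(parsed, ["RegistryMechanic", "Google Toolbar Notifier BHO"]):
        print("remove", hive + "\\" + subkey, value or "(key)")
```

Run against the sample, the triage flags the constructed `[sysupdate]` entry in the user's Temp folder, the `(no name)` BHO, and the "Unknown owner" service; everything else in the posted log sits under Program Files or Windows and passes silently, which is why the helper's own pick in #23 was driven by product knowledge rather than path heuristics. The `fix_targets` output is only a map of where those items are registered; it does not touch the registry.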

#24
GRIVEN
Sorry for the delay but does Hijack This signal any indication of when it is finished?
I've checked the 3 boxes as ordered & clicked Fix. Everything disappeared from the
HJT list screen and I have been waiting for a notice that it is finished before proceeding to
the next step. In view of the precautions & the slowness of the computer's current
operations, I don't want to jump the gun before closing it.

#25
MrCharlie
Just run another HJT scan and we'll see......MrC


#26
GRIVEN
The three items were gone in the new scan. When I saved the log, a box came up saying
"run-time error '326' Resource with identifier 'VERSION' not found" with an "OK" click.
Does that sound right or is it a flag?

#27
MrCharlie
It's a flag. Like I said before...this system is so corrupt, I think the best idea is to reinstall the operating system and start fresh, and I would also strongly suggest you add some memory to the system for it to operate properly.

MrC


#28
GRIVEN
Since, as explained, we have no OS disk for it, can we try Combo-Fix or would that be worthless effort?

I've taken off Malwarebytes for now, since it doesn't run anyway. Plus Registry Mechanic because I've caught
it freezing things in earlier attempts to treat the infections & it showed up in the HijackThis log.
Plus AVG tune-up because of the oddity that a balloon, seemingly MS, pops up at start-up and sometimes
at other odd moments, saying that AVG 2012 Anti-virus was out of date. Since I thought I had removed AVG
days ago because it was blocked from updating, I thought that message was fishy. After removing AVG PC tune-up &
rebooting, however, it still came up even though I believed everything AVG was removed.

Adding memory, I agree, is a good idea but also not an option at the moment.
Am I correct in assuming that without the OS disk, reinstall is not an option?

-Grivin

#29
GRIVEN
By the way, since that last reboot things seem to be running more swiftly on that challenging computer
but I don't want to delude myself about progress.
The instructions for Combo-fix mentions that it sets its own restore point. Is this separate from the
failed Windows restore point?
I won't, of course, run anything without your approval.

#30
GRIVEN
Mr.C,

You're not giving up on me, are you? Please don't tell me this is hopeless.
For the first time in weeks, her computer is running without a pronounced time lag.

#31
MrCharlie
I'm still here. I wanted you to try and create a new system restore point.
Were you able to do this?

MrC


#32
GRIVEN
I have gotten to the point of being ready to run Combo-Fix.
In reading their instructions, I noted that Combo-Fix sets its own Restore Point.
My question is if this is their own method, apart from Windows. If it depends on Windows Restore, will it work
or fail like the XP attempts?
I didn't want to proceed without your nod...

#33
MrCharlie
No, it won't work.

You can try to turn system restore off, reboot and then turn it back on.
This will clear out all the restore points and reset it.
It may fix it.

Let me know, MrC


#34
GRIVEN
How do I turn off Restore? If you recall, when I go to System Tools through Accessories, the next step just says "empty".
Is there another approach in Windows to control that function?

#35
MrCharlie
Please run unhide and post the log.

http://www.bleepingc...opic405109.html

MrC


#36
GRIVEN
First try at running Unhide drew a "Windows No Disk" notice which said
" Exception Processing Message c00000 Parameters 75b6bf9c 4 76b6bf9c 75b6bf9c "
Below were options which included "Retry" (same result) and "Continue"
The latter option resulted in the log pasted below.
I mention this detail in case the prolog message is an indication that the scan was about to be compromised in some way.
//////////////////////////////////////////////////////////
Unhide by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Unhide.exe can be found at this link:
http://www.bleepingc...opic405109.html

Program started at: 05/07/2012 09:22:28 AM
Windows Version: Windows XP

Please be patient while your files are made visible again.
Processing the A:\ drive
Finished processing the A:\ drive. 0 files processed.

Processing the C:\ drive
Finished processing the C:\ drive. 66332 files processed.

Restoring the Start Menu.
* 0 Shortcuts and Desktop items were restored.


Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
No registry changes detected.


Restarting Explorer.exe in order to apply changes.
Program finished at: 05/07/2012 09:31:29 AM
Execution time: 0 hours(s), 9 minute(s), and 0 seconds(s)
///////////////////////////////////////////////////////

NOTE: When I brought the flashdrive back to my own computer to send this, AVG threat warning opened
with this news- g:\7zip_Set.up.exe Adware Generic 5DHX
this apparently is one of the programs I ferried to the infected computer
to "treat" it (although it may not have been used)
I sent it to the vault.
(also trying to adjust the font size in the post box, pardon the shift, please)
-Griven
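
The Unhide log above names the four registry keys it inspects for changes made by FakeHDD rogues (the SMART HDD family the poster ran into, per #38). As an added example, my own code and not Unhide's or anything from this thread, the Python below audits a snapshot of those same four keys against a table of Explorer policy values that this class of rogue sets to hide the desktop, block Run and Task Manager and keep hidden files invisible, and produces the value edits needed to undo them. The value table is my assumption, assembled from documented Explorer policy value names; Unhide's own list is not on the page. The INFECTED and CLEAN snapshots are constructed for the demonstration, not taken from the poster's machine; `read_live()` pulls real values with `winreg` and only works on Windows.

```python
"""Audit the four registry keys Unhide's log says it checks, against a
snapshot of their values, and plan the edits needed to undo tampering."""
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, Dict[str, int]]        # full key path -> {value name: DWORD}
Finding = Tuple[str, str, str, int]         # (severity, key, value name, data)

POL_EXPLORER = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer"
POL_SYSTEM = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\System"
ADVANCED = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
# The four keys exactly as the Unhide log lists them.
CHECKED_KEYS = ["HKLM\\" + POL_EXPLORER, "HKCU\\" + POL_EXPLORER,
                "HKCU\\" + POL_SYSTEM, "HKCU\\" + ADVANCED]

# Value name -> data that indicates tampering. ASSUMPTION: this table is the
# editor's, built from documented Explorer policy values; it is not Unhide's.
# Explorer\Advanced entries are weak signals: Hidden=2 / ShowSuperHidden=0
# are also the XP defaults, so they are reported as "info", not "restriction".
SUSPECT = {
    POL_EXPLORER.lower(): {"NoDesktop": 1, "NoRun": 1, "NoFolderOptions": 1,
                           "NoSetTaskbar": 1, "NoControlPanel": 1},
    POL_SYSTEM.lower(): {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    ADVANCED.lower(): {"Hidden": 2, "ShowSuperHidden": 0},
}


def audit(snapshot: Snapshot) -> List[Finding]:
    findings: List[Finding] = []
    for full_key, values in snapshot.items():
        _, _, sub = full_key.partition("\\")          # drop the HKLM/HKCU root
        for name, bad in SUSPECT.get(sub.lower(), {}).items():
            if values.get(name) == bad:
                sev = "info" if sub.lower() == ADVANCED.lower() else "restriction"
                findings.append((sev, full_key, name, bad))
    return findings


def remediate(snapshot: Snapshot) -> List[Tuple[str, str, str, Optional[int]]]:
    """Plan: delete policy restrictions (a stock XP home profile has none),
    and set Hidden=1 / ShowSuperHidden=1 so hidden and protected files show."""
    plan = []
    for sev, key, name, _ in audit(snapshot):
        if sev == "restriction":
            plan.append(("delete", key, name, None))
        else:
            plan.append(("set", key, name, 1))
    return plan


def read_live() -> Snapshot:
    """Windows only: read the real values with winreg (ImportError elsewhere)."""
    import winreg
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap: Snapshot = {}
    for full_key in CHECKED_KEYS:
        root, _, sub = full_key.partition("\\")
        values: Dict[str, int] = {}
        try:
            with winreg.OpenKey(roots[root], sub) as h:
                i = 0
                while True:
                    try:
                        name, data, _kind = winreg.EnumValue(h, i)
                    except OSError:          # no more values
                        break
                    values[name] = data
                    i += 1
        except OSError:                      # key absent: nothing is set there
            pass
        snap[full_key] = values
    return snap


# CONSTRUCTED snapshots (not from the poster's machine). INFECTED resembles a
# profile after a FakeHDD / SMART HDD rogue; CLEAN has hidden files made visible.
INFECTED: Snapshot = {
    "HKLM\\" + POL_EXPLORER: {},
    "HKCU\\" + POL_EXPLORER: {"NoDesktop": 1, "NoRun": 1},
    "HKCU\\" + POL_SYSTEM: {"DisableTaskMgr": 1},
    "HKCU\\" + ADVANCED: {"Hidden": 2, "ShowSuperHidden": 0, "HideFileExt": 1},
}
CLEAN: Snapshot = {
    "HKLM\\" + POL_EXPLORER: {},
    "HKCU\\" + POL_EXPLORER: {},
    "HKCU\\" + POL_SYSTEM: {},
    "HKCU\\" + ADVANCED: {"Hidden": 1, "ShowSuperHidden": 1, "HideFileExt": 0},
}

if __name__ == "__main__":
    try:
        snapshot = read_live()
    except ImportError:
        snapshot = INFECTED                  # off Windows, demonstrate on the sample
    for sev, key, name, data in audit(snapshot):
        print(f"{sev:11} {key}\\{name} = {data}")
    for action, key, name, data in remediate(snapshot):
        print(action, key + "\\" + name, "" if data is None else data)
```

Two things the log itself supports: the poster had already run Unhide once after the SMART HDD hit (#38), which is consistent with "No registry changes detected" and "0 Shortcuts and Desktop items were restored" on this second pass; and the log shows Unhide enumerating the A:\ drive before C:\, which is where a "Windows - No Disk" prompt from an empty floppy drive would surface. The plan returned by `remediate` is only a list; applying it means deleting or setting those values with whatever tool is appropriate, after Explorer is restarted, as Unhide does.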

#37
MrCharlie

Quote:
    when I go to System Tools through Accessories, the next step just says "empty"
    Is there another approach in Windows to control that function?

Looks like nothing was restored, is it still empty?

Try something for me regarding system restore.......

Disable all your anti-virus and anti-malware programs and try using system restore again, sometimes these programs interfere with it.

MrC


#38
GRIVEN
MrC,
Early in my bumbling attempted defense of this system, after it had been hit by SMART HDD, I ran Unhide and
recovered an ability to see files. (I used the same exe already on the Desktop for this run) Could that be why
it found nothing this time?
The System Tools path still reads "Empty."?
To recap: I was able to get into Restore before by placing %SystemRoot%\System32\restore\rstrui.exe in the Run
box but the 2 emboldened restore points prior to the infection would not take. After that I removed an inoperable
Malwarebytes (and had previously removed AVG) so they wouldn't interfere with a pending deployment of
ComboFix (which was not run). So, as far as I can tell, that system is presently without an active anti-virus or
anti-malware program.
If I use the above mentioned method to get into restore again, is there an option in there to turn it off, as
requested, even though it's not "officially" recognized by the System Tools category? And, if so, is this still
advisable?
-Griven

#39
MrCharlie
OK, here it is:
http://support.microsoft.com/kb/310405

MrC


#40
GRIVEN
I went back into Restore Point & tried again to set one but there are no longer any dates available
prior to infection.
So, I followed the MS Guide & turned Restore off.
What's next?




