31 replies to this topic

[killthecpu]

Laptop is giving me hell
I thought this was a memory issue, but then I...

Issues:
Firefox stopped working
Tried to install Mbam. gets all the way to extracting files and then sits.
An older version of Mbam found a couple of things and deleted them.
IE will not let f-secure website activeX scanning begin.

I had Charter security suite from f-secure
but, I guess it missed something

After reading for hours through the forums, I decided not to press my luck and attempt to clean/fix this myself.


Here's the log from HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:29 PM, on 9/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/2.0..._instmodule.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3732 bytes


Please Help, I don't really want to reformat

[killthecpu]

Update:
Tried RootRepeal. It just hung like Mbam.

It gave me a crash report..

ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows XP SP2
Exception Code: 0xc0000005
Exception Address: 0x00464699
Attempt to read from address: 0x00000000

[sjpritch25]

Welcome to Malwarebytes!!!!


Please download Win32kDiag.exe by AD to your Desktop.
Double-click on Win32kDiag.exe.
It will create Win32kDiag.txt on your Desktop.
In your next reply, please include the log. Thanks

[killthecpu]

sjpritch25, on Sep 9 2009, 04:15 PM, said:

Welcome to Malwarebytes!!!!


Please download Win32kDiag.exe by AD to your Desktop.
Double-click on Win32kDiag.exe.
It will create Win32kDiag.txt on your Desktop.
In your next reply, please include the log. Thanks

Thanks sjpritch25 for the help.

Heres the log;

Log file is located at: C:\Documents and Settings\User1\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!





Not much compared to what i've seen around?!

Thanks again

[sjpritch25]

Lets try something else.


Download Combofix from this webpage: http://www.bleepingc...to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

[killthecpu]

sjpritch25, on Sep 9 2009, 11:14 PM, said:

Lets try something else.


Download Combofix from this webpage: http://www.bleepingc...to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Ok,
Downloaded and placed on d/top
combofix runs until it "attempts to create a restore point", then it does nothing.

all antivirus/adware/windows were closed prior to starting
thx

[sjpritch25]

Are you sure you disabled Avg and Lavasoft Ad-watch. Avg does affect the running of ComboFix.

[killthecpu]

sjpritch25, on Sep 10 2009, 05:04 PM, said:

Are you sure you disabled Avg and Lavasoft Ad-watch. Avg does affect the running of ComboFix.

yes,
right-clicked on icon next to clock and exit both of them.

[sjpritch25]

how long did it hang? Please try it one more time. If it still doesn't work

go to Start ---> Run ---> Type "%userprofile%\desktop\ComboFix.exe" /killall followed by enter.

[killthecpu]

sjpritch25, on Sep 10 2009, 06:36 PM, said:

how long did it hang? Please try it one more time. If it still doesn't work

go to Start ---> Run ---> Type "%userprofile%\desktop\ComboFix.exe" /killall followed by enter.

when I ran it the first time, I let it sit for 1.5-2 hrs
I didnt see hdd light coming on after it got hung

my taskbar wouldnt come down, mouse doesnt move
windows was unresponsive
so i cant get to "start - run"

Only way out was a cold boot

[sjpritch25]

so you have no desktop. Is that what your saying? Just a blank screen?

You may need to actually open up avg and adaware and turn them off that way. Or just uninstall them and re-install those two program after your clean.

[killthecpu]

sjpritch25, on Sep 10 2009, 07:39 PM, said:

so you have no desktop. Is that what your saying? Just a blank screen?

You may need to actually open up avg and adaware and turn them off that way. Or just uninstall them and re-install those two program after your clean.

no, desktop is there, computer locks up
cant use hot keys or ctl-alt-dlt

should i go ahead and uninstall both a/v & ad and rerun?

[sjpritch25]

yes if you can

[killthecpu]

sjpritch25, on Sep 10 2009, 07:52 PM, said:

yes if you can

ok,
ad-aware uninstalled w/o a problem
AVG didnt want to uninstall.
went to the AVG website saw their "avgremover.exe" uninstaller under the tools section.
it removed AVG w/o a problem
rebooted twice & double checked to make sure AVG was removed. it was gone

Then I ran Conbofix in normal mode - same result as the first time (locked up)
rebooted into safe mode, tried again - same result

This is what I see-
when i start c/f, the dos window pops up, "preparing to run..."
the dos window will go out of "focus", like another window is supposed to come up, but doesn't.
thats where it gets stuck

On http://www.bleepingcomputer.com/combofix/h...se-combofix#use

I never see the "ComboFix is backing up the Windows Registry" window
I seen the "Combofix Disclaimer" the first time I ran it, but not this time.

I hope this makes sense.

[sjpritch25]

Let me check with the developer. Something is not right.

[sjpritch25]

i need you to run Combofix again. When it fails press the following keys at the same time Ctrl Alt Delete and windows task manager should appear. look for the following process
cfxxe.exe


let me know if that process is not found. Thanks

[killthecpu]

sjpritch25, on Sep 11 2009, 10:10 PM, said:

i need you to run Combofix again. When it fails press the following keys at the same time Ctrl Alt Delete and windows task manager should appear. look for the following process
cfxxe.exe


let me know if that process is not found. Thanks

Every time combofix runs, it locks up.
ctl-alt-delete does not work (the task manager will not appear)
computer doesn't respond at all, (except when I move the mouse).

[sjpritch25]

Do you see a folder located here
C:\ComboFix ?


Let me know.


Also please download the attached file Junction.zip

Extract the folder Junction to your desktop. Double-Click on Junction.bat, in your next reply, please post the log.

Attached Files

•  Junction.zip   45.28K   12 downloads

[killthecpu]

sjpritch25, on Sep 11 2009, 11:39 PM, said:

Do you see a folder located here
C:\ComboFix ?


Let me know.


Also please download the attached file Junction.zip

Extract the folder Junction to your desktop. Double-Click on Junction.bat, in your next reply, please post the log.

Do you see a folder located here
C:\ComboFix ?
Yes, I do, through explorer.
But when i double click on it, it seems to loop me around to "C:\" again?!
Like "C:\combofix" is a mirror of "C:\"

anyway...
the junction bat work here is its log:


Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\System Volume Information: Access is denied.


...

...

...

...

...

...

...

...

...

..\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

.

...

...

...

...

...

..

Let me know if you want me to attach the actual file.

Thx

[sjpritch25]

okay the junction.bat showed one area that's clean


Please visit this link and upload the following file there C:\bug.txt