
Probably Phished; Avira scans incomplete; Winpatrol stalls while "verifying startup programs"



 
 
Old 08-30-2011, 03:58 PM   #1
Registered Member
 
Join Date: Jan 2010
Posts: 38
OS: XP home sp3



Hi there, E here.
Probably got Phished while signing into redbox.com located via google search vice saved link :( Multiple Avira scans incomplete; Winpatrol stalls while "verifying startup programs" forcing reboot; linking attach.zip to post also froze pc requiring reboot. 2nd attempt at posting, will add zip file later.

Thanks in advance for your help!

Eric

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Main at 20:11:24 on 2011-08-29
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1420 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\DellTPad\HidFind.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://my.mdanderson.org/members/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_bho.dll
uRun: [cdloader] "c:\documents and settings\main\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [magicJack USB Autorun] E:\autorun.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [<NO NAME>]
dRunOnce: [RunNarrator] Narrator.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hewlett-packard\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/56.12/uploader2.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/e/36.24/KBTUZDFvTZs/uploader2.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} - hxxp://www.arkansashighways.com/road/acgm.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{91D30402-BB42-45C5-8797-ADE2562EC0BC} : DhcpNameServer = 10.0.0.1
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\main\application data\mozilla\firefox\profiles\ytidgxj6.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-24 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-24 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-2-24 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-24 66616]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-2-19 106496]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2008-7-30 9049]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-7-6 48472]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-7-6 43480]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-28 135664]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-7-30 115008]
S3 actccid;ActivCard USB Reader V2;c:\windows\system32\drivers\actccid.sys [2002-8-2 47660]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-28 135664]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2007-6-21 56448]
.
=============== Created Last 30 ================
.
2011-08-19 18:44:24 -------- d-----w- c:\documents and settings\main\application data\HpUpdate
2011-08-19 18:44:22 -------- d-----w- c:\windows\Hewlett-Packard
2011-08-18 18:24:53 -------- d-----w- c:\documents and settings\all users\application data\WEBREG
2011-08-18 18:24:42 -------- d-----w- c:\documents and settings\main\local settings\application data\HP
2011-08-18 18:21:12 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2011-08-18 18:21:12 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
2011-08-18 18:19:07 316928 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpfpp092.dll
2011-08-18 18:19:07 122880 ----a-w- c:\windows\system32\hpf3l092.dll
2011-08-18 18:18:34 716288 ----a-r- c:\windows\system32\hpwwiax9.dll
2011-08-18 18:18:34 593920 ----a-r- c:\windows\system32\hpwtscl5.dll
2011-08-18 18:18:34 372736 ----a-r- c:\windows\system32\hppldcoi.dll
2011-08-18 18:18:34 315392 ----a-r- c:\windows\system32\hpwvst01.dll
2011-08-18 18:17:02 -------- d-----w- c:\program files\Yahoo!
2011-08-18 18:13:13 -------- d-----w- c:\program files\common files\HP
2011-08-18 18:13:11 -------- d-----w- c:\program files\common files\Hewlett-Packard
2011-08-18 18:12:52 -------- d-----w- c:\windows\hpoj4500g510n-z
2011-08-18 18:11:10 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-08-18 18:11:10 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2011-08-10 03:09:32 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 03:08:00 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-04 04:58:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-04 00:41:05 155648 ----a-w- c:\windows\system32\igfxCoIn_v5218.dll
2011-08-04 00:41:05 1498560 ----a-w- c:\windows\system32\igkrng400.bin
2011-08-04 00:39:34 -------- d-----w- C:\Intel
2011-08-04 00:36:44 -------- d-----w- c:\program files\SystemRequirementsLab
2011-08-02 16:07:43 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
.
==================== Find3M ====================
.
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-28 21:11:04 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2010-02-24 22:04:57 3012768 ----a-w- c:\program files\spywareblastersetup42.exe
2010-02-24 20:48:22 30909992 ----a-w- c:\program files\avira_antivir_personal_en.exe
2008-08-07 04:08:22 263856409 -c--a-w- c:\program files\HP6940Default_Minimum_3A.exe
.
============= FINISH: 20:12:48.60 ===============

Alrighty. Here's the attach.zip :)

Thanks again,

Eric
Attached Files
File Type: zip Attach.zip.zip (6.7 KB, 62 views)
 
Old 09-02-2011, 07:22 AM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

A guide and tutorial on using ComboFix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 09-02-2011, 08:10 AM   #3
Registered Member
 
Join Date: Jan 2010
Posts: 38
OS: XP home sp3



Thanks.
Update: purchased HP Officejet 4500 2.5 weeks ago, loaded all software. Deleted HP products from Winpatrol startup menu. PC no longer freezes - not sure why. 9/1 ran Avira scan successfully, detected TR/Dldr.OpenConnection.KR.5; quarantined same. Continuing with your recommendations, downloading ComboFix now.
 
Old 09-02-2011, 11:56 AM   #4
Registered Member
 
Join Date: Jan 2010
Posts: 38
OS: XP home sp3



ComboFix log attached.
Thanks
Eric

ComboFix 11-09-01.03 - Main 09/02/2011 13:44:59.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1296 [GMT -5:00]
Running from: c:\documents and settings\Main\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-08-02 to 2011-09-02 )))))))))))))))))))))))))))))))
.
.
2011-08-19 18:44 . 2011-08-26 21:53 -------- d-----w- c:\documents and settings\Main\Application Data\HpUpdate
2011-08-19 18:44 . 2011-08-19 18:44 -------- d-----w- c:\windows\Hewlett-Packard
2011-08-18 18:24 . 2011-08-18 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2011-08-18 18:24 . 2011-08-26 01:59 -------- d-----w- c:\documents and settings\Main\Application Data\HP
2011-08-18 18:24 . 2011-08-18 18:24 -------- d-----w- c:\documents and settings\Main\Local Settings\Application Data\HP
2011-08-18 18:21 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2011-08-18 18:21 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\dllcache\serscan.sys
2011-08-18 18:19 . 2009-06-09 08:43 122880 ----a-w- c:\windows\system32\hpf3l092.dll
2011-08-18 18:19 . 2009-06-09 08:43 316928 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp092.dll
2011-08-18 18:18 . 2009-05-26 17:32 716288 ----a-r- c:\windows\system32\hpwwiax9.dll
2011-08-18 18:18 . 2009-05-26 17:32 593920 ----a-r- c:\windows\system32\hpwtscl5.dll
2011-08-18 18:18 . 2009-05-26 17:32 315392 ----a-r- c:\windows\system32\hpwvst01.dll
2011-08-18 18:18 . 2009-05-18 21:49 372736 ----a-r- c:\windows\system32\hppldcoi.dll
2011-08-18 18:17 . 2011-08-18 18:17 -------- d-----w- c:\documents and settings\Main\Application Data\Yahoo!
2011-08-18 18:17 . 2011-08-20 12:47 -------- d-----w- c:\program files\Yahoo!
2011-08-18 18:15 . 2011-08-18 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2011-08-18 18:13 . 2011-08-18 18:13 -------- d-----w- c:\program files\Common Files\HP
2011-08-18 18:13 . 2011-08-18 18:13 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2011-08-18 18:12 . 2011-08-18 18:12 -------- d-----w- c:\windows\hpoj4500g510n-z
2011-08-18 18:11 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-08-18 18:11 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2011-08-10 03:09 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 03:08 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-04 04:58 . 2011-08-18 00:23 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-04 00:41 . 2010-01-13 19:28 155648 ----a-w- c:\windows\system32\igfxCoIn_v5218.dll
2011-08-04 00:41 . 2010-01-13 19:18 1498560 ----a-w- c:\windows\system32\igkrng400.bin
2011-08-04 00:39 . 2011-08-04 00:39 -------- d-----w- C:\Intel
2011-08-04 00:36 . 2011-08-04 00:36 -------- d-----w- c:\program files\SystemRequirementsLab
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2004-08-10 17:51 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-10 17:51 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-28 21:11 . 2010-02-24 20:53 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-28 21:11 . 2010-02-24 20:53 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-24 14:10 . 2004-08-10 18:01 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-10 17:51 293376 ----a-w- c:\windows\system32\winsrv.dll
2010-02-24 22:04 . 2010-02-24 22:04 3012768 ----a-w- c:\program files\spywareblastersetup42.exe
2010-02-24 20:48 . 2010-02-24 20:48 30909992 ----a-w- c:\program files\avira_antivir_personal_en.exe
2008-08-07 04:08 . 2008-08-07 04:07 263856409 -c--a-w- c:\program files\HP6940Default_Minimum_3A.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Main\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-02-21 159744]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-13 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-01-13 166912]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-13 135680]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WD Anywhere Backup Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WD Anywhere Backup Launcher.lnk
backup=c:\windows\pss\WD Anywhere Backup Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Main^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Main\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-05-27 21:52 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-02-21 19:21 69632 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2011-05-16 12:50 50592 ----a-w- c:\documents and settings\Main\Application Data\mjusbsp\cdloader2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-05-21 18:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2008-03-11 17:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 18:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
c:\program files\HP\HP Software Update\HPWuSchd2.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-02-26 15:57 128296 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-02-21 19:21 16855552 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Drive Manager]
2008-02-19 09:13 438272 ----a-w- c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"sprtsvc_dellsupportcenter"=2 (0x2)
"SNAC"=2 (0x2)
"SmcService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Documents and Settings\\Main\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2/24/2010 3:53 PM 136360]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [2/19/2008 4:15 AM 106496]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [7/30/2008 8:33 PM 9049]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [7/6/2008 11:11 PM 48472]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [7/6/2008 11:11 PM 43480]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/28/2009 9:49 AM 135664]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [7/30/2008 8:33 PM 115008]
S3 actccid;ActivCard USB Reader V2;c:\windows\system32\drivers\actccid.sys [8/2/2002 4:41 PM 47660]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 1:58 PM 11336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/28/2009 9:49 AM 135664]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [6/21/2007 6:40 AM 56448]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-06 14:36]
.
.
------- Supplementary Scan -------
.
uStart Page = https://my.mdanderson.org/members/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Main\Application Data\Mozilla\Firefox\Profiles\ytidgxj6.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-09-02 13:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2676)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-02 13:50:45
ComboFix-quarantined-files.txt 2011-09-02 18:50
ComboFix2.txt 2011-09-02 15:59
.
Pre-Run: 101,564,063,744 bytes free
Post-Run: 101,548,294,144 bytes free
.
- - End Of File - - C13CEC141C67EE8CC63F15A67AFE766E
Attached Files
File Type: zip combofixlog.zip (4.6 KB, 61 views)
Old 09-02-2011, 02:13 PM   #5
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello Eric. Let me know if the machine is still behaving OK.

No need to attach logs going forward. Just copy/paste them directly into the Reply to Thread window. Thanks.

------------------------------------------------------

Please download Malwarebytes' Anti-Malware and Save it to your Desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Under the Scanner tab, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to restart your computer. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish, then click 'Finish'.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Copy/paste that log as a reply to this topic.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
report on system behavior
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 09-02-2011, 05:45 PM   #6
ebernheisel
Registered Member
Join Date: Jan 2010
Posts: 38
OS: XP home sp3

Hope your weekend was good.

Malwarebytes' Anti-Malware 1.51.1.1800
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 7639

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/2/2011 4:54:48 PM
mbam-log-2011-09-02 (16-54-48).txt

Scan type: Quick scan
Objects scanned: 181439
Time elapsed: 5 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=af49765ce5eac44784b62641b1507e4a
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-09-03 12:16:12
# local_time=2011-09-02 07:16:12 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 94 0 80371490 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=14585
# found=0
# cleaned=0
# scan_time=475

PC acts normally - no lockups have happened, no reboots needed. WinPatrol seems to be working fine. Avira might not be auto-updating, but it did complete a scan. Note: the ComboFix log was too large to post; I tried splitting it in two, still too large, so I zipped it. I might be missing something there. I've been leery about opening Outlook, so I just did without email for a few days... no biggie for me at this time. Is that just silly? I hoped to prevent spam/re-infection of my address book. Thanks again for all of your help. This is my second helping at the TSF table... what's the average donation? Eric
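As an added example (not part of the thread and not ESET's or TSF's code), a small Python checker that parses the "# key=value" header of an ESET Online Scanner log like the one posted above and reports whether the scan ran with the settings chemist asked for and whether it ran to completion. The EXPECTED table and the reading of end=finished as a completed scan are assumptions; the sample log is trimmed from the header posted in this thread.

```python
"""Added example (not from the thread): check an ESET Online Scanner log header
against the scan settings the analyst requested above."""
from typing import Dict, List, Tuple

# Settings requested in the ESET instructions above, keyed by the log's "# key=value" names.
EXPECTED = {
    "remove_checked": "false",      # "Remove found threats" unticked
    "archives_checked": "true",     # "Scan Archives" ticked
    "unwanted_checked": "true",     # potentially unwanted applications
    "unsafe_checked": "true",       # potentially unsafe applications
    "antistealth_checked": "true",  # Anti-Stealth Technology
}

def parse_eset_header(text: str) -> Dict[str, List[str]]:
    """Collect '# key=value' lines; repeated keys (compatibility_mode) keep every value in order."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("#") or "=" not in line:
            continue
        key, value = line[1:].split("=", 1)
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def review_scan(text: str) -> Tuple[List[str], Dict[str, int]]:
    """Return (problems, counters); an empty problem list means the log matches the requested scan."""
    fields = parse_eset_header(text)
    def first(key: str, default: str = "") -> str:
        return fields.get(key, [default])[0]
    problems = [f"{k}={first(k)!r}, expected {v!r}" for k, v in EXPECTED.items() if first(k) != v]
    # Assumption: end=finished marks a scan that ran to completion; anything else (stopped) is partial.
    if first("end", "missing") != "finished":
        problems.append(f"scan did not run to completion (end={first('end', 'missing')})")
    counters = {k: int(first(k, "0") or 0) for k in ("scanned", "found", "cleaned", "scan_time")}
    if counters["found"] > counters["cleaned"]:  # detections reported but left in place
        problems.append(f"{counters['found'] - counters['cleaned']} detection(s) left in place for review")
    return problems, counters

# Header lines copied from the ESET log posted above, trimmed to the fields checked here.
SAMPLE_LOG = """\
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=14585
# found=0
# cleaned=0
# scan_time=475
"""
```

On the posted log the only finding is end=stopped, i.e. the settings were right but the scan was cut short, so its "found=0" covers only the 14585 objects it got through.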
Old 09-02-2011, 09:01 PM   #7
chemist
Security Team

Hello again, Eric. You're welcome. Our donation link is down for now.

Let me know if Avira doesn't auto-update. Use Outlook and let me know.

------------------------------------------------------
Old 09-06-2011, 09:00 AM   #8
ebernheisel
Registered Member

Spoke too soon! After my last post the laptop froze on shutdown; had to turn it off using the on/off button. On restart the PC hung when trying to boot. Tried normal; last good config; and safe mode with networking to now avail. Yikes! Currently using a PC at MD Anderson Cancer Center... Will switch my TSF profile email to my wife's and use her BlackBerry to communicate with you. Unfortunately can't access TSF with her BB; browser is "outdated". Don't have a Windows disc. Do have a recent system restore point. Thanks again!

E
Old 09-06-2011, 09:01 AM   #9
ebernheisel
Registered Member

Whoops, should have spell-checked: "tried normal boot mode; last good config; and safe mode with networking to NO (not now) avail".
Old 09-06-2011, 12:40 PM   #10
chemist
Security Team

Hello again, Eric. Try System Restore in Safe Mode with Command Prompt:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, start pressing the F8 key.
  • In some systems, this may be the F5 key.
  • Instead of Windows loading as normal, a menu should appear.
  • Use the up arrow key to highlight Safe Mode with Command Prompt and press 'Enter'.
  • Login on your usual account.
------------------------------------------------------

At the command prompt, type the following then press 'Enter':

%systemroot%\system32\restore\rstrui.exe

Follow the prompts to restore to a previous restore point. Try one before the latest one.

------------------------------------------------------
Old 09-08-2011, 10:03 AM   #11
ebernheisel
Registered Member

After hitting F8 and selecting safe mode with command prompt I am asked to select either "Windows XP Home Edition" OS or "Windows Recovery Console", which has the warning "do not select, [debugger enabled]".

Selecting Windows XP Home Edition results in a screen full of white type:
multi(0)disk(0)rdisk(0)partition920\windows\system32\drivers\battc.sys"

Thinking I should select Windows Recovery Console despite the "do not select [debugger enabled]" warning, but wanted to check with you first.

Thanks
E
Old 09-08-2011, 12:34 PM   #12
chemist
Security Team

Try it again. Select Windows XP Home Edition and see if it finally loads, then try the above instructions for System Restore. If it stalls at the screen with white type again (give it a few minutes), let me know.
Old 09-09-2011, 06:35 PM   #13
ebernheisel
Registered Member

No joy. After F8, safe mode with command prompt, MS Win XP selected, the PC stalls with a screen full of white text. Tks E
Old 09-09-2011, 07:31 PM   #14
chemist
Security Team

Hello again, Eric.

Print out these instructions to use while in the Recovery Console or read off another computer:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, start pressing the F8 key.
  • In some systems, this may be the F5 key.
  • Instead of Windows loading as normal, a menu should appear.
  • Use the up arrow key to highlight Return to OS Choices Menu and press 'Enter'.
  • Use the up arrow key to highlight Microsoft Windows Recovery Console and press 'Enter'.
  • You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
  • When prompted for Administrator password, enter it and press 'Enter', or if no password, just press 'Enter'.
  • At the C:\Windows prompt, type fixboot and press 'Enter'.
  • When prompted "Are you sure you want to write a new bootsector" type y and press 'Enter'.
  • You should get the message 'The new bootsector was successfully written.'
  • Type exit and press 'Enter'.
  • Your computer should reboot. Are you able to load Windows now?
------------------------------------------------------
Old 09-10-2011, 07:31 AM   #15
ebernheisel
Registered Member

Nope, followed instructions (don't think I have an admin password set, which is highly upsetting), got a screen full of white text when loading safe mode with command prompt, and an endless stall when loading XP. Thanks for sticking with me, E
Old 09-10-2011, 07:55 AM   #16
chemist
Security Team

The last instructions didn't reference Safe Mode with Command Prompt. You were supposed to boot up in the Recovery Console.

Please explain what you saw when following the previous instructions.

Also, what model Dell is your laptop?
Old 09-10-2011, 04:13 PM   #17
ebernheisel
Registered Member

Hi Chemist. Sorry, I misspoke in my last post. I booted up in the recovery console as requested. After following all the fixboot instructions and typing exit I got the "apologies for the inconvenience but Windows did not start normally" screen with options for safe mode etc. I selected safe mode with command prompt, got the white text screen. Powered off and back up, got the same "sorry for the inconvenience" screen, let it time out at 25 seconds and start XP normally. The Dell Vostro 1510 then hung at the Win XP boot screen. E
Old 09-10-2011, 05:46 PM   #18
chemist
Security Team

Hello again, Eric. Was your laptop purchased before or after May 26, 2009?

Did you make recovery backups when or since you purchased your laptop?

Do you have access to a CD/DVD burner?

------------------------------------------------------
Old 09-10-2011, 07:55 PM   #19
ebernheisel
Registered Member

Hi Chemist, purchased the laptop before April 26, 2009; have only backed up data with a Western Digital Passport external drive - 2 weeks ago - no recovery discs - just a system restore point. Might have access to a burner at the cancer center business office. Will find out and let you know soonest. Thanks much, E
Old 09-10-2011, 10:01 PM   #20
chemist
Security Team

Hello again, Eric. Your computer may have a hidden recovery partition, allowing you to restore your computer back to factory condition.

Would you be interested in that option, or would you like to continue to try and fix it?

------------------------------------------------------

If you want to continue...
  • Download recovery_console_cd.zip to your desktop.
  • Extract it to its own folder (Next > Next > Finish).
  • Next, go to this Microsoft link to download the floppy disk setup package XP Home and save it to your desktop.
  • Right-click the floppy disk setup package and rename it to Bootdisk.exe then drag it into the recovery_console_cd folder.
  • Double-click the RecoveryCD.bat file and follow the prompts to burn a CD that will allow you to boot to the recovery console.
  • You'll be given a DOS window. Press any key then click 'Start'.
  • Let me know when you have created the CD.
------------------------------------------------------