Solved

XP computers logs in and then right back off

Posted on 2010-09-02
436 Views
Last Modified: 2012-05-10
I have a computer that logs in and right back off.  No options in safe mode (F8) will work.  I have pulled the hard drive and have it slaved to my computer via USB.  It does not have any viruses and there are no errors with chkdsk.  Any ideas on a quick fix?  I prefer not to do a repair install if I can avoid it.
Question by:kim2vp
35 Comments
 
LVL 17

Expert Comment

by:Wakeup
Just curious what programs did you use to scan for infections?
You say no viruses....so did you only use an Antivirus program?  How about malware?  spyware?  rootkits?

Author Comment

by:kim2vp
I used VIPRE Enterprise 4.0, Malwarebytes and GMER.  All are clean.
LVL 17

Expert Comment

by:Wakeup
The problem you describe is usually related to either an infection or perhaps a broken profile; however, usually by booting into safe mode you can log in and use the Administrator account and create new ones.
Just a thought.

And why would you prefer to not do a repair install?
If not that, then perhaps a parallel install?
If you do a repair install, you won't lose any programs or anything like that. You may need to redo updates, but everything else should be fine.

Author Comment

by:kim2vp
You can't log in under any user account and no safe mode option works.

>the problem you describe, usually is related to either an infection or perhaps a broken profile, however usually booting into safe >mode you can log in and use the Administrator account and create new ones........
>Just a thought.
LVL 1

Expert Comment

by:ManoranjanSinha
Just repair your Windows; you don't lose any programs or data.
LVL 23

Expert Comment

by:edbedb
It sounds like you will have to edit the Userinit value in this registry key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
It should = C:\WINDOWS\system32\userinit.exe,
If that's the case then a repair install will not help.
LVL 17

Expert Comment

by:Wakeup
Here's some info on how to repair the registry if your system is in the login/logout loop:

Taken from here: http://windowsxp.mvps.org/peboot.htm

Scenario - Incorrect registry value preventing you from logging on to your user account in Windows XP?
In this example, a basic BartPE CD without any Plugins has been used for illustration purposes. You may add as many Plugins as you want, depending upon your needs.

Verifying and fixing the Userinit value in the registry
If your PC is a victim of the malware and you are unable to log in to your profile, then you'll need to fix the registry as discussed there. As you're unable to log in, registry modification can only be done from a remote system, or via offline registry editing. This article discusses offline registry editing.

Insert the BartPE CD into the drive, and boot the system from the CD. Once the file loading phase is over, the Bart PE desktop will be visible, as shown in Figure 1.
Type Regedit.exe in the prompt, and press Enter. Select the HKEY_USERS hive
From the File menu, choose the Load Hive option. Browse to your Windows installation drive, for example the following location:
C:\Windows\System32\Config\

Select the file named SOFTWARE (the file without any extensions), and click Open
Type a name for the hive that you've loaded now. (Example: MyXPHive)
Now the SOFTWARE hive is loaded, and present under the HKEY_USERS base hive.
In order to fix the Userinit value in the loaded hive, navigate to the following location:
HKEY_USERS \ MyXPHive \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon

Double-click Userinit and set its value correctly. Example: Set its data as follows:
C:\Windows\System32\Userinit.exe,

(Include the trailing comma also. The above assumes that Windows is installed in C:\Windows, and Userinit.exe file is actually present in the System32 folder. You may want to verify that as well.)

After entering the correct data, you MUST unload the Hive. To do so, select MyXPHive branch, and then in the File menu, choose Unload Hive. It's important to note that you'll need to select the MyXPHive branch first, before unloading it.
Quit BartPE and restart Windows. See if you're able to logon to your profile.

How to create a BartPE CD:
http://www.winhelponline.com/blog/create-bartpe-bootable-cd-using-pe-builder/

------------------------

Another approach to fixing login/logout problem:
Taken from here: http://www.winxptutor.com/wsaremove.htm

Here is the solution to the logon - logoff issue in Windows XP.

Enter the Recovery Console

Boot the system using the Windows XP CD-ROM. In the first screen when Setup begins, read the instructions and press "R" to enter the Recovery Console. Type in the built-in Administrator password to enter the Console. You'll see the prompt reading C:\Windows (or any other drive letter where you've installed XP).

Type the following command and press Enter.

CD SYSTEM32
(If that does not work, try CHDIR SYSTEM32)

COPY USERINIT.EXE WSAUPDATER.EXE

Quit Recovery Console by typing EXIT and restart Windows.

You'll be able to login successfully as you've created the wsaupdater.exe file (now, a copy of userinit.exe)

Now, change the USERINIT value in the registry (see Phase II in this page) and change it accordingly.

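The check the two articles above describe by hand (correct Userinit path, trailing comma, file actually present, nothing extra appended) can be scripted against a reg export of the loaded hive. This is an added example, not code from the thread or the linked articles: it parses a Winlogon key out of reg-export text and reports what a defender would want flagged. The loaded-hive name MyXPHive, the constructed SAMPLE_EXPORT (which includes the wsaupdater.exe entry the second article talks about) and the file_exists callback are assumptions.

```python
import re
from typing import Callable, Dict, List, Optional

# Key the Winlogon values live under on a running system. When the SOFTWARE
# hive is loaded offline under HKEY_USERS\MyXPHive (the BartPE steps above),
# the same values sit under that loaded name instead (assumed name).
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LOADED_HIVE_KEY = r"HKEY_USERS\MyXPHive\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample of a "reg export" of the loaded hive, with a second
# program appended to Userinit the way the wsaupdater.exe case looks.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\MyXPHive\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\wsaupdater.exe,"
'''


def parse_reg_export(text: str, key: str) -> Dict[str, str]:
    """Return the "Name"="value" pairs found under one key of a .reg export.
    Only string values are handled; the doubled backslashes of the export
    format are collapsed back to single ones."""
    values: Dict[str, str] = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key:
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def audit_userinit(value: str, system_root: str = r"C:\WINDOWS",
                   file_exists: Optional[Callable[[str], bool]] = None) -> List[str]:
    r"""Return the problems with a Userinit value (an empty list means clean).

    The articles above expect exactly "<system_root>\system32\userinit.exe,"
    with the trailing comma. A different first entry (the x:\i386 path seen
    in BartPE's own registry, or wsaupdater.exe) breaks logon, and any extra
    entry is a program started at every logon, which is worth a look."""
    problems: List[str] = []
    expected = f"{system_root}\\system32\\userinit.exe"
    if not value.rstrip().endswith(","):
        problems.append("missing trailing comma")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        return problems + ["value is empty"]
    if entries[0].lower() != expected.lower():
        problems.append(f"first entry is {entries[0]!r}, expected {expected!r}")
    for extra in entries[1:]:
        problems.append(f"extra program launched at logon: {extra!r}")
    if file_exists is not None:  # optional so the check also runs off-box
        for entry in entries:
            if not file_exists(entry):
                problems.append(f"file not found: {entry!r}")
    return problems


def audit_winlogon(reg_text: str, key: str = WINLOGON_KEY,
                   system_root: str = r"C:\WINDOWS",
                   file_exists: Optional[Callable[[str], bool]] = None) -> Dict[str, List[str]]:
    """Audit the Userinit and Shell values from an exported Winlogon key."""
    values = parse_reg_export(reg_text, key)
    report: Dict[str, List[str]] = {}
    userinit = values.get("Userinit")
    report["Userinit"] = (["value missing"] if userinit is None
                          else audit_userinit(userinit, system_root, file_exists))
    shell = values.get("Shell", "")
    report["Shell"] = ([] if shell.lower() == "explorer.exe"
                       else [f"Shell is {shell!r}, expected 'Explorer.exe'"])
    return report


if __name__ == "__main__":
    # Pretend only the genuine userinit.exe exists on the slaved drive.
    present = {r"c:\windows\system32\userinit.exe"}
    for name, problems in audit_winlogon(
            SAMPLE_EXPORT, key=LOADED_HIVE_KEY,
            file_exists=lambda p: p.lower() in present).items():
        print(name, "OK" if not problems else problems)
```

On a real hive, feed it the text produced by exporting the loaded key from regedit and pass a file_exists that checks the slaved drive.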
LVL 5

Expert Comment

by:zzx999
Maybe you just have non-activated Windows which just expired?

Author Comment

by:kim2vp
>Maybe you just have non activated windows which  just expired?

We have a volume license and I never received any popup asking for activation so I doubt that is it.
LVL 17

Expert Comment

by:Wakeup
Any luck yet with trying some of the other things suggested?


Author Comment

by:kim2vp
I started a repair at about 2:50pm and it is still running - it says 27 minutes left - it may be locked up.
LVL 23

Expert Comment

by:edbedb
A repair install was not the 1st thing you should have tried. I hope it works for you.

Author Comment

by:kim2vp
>A repair install was not the 1st thing you should have tried. I hope it works for you.

Maybe so but I started it before I got the other suggestions and figured since BOTH Wakeup and ManoranjanSi… suggested repair it was worth a try.

I'm guessing it's locked up since it is still sitting at 27%

Author Comment

by:kim2vp
Now it says 14 minutes remaining, so maybe not locked up.

Author Comment

by:kim2vp
The repair install finished and I logged in as administrator and have the exact same issue.  I imaged my drive, so I'm going to re-image from the backup and try one of the other solutions.

Author Comment

by:kim2vp
So I've re-imaged the drive and have a BartPE CD.

1. I just tested the image and have the same issue with immediate logoff.
2. I load BartPE and can run regedit, but I can't load the hive: the "Load Hive" option is grayed out.

Type Regedit.exe in the prompt, and press Enter. Select the HKEY_USERS hive
From the File menu, choose the Load Hive option. Browse to your Windows installation drive, for example the following location:
C:\Windows\System32\Config\

3. I find this entry

userinit=x:\i386\system32\userinit.exe

I change it to:

userinit=c:\windows\system32\userinit.exe

I reboot and have the same issue.

4. I reload bartPE and notice the setting I changed is back to userinit=x:\i386\system32\userinit.exe

I also notice that since the drive was reimaged the C drive is not the backup drive and the D drive had the install files.

I reload bartPE and try:

userinit=c:\windows\system32\userinit.exe

no luck then

userinit=%systemroot%\windows\system32\userinit.exe

still no luck


So 1- How do I switch the c and d drives back?

and 2 - any other ideas?

Thanks.
LVL 23

Expert Comment

by:edbedb
To load the hive you should have the HKEY Local Machine key selected then the Load Hive won't be grayed out.
The key you edited is in the BART PE registry and is not saved.
You have to load the software hive in C:\Windows\System32\Config\ edit the key then unload the hive.


Author Comment

by:kim2vp
When I try to load it I get

Access is denied

Author Comment

by:kim2vp
I was loading the wrong hive.

So I loaded the hive and the setting for userinit is already correct
LVL 23

Expert Comment

by:edbedb
In that case it might be the file userinit.exe itself that needs to be replaced. I would try that.

Author Comment

by:kim2vp
I loaded the BartPE drive and followed the instructions at Microsoft KB223188 to switch the drive letters.  I rebooted and Windows loads and gives this error:

One of the files containing the system registry data had to be recovered by use of a log or alternate copy. The recovery was successful.

Windows loads but is so slow it's unusable.

Author Comment

by:kim2vp
I rebooted and ran a hardware test from the hp boot screen and had no errors.
LVL 1

Expert Comment

by:ManoranjanSinha
Then I think you should prepare a fresh installation of Windows. It is not a hardware issue.
LVL 23

Expert Comment

by:edbedb
Did the hardware test run a thorough diagnostic on the hard drive?

Author Comment

by:kim2vp
Yes and I've tried two hard drives with the same image
LVL 23

Expert Comment

by:edbedb
You don't have both of them attached to the system now do you?

Author Comment

by:kim2vp
No, just one is attached. I scanned the other one for problems or viruses/malware and it's clean.

Author Comment

by:kim2vp
Despite no virus or malware infections being found, I found something in the registry, see the image below.  Not sure if it's from a previous infection or something brand new that the scanners are not finding.

And the issue of the C and D drive being swapped does not appear to be from the imaging but is perhaps the initial root of this issue.


2010-09-03-11-38-14-40.jpg
LVL 23

Accepted Solution

by:edbedb (earned 500 total points)
There has to be some kind of malware that is still alive and well in your system.
I would give ComboFix a try. Please follow the instructions carefully and include the ComboFix log in your next post.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Author Comment

by:kim2vp
Here is the combofix log:

ComboFix 10-09-02.04 - glen 09/03/2010  13:11:54.1.3 - x86
Running from: D:\ComboFix.exe
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\glen\g2mdlhlpx.exe
c:\windows\counex.dll
c:\windows\patch.exe
c:\windows\system32\tmp2.tmp

.
(((((((((((((((((((((((((   Files Created from 2010-08-03 to 2010-09-03  )))))))))))))))))))))))))))))))
.

2010-09-03 16:22 . 2010-09-03 16:22      --------      d-----w-      c:\documents and settings\glen\Application Data\Malwarebytes
2010-09-03 16:21 . 2010-04-29 19:39      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-03 16:21 . 2010-09-03 16:21      --------      d-----w-      c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-03 16:21 . 2010-04-29 19:39      20952      ----a-w-      c:\windows\system32\drivers\mbam.sys
2010-09-03 16:21 . 2010-09-03 16:21      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2010-09-01 21:03 . 2010-09-01 21:03      --------      d-sh--w-      c:\documents and settings\Administrator.POS\PrivacIE
2010-08-24 14:45 . 2010-08-24 14:45      --------      d-----w-      c:\documents and settings\glen\TOSHIBA

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-03 17:56 . 2010-04-08 13:44      --------      d-----w-      c:\documents and settings\All Users\Application Data\DIGStream
2010-09-03 17:31 . 2008-11-17 13:53      --------      d-----w-      c:\program files\ATI Technologies
2010-09-03 16:22 . 2010-09-03 16:22      664      ----a-w-      c:\windows\system32\d3d9caps.tmp
2010-09-03 15:08 . 2010-07-14 13:50      --------      d-----w-      c:\program files\DisplayLink Core Software
2010-09-01 21:02 . 2010-07-14 13:45      --------      d-----w-      c:\documents and settings\Administrator.POS\Application Data\LAIM
2010-08-12 07:10 . 2010-04-08 14:17      --------      d-----w-      c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-14 18:22 . 2010-07-14 18:22      44544      ----a-w-      c:\windows\system32\agremove.exe
2010-07-14 13:54 . 2010-07-14 13:54      --------      d-----w-      c:\documents and settings\All Users\Application Data\nView_Profiles
2010-07-14 13:46 . 2005-07-16 19:49      187912      ----a-w-      c:\documents and settings\Administrator.POS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-14 13:45 . 2010-07-14 13:45      --------      d-----w-      c:\documents and settings\Administrator.POS\Application Data\Sunbelt
2010-07-14 13:45 . 2010-07-14 13:45      --------      d-----w-      c:\documents and settings\Administrator.POS\Application Data\ATI
2010-06-30 12:31 . 2008-04-14 09:42      149504      ----a-w-      c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2008-04-14 09:42      916480      ----a-w-      c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2008-04-14 05:00      1851904      ----a-w-      c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-14 04:45      354304      ----a-w-      c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-14 09:41      80384      ----a-w-      c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-05-20 21:36      744448      ----a-w-      c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-14 09:42      1172480      ----a-w-      c:\windows\system32\msxml3.dll
2008-04-07 06:59 . 2008-05-22 20:43      67696      ----a-w-      c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 . 2008-05-22 20:43      54376      ----a-w-      c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 . 2008-05-22 20:43      34952      ----a-w-      c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 . 2008-05-22 20:43      46720      ----a-w-      c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 . 2008-05-22 20:43      172144      ----a-w-      c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2010-04-19 1275216]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 19968]
"laim"="c:\program files\AIM Lite\aimlite.exe" [2007-06-07 765952]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-10-16 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-10-16 114688]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-12-09 122880]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2003-4-17 315392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"HideShutdownScripts"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2692797904-1396755957-3534047340-1131\Scripts\Logon\0\0]
"Script"=poslogin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2692797904-1396755957-3534047340-500\Scripts\Logon\0\0]
"Script"=poslogin.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [5/12/2010 12:38 PM 13400]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 9:02 AM 95024]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [9/28/2009 4:04 PM 204632]
R2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [1/27/2010 12:14 PM 4752744]
R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [4/19/2010 1:48 PM 2726000]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [5/12/2010 12:39 PM 69720]
R2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\SBEAgent\SBPIMSvc.exe [4/19/2010 1:47 PM 181584]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/22/2009 1:11 PM 24652]
R3 DisplayLinkFilter;DisplayLinkFilter;c:\windows\system32\drivers\DisplayLinkFilter.sys [1/27/2010 12:15 PM 7040]
R3 DisplayLinkGA;DisplayLinkGA;c:\windows\system32\drivers\DisplayLinkGAport.sys [1/27/2010 12:15 PM 27776]
R3 DisplayLinkmirror;DisplayLinkmirror;c:\windows\system32\drivers\DisplayLinkmirrorport.sys [1/27/2010 12:15 PM 24320]
R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\drivers\DisplayLinkUsbPort_5.2.23219.0.sys [1/27/2010 4:14 PM 21888]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/3/2010 12:21 PM 38224]
S4 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [3/11/2010 10:53 AM 85080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-09-03 c:\windows\Tasks\User_Feed_Synchronization-{2233F561-6A7A-4597-A4E1-E418CDC84D9E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\glen\Application Data\Mozilla\Firefox\Profiles\zfcn50wg.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: XUL Cache: {1A41F3E0-2619-4F58-8922-32ED54D55743} - c:\documents and settings\glen\Local Settings\Application Data\{1A41F3E0-2619-4F58-8922-32ED54D55743}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-PROMon.exe - PROMon.exe
Notify-AtiExtEvent - (no file)
AddRemove-HijackThis - f:\apps\HijackThis.exe
AddRemove-WinZip - c:\documents and settings\Glen\Desktop\Technical Support\WinZip\WINZIP32.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-03 13:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(804)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(196)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\DisplayLink Core Software\DisplayLinkUserAgent.exe
c:\program files\DisplayLink Core Software\DisplayLinkUI.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\Logi_MwX.Exe
c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
.
**************************************************************************
.
Completion time: 2010-09-03  14:00:27 - machine was rebooted
ComboFix-quarantined-files.txt  2010-09-03 18:00

Pre-Run: 462,975,627,264 bytes free
Post-Run: 463,359,074,304 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 72922AD18DB4038FAA4CD99B90313D94
LVL 23

Expert Comment

by:edbedb
Is it still running slow? Is it the same in safe mode?

Author Comment

by:kim2vp
It is not running slow anymore.  It does not look like combo fix did anything but now the system does seem back to normal.  
LVL 23

Expert Comment

by:edbedb
I am happy to hear that.
LVL 29

Expert Comment

by:Sudeep Sharma
>>>It is not running slow anymore.  It does not look like combo fix did anything but now the system does seem back to normal.  

Hi kim2vp,

Did you say that ComboFix has not done anything? Right... then please look at the ComboFix logs again. I have pasted the part that you should pay attention to:

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\glen\g2mdlhlpx.exe
c:\windows\counex.dll
c:\windows\patch.exe
c:\windows\system32\tmp2.tmp

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-PROMon.exe - PROMon.exe
Notify-AtiExtEvent - (no file)
AddRemove-HijackThis - f:\apps\HijackThis.exe
AddRemove-WinZip - c:\documents and settings\Glen\Desktop\Technical Support\WinZip\WINZIP32.EXE
**************************************************************************
Also this file looks suspicious to me, so please remove it if it is still there:

c:\windows\system32\d3d9caps.tmp

Sudeep

Author Comment

by:kim2vp
After running fine for a few weeks this computer started locking up again, I decided to backup the data and do a reformat.  