Solved

XP computers logs in and then right back off

Posted on 2010-09-02
35
440 Views
Last Modified: 2012-05-10
I have a computer that logs in and right back off.  No options in safe mode (F8) will work.  I have pulled the hard drive and have it slaved to my computer via USB.  It does not have any viruses and there are no errors with chkdsk.  Any ideas on a quick fix?  I prefer not to do a repair install if I can avoid it.
Question by:kim2vp
35 Comments
 
LVL 17

Expert Comment

by:Wakeup
ID: 33589904
Just curious what programs did you use to scan for infections?
You say no viruses....so did you only use an Antivirus program?  How about malware?  spyware?  rootkits?
0
 

Author Comment

by:kim2vp
ID: 33589914
I used VIPRE Enterprise 4.0, Malwarebytes and GMER.  All are clean.
0
 
LVL 17

Expert Comment

by:Wakeup
ID: 33589942
The problem you describe is usually related to either an infection or perhaps a broken profile; however, usually by booting into safe mode you can log in with the Administrator account and create new ones........
Just a thought.

And why would you prefer not to do a repair install?
If not, then perhaps a parallel install?
If you do a repair install, you won't lose any programs or anything like that....you may need to redo updates...but everything else should be fine.
0
 

Author Comment

by:kim2vp
ID: 33589956
You can't login under any user account and no safe mode option works.  

>the problem you describe, usually is related to either an infection or perhaps a broken profile, however usually booting into safe >mode you can log in and use the Administrator account and create new ones........
>Just a thought.
0
 
LVL 1

Expert Comment

by:ManoranjanSinha
ID: 33590009
Just repair your Windows, you don't lose any programs or data.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 33590086
It sounds like you will have to edit the userinit value in this registry key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
It should = C:\WINDOWS\system32\userinit.exe,
If that's the case then a repair install will not help.
0
 
LVL 17

Expert Comment

by:Wakeup
ID: 33590097
Here's some info on how to repair the registry if your system is in the login/logout loop:

Taken from here: http://windowsxp.mvps.org/peboot.htm

Scenario - Incorrect registry value preventing you from logging on to your user account in Windows XP ?
In this example, a basic BartPE CD without any Plugins, has been used for illustration purposes. You may add as many Plugins as you want, depending upon your needs.

Verifying and fixing the Userinit value in the registry
If your PC is a victim of the Malware, and unable to login to your profile, then you'll need to fix the registry as discussed there. As you're unable to login, registry modification can only be done from a remote system, or via offline registry editing. This article discusses offline registry editing.

Insert the BartPE CD into the drive, and boot the system from the CD. Once the file loading phase is over, the Bart PE desktop will be visible, as shown in Figure 1.
Type Regedit.exe in the prompt, and press Enter. Select the HKEY_USERS hive
From the File menu, choose the Load Hive option. Browse to your Windows installation drive, for example the following location:
C:\Windows\System32\Config\

Select the file named SOFTWARE (the file without any extensions), and click Open
Type a name for the hive that you've loaded now. (Example: MyXPHive)
Now the SOFTWARE hive is loaded, and present under the HKEY_USERS base hive.
In order to fix the Userinit value in the loaded hive, navigate to the following location:
HKEY_USERS \ MyXPHive \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon

Double-click Userinit and set its value correctly. Example: Set its data as follows:
C:\Windows\System32\Userinit.exe,

(Include the trailing comma also. The above assumes that Windows is installed in C:\Windows, and Userinit.exe file is actually present in the System32 folder. You may want to verify that as well.)

After entering the correct data, you MUST unload the Hive. To do so, select MyXPHive branch, and then in the File menu, choose Unload Hive. It's important to note that you'll need to select the MyXPHive branch first, before unloading it.
Quit BartPE and restart Windows. See if you're able to logon to your profile.

How to create a BartPE CD:
http://www.winhelponline.com/blog/create-bartpe-bootable-cd-using-pe-builder/

------------------------

Another approach to fixing login/logout problem:
Taken from here: http://www.winxptutor.com/wsaremove.htm

Here is the solution to the logon - logoff issue in Windows XP.

Enter the Recovery Console

Boot the system using the Windows XP CD-ROM. In the first screen when the Setup begins, read the instructions, press "R" (in the first screen) to enter the Recovery Console. Type in the built-in Administrator password to enter the Console. You'll see the prompt reading C:\Windows (or any other drive letter where you've installed XP).

Type the following command and press Enter.

CD SYSTEM32
(If that does not work, try CHDIR SYSTEM32)

COPY USERINIT.EXE WSAUPDATER.EXE

Quit Recovery Console by typing EXIT and restart Windows.

You'll be able to login successfully as you've created the wsaupdater.exe file (now, a copy of userinit.exe)

Now, change the USERINIT value in the registry (see Phase II in this page) and change it accordingly.

0
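A small validator for the Userinit value, added here as an example (it is not code from the mvps.org or winxptutor articles quoted above, nor from edbedb's post). It takes the string you see in the loaded hive, expands %SystemRoot% against the patient's Windows folder rather than the BartPE session's, and reports the three ways the value goes wrong in this thread: a path on the wrong drive letter (the x:\i386\... value), a doubled folder from expanding %systemroot%\windows\..., and extra programs chained after userinit.exe. The wsaupdater.exe entry in the last sample is constructed to mirror the winxptutor scenario.

```python
"""Check a Winlogon Userinit value read from an offline SOFTWARE hive.

Added example for this thread; it is not code from the linked articles. It
works on the value string alone (what regedit shows after File > Load Hive),
so it runs anywhere. %SystemRoot% is expanded against the root you pass in,
because the loaded hive belongs to the patient, not to the BartPE session.
"""
import ntpath
import re

EXPECTED_IMAGE = r"system32\userinit.exe"   # relative to the patient's SystemRoot
ENV_RE = re.compile(r"%(systemroot|windir)%", re.I)


def normalize_entry(entry, system_root):
    """Strip quotes, expand %SystemRoot%/%windir% with the patient's root, normalise."""
    expanded = ENV_RE.sub(lambda _m: system_root, entry.strip().strip('"'))
    return ntpath.normpath(expanded).lower()


def check_userinit(value, system_root=r"C:\Windows"):
    """Report what is wrong with a Userinit value.

    Winlogon launches every comma-separated entry; if the first one points at a
    file that does not exist on this drive letter, the shell never starts and the
    session logs straight back off, which is the symptom in this thread.
    """
    expected = ntpath.normpath(ntpath.join(system_root, EXPECTED_IMAGE)).lower()
    entries = [normalize_entry(e, system_root) for e in value.split(",") if e.strip()]
    report = {
        "entries": entries,
        "has_trailing_comma": value.rstrip().endswith(","),
        "wrong_path": [],        # userinit.exe, but not where this install keeps it
        "extra_programs": [],    # anything that is not userinit.exe at all
        "ok": False,
    }
    for e in entries:
        if e == expected:
            continue
        if ntpath.basename(e) == "userinit.exe":
            report["wrong_path"].append(e)
        else:
            report["extra_programs"].append(e)
    report["ok"] = (expected in entries
                    and not report["wrong_path"]
                    and not report["extra_programs"])
    return report


def repaired_value(system_root=r"C:\Windows"):
    """The value the quoted articles tell you to enter, trailing comma included."""
    return ntpath.join(system_root, "system32", "userinit.exe") + ","


if __name__ == "__main__":
    # Values that appear in this thread, plus one constructed extra-program case.
    for v in (r"C:\Windows\System32\Userinit.exe,",
              r"x:\i386\system32\userinit.exe",
              r"%systemroot%\windows\system32\userinit.exe",
              r"C:\Windows\system32\userinit.exe,C:\Windows\system32\wsaupdater.exe,"):
        print(repr(v), "->", check_userinit(v))
    print("repair with:", repaired_value())
```

Run it on the value before and after editing; ok being True together with has_trailing_comma True means the value matches what the articles tell you to enter. Nothing here touches a registry, live or offline, so it is safe to run from the BartPE session or from the machine the drive is slaved to.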
 
LVL 5

Expert Comment

by:zzx999
ID: 33590138
Maybe you just have non-activated Windows which just expired?
0
 

Author Comment

by:kim2vp
ID: 33590233
>Maybe you just have non activated windows which  just expired?

We have a volume license and I never received any popup asking for activation so I doubt that is it.
0
 
LVL 17

Expert Comment

by:Wakeup
ID: 33590413
Any luck yet with trying some of the other things suggested?

0
 

Author Comment

by:kim2vp
ID: 33591294
I started a repair about 2:50 pm and it is still running - it says 27 minutes left - it may be locked up.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 33591322
A repair install was not the 1st thing you should have tried. I hope it works for you.
0
 

Author Comment

by:kim2vp
ID: 33591353
>A repair install was not the 1st thing you should have tried. I hope it works for you.

Maybe so but I started it before I got the other suggestions and figured since BOTH Wakeup and ManoranjanSi… suggested repair it was worth a try.

I'm guessing it is locked up since it is still sitting at 27%
0
 

Author Comment

by:kim2vp
ID: 33591397
Now it says 14 minutes remaining, so maybe not locked up.
0
 

Author Comment

by:kim2vp
ID: 33591655
The repair install finished and I logged in as administrator and have the exact same issue.  I imaged my drive so I'm going to re-image from the backup and try one of the other solutions.  
0
 

Author Comment

by:kim2vp
ID: 33596458
So I've re-imaged the drive and have a BartPE CD.

1. I just tested the image and have the same issue with immediate logoff.
2. I load BartPE and I can run regedit, but I can't Load the Hive; the "Load Hive" option is grayed out.

Type Regedit.exe in the prompt, and press Enter. Select the HKEY_USERS hive
From the File menu, choose the Load Hive option. Browse to your Windows installation drive, for example the following location:
C:\Windows\System32\Config\

3. I find this entry

userinit=x:\i386\system32\userinit.exe

I change it to:

userinit=c:\windows\system32\userinit.exe

I reboot and have the same issue.

4. I reload bartPE and notice the setting I changed is back to userinit=x:\i386\system32\userinit.exe

I also notice that since the drive was reimaged the C drive is not the backup drive and the D drive had the install files.

I reload bartPE and try:

userinit=c:\windows\system32\userinit.exe

no luck then

userinit=%systemroot%\windows\system32\userinit.exe

still no luck


So 1- How do I switch the c and d drives back?

and 2 - any other ideas?

Thanks.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 33596526
To load the hive you should have the HKEY_LOCAL_MACHINE key selected; then the Load Hive option won't be grayed out.
The key you edited is in the BART PE registry and is not saved.
You have to load the software hive in C:\Windows\System32\Config\ edit the key then unload the hive.

0
 

Author Comment

by:kim2vp
ID: 33596777
When I try to load it I get

Access is denied
0
 

Author Comment

by:kim2vp
ID: 33596847
I was loading the wrong hive

So I loaded the hive and the setting for userinit is already correct
0
 
LVL 23

Expert Comment

by:edbedb
ID: 33596976
In that case it might be the file userinit.exe itself that needs to be replaced. I would try that.
0
 

Author Comment

by:kim2vp
ID: 33597179
I loaded the BartPE drive and followed instructions at Microsoft KB 223188 to switch the drive letters.  I rebooted and Windows loads and gives this error:

One of the files containing the system registry data had to be recovered by use of a log or alternate copy. The recovery was successful.

Windows loads but is so slow it's unusable.
0
 

Author Comment

by:kim2vp
ID: 33597233
I rebooted and ran a hardware test from the hp boot screen and had no errors.
0
 
LVL 1

Expert Comment

by:ManoranjanSinha
ID: 33597336
Then, I think you should prepare a fresh installation of Windows. It is not a hardware issue.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 33597374
Did the hardware test run a thorough diagnostic on the hard drive?
0
 

Author Comment

by:kim2vp
ID: 33597424
Yes and I've tried two hard drives with the same image
0
 
LVL 23

Expert Comment

by:edbedb
ID: 33597465
You don't have both of them attached to the system now do you?
0
 

Author Comment

by:kim2vp
ID: 33597718
No, just one is attached. I scanned the other one for problems or virus/malware and it's clean.
0
 

Author Comment

by:kim2vp
ID: 33597877
Despite not having any virus or malware infections found, I found something in the registry, see the image below.  Not sure if it's from a previous infection or something brand new that the scanners are not finding.

And the issue of the C and D drive being swapped does not appear to be from the imaging but is perhaps the initial root of this issue.


2010-09-03-11-38-14-40.jpg
0
 
LVL 23

Accepted Solution

by:
edbedb earned 500 total points
ID: 33597902
There has to be some kind of malware that is still alive and well in your system.
I would give ComboFix a try. Please follow the instructions carefully and include the ComboFix log in your next post.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix 
0
 

Author Comment

by:kim2vp
ID: 33599209
Here is the combofix log:

ComboFix 10-09-02.04 - glen 09/03/2010  13:11:54.1.3 - x86
Running from: D:\ComboFix.exe
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\glen\g2mdlhlpx.exe
c:\windows\counex.dll
c:\windows\patch.exe
c:\windows\system32\tmp2.tmp

.
(((((((((((((((((((((((((   Files Created from 2010-08-03 to 2010-09-03  )))))))))))))))))))))))))))))))
.

2010-09-03 16:22 . 2010-09-03 16:22      --------      d-----w-      c:\documents and settings\glen\Application Data\Malwarebytes
2010-09-03 16:21 . 2010-04-29 19:39      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-03 16:21 . 2010-09-03 16:21      --------      d-----w-      c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-03 16:21 . 2010-04-29 19:39      20952      ----a-w-      c:\windows\system32\drivers\mbam.sys
2010-09-03 16:21 . 2010-09-03 16:21      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2010-09-01 21:03 . 2010-09-01 21:03      --------      d-sh--w-      c:\documents and settings\Administrator.POS\PrivacIE
2010-08-24 14:45 . 2010-08-24 14:45      --------      d-----w-      c:\documents and settings\glen\TOSHIBA

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-03 17:56 . 2010-04-08 13:44      --------      d-----w-      c:\documents and settings\All Users\Application Data\DIGStream
2010-09-03 17:31 . 2008-11-17 13:53      --------      d-----w-      c:\program files\ATI Technologies
2010-09-03 16:22 . 2010-09-03 16:22      664      ----a-w-      c:\windows\system32\d3d9caps.tmp
2010-09-03 15:08 . 2010-07-14 13:50      --------      d-----w-      c:\program files\DisplayLink Core Software
2010-09-01 21:02 . 2010-07-14 13:45      --------      d-----w-      c:\documents and settings\Administrator.POS\Application Data\LAIM
2010-08-12 07:10 . 2010-04-08 14:17      --------      d-----w-      c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-14 18:22 . 2010-07-14 18:22      44544      ----a-w-      c:\windows\system32\agremove.exe
2010-07-14 13:54 . 2010-07-14 13:54      --------      d-----w-      c:\documents and settings\All Users\Application Data\nView_Profiles
2010-07-14 13:46 . 2005-07-16 19:49      187912      ----a-w-      c:\documents and settings\Administrator.POS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-14 13:45 . 2010-07-14 13:45      --------      d-----w-      c:\documents and settings\Administrator.POS\Application Data\Sunbelt
2010-07-14 13:45 . 2010-07-14 13:45      --------      d-----w-      c:\documents and settings\Administrator.POS\Application Data\ATI
2010-06-30 12:31 . 2008-04-14 09:42      149504      ----a-w-      c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2008-04-14 09:42      916480      ----a-w-      c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2008-04-14 05:00      1851904      ----a-w-      c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-14 04:45      354304      ----a-w-      c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-14 09:41      80384      ----a-w-      c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-05-20 21:36      744448      ----a-w-      c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-14 09:42      1172480      ----a-w-      c:\windows\system32\msxml3.dll
2008-04-07 06:59 . 2008-05-22 20:43      67696      ----a-w-      c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 06:59 . 2008-05-22 20:43      54376      ----a-w-      c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 06:59 . 2008-05-22 20:43      34952      ----a-w-      c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 06:59 . 2008-05-22 20:43      46720      ----a-w-      c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 06:59 . 2008-05-22 20:43      172144      ----a-w-      c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2010-04-19 1275216]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-03 18085888]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 19968]
"laim"="c:\program files\AIM Lite\aimlite.exe" [2007-06-07 765952]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-10-16 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-10-16 114688]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-12-09 122880]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2005-05-18 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2003-4-17 315392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"HideShutdownScripts"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2692797904-1396755957-3534047340-1131\Scripts\Logon\0\0]
"Script"=poslogin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2692797904-1396755957-3534047340-500\Scripts\Logon\0\0]
"Script"=poslogin.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LiveUpdate"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [5/12/2010 12:38 PM 13400]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 9:02 AM 95024]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [9/28/2009 4:04 PM 204632]
R2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [1/27/2010 12:14 PM 4752744]
R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [4/19/2010 1:48 PM 2726000]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [5/12/2010 12:39 PM 69720]
R2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\SBEAgent\SBPIMSvc.exe [4/19/2010 1:47 PM 181584]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/22/2009 1:11 PM 24652]
R3 DisplayLinkFilter;DisplayLinkFilter;c:\windows\system32\drivers\DisplayLinkFilter.sys [1/27/2010 12:15 PM 7040]
R3 DisplayLinkGA;DisplayLinkGA;c:\windows\system32\drivers\DisplayLinkGAport.sys [1/27/2010 12:15 PM 27776]
R3 DisplayLinkmirror;DisplayLinkmirror;c:\windows\system32\drivers\DisplayLinkmirrorport.sys [1/27/2010 12:15 PM 24320]
R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\drivers\DisplayLinkUsbPort_5.2.23219.0.sys [1/27/2010 4:14 PM 21888]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [9/3/2010 12:21 PM 38224]
S4 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [3/11/2010 10:53 AM 85080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12      REG_MULTI_SZ         Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-09-03 c:\windows\Tasks\User_Feed_Synchronization-{2233F561-6A7A-4597-A4E1-E418CDC84D9E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\glen\Application Data\Mozilla\Firefox\Profiles\zfcn50wg.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: XUL Cache: {1A41F3E0-2619-4F58-8922-32ED54D55743} - c:\documents and settings\glen\Local Settings\Application Data\{1A41F3E0-2619-4F58-8922-32ED54D55743}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-PROMon.exe - PROMon.exe
Notify-AtiExtEvent - (no file)
AddRemove-HijackThis - f:\apps\HijackThis.exe
AddRemove-WinZip - c:\documents and settings\Glen\Desktop\Technical Support\WinZip\WINZIP32.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-03 13:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(804)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(196)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\DisplayLink Core Software\DisplayLinkUserAgent.exe
c:\program files\DisplayLink Core Software\DisplayLinkUI.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\Logi_MwX.Exe
c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
.
**************************************************************************
.
Completion time: 2010-09-03  14:00:27 - machine was rebooted
ComboFix-quarantined-files.txt  2010-09-03 18:00

Pre-Run: 462,975,627,264 bytes free
Post-Run: 463,359,074,304 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 72922AD18DB4038FAA4CD99B90313D94
0
 
LVL 23

Expert Comment

by:edbedb
ID: 33599549
Is it still running slow? Is it the same in safe mode?
0
 

Author Comment

by:kim2vp
ID: 33599580
It is not running slow anymore.  It does not look like combo fix did anything but now the system does seem back to normal.  
0
 
LVL 23

Expert Comment

by:edbedb
ID: 33599707
I am happy to hear that.
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 33738204
>>>It is not running slow anymore.  It does not look like combo fix did anything but now the system does seem back to normal.  

Hi kim2vp,

Did you say that ComboFix has not done anything? Right.... then please look at the ComboFix logs again. I have pasted the part that you should put emphasis on

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\glen\g2mdlhlpx.exe
c:\windows\counex.dll
c:\windows\patch.exe
c:\windows\system32\tmp2.tmp

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-PROMon.exe - PROMon.exe
Notify-AtiExtEvent - (no file)
AddRemove-HijackThis - f:\apps\HijackThis.exe
AddRemove-WinZip - c:\documents and settings\Glen\Desktop\Technical Support\WinZip\WINZIP32.EXE
**************************************************************************
Also this file looks suspicious to me, so please remove it if it is still there:

c:\windows\system32\d3d9caps.tmp

Sudeep
0
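To make Sudeep's point concrete, here is an added example (not a ComboFix tool, and not from any post in this thread) that parses the section layout ComboFix uses and pulls out what actually changed or deserves a second look. The sample log is constructed from lines quoted in this thread: the Other Deletions and ORPHANS REMOVED sections, the firewall and open-port keys, and the vsdatant service whose ImagePath is the single letter a.

```python
"""Triage a ComboFix log: what was removed, what autostarts were orphaned, and
which registry settings in the 'Reg Loading Points' dump merit a look.

Added example for this thread, not ComboFix code. SAMPLE_LOG is constructed
from lines quoted in the thread so the script runs offline.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\glen\g2mdlhlpx.exe
c:\windows\counex.dll
c:\windows\patch.exe
c:\windows\system32\tmp2.tmp

.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2010-04-19 1275216]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-PROMon.exe - PROMon.exe
Notify-AtiExtEvent - (no file)

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # (((  Name  )))
DASH_SECTION_RE = re.compile(r"^- - - - (.+?) - - - -$")  # - - - - NAME - - - -
KEY_RE = re.compile(r"^\[(.+)\]$")                        # [HKEY_...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "name"=value


def parse_combofix(text):
    """Split a ComboFix log into deleted files, orphaned autostarts and registry data."""
    deleted, orphans = [], []
    registry = defaultdict(dict)
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line) or DASH_SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            continue
        if set(line) == {"*"}:        # a row of asterisks closes the current section
            section, key = None, None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is not None:           # inside a [key] block: collect "name"=value rows
            m = VALUE_RE.match(line)
            if m:
                registry[key][m.group(1)] = m.group(2).strip()
            continue
        if section == "Other Deletions":
            deleted.append(line)
        elif section == "ORPHANS REMOVED":
            entry, _, target = line.partition(" - ")
            orphans.append((entry, target))
    return {"deleted": deleted, "orphans": orphans, "registry": dict(registry)}


def triage(parsed):
    """Turn the parsed log into (kind, detail) findings a responder would act on."""
    findings = [("removed-file", p) for p in parsed["deleted"]]
    findings += [("orphan-autostart", f"{e} -> {t}") for e, t in parsed["orphans"]]
    for key, values in parsed["registry"].items():
        k = key.lower()
        if k.endswith(r"firewallpolicy\standardprofile") and values.get("EnableFirewall", "").startswith("0"):
            findings.append(("firewall-disabled", key))
        if k.endswith(r"globallyopenports\list"):
            findings += [("port-open-to-all", port) for port in values]
        if "\\services\\" in k:
            image = values.get("ImagePath", "").strip('"')
            if image and not re.search(r"\.(exe|sys|dll)\b", image, re.I):
                findings.append(("service-bogus-imagepath", f"{key} = {image}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_combofix(SAMPLE_LOG)):
        print(f"{kind:24} {detail}")
```

Point it at a full ComboFix.txt instead of SAMPLE_LOG and the removed-file and orphan-autostart lines are exactly the evidence Sudeep is pointing at: four files deleted and several Run or Notify entries whose targets no longer existed. The registry checks are kept deliberately narrow (firewall off, ports open to every profile, a service image that is not a file) so they stay accurate on a log like this one; anything broader needs a reference list of known-good entries the page does not provide.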
 

Author Comment

by:kim2vp
ID: 33877770
After running fine for a few weeks this computer started locking up again, so I decided to back up the data and do a reformat.  
0
