
 


Problems on my mom's computer


Re: Problems on my mom's computer

Oy. I feel stupid. Sorry, I'll get right on it.

Re: Problems on my mom's computer

No worries 😉

Re: Problems on my mom's computer

Here is the Kaspersky scan report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, July 19, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, July 19, 2009 20:17:48
Records in database: 2496057
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 52566
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 00:30:14

No malware has been detected. The scan area is clean.

The selected area was scanned.

Re: Problems on my mom's computer

Please close all anti virus, anti malware and any other open programs/windows so they do not interfere with the running of RootRepeal.

  • Please download RootRepeal.zip from here.
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Re: Problems on my mom's computer

I'm in safe mode. I thought all of the antivirus things were closed. There's nothing in the system tray.

The RootRepeal link produces this:
"The bandwidth or page view limit for this site has been exceeded and the page cannot be viewed at this time. Once the site is below the limit, it will once again begin serving as normal."

Re: Problems on my mom's computer

Here is the RootRepeal scan:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/07/20 22:58
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6F7D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A8D000 Size: 8192 File Visible: No Signed: -
Status: -

Name: jpjuw.sys
Image Path: jpjuw.sys
Address: 0xF7565000 Size: 61440 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF68BD000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF744D000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\liz\local settings\temp\etilqs_rj7llbccrahbluph9am7
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\liz\application data\mozilla\firefox\profiles\3a49bh7j.default\sessionstore.js
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Documents and Settings\Liz\Application Data\Mozilla\Firefox\Profiles\3a49bh7j.default\sessionstore-1.js
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\liz\local settings\application data\mozilla\firefox\profiles\3a49bh7j.default\cache\_cache_001_
Status: Size mismatch (API: 463248, Raw: 387667)

Path: c:\documents and settings\liz\local settings\application data\mozilla\firefox\profiles\3a49bh7j.default\cache\_cache_002_
Status: Size mismatch (API: 307856, Raw: 281635)

Path: c:\documents and settings\liz\local settings\application data\mozilla\firefox\profiles\3a49bh7j.default\cache\_cache_003_
Status: Size mismatch (API: 610559, Raw: 503167)

Path: C:\Documents and Settings\Liz\Local Settings\Application Data\Mozilla\Firefox\Profiles\3a49bh7j.default\Cache\013E2B8Cd01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Liz\Local Settings\Application Data\Mozilla\Firefox\Profiles\3a49bh7j.default\Cache\0B42B96Ad01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Liz\Local Settings\Application Data\Mozilla\Firefox\Profiles\3a49bh7j.default\Cache\A7B9018Bd01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Liz\Local Settings\Application Data\Mozilla\Firefox\Profiles\3a49bh7j.default\Cache\B581BA44d01
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Liz\Local Settings\Application Data\Mozilla\Firefox\Profiles\3a49bh7j.default\Cache\DED39251d01
Status: Visible to the Windows API, but not on disk.

Hidden Services
-------------------
Service Name: nchuneg
Image Path: system32\drivers\jpjuw.sys

==EOF==

Re: Problems on my mom's computer

I suggest you copy these instructions into a notepad file, because we need to use safe mode and you won't have internet access to read from here.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.

Re: Problems on my mom's computer

Here is the SDFix log:


SDFix: Version 1.240
Run by Liz on Tue 07/21/2009 at 07:49 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-21 23:32:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Juno\\bin\\juno.exe"="C:\\Program Files\\Juno\\bin\\juno.exe:*:Enabled:Juno"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :


Finished!

Re: Problems on my mom's computer

Now open a new notepad file.
Input this into the notepad file:

DirLook:
c:\documents and settings\liz\local settings\temp\etilqs_rj7llbccrahbluph9am7


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into ComboFix as seen below:
[image]

This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.

Re: Problems on my mom's computer

OK, so I did all that you told me to and the scan started up as per normal and I went away from the computer for ten minutes. When I came back it had the BLUESCREENOFERRORMESSAGE and the white text reading as follows:

STOP:C000007B{bad image}
The application or DLL [I don't know how to do forward slashes so I'll use the normal ones to tell you what it said]: ///?/C:/windows/system32/Sfcfiles.dll is not a valid windows image. Please check this against your installation diskette.

I turned the machine off and attempted a reboot in safe mode, and no sooner did I choose "safemode" from the menu than it gave me the very same error message.

The computer had its hard drive replaced not too long ago. Does that have anything to do with this?

Re: Problems on my mom's computer

I can't use the computer now. It is in the perpetual blue screen of error message. What should I do?

Re: Problems on my mom's computer

So my dad just took a look at it and has managed to get it to boot normally, but it refuses to connect to the internet in any way, shape or form.

Re: Problems on my mom's computer

Please download WinSockFix here and see if it fixes your problem:

http://files.snapfiles.com/localdl834/WinsockxpFix.exe

Run it and see if you have internet connection.

Re: Problems on my mom's computer

I can't connect to the internet on that computer 8>/ What should I do?
