Infected Gateway Laptop - December 2007

I was asked to fix a Gateway laptop that would not boot into Windows. I found the system would start to load Windows and then automatically reboot. I booted the system from an ERD Commander 2002 boot CD, which showed the system had Microsoft Windows XP Professional, Service Pack 2 installed on it. But the sticker on the underside of the laptop had the following on it.

Windows® XP Home Edition
GATEWAY

When I later booted the system, I saw the operating system was actually Windows XP Home Edition Service Pack 2.

Using ERD Commander, I modified the registry so that the system would halt at a BSOD when it couldn't boot, so that I could see the error message regarding the problem, rather than have the system reboot before I could even read any information displayed about the problem. I edited the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl, changing the value of AutoReboot from 1 to 0. I was then able to reboot and see the BSOD.

A problem has been detected and Windows has been shut down to prevent damage
to your computer.

SESSION3_INITIALIZATION FAILED

If this is the first time you've seen this Stop error screen,
restart your computer. If this screen appears again, follow
these steps:

Check to make sure any new hardware of software is properly installed.
If this is a new installation, ask your hardware or softwar manufacturer
for any Windows updates you might need.

If problems continue, disable or remove any newly installed hardware
or software. Disable BIOS memory options such as caching or shadowing.
If you need to use Safe Mode to remove or disable components, restart
your computer, press F8 to select Advanced Startup Options, and then
select Safe Mode.

Technical information:

*** STOP: 0x0000006F (0xC0000034,0x00000000,0x00000000,0x00000000)


I ran a scan of the hard disk with QuickTech Professional 4.11, but found no problems.

HDD

Model  #: Fujitsu MHV2060AT PL
Serial #: NSA1T612A663
Firmware: 000000A0

I ran a scan of extended memory from 1 to 256 MB with QuickTech Professional 4.11 from Ultra-X, Inc. The scan indicated that memory from 1-32 MB was ok, but memory from 32-256 failed all tests but the "Stuck Low" and "Parity" tests. The testing showed every memory address in the 3-256 MB range had errors. I let the test run for several hours; it was still on the second loop when I stopped the testing.

I tested the processor with QuickTech Professional, also. QuickTech reported the processor as a "Pentium, 1396.50 MHz" processor. I let the CPU Test run for 276 passes with no errors found.

I then ran a memory test with Windows Memory Diagnostic Beta. I let the test run for an hour and 15 minutes. The test ran for 55 passes with no errors found.

I next booted the system from an Ultimate Boot CD Version 3.4 CD. I tested the system with Memtest86 V3.2.


Pentium M (0.09) 1396 Mhz
L1 Cache:   64  17239MB/s
L2 Cache:   Unknown
Memory  :    189M  6845MB/s
Chipset :

I let the program run for a WallTime of 40 minutes and 4 passes. It reported zero errors.

I then tested with Memtest86+ V1.65. I let it run for one pass with a WallTime of 11 minutes. It reported zero errors.

I rebooted and then ran DocMem RAM Diagnostic V2.1b. I ran the Quick Test first, but the program hung and didn't actually test memory. The same thing happened when I chose to run the DocMem RAM Diagnostic V1.45a. The TestMem4 test also failed to run, just giving me a screen with long jagged blue lines across the screen.

I ran another memory test with QuickTech Professional version 4.11. It was again showing memory errors. While looking for another diagnostic program, I found I had a later version of QuickTech Pro, version 4.52, on a floppy disk, so I attached a USB floppy drive to the system and booted from it. It also reported memory problems, though in the one pass I ran with it, it only showed the "Stuck Fault" and "Jump" tests failing and only the last block of memory (160-191 MB) with errors. But the PC powered itself off at about 80% of the way through pass 1, even though it was on wall outlet power, though perhaps the power cable wasn't firmly seated.

I then booted from a #1-TuffTEST-Pro 3.53 floppy disk and tested extended memory with the "Extensive Extended Memory Test". The system passed the "ALLZEROS" and "ALLONES" tests, but then appeared to hang on the "CHECKERBOARD" test; though it completed the other two tests within a few minutes, the "CHECKERBOARD" test was still showing "Testing" after about 2 hours and ESC wouldn't end the test as it should with the program.

 EXTENSIVE TEST  TEST RANGE 00100000-0BEFFFFF         PASS   1


Memory Test     Result    Error Code    Address
ALLZEROS        Passed
ALLONES         Passed
CHECKERBOARD    Passed
ADDRESS         Testing
MARCHING ONES
WALKING ONES

I had gone to a computer show in the area and picked up a replacement 512 MB memory module. I swapped it for the 256 MB module in the system.

Old

hynix     256MB R1x16 PC2-4200S-444-12
KOREA 08  HYMP532S64P6-C4 AA     0548N  C

New

hynix     512MB 2Rx16 PC2-4200S-444-12
KOREA 07  HYMP564S64P6-C4 AA     0550N

I ran a test with QuickTech Professional 4.11 on the new module. It showed it also failing the extended memory test. At this point, though, I had some reservations regarding whether I could rely on the QuickTech Pro memory test results for this system.

I rebooted the system with the new memory module; the results were the same as with the old memory module, i.e. a BSOD screen with SESSION3_INITIALIZATION FAILED displayed.

Since the new memory module didn't help, I put the old one back in. I then rebooted and hit F8 to get startup options. I picked "Last Known Good Configuration (your most recent settings that worked)". The system automatically rebooted, then gave me the BSOD screen again.

I copied smss.exe from a Windows XP Professional Service Pack 2 system to a floppy disk. I attached a USB floppy drive to the system and booted from the ERD Commander 2002 CD again and ran chkdsk /f c:. During the file system check I saw the following:

CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Windows has made corrections to the file system.

At the end of the chkdsk process, I saw "An unspecified error occurred." I reran the command a second time to see if the same error message would occur at the end. The second time I saw "Windows has checked the file system and found no problems." The error message did not reappear at the end of the process.

I then wanted to copy the smss.exe file from the floppy disk to C:\windows\system32, but when I tried in ERD Commander 2002, I kept getting the message below:

Error Copying
C:\WINDOWS\system32\smss.exe.
Error:The system cannot find the file specified.

I rebooted the system with a Slax Linux 5.1.8 LiveCD. It did not see any files on the floppy disk, so I inserted a USB thumb drive with the file in the laptop and copied it to the hard disk from it. The Windows partition on the hard disk was mounted read-only, so I had to issue the command mount -o remount rw /mnt/hda1 to mount it in read-write mode. But I got the message "Could not write to /mnt/hda1/WINDOWS/system32/smss.exe" when I tried copying the file to the hard disk.

When I checked /etc/mtab, I saw /mnt/hda1 listed as being mounted rw, but when I tried copying the file from a shell prompt, I got a message indicating that I was trying to copy it to a "Read-only file system". I tried unmounting /mnt/hda1, but I kept getting a message that it was busy and I couldn't unmount it.

So I then tried a Knoppix 5.0 LiveCD. When I tried mounting /dev/hda1, I got the message below:


Couldn't mount device '/dev/hda1' : Operation not permitted
Windows did not shut down properly. Try to mount volume in windows, shut down a
nd try again.
Mount failed.

I rebooted from the ERD Commander 2002 disc and ran chkdsk /f c: again. Chkdsk did not find any problems. This time I was able to copy smss.exe from the USB-attached floppy disk.

When I rebooted, Windows started normally and I was automatically logged into the system. I then saw a McAfee VirusScan warning that "Some components of ActiveShield are either missing or might not have been installed properly." I also saw an UltimateCleaner warning.

WARNING! UltimateCleaner has found
5493 useless and UNWANTED files on your computer!
5202 of those items are considered critical privacy compromising content
291 of those items are considered medium privacy threats
0 of those items are considered to be junk content of low privacy threats

Then an ad to "Get Your Free Diet Newsletter Now!" appeared and Internet Explorer opened to http://advertazoord.com?fed=56&fullscreen=true in fullscreen mode. Then an Internet Speed Monitor window opened with "SAATCHI GALLERY" displayed in the window with a table below the heading in the window with things like "Saatchi Online Artist", "Your Studio", "Links", etc. within the table. Another Internet Explorer window then opened, but as a very small window looking like a popup warning stating "Do you want to block Junk Emails?". There was what looked like a button with "Yes" on it within the window. There was no other option presented. The link was to http://b.casalmedia.com/V2/46429/97919/2980.gif. Other Internet Explorer windows opened with ads also.

I rebooted the system with a Norton Ghost 2003 boot CD and attempted to back up the system to an external disk drive. Unfortunately, after I specified the backup location to be the external drive and started the backup, the backup would hang without backing up any files. I tried several different boot CDs, some with USB 1.1 and others with USB 2.0 support, but none worked. I was able to back up the partition on which Windows resides using PING (Partimage Is Not Ghost), however.

When I rebooted the system, the UltimateCleaner window appeared again. This time there was no wireless network connectivity available, so I didn't see other advertisement windows open. I did see the McAfee VirusScan window again stating "Some components of ActiveShield are either missing or might not have been installed properly."

I noticed a shortcut on the desktop labelled "Click to Find and Fix Errors" that pointed to http://ad.outerinfo.com/reficon?bd=1970&pid=1600&oid=5&fid=99001552. I also saw "Free Casino Bonus", "Sportsbook Football" and "Video Game Rentals - Try for Free" shortcuts that pointed to ad.outerinfo.com. There was also a shortcut labelled "Free Online Dating" pointing to http://search2find.biz/search.php?q=dating, and "Go to Casino" and "Find Spyware Remover" shortcuts pointing to the same site. I removed all of those.

I attempted to remove Internet Speed Monitor through Add or Remove Programs. I saw ISM and ISM2 folders under C:\Program Files before I attempted to remove the software. The uninstall routine appeared to run, yet the software remained listed under Add or Remove Programs and the files in the ISM and ISM2 directories remained. I then tried removing it by clicking on the Uninstall shortcut in the Internet Speed Monitor group under All Programs. That resulted in the software no longer being listed under Add or Remove Programs and the ISM directory disappeared, but the ISM2 one remained. I was prompted to reboot after the uninstall, which I did. I deleted the ISM2 directory after rebooting.

I saw a shortcut for Ultimate Cleaner 2007 on the desktop, which pointed to C:\Program Files\Ultimate Cleaner\Ultimate Cleaner.exe. I removed that software through Add or Remove Programs, also, since it is on the Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites list, where it is listed as adware-supported. It disappeared from Add or Remove Programs and the files in C:\Program Files\Ultimate Cleaner were gone, except C:\Program Files\Ultimate Cleaner\com\ucsecuredelete.dll. I couldn't manually delete the Ultimate Cleaner directory, because the ucsecuredelete.dll file was still in use by some process. Even after rebooting I couldn't delete it for that reason, so it obviously didn't completely remove itself from the system when I chose to uninstall it.

I noticed a ucleaner_setup.exe file in C:\Program Files dated 09/20/2007 04:05 PM. When I right-clicked on it and chose Properties then Digital Signatures, I saw the name of the signer listed as Nous Tech Solutions Ltd. There was no email address listed for the company. I deleted the file.

I noticed the time and date were incorrect. The system time was showing as 8:10 AM on December 11, 2007 when the actual time was 12:10 AM on December 13, 2007. I set the time and date to the correct values.

Outerinfo was listed under Add or Remove Programs. According to How to remove Outerinfo pop-ups (aka PurityScan or OIN), this comes with other malware and is also known as PurityScan, Oinadserver or OIN. When I looked in the C:\Program Files\Outerinfo directory there was only a Terms.rtf file there. When I viewed the contents of the file I saw the following text within it:

As a result of installing the Company's Software, you will see occasional banner ads, pop-up, or pup-under ads, or other types of ads selected based on your online activites.

So they are clearly stating in their EULA that they will spy on users' Internet activities and send them targeted ads based on what they learn of users' online habits. The EULA goes on to state that they may update the software whenever they wish without asking users.

When I clicked on Outerinfo for support information in Add or Remove Programs, I saw the publisher listed as Outerinfo and the version listed as 5.2.99001552. When I tried to remove it by clicking on the Remove button, I saw a window titled "Yazzle Uninstall" with "Download of uninstaller failed: resolving hostname. Please download and run the uninstaller from http://www.outerinfo.com/OiUninstaller.exe."

I tried installing Spybot Search & Destroy on the system. But the installation process would die within seconds of starting it, as if some other process was killing it - perhaps it is being killed by some malware process trying to prevent its own removal. I tried several times to install Spybot, but the installation window always disappeared within seconds, though sometimes I got farther into the installation process than others. I wonder if the same malware is blocking the Spybot installation that may have disabled the McAfee protection. When I open the McAfee Security Center, I see the following:

VirusScan                Not installed
Personal Firewall Plus   Not installed
Privacy Service          Not installed
SpamKiller               Not installed

I installed BitDefender Free Edition version 10 on the system. I updated the virus definitions using a December 8 weekly update file and started a scan on the system. I left the scan running overnight. When I checked the system the next morning, I saw only a black background with the white mouse pointer on it. I could not get anything else to appear on the screen. I tried Alt-tab, Esc, and Ctrl-Alt-Del, but none had any noticeable effect. I had to power the system off and on again.

When I rebooted, the taskbar area at the bottom of the screen was 1/2 its normal height and nothing was appearing there. I could not stretch it to make it larger even after unlocking the taskbar. Nor could I move the taskbar elsewhere on the screen. The start button wasn't visible on it.

I was able to bring up the Task Manager with Ctrl-Alt-Del. I killed the Explorer process and restarted it, but that didn't help, so I rebooted the system into Safe Mode and logged in under the Administrator account. I encountered the same taskbar problem in Safe Mode.

I was able to bring up the Task Manager. It showed CPU utilization at 100% with csrss.exe taking up almost all the CPU cycles. I was unable to kill it. When I tried, the Task Manager informed me "This is a critical process. Task Manager cannot end this process." I also saw an IEXPLORE.EXE process running that I suspected might actually be malware, but I couldn't kill it either. Every time I selected it and tried to click on the End Process button, the button would gray out. I was able to kill it by getting a command prompt, making \Windows\system32 the working directory and running tskill IEXPLORE.EXE, but that didn't help the situation, and it reappeared in the Task Manager. When I opted to have the Task Manager display the PID column, I found the PID for IEXPLORE.EXE constantly changing, as if the process was dying but then continually being resuscitated.

I ran regedit and looked in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. I saw runner1, which had value data pointing to C:\WINDOWS\retadpu72.exe. I removed the key from the registry. Prevx identifies it as belonging to Downloader.Generic5.DUR. I didn't see retadpu72.exe in the Windows directory, however.

I also saw the following key:

Value name: Windows Workstation Service
Value data: explore.exe

At Windows Workstation Service, I found this listed as a key added by unknown malware. I removed the key.

I also saw a key for avp.

Value name: avp
Value data: C:\WINDOWS\avp.exe

Though avp.exe may be a file that comes with Kaspersky AntiVirus, that antivirus software was not installed on the system, so I suspected it was malware also. At AVP.EXE - Trojan.Downloader-Gen/AVP.Process, it is listed as being associated with malware. I removed the key and rebooted. The system appeared to be in the same state as before, however.

When I ran BitDefender and checked the Quarantine Folder, I found a tremendous number of exe files listed as being quarantined from the C:\Documents and Settings\Larissa's Computer\Shared folder. They were all 229 KB in size with names linking them to software that someone might search for with a P2P program and then download. E.g. I saw "Wolf Creek 2005.exe", "Wondershare Photo Collage Studio Pro 2.4.0.exe", "Wondershare Photo Collage Studio v1.3.9.exe", etc. All were marked as infected by Win32.Worm.VB.Ymeak.A.

Since those were the only files listed as quarantined by BitDefender, I didn't understand why running a BitDefender scan put the system in its current state. And, since BitDefender doesn't even run in Safe Mode, I don't know why I would have problems still when I booted into Safe Mode, if the problem was due to BitDefender running now.

I was able to install Spybot while booted into Normal mode at this point using the Task Manager. I updated its definitions from an "includes" file and scanned the system. It found evidence of the following malware on the system along with a plethora of advertising cookies:

BraveSentry
DSSAgent
FunWeb
FunWebProducts
MagicAntiSpy
MyWay.MyWebSearch
MyWebSearch
Nous-Tech UCleaner
Search2Find
StarWare
TNS-Search
Virtumonde
Win32.Agent.afy
Xorpix.a
Yazzle

I had Spybot remove everything it found. I saw a message at the end of the fix process that "Some problems couldn't be fixed; the reason could be that the associated files are still in use (in memory). This could be fixed after a restart. May Spybot S&D run on your next system startup?" I selected "Yes" and rebooted after running Spybot's "Immunize" function. Spybot ran again on startup; it reported "No immediate threats were found." But the system was in the same state as before with nothing shown on the taskbar, which was about 1/2 its normal size. There was no way to access the Start button.

I rebooted the system into Safe Mode and ran another Spybot check. Nothing was found.

I then installed Bazooka Adware and Spyware Scanner and FreeFixer from Kephyr.

I also downloaded and installed CWShredder. CWShredder did not report any variants of the Cool Web Search malware on the system. However, when I clicked on the Create Report button and viewed the report created, I saw the following under "Browser Helper Objects":

BHO: [BndDrive2 BHO Class] C:\Program Files\ISM\BndDrive3.dll

The DLL file is associated with the Internet Speed Monitor malware I previously tried removing through Add or Remove Programs. I ran Spybot again, switched to Advanced Mode and selected BHOs under Tools. I then used it to remove the BHO.

The CWShredder report and Spybot also listed a BHO associated with C:\WINDOWS\system32\cacudbcp.dll. It looked suspicious, but since I wasn't sure about it, I left it for the moment. The creation date listed for it in Spybot was 9/12/2007 at 9:54:40. There was no name associated with it. The filesize was listed at 60,928 bytes.

I also looked at the ActiveX applications and the Winsock LSPs with Spybot, but saw nothing suspicious. I looked at the System Startup items as well. There were some items I was unsure about, but nothing that was identified in red as malware. There were several items in yellow, but most of those were innocuous.

I installed VundoFix as well. When I tried running it in Safe Mode, I received the message below:

Run-time error '-2147023174 (800706ba)': System Error &H800706BA (-2147023174). The RPC server is unavailable.

I next ran FreeFixer and looked for anything that appeared to be associated with malware. Under the "Registry Startups" section, I found a registry value of HKLM..\RunServices,Windows Workstation Service with a command line value of explore.exe (file is missing). I had previously removed a registry entry for this file under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Run. I had FreeFixer remove the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices entry for Windows Workstation Service.

Name: Windows Workstation Service
Type: REG_SZ
Data: explore.exe

I next ran Bazooka 1.13.03. It found the following:

DSSAgent
WinSpy

Both had registry entries under HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

Value name: DSS
Type: REG_SZ
Value data: C:\WINDOWS\BBStore\DSS\dssagent.exe

Value name: csrss
Type: REG_SZ
Value data: C:\WINDOWS\system32\wbem\csrss.exe

I deleted both registry entries. There was a C:\WINDOWS\BBStore directory, but no DSS directory within it.

When I scanned again, Bazooka reported "Nothing detected." I then rebooted the system to see if it would behave normally now. Unfortunately, the results were the same as before with the same taskbar problem. I could still not stretch the taskbar and there was nothing on the 1/2 height taskbar I saw on the system.

When I plugged a network cable into the LAN port and ran ipconfig, I saw all zeros for the address. I tried ipconfig /renew and then saw the following:

WIndows IP Configuration

No operation can be performed on Wireless Network Connection while it has its me
dia disconnected.
An error occurred while renewing interface Local Area Connection : The RPC serve
r is unavailable.

I ran another BitDefender scan. It relisted all of the files it found previously, which it had moved to C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Quarantine. It also identified one more file in C:\Documents and Settings\Larissa's Computer\Shared\_\. Like the ones it found previously, it identified this as one as infected with Win32.Worm.VB.Ymeak.A. But it also quarantined some files from C:\WINDOWS\Temp. All the files had a name that was 9 or 10 digits followed by ".exe". The numbers appeared to be random. E.g. one file was named 1696950553.exe. These files were identified as infected with BehavesLive:Win32.Explorer.Hijack.

In examining the BitDefender report, I noticed the system's time was off. It was showing the time as 12/14/2007 8:50 AM, while the time was actually 12/13/2007 8:50 PM. I set the time to the correct value. I may have incorrectly set it before so that it was 12 hours off.

I tried the ipconfig command again. The IP address and subnet mask were still showing as 0.0.0.0.

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        IP Address. . . . . . . . . . . . : fe80::203::25ff::fe2f::b25%5
        Default Gateway . . . . . . . . . :

Running ipconfig /renew still produced the message "The RPC server is unavailable." I issued the command services.msc, but the services list did not open. I was able to open the Control Panel by issuing the command control at a command prompt. When I looked under the Standard tab, I saw that Remote Procedure Call (RPC) was supposed to start automatically, but was not started. The Remote Procedure Call (RPC) Locator was set to "Manual" and was not running. I clicked on Remote Procedure Call (RPC) to select it and then selected Action and Start, but then got the error below:

Could not start the Remote Procedure Call (RPC) service on Local Computer.
Error 2: The system cannot find the file specified.

When I tried starting the RPC Locator, I got the message "Error 1068: The dependency service or group failed to start."

Following the instructions at Router Not working, where a similar problem was reported, I tried sfc /scannow. The Windows File Protection utility, which verifies that all protected Windows files are intact and in their original version, then ran. When I checked the system afterwards the sfc window had closed and there was no indication it had found any problems.

While looking through the registry keys in HKCU\Software\Microsoft\Windows\CurrentVersion\Run, I found some very odd keys.

Name       Type     Data
autoload   REG_SZ   C:\WINDOWS\system32\drivers\smss.exe...
autorun    REG_SZ   C:\Documents and Settings\Larissa's Computer\smss.exe...
Cpue       REG_SZ   C:\DOCUME~1\LARISS~1\APPLIC~1\SKS~1\taskmgr.exe" -vt yazb

The three dots at the end of "smss.exe" looked odd. They weren't there simply because the column was too narrow to show the rest of the data, and I didn't see them when I double-clicked on the values to open an Edit String window; perhaps there were some characters at the end that weren't visible in the Edit String window. When I right-clicked on the value and chose Modify Binary Data, I did see null characters, i.e. 00, after the ".exe". And why would smss.exe be in the user's directory? A missing smss.exe file was what caused the system to reboot continually when I first started working on the system, and what caused the BSOD when I modified the registry to have the system halt when a BSOD occurred.

And why would taskmgr.exe be running from the user's folder? There is a taskmgr.exe file in the C:\WINDOWS\system32 directory and in the C:\WINDOWS\system32\dllcache directory. Both are 135,680 bytes with a date of 08/04/2004 and a time of 02:00 PM. Another very suspicious sign regarding the registry entry for taskmgr.exe is that, from a command prompt, I see a ??sks directory in C:\Documents and Settings\Larissa's Computer\Application Data. If I make that directory the working directory with a cd command, I see another ??sks directory within it. I can go down to C:\Documents and Settings\Larissa's Computer\Application Data\??sks\??sks, where a dir command shows nothing in the directory. I do see the C:\Documents and Settings\Larissa's Computer\Application Data\??sks\taskmgr.exe file, but not with a plain dir command, only with dir /ah or dir /as. It is 72,704 bytes with a timestamp of 09/08/2007 10:04 AM. I was able to copy it to a USB thumb drive for later analysis with xcopy /h * f:\. I then turned off the hidden and system attributes for the file with attrib -h -s f:\taskmgr.exe.
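The two paragraphs above describe three things that made these Run-key values stand out: NUL characters hidden after the string terminator (visible only in the binary editor), core Windows binaries such as smss.exe and taskmgr.exe launched from a user profile instead of C:\WINDOWS\system32, and directory names whose characters the console could only render as "?". The Python script below is an added example, not part of the original write-up or of any tool mentioned on this page; it audits a set of Run values offline for those three indicators. The value data is constructed to mirror the entries recorded on this page (the csrss.exe-in-wbem and "?racle\?ttrib.exe" entries seen later are included too, with Cyrillic lookalike letters standing in for the characters that displayed as "?"), the SYSTEM_BINARY_HOMES table is my own assumption, and 8.3 short names such as SKS~1 are compared literally rather than expanded.

```python
"""
Audit Windows Run-key autostart values offline for the indicators discussed
above: REG_SZ data with characters hidden after the NUL terminator, core
system binaries launched from outside their proper directory, and paths with
non-printable or lookalike (non-ASCII) characters.

The values below are constructed for this example, modelled on the entries
seen on the infected laptop; they were not exported from a real registry.
"""
import ntpath
import re

# Directories in which these core binaries legitimately live on Windows XP
# (lower-cased for comparison). Assumed table; extend it for other layouts.
SYSTEM_BINARY_HOMES = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "taskmgr.exe": {r"c:\windows\system32"},
    "attrib.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


def reg_sz(text: str, extra_nuls: int = 0) -> bytes:
    """Encode a string as REG_SZ raw data: UTF-16LE plus a NUL terminator,
    optionally followed by extra NULs that a string editor will not display."""
    return (text + "\x00" * (1 + extra_nuls)).encode("utf-16-le")


# Constructed sample of a HKCU\...\Run key. The Cyrillic O and a in the Qsbv
# entry stand in for the characters that the console displayed as '?'.
SAMPLE_RUN_VALUES = {
    "autoload": reg_sz(r"C:\WINDOWS\system32\drivers\smss.exe", extra_nuls=3),
    "autorun": reg_sz(r"C:\Documents and Settings\Larissa's Computer\smss.exe", extra_nuls=3),
    "Cpue": reg_sz(r'"C:\DOCUME~1\LARISS~1\APPLIC~1\SKS~1\taskmgr.exe" -vt yazb'),
    "csrss": reg_sz(r"C:\WINDOWS\system32\wbem\csrss.exe"),
    "Qsbv": reg_sz('"C:\\Program Files\\Common Files\\\u041eracle\\\u0430ttrib.exe"'),
    "ctfmon.exe": reg_sz(r"C:\WINDOWS\system32\ctfmon.exe"),  # benign XP entry
}


def decode_reg_sz(raw: bytes) -> tuple[str, int]:
    """Decode raw REG_SZ data the way a registry editor's string view does
    (stop at the first NUL) and count the characters hidden after it.
    Returns (visible_string, hidden_char_count)."""
    text = raw.decode("utf-16-le")
    visible, _, hidden = text.partition("\x00")
    return visible, len(hidden)


def executable_path(command: str) -> str:
    """Pull the program path out of a Run value's command line. A quoted path
    ends at the closing quote; an unquoted path may contain spaces (XP profile
    paths do), so it is taken up to the first '.exe' as a heuristic."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return match.group(1) if match else command.split(" ")[0]


def audit_value(raw: bytes) -> list[str]:
    """Return the list of suspicious indicators for one Run value's data."""
    findings = []
    visible, hidden = decode_reg_sz(raw)
    if hidden:
        findings.append(
            f"{hidden} character(s) hidden after the NUL terminator "
            "(visible only in the binary editor)")
    path = executable_path(visible)
    if any(ord(ch) < 32 or ord(ch) > 126 for ch in path):
        findings.append(
            "path contains non-printable or non-ASCII characters "
            "(rendered as '?' by the console)")
    directory, filename = ntpath.split(path)
    homes = SYSTEM_BINARY_HOMES.get(filename.lower())
    if homes is not None and directory.lower() not in homes:
        findings.append(
            f"{filename} runs from {directory} rather than its system directory")
    return findings


def audit_run_key(values: dict[str, bytes]) -> dict[str, list[str]]:
    """Audit every value of a Run key; only values with findings are returned."""
    report = {}
    for name, raw in values.items():
        findings = audit_value(raw)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_run_key(SAMPLE_RUN_VALUES).items():
        print(name)
        for finding in findings:
            print("   -", finding)
```

The Qsbv entry shows why the character check matters on its own: its file name is not "attrib.exe" byte-for-byte, so the system-binary lookup passes it, and only the non-ASCII test flags it. On a live system the raw bytes would come from a registry export or an offline hive parser, and 8.3 short names should be expanded before the directory comparison.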

I moved the file to another system and then uploaded it to Jotti's Online Malware Scan for analysis. Ten of the twenty-one scanners used by that site to identify malware identified it as malware.

I deleted the Cpue registry key and deleted the ??sks directory. I had to use attrib -r taskmgr.exe to also reset the read-only attribute for the taskmgr.exe file first.

I installed RootkitRevealer v1.71 and scanned the system with it.

I did not see the C:\Documents and Settings\Larissa's Computer\smss.exe file on the system.

I scanned the system again with Bazooka and Spybot, but they did not report any malware on the system.

At this point, the system still had problems even after I had checked the system with the following antivirus and antispyware programs:

  1. Bazooka Adware and Spyware Scanner
  2. BitDefender Free Edition
  3. CWShredder
  4. FreeFixer
  5. McAfee Security Suite
  6. Rootkit Revealer
  7. Spybot Search & Destroy
  8. VundoFix

At this point, the taskbar was inaccessible and the only way I could install additional software was to bring up the Task Manager, go to File and select New Task (Run...). So I decided to purchase the AVG Rescue CD, so that I could boot from a Windows boot CD and conduct a full scan without worrying about any more possibly corrupted or missing critical Windows components, or malware hiding from antispyware and antivirus programs by insinuating itself early in the Windows boot process and blocking that software from detecting and removing it.

The AVG Rescue CD is basically a portable variant of AVG based on the Windows PE platform. It is distributed as a bootable CD intended for operating system recovery in the event that the system cannot be loaded in the regular way, for example due to a substantial virus infection. The AVG Rescue CD incorporates the full scanning power of AVG Anti-Malware, offering extended protection to your computer through its Anti-Virus and Anti-Spyware components, enabling you to fully scan and heal infections on an inoperable computer.

After booting from the AVG Rescue CD and having it download updates for itself over the network, I received a message that the update was unsuccessful and saw the following window.

Windows - Out of Virtual Memory
Your system is low on virutal memory. To ensure that Windows runs
properly, increase the size of your virtual memory paging file. For more
information, see Help.

OK
 

I replaced the 256 MB memory module in the system with a 512 MB module. I was then able to successfully update the malware definitions. When I scanned the system with the AVG Rescue CD, the scan ran for an hour and a half and then reported the following:

File              | Result/Infection                     | Path                                                                          | Status
E7.tmp            | Trojan horse Downloader.Generic6.BZG | C:\E7.tmp                                                                     | Infected
U.exe             | Trojan horse Downloader.Generic6.BYQ | C:\U.exe                                                                      | Infected
Carry it Easy...  | Trojan horse Dropper.Generic.DZD     | C:\Documents and Setings\Larissa's Computer\Shared\_\Carry it Easy...         | Infected
lbkcv.dll         | Trojan horse Proxy.BFJ               | C:\WINDOWS\system32\wbkcv.dll                                                 | Infected
wnscpicomsv32.exe | Trojan.Small                         | C:\WINDOWS|system32\wnscpicomsv32.exe                                         | Infected
474349766.Evt     | Troja horse Generic9.ADTE            | C:\WINDOWS\system32\config\474349766.Evt                                      | Infected
SAV.SAV           | Trojan horse Generic8.CXG            | C:\WINDOWS\system32\config\SAM.SAV                                            | Infected
bot80F5.tmp       | Trojan horse Proxy.TXQ               | C:\WINDOWS\Temp\bot80F5.tmp                                                   | Infected
bot8CF1.tmp       | Trojan horse Proxy.TYE               | C:\WINDOWS\Temp\bot8CF1.tmp                                                   | Infected
botF268.tmp       | Virus found I-WormNulprot            | C:\WINDOWS\Temp\botF268.tmp                                                   | Infected
botF884.tmp       | Trojan horse Proxy.TYE               | C:\WINDOWS\Temp\botF884.tmp                                                   | Infected
hd10.tmp          | Virus found I-WormNulprot            | C:\WINDOWS\Temp\hd10.tmp                                                      | Infected
hd219.tmp         | Trojan horse Agent.HVM               | C:\WINDOWS\Temp\hd219.tmp                                                     | Infected
hd26.tmp          | Trojan horse Agent.LOR               | C:\WINDOWS\Temp\hd26.tmp                                                      | Infected
NDrv.dll          | Adware Generic2.VAB                  | C:\Documents and Settings\Larissa's Computer\Local Settings\Temp\NDrv.dll     | Potentially Unwanted Program
?ttrib.exe        | Adware Generic2.PCS                  | C:\Program Files\Common Files\?racle\?ttrib.exe                               | Potentially Unwanted Program
cacudbcp.dll      | Adware Generic2.PFY                  | C:\WINDOWS\system32\cacudbcp.dll                                              | Potentially Unwanted Program

An .evt file is a Windows Event Viewer Log File, so that struck me as likely a false positive. Using the event logs in Event Viewer, you can gather information about hardware, software, and system problems. You can also monitor Windows XP security events.

I also suspected that the SAM.SAV entry was a false positive.

I found a Hijack This log someone else had posted where C:\WINDOWS\TEMP\bot80F5.tmp was a running process on his system.

At the end of the scan NDRV.dll was listed in the Spyware found list where it was classified as Adware Generic2.VAB.

After "Carry it Easy" there were a lot of non-English characters. The ?ttrib.exe program was showing up in Task Manager's process list, when I was booted into Windows, as attrib.exe. The directory associated with it was Oracle, which looked suspicious, since the 13-year-old owner of the laptop was unlikely to be using Oracle database software. The entry for ?ttrib.exe was listed in the Spyware found list, rather than the Virus results list.
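As an added example (not part of the original write-up), the following Python helper applies the reasoning above to rows like the AVG report: hits on Windows' own state files under system32\config go into a "verify" bucket, and the verification checks the file's on-disk magic instead of trusting the signature name. The sample rows, the bucket names and the accented folder name are constructed.

```python
import ntpath
import re

SYSTEM_STATE_DIR = r"c:\windows\system32\config"   # hives, hive backups, .evt logs
SYSTEM_STATE_EXT = {".evt", ".sav", ".log", ""}
STAGING_DIRS = (r"c:\windows\temp", r"c:\documents and settings")
GENERIC_SIG = re.compile(r"generic\d*\.", re.IGNORECASE)   # e.g. Generic9.ADTE

def classify(result, path):
    """Sort one detection into 'verify' (inspect before deleting) or 'quarantine'."""
    directory, filename = ntpath.split(path)
    ext = ntpath.splitext(filename)[1].lower()
    d = directory.lower().rstrip("\\")
    if d == SYSTEM_STATE_DIR and ext in SYSTEM_STATE_EXT and GENERIC_SIG.search(result):
        return "verify", "generic signature on a Windows state file"
    if not path.isascii():
        return "quarantine", "non-ASCII path imitating a legitimate name"
    if d == "c:" or d.startswith(STAGING_DIRS) or ext == ".tmp":
        return "quarantine", "payload staged in drive root, Temp or a profile"
    return "quarantine", "vault and review"

def is_genuine_state_file(ext, header):
    """Magic check for a 'verify' hit: an NT event log starts with a 4-byte
    header size (0x30) followed by 'LfLe'; registry hives and their .SAV
    backups start with 'regf'. A dropped executable would start with 'MZ'."""
    if ext == ".evt":
        return header[:4] == b"\x30\x00\x00\x00" and header[4:8] == b"LfLe"
    if ext in (".sav", ""):
        return header[:4] == b"regf"
    return False

def triage(rows):
    """rows: (file, result, path, status) tuples as in the rescue-CD report."""
    out = {"verify": [], "quarantine": []}
    for name, result, path, _status in rows:
        bucket, why = classify(result, path)
        out[bucket].append((name, why))
    return out

# Constructed rows modelled on the report above; the accented folder stands in for the '?' characters.
SCAN_ROWS = [
    ("U.exe", "Trojan horse Downloader.Generic6.BYQ", r"C:\U.exe", "Infected"),
    ("474349766.Evt", "Trojan horse Generic9.ADTE",
     r"C:\WINDOWS\system32\config\474349766.Evt", "Infected"),
    ("SAM.SAV", "Trojan horse Generic8.CXG", r"C:\WINDOWS\system32\config\SAM.SAV", "Infected"),
    ("\u00e1ttrib.exe", "Adware Generic2.PCS",
     "C:\\Program Files\\Common Files\\\u00d3racle\\\u00e1ttrib.exe", "Potentially Unwanted Program"),
]
```

A "verify" hit whose header fails the magic check is a real dropped file using a system-looking name and belongs in the vault like the others.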

I had the AVG Rescue CD move everything it found to the "vault" and rebooted. The system was in the same state as before. The taskbar was a half-height taskbar that I couldn't adjust, there didn't appear to be any system tray entries, and there was no Start button.

Task Manager showed attrib.exe running, while Sysinternals' Process Explorer showed the same Process ID (PID) associated with ?ttrib.exe running from C:\Program Files\Common Files\?racle. Killing the process didn't help with the taskbar problem. Using regedit, I searched the registry for "ttrib.exe". I found it in HKCU\Software\Microsoft\Windows\CurrentVersion\Run:

Name: Qsbv
Type: REG_SZ
Value data: "C:\Program Files\Common Files\Oracle\attrib.exe"

I removed the value from the registry along with another suspicious one I had seen earlier, but not removed.

Name: autorun
Type: REG_SZ
Value data: C:\Documents and Settings\Larissa's Computer\smss.exe

I also checked on QdrModule9 and found it linked to Trojan.Downloader-Gen/QDRModule.Process, so I removed the following value as well from HKCU\Software\Microsoft\Windows\CurrentVersion\Run, though I didn't see a C:\Program Files\QdrModule directory on the system. Another page on qdrmodule9.exe classified the application as a "Trojan/Backdoor".

Name: QdrModule9
Type: REG_SZ
Value data: "C:\Program Files\QdrModule\QdrModule9.exe"

I rebooted, but the system didn't appear to be any healthier. I logged off the "Larissa's Computer" account, for which I had been logged in automatically, and logged into the Guest account. The problem existed there, too.

I've found helpful information for other problems at Ask Leo! by Leo Notenboom before. He has an article on dealing with the type of problem this system has been experiencing at My Taskbar is missing and I have no Start button - what do I do?. However, in this case, Ctrl-Esc won't make the taskbar visible, the Explorer process is running already, and rerunning it doesn't help. I did find a link to a taskbar repair utility, Taskbar Repair Tool Plus!. I ran that and for the Taskbar Problems option, I picked "Taskbar is Missing". I didn't select any other options and clicked on Repair. I then saw the following window:

Taskbar ToolProject
Run-time error '462':

The remote server machine does not exist or is unavailable

OK

I checked the running services again and found that the Remote Procedure Call (RPC) service was not running. I tried starting it, but got the message below:

Services
Could not start the Remote Procedure Call (RPC) service on Local Computer.

Error 2: The system cannot find the file specified.

OK

I ran regedit and checked HKLM\SYSTEM\CurrentControlSet\Services\RpcSs. I saw the following value:

Value Name: ImagePath
Type: REG_EXPAND_SZ
Value Data: %SystemRoot%\system32\svchost -k rpcss

But, when I looked in C:\Windows\system32\, there was no svchost.exe file. I copied one from the C:\Windows\system32 directory on a Windows XP Professional SP2 system and placed it in C:\Windows\system32 on this system. I then entered the command net start "Remote Procedure Call (RPC)" from a command prompt, but was notified that "The requested service has already been started." When I looked under the Extended Services tab in Services, I now saw entries listed, whereas before I didn't see anything there. I was only seeing services under the Standard tab.
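The missing svchost.exe behind the RPC failure and the Run-key entries removed earlier are both instances of one check: does an autostart or service image path point to a real binary in the place that binary belongs? This added Python helper (not from the original write-up) models that check the way CreateProcess resolves an unquoted command line, against a constructed XP-style environment and file listing; the listing, the system-binary name set and the findings text are assumptions.

```python
import ntpath
import re

# Constructed XP-like environment and file listing (assumed for this example):
# note there is no system32\svchost.exe, matching what was found on the laptop.
ENV = {"systemroot": r"C:\WINDOWS"}
PRESENT = {p.lower() for p in (
    r"C:\WINDOWS\system32\attrib.exe",
    r"C:\WINDOWS\system32\smss.exe",
    r"C:\Program Files\Common Files\Oracle\attrib.exe",
    r"C:\Documents and Settings\Larissa's Computer\smss.exe",
)}
SYSTEM32 = ntpath.join(ENV["systemroot"], "system32").lower()
SYSTEM_BINARIES = {"attrib.exe", "smss.exe", "svchost.exe", "csrss.exe", "lsass.exe"}

def expand(value):
    """Expand %VAR% references as a REG_EXPAND_SZ value would be expanded."""
    return re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), value)

def resolve_image(value, present=PRESENT):
    """Return (image_path, exists). Mirrors CreateProcess: a quoted path is taken
    whole; an unquoted one is tried prefix by prefix at each space, appending
    .exe when the prefix has no extension, until a file exists."""
    value = expand(value.strip())
    if value.startswith('"'):
        end = value.find('"', 1)
        candidates = [value[1:end] if end > 0 else value[1:]]
    else:
        parts = value.split(" ")
        candidates = [" ".join(parts[:i]) for i in range(1, len(parts) + 1)]
    for cand in candidates:
        if not ntpath.splitext(cand)[1]:
            cand += ".exe"
        if cand.lower() in present:
            return cand, True
    first = candidates[0]
    return (first if ntpath.splitext(first)[1] else first + ".exe"), False

def assess(value, present=PRESENT):
    """Findings for one Run or ImagePath value data string."""
    image, exists = resolve_image(value, present)
    directory, filename = ntpath.split(image)
    findings = []
    if not exists:
        findings.append("image file missing: service cannot start / dead autostart")
    if filename.lower() in SYSTEM_BINARIES and directory.lower() != SYSTEM32:
        findings.append(f"{filename} is a Windows system binary name but runs from {directory}")
    if directory.lower().startswith(r"c:\documents and settings"):
        findings.append("autostart located in a user profile directory")
    return image, findings
```

Run over the four value data strings quoted on this page, the RpcSs entry resolves to C:\WINDOWS\system32\svchost.exe and reports it missing, while the Qsbv and autorun entries are flagged for carrying system binary names outside System32.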

I rebooted and that fixed the problem with the taskbar, and I also had network connectivity again. Yeah! But what deleted the file in the first place? I checked BitDefender's Quarantine listing, but didn't see it there, so it didn't seem like a BitDefender scan deleted it.

I looked under Add or Remove Programs for any suspicious software, but found none.

I checked for updates for the following programs and then scanned the system with them.

  1. Bazooka Adware and Spyware Scanner
  2. BitDefender Free Edition
  3. CWShredder
  4. FreeFixer
  5. McAfee Security Suite
  6. Rootkit Revealer
  7. Spybot Search & Destroy
  8. VundoFix

References:

  1. Automatically Reboot on the 'Blue Screen of Death'
    Last modified: March 20, 2002
    PC Tools Guides for Windows
  2. Free memory test
    Published: March 27, 2003
    ZDNet UK News
  3. How to remove Outerinfo pop-ups (aka PurityScan or OIN)
    Updated: October 19, 2007
    Geeks to Go! - Tech experts answer your questions