> [Closed] Infected with "ndisio.sys", ndisio.sys is causing problems for XP.
mattwestfall
post Feb 21 2009, 03:14 PM
Post #1


New Member
*

Group: Authentic Member
Posts: 7
Joined: 21-February 09
Member No.: 84,319
Operating System: Windows XP



Hello!

I have a laptop that would not boot correctly because... "driver unloaded without canceling pending operations". It associated this error with ndisio.sys.

I was able to delete this file but the computer is still having many problems.

Please instruct me on what to do! I think you may have had some success with this before.

Thanks so much.
CatByte
post Feb 21 2009, 04:46 PM
Post #2


Classroom Administrator
Group Icon

Group: Classroom Admin
Posts: 9,481
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Hello and welcome to

Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
This may cause a delay, but I will do my best to keep it as short as possible.

You don't mention if you are now able to boot - do you have an internet connection or are you posting from another machine?

If you could please advise your present situation, then I can post back with further instructions.

Thank-you

CatByte
post Feb 21 2009, 06:29 PM
Post #3





Could you please read the instructions given HERE very carefully, then post back into this thread with the HJT log.
mattwestfall
post Feb 21 2009, 11:10 PM
Post #4





Yessir -

I will follow instructions and get back to you as soon as possible.

I am using another machine to chat with you.

However, I CAN boot on the other machine, and I think I can run a browser. When the infected machine starts, it is terribly slow, and "explorer" does not start automatically.

I have to CTL-ALT-DEL and use the "run" option from the toolbar in Task Manager in order to run "explorer" and see icons, etc.

Will reply with more information as soon as possible.

Thank you -

Matt
mattwestfall
post Feb 22 2009, 12:15 AM
Post #5





I cannot run "HiJackThis" on the infected computer, even in safe-mode. Here is the list of processes, via Task Manager:

AppleMobileDeviceService.exe
BCMWLTRY.EXE
ccSetMgr.exe
cmd.exe
csrss.exe
csrssc.exe
ctfmon.exe
DefWatch.exe
explorer.exe
GoogleUpdaterService.exe
iPodService.exe
iTunesHelper.exe
lsass.exe
mDNSResponder.exe
NicConfigSvc.exe
prunnet.exe
services.exe
services.exe
smss.exe
spoolsv.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
System
System Ide Process
taskmgr.exe
wdfmgr.exe
winlognn.exe
winlogon.exe
WLTRSVC.EXE
wmiprvse.exe

In safe mode there are fewer, but I still can't run anything. The one called "csrss.exe" has some CPU activity when I try to load another program.

Please let me know how to proceed.
CatByte
post Feb 22 2009, 05:19 AM
Post #6





Hi

Please try renaming Hijackthis.exe to HijackThis.com

Now see if it will run.
mattwestfall
post Feb 22 2009, 11:35 AM
Post #7





This did not work either.

I changed the file extension via the command prompt and it still will not run.
CatByte
post Feb 22 2009, 02:20 PM
Post #8





Hi mattwestfall,

Please follow these instructions EXACTLY.

If you cannot download on your machine, download on another that you have access to and transfer over via thumb drive or other media. Try to disable your security programs; if they will not disable, run the program and allow it to run if your security programs complain.

Do the following:

Please download ComboFix from Here or Here to your Desktop.
**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:




  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.  
  9. Please post the "C:\Combo-Fix.txt"

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**



mattwestfall
post Feb 23 2009, 10:16 PM
Post #9





It produced "bug.txt" and here are the contents of that file:




Killing 'Nircmd.com'
"C:\32788R22FWJFW\nircmd.com" cmdwait 1500 exec hide "~$folder.system$\cmd.execf" /c 32788R22FWJFW\prep.cmd (4072)

PUSHD "C:\32788R22FWJFW"

IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT

VER 1>OsVer

"C:\WINDOWS\system32\Find.exe" "5.2." OsVer

IF -1073741819 == 0 GOTO Not_NT

"C:\WINDOWS\system32\Find.exe" "5.1.2" OsVer

IF -1073741819 == 0 GOTO NT

"C:\WINDOWS\system32\Find.exe" "5.00.2" OsVer

IF -1073741819 == 0 GOTO NT

GOTO Not_NT

IF NOT DEFINED RKEY_ GOTO :EOF

CLS

CHCP 1252
Active code page: 1252

START NIRCMD.com infobox "Incompatible OS. ComboFix only works for Windows 2000 and XP~n~nOS incompatible. ComboFix ne fonctionne que pour Windows 2000 et XP~n~nOS niet compatibel. ComboFix kan enkel gebruikt worden voor Windows 2000 en XP~n~nInkompatibles Betriebssystem. ComboFix läuft nur unter Windows 2000 und XP~n~nKäyttöjärjestelmä ei ole yhteensopiva. ComboFix toimii vain Windows 2000- ja XP-käyttöjärjestelmissä.~n~nSistema Operativo Incompat¡vel. ComboFix apenas funciona em Windows 2000 e XP~n~nSO. Incompatible. ComboFix funciona únicamente en Windows 2000 y XP~n~nOS Incompatibile. Combofix funziona solo su windows 2000 e XP" "Error - Win32 only"

EXIT
CatByte
post Feb 24 2009, 07:17 AM
Post #10





Hi Mattwestfall,

Combofix did not run correctly.

This scan has to be run from I.E.

Please do the following:

Go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.



mattwestfall
post Feb 24 2009, 06:40 PM
Post #11





Forgive me if I cannot perform this latest task as promptly as I would like.

This is very important to me, and I appreciate your help.

I will forward you the results as soon as I can.

Again, thank you and please leave this thread open. I can be contacted at for any reason.

Matt

This post has been edited by Rorschach112: Feb 24 2009, 07:19 PM
Reason for edit: removed email
CatByte
post Feb 24 2009, 06:47 PM
Post #12





OK, Thanks for letting me know.

CB
Rorschach112
post Mar 1 2009, 03:13 PM
Post #13


SuperMember
*****

Group: Authentic Member
Posts: 3,651
Joined: 29-September 07
Member No.: 73,164
Operating System: Windows XP



Due to inactivity this topic will be closed.
If you need help please start a new thread and post a new HJT log
RatHat
post Mar 14 2009, 03:43 AM
Post #14


Visiting Staff
****

Group: Visiting Staff
Posts: 817
Joined: 18-April 07
From: Thailand
Member No.: 69,587
Operating System: XP Pro SP2 - Vista Ultimate



Reopened at user request.
CatByte
post Mar 14 2009, 04:09 AM
Post #15





Hi Mattwestfall, (note: please check "private messages" in your control panel before following these directions - Thank-you)

please do the following:


Download Dr.Web CureIt to the desktop:
  • Double-click the drweb-cureit icon to start the program.
  • Press Start.
  • Allow the program to run the initial express scan
  • This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
    Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
  • Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
  • Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
  • During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
      Note:(If the file cannot be cured, Dr.Web will automatically delete the file)
  • Once the scan is complete, on the menu bar, click file and choose report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Note:this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Close Dr.Web Cureit.
  • Please post the Dr.Web.txt report in your next reply


This post has been edited by CatByte: Mar 14 2009, 04:11 AM