
Windows still refuses to shut down and reboot... Requires a reset butt


105 replies to this topic

#1 Rappy

Rappy

    Authentic Member

  • Authentic Member
  • PipPip
  • 106 posts

Posted 09 January 2009 - 08:37 PM

I was working on a malware/virus removal with LDTate here and he suggested I start a thread here as he was out of ideas. Before doing his suggestions, I was able to reboot with no problem, although the login process took quite a lot longer than preferred (1-3 mins on average). We have removed a LOT of programs starting up on windows reboot to no avail. Windows boots up, shows up the wallpaper (with no icons), programs show up in task manager, but don't seem to initialize, after about 3-5 mins the icons show up, the wallpaper disappears and programs magically run as if the system just rebooted. The system appears to be stable, programs seem to run correctly (although I haven't 'tested' its versatility) and would like to resolve this issue.

Last HJT log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:35:43, on 1/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

HJT Log removed:

I know it may be a few days before this gets answered... if anything changes before then I will edit this, but it doesn't seem likely.

-Rappy



#2 appleoddity

appleoddity

    SuperMember

  • Tech Team
  • 3,071 posts
  • Interests:Eating, Movies, Family, Church, Music, Volleyball, Softball, Poker, Computers, Electronics, Reading.

Posted 09 January 2009 - 10:27 PM

I have not looked at your HJT log yet, but typically, (nearly always) you will see this type of problem caused because a service is hanging up on startup. Sometimes multiple services. You need to click start -> run -> type 'eventvwr' and press ENTER. Look in your SYSTEM log for errors pertaining to services hanging on startup and services timing out. This will clarify exactly what services are failing and causing the long delay on startup. Please report back here with any information you find and I will assist you further.

I will examine your HJT log a little later to see if I find anything. But, I would like to ask one more favor, please send me a bootlog. In order to create a bootlog you need to use the F8 key during startup to get to the windows XP startup menu (before windows boots), and select "Enable boot logging." Now, go ahead and choose your operating system from the list (usually only one choice) and boot windows. After windows is booted, open My Computer and navigate to C:\windows. Find the file called ntbtlog.txt and open it in notepad. Scroll all the way to the bottom of the file and then move up one line at a time until you find the first occurrence (from the bottom of the file) that says "Service Pack x...". I want you to copy from that line to the bottom of the file and post it here at the forum.

I will come back a little later to examine all of this and I'm sure we can come up with a resolution to your problem. Please be patient as we need to follow a clear path of troubleshooting and if you move forward without my assistance you could make it quite a bit more difficult for me. I believe the shutdown problem is related to a driver issue and your bootlog will help clarify things as well as identify any other malicious activity possibly missed earlier.

The help you have been given is free. If you have been happy with our help please consider donating to support this forum.

If you would like to say thanks for the help I have given you please View My Profile and Leave a Comment.
Your encouragement is welcome.
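
The bootlog review described in the post above, as an added example that is not part of the original thread: it takes the text of ntbtlog.txt, keeps only the newest boot session (from the last "Service Pack" line down), and reports drivers loaded more than once, drivers that never loaded, and drivers loaded from outside the usual system32 folders. The sample log, the function names and the \WINDOWS install path are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample in the ntbtlog.txt layout quoted in this thread:
# two boot sessions, newest last. Not taken from a real machine.
SAMPLE_NTBTLOG = r"""
Service Pack 2 1 8 2009 20:10:02.500
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Service Pack 2 1 9 2009 23:35:48.375
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver ACPI.sys
Loaded driver \SystemRoot\system32\drivers\lvusbsta.sys
Loaded driver \SystemRoot\system32\drivers\lvusbsta.sys
Loaded driver \SystemRoot\system32\drivers\sfng32.sys
Did not load driver \SystemRoot\system32\drivers\sfng32.sys
Did not load driver \SystemRoot\System32\Drivers\Flpydisk.SYS
Loaded driver \??\C:\WINDOWS\nvoclock.sys
"""

HEADER = re.compile(r"^\s*Service Pack\b")
ENTRY = re.compile(r"^(Loaded|Did not load) driver\s+(.+)$")
# Assumption: Windows lives in \WINDOWS, as in the log posted in this thread.
USUAL_DIRS = {"", r"\windows\system32", r"\windows\system32\drivers"}


def normalize(path):
    """Lower-case the path and fold device and SystemRoot prefixes."""
    p = re.sub(r"^\\\?\?\\[a-z]:", "", path.lower())
    return re.sub(r"^\\systemroot", r"\\windows", p)


def last_boot_session(text):
    """Return the lines from the last 'Service Pack' header to the end."""
    lines = text.splitlines()
    starts = [i for i, line in enumerate(lines) if HEADER.match(line)]
    if not starts:
        raise ValueError("no 'Service Pack' header found")
    return lines[starts[-1]:]


def triage(text):
    """Summarise the newest boot: repeats, failures, odd locations."""
    session = last_boot_session(text)
    loaded, failed, unusual = Counter(), [], []
    for m in filter(None, (ENTRY.match(l.strip()) for l in session[1:])):
        status, path = m.groups()
        key = normalize(path)
        if status == "Loaded":
            loaded[key] += 1
            # A flag means "review this entry", not "this is malicious".
            if key.rpartition("\\")[0] not in USUAL_DIRS and path not in unusual:
                unusual.append(path)
        else:
            failed.append(path)
    return {
        "header": session[0].strip(),
        "repeated": {k: n for k, n in loaded.items() if n > 1},
        "never_loaded": [p for p in failed if normalize(p) not in loaded],
        "unusual_location": unusual,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_NTBTLOG))
```
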


#3 Rappy

Rappy

    Authentic Member

  • Authentic Member
  • PipPip
  • 106 posts

Posted 09 January 2009 - 10:33 PM

Yes, you are right, consistently there is a service timing out, and from the looks of the logs has been doing so for days.

Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.

another error listed was ...

The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service failed to start due to the following error: The system cannot find the path specified.

I will run the bootlog here shortly.

-Rappy

#4 Rappy

Rappy

    Authentic Member

  • Authentic Member
  • PipPip
  • 106 posts

Posted 09 January 2009 - 10:43 PM

Windows actually rebooted that time with no problems, still hung on login. Wallpaper shows up, 2-3 mins later icons do, then wallpaper disappears. In Display properties, desktop is set to web content with a .html as the item. All I see is a black screen with the icons.

Here's the bootlog:

Service Pack 2 1 9 2009 23:35:48.375
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS
Loaded driver pciide.sys
Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Loaded driver fltMgr.sys
Loaded driver sr.sys
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\system32\DRIVERS\nv4_mini.sys
Loaded driver \SystemRoot\System32\drivers\pivot.sys
Loaded driver \SystemRoot\system32\DRIVERS\HECI.sys
Loaded driver \SystemRoot\system32\DRIVERS\e1e5132.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys
Loaded driver \SystemRoot\system32\DRIVERS\nic1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\parport.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\serial.sys
Loaded driver \SystemRoot\system32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\drivers\lvusbsta.sys
Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\system32\drivers\lvusbsta.sys
Loaded driver \SystemRoot\system32\drivers\lvusbsta.sys
Loaded driver \SystemRoot\system32\drivers\lvusbsta.sys
Loaded driver \SystemRoot\system32\drivers\lvusbsta.sys
Loaded driver \SystemRoot\System32\Drivers\RootMdm.sys
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\system32\DRIVERS\psched.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\Drivers\PdiPorts.sys
Loaded driver \SystemRoot\system32\DRIVERS\RimSerial.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\update.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\system32\drivers\lvusbsta.sys
Loaded driver \SystemRoot\system32\drivers\sthda.sys
Loaded driver \SystemRoot\system32\drivers\sfng32.sys
Did not load driver \SystemRoot\system32\drivers\sfng32.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Flpydisk.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\system32\DRIVERS\arp1394.sys
Loaded driver \SystemRoot\System32\drivers\ws2ifsl.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\System32\Drivers\SCDEmu.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\System32\Drivers\PQNTDrv.SYS
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbccgp.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\BANTExt.sys
Loaded driver \SystemRoot\System32\Drivers\avgmfx86.sys
Loaded driver \SystemRoot\system32\drivers\lvusbsta.sys
Loaded driver \SystemRoot\system32\DRIVERS\LV302AV.SYS
Loaded driver \SystemRoot\system32\drivers\usbaudio.sys
Loaded driver \SystemRoot\system32\DRIVERS\hidusb.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouhid.sys
Loaded driver \??\C:\WINDOWS\System32\drivers\pivotmou.sys
Loaded driver \SystemRoot\System32\Drivers\avgldx86.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Loaded driver \SystemRoot\System32\Drivers\avgtdix.sys
Loaded driver \SystemRoot\system32\DRIVERS\srv.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \??\C:\WINDOWS\nvoclock.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys

-Rappy

#5 appleoddity

appleoddity

    SuperMember

  • Tech Team
  • 3,071 posts
  • Interests:Eating, Movies, Family, Church, Music, Volleyball, Softball, Poker, Computers, Electronics, Reading.

Posted 09 January 2009 - 11:31 PM

Thank you for the info. The logs look clean although there is a lot that can be done to tune the system up and help it to perform better. How much physical RAM do you have? In task manager, click the "performance" tab and tell me how much memory total you have and how much memory is available.

The black desktop sounds like a remnant of the malware removal. Did you have a problem with your desktop being plastered with a "You're INFECTED!" warning? Go into control panel -> display -> desktop tab. Click "customize desktop" and then click the "web" tab. Delete everything in the "web pages" window except for My Current Homepage (which you can't delete) then uncheck everything on the page. Click OK, then APPLY. Your regular desktop image should show back up, if it isn't what you would like it to be choose a different background at this time.

Now, let's find out if that failing service has anything to do with your long startup times. Click start -> run -> type 'msconfig' and press ENTER. Click the "Services" tab, and check "Hide all microsoft services." Now, click "Disable all." Click the "Startup" tab, click "Disable all." Click "OK" and reboot when requested to do so. See if your startup times improve. Reboot a few times to see also if you have problems shutting down still. Please be sure to let your system fully start up before trying to shut down (in other words, wait for the hard drive light to cease continuous activity for a while). If you restart too soon, you are sure to start seeing programs hang up and error messages. Report back here with your results.



#6 Rappy

Rappy

    Authentic Member

  • Authentic Member
  • PipPip
  • 106 posts

Posted 10 January 2009 - 12:53 AM

Ok, physical ram is 2gig on this machine, before I changed anything in msconfig, I had a little under 1.5gig avail. After a little over 1.5. Booting is faster, although, it sits at the "Windows is starting up" screen, (the blue one, not the black one) before letting me choose my windows profile longer than I would like (almost up to a minute after rebooting several times) Issue seems to be gone with the shutdown, and the wallpaper is fine... yes I did have a "You're INFECTED!" wallpaper, but after MWB got rid of it, the black desktop wasn't an issue... it wasn't until I started getting help from here, that the black screen came up as an issue. -Rappy

#7 appleoddity

appleoddity

    SuperMember

  • Tech Team
  • 3,071 posts
  • Interests:Eating, Movies, Family, Church, Music, Volleyball, Softball, Poker, Computers, Electronics, Reading.

Posted 10 January 2009 - 12:58 AM

Ok.. So did the wallpaper fix itself, or did you use the instructions to remove the "web" settings from display in control panel? I noticed something strange involving your logitech webcam in the bootlog. Please unplug this logitech webcam and see if it improves your boot time. I understand that at this point several of your programs are disabled due to our diagnostic testing with msconfig. Please be patient so we can figure everything out. I would suggest at this point to go back into msconfig and under the services tab, and the startup tab, enable anything associated with AVG so that your anti-virus is functioning properly for the time being. I'm off to bed, I'll follow up in the morning. :)

Edited by appleoddity, 10 January 2009 - 12:59 AM.



#8 Rappy

Rappy

    Authentic Member

  • Authentic Member
  • PipPip
  • 106 posts

Posted 10 January 2009 - 01:03 AM

Ok. There was no web content there, just an html as the wallpaper. I have it set to a default wallpaper now and it's staying. I will unplug the camera for now, but be advised, I do use it often as I web chat all the time. AVG will be back up when I reboot. See you in the morning. -Rappy

#9 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 10 January 2009 - 04:38 AM

HJT logs are not allowed in the Tech forums.
appleoddity,
You haven't completed any malware Classroom training here.
Please refrain from posting any advice as to removal of such.


Rappy,
This is what you said your issues were after removing infections.

Windows still refuses to shut down and reboot... Requires a reset button.
Still takes over 5 mins for the computer to boot up from the User select screen.

I think I've done as much as I can. It's clean of any spyware/malware that I can see.

I suggest you start a new topic post the above quoted here:


The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#10 appleoddity

appleoddity

    SuperMember

  • Tech Team
  • 3,071 posts
  • Interests:Eating, Movies, Family, Church, Music, Volleyball, Softball, Poker, Computers, Electronics, Reading.

Posted 10 January 2009 - 09:16 AM

I do apologize for violating any rules here. Would not a hijackthis log be useful for other purposes other than removing malware? It would've been great to assist this user in also tuning up his PC from so many services/startup items running. There is also a service or other item that appears to be making the system take so long to start, the HJT log also showed that. The purpose of the HJT log was not for me to assist in malware removal, but it certainly was helpful in diagnosing his problem. I'd just like an understanding so I am not violating forum rules. Thank you. To the original poster, what were the results of unplugging your webcam and rebooting last night? Did the 1 minute welcome screen wait improve?



#11 Rappy

Rappy

    Authentic Member

  • Authentic Member
  • PipPip
  • 106 posts

Posted 10 January 2009 - 10:18 AM

I required use of my camera first thing in the morning and had to go back and enable all in msconfig in order to use it, as I was also without sound last night. I am leery about unplugging the cam, because last time I did, it took about 3 days to get the finicky thing working again. -Rappy

#12 appleoddity

appleoddity

    SuperMember

  • Tech Team
  • 3,071 posts
  • Interests:Eating, Movies, Family, Church, Music, Volleyball, Softball, Poker, Computers, Electronics, Reading.

Posted 10 January 2009 - 10:28 AM

That would probably explain some of the peculiarities in the bootlog. Nothing done in msconfig should've stopped your sound, so that is a little odd. However, I'll be unable to assist you with your problem if you aren't willing to go on an adventure with me. I would like for you to put the system back the way it should be if you hadn't gone back into msconfig, and then unplug the webcam for now to see if your system still hangs at the welcome screen for so long. Thank you. If anything should happen, I follow through with my support. You have nothing to fear.



#13 Rappy

Rappy

    Authentic Member

  • Authentic Member
  • PipPip
  • 106 posts

Posted 10 January 2009 - 10:45 AM

Are you available now for a few hours to do this? As I would like to get the cam back and working ASAP if I start now. -Rappy

#14 appleoddity

appleoddity

    SuperMember

  • Tech Team
  • 3,071 posts
  • Interests:Eating, Movies, Family, Church, Music, Volleyball, Softball, Poker, Computers, Electronics, Reading.

Posted 10 January 2009 - 10:47 AM

I will be available off and on all day. I will check periodically.



#15 Rappy

Rappy

    Authentic Member

  • Authentic Member
  • PipPip
  • 106 posts

Posted 10 January 2009 - 11:01 AM

Ok, so go back to bare minimum in msconfig, unplug camera and reboot? -Rappy
