
Unable to Run Malwarebytes/limited HijackThis


cmanser


Good morning,

I am trying to 'fix' my friend's computer and somehow he has broken everything...

Windows XP SP3

I cannot view the LAN adapter in Network Connections

There are 2 Network Connections in the Control Panel

I cannot install Avira (either get rctext.dll error or it just closes)

I cannot run MalwareBytes (Run-time error '372' and vbalsgrid6.ocx)

I cannot use the search feature in windows.

I cannot click and drag.

I was only able to get HijackThis working when I select the Diagnostic Startup option in MSCONFIG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:35 AM, on 12/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Trend Micro\HijackThis11\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243842045671
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe

--
End of file - 3290 bytes

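An added example, not part of the thread and not code from HijackThis, that triages the log posted above the way a helper reads it by hand: the F2 line shows the system.ini UserInit value, which on a clean XP install names only userinit.exe (followed by a trailing comma), so any further executable there is a persistence hook that runs inside winlogon before the shell appears; the example also cross-checks the "Running processes" list against a baseline set. The baseline set is an assumption for the example, and the log text is the excerpt from the post above, embedded so the check runs offline.

```python
"""Triage a HijackThis log for the UserInit hook and unexpected processes."""
import re

# Input: the HijackThis excerpt posted in the thread above, copied verbatim
# so the checks below run without a real machine.
HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Trend Micro\HijackThis11\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"""

# The only executable a clean XP UserInit value should contain.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Assumed baseline: what a diagnostic-startup XP boot plus the scanning tool
# itself shows. Anything outside it is flagged for review, not declared bad.
KNOWN_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "userinit.exe", "explorer.exe",
    "wgatray.exe", "wpabaln.exe",   # WGA notifier and activation balloon
    "hijackthis.exe",               # the tool that produced the log
}

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$",
                   re.IGNORECASE | re.MULTILINE)


def userinit_entries(log):
    """Executables listed in the F2 UserInit line, lower-cased, empty slots dropped."""
    m = F2_RE.search(log)
    if not m:
        return []
    return [p.strip().lower() for p in m.group(1).split(",") if p.strip()]


def userinit_anomalies(log):
    """Every UserInit entry that is not the stock userinit.exe."""
    return [p for p in userinit_entries(log) if p != EXPECTED_USERINIT]


def running_processes(log):
    """Paths under the 'Running processes:' header, up to the first blank line."""
    procs, collecting = [], False
    for line in log.splitlines():
        if line.strip().lower() == "running processes:":
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def unexpected_processes(log):
    """Running processes whose file name is not in the assumed baseline."""
    return [p for p in running_processes(log)
            if p.rsplit("\\", 1)[-1].lower() not in KNOWN_PROCESSES]


def triage(log):
    """Findings a helper wants first; a UserInit hook that is also running is the top one."""
    extra = userinit_anomalies(log)
    unknown = unexpected_processes(log)
    confirmed = [p for p in unknown if p.lower() in extra]
    return {"userinit_extra": extra,
            "unknown_processes": unknown,
            "running_userinit_hooks": confirmed}


if __name__ == "__main__":
    for key, value in triage(HJT_LOG).items():
        print(f"{key}: {value}")
```

Run against the log above, the only item in every finding is the second UserInit executable, which matches the F2 line the helper's first reply targets. The process baseline is deliberately small; on a normal (non-diagnostic) boot it would need the machine's legitimate services added before the unknown list means anything.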

:)

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Fcopy::
c:\windows\$NtServicePackUninstall$\eventlog.dll | C:\Windows\system32\eventlog.dll
c:\windows\$NtServicePackUninstall$\svchost.exe | C:\Windows\system32\svchost.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

How is everything running???


I still have 2 Network Connection Icons in the Control Panel

No Ethernet adapters in Network Connections (ipconfig /all shows the NIC and it appears to be statically assigned to 192.168.1.1 (this comp needs to be statically configured with a different range to access the internet))

No click and drag

Can't run Avira (copies files and appears to start to install but just closes)

Can't run Malwarebytes (Run-time error '372' and vbalsgrid6.ocx)

Thanks for the help.

ComboFix.txt


Do me a favor and re-download ComboFix to your desktop. Thanks

It appears that you have an infected copy of svchost.exe. We will try to replace it with a good copy, but I need you to install the recovery console. Here are the instructions to allow ComboFix to do it for you.

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.

---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

RC1-4.gif

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
    RC2-1.png
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.

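The CFScript earlier in the thread (the Fcopy:: block) and the reply above both rest on the same idea: the copies of svchost.exe and eventlog.dll that Service Pack setup left in $NtServicePackUninstall$ are a known-good reference, and the live files in system32 are replaced from them. The following is an added example, not ComboFix's own code or the helper's, that shows the check a responder would want before and after such a copy: hash the live file and the backup, only replace on a mismatch, and keep the suspect file for later analysis instead of destroying the evidence. It runs against a constructed temporary directory tree, so the file contents are stand-ins, not real binaries. One caveat the example cannot remove: a hotfix installed after the service pack also changes a system32 file, so a mismatch against the SP backup is a reason to look, not by itself proof of infection.

```python
"""Compare live system files with the service-pack backup before restoring them."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_against_backup(live_dir, backup_dir, names):
    """Map each file name to match / mismatch / missing / no-backup."""
    results = {}
    for name in names:
        live, backup = Path(live_dir) / name, Path(backup_dir) / name
        if not backup.exists():
            results[name] = "no-backup"      # nothing to restore from
        elif not live.exists():
            results[name] = "missing"        # live file deleted, not just altered
        elif sha256_of(live) == sha256_of(backup):
            results[name] = "match"
        else:
            results[name] = "mismatch"
    return results


def restore_mismatches(live_dir, backup_dir, names, quarantine_dir):
    """Replace only mismatching files, preserving the suspect copy first."""
    status = compare_against_backup(live_dir, backup_dir, names)
    restored = []
    for name, state in status.items():
        if state != "mismatch":
            continue
        live = Path(live_dir) / name
        # Keep the altered file (renamed so it cannot run by accident) for analysis.
        shutil.copy2(live, Path(quarantine_dir) / (name + ".suspect"))
        shutil.copy2(Path(backup_dir) / name, live)
        restored.append(name)
    return status, restored


def demo():
    """Constructed scenario mirroring the thread: eventlog.dll intact, svchost.exe altered."""
    root = Path(tempfile.mkdtemp())
    live = root / "system32"
    backup = root / "$NtServicePackUninstall$"
    quarantine = root / "quarantine"
    for d in (live, backup, quarantine):
        d.mkdir()
    # Stand-in contents; real files would be the SP-installed binaries.
    (backup / "eventlog.dll").write_bytes(b"GOOD-EVENTLOG")
    (live / "eventlog.dll").write_bytes(b"GOOD-EVENTLOG")
    (backup / "svchost.exe").write_bytes(b"GOOD-SVCHOST")
    (live / "svchost.exe").write_bytes(b"GOOD-SVCHOST\x00PATCHED")  # constructed tampering
    names = ["eventlog.dll", "svchost.exe"]
    before, restored = restore_mismatches(live, backup, names, quarantine)
    after = compare_against_backup(live, backup, names)
    quarantined = sorted(p.name for p in quarantine.iterdir())
    shutil.rmtree(root)
    return before, restored, after, quarantined


if __name__ == "__main__":
    print(demo())
```

The CFScript copies both files unconditionally; the example only touches the one whose hash differs, which is the behaviour you want when the "known-good" side might itself be stale. In the constructed run only svchost.exe is reported as a mismatch, it is the only file restored, and afterwards both files match the backup.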

Right-Click on My Computer ----> Click on Properties ---> Click on Hardware go to device manager

Under Network adapters

right click on the device and choose uninstall. Reboot your computer. You may need to reconfigure how you get online if it's not DHCP. Let me know though.

Otherwise we might have to rebuild your tcpip stack.


You are a wise sage. I just assumed it was good to go; however, it seems there may be some lingering issues. Some of which you may not be able to help resolve and I understand that.

Nevertheless, I get 2 pop-ups when I start Windows (see attached). One mentions SQL database or server. I made sure the owner doesn't use or need a SQL database or server. The second is just a pop-up with no title or text...

The PC randomly freezes too. I could get through a quick scan after you asked and had to reboot twice. It seems to be running longer now...

Lastly there are still 2 network connection icons in the control panel??

blank.bmp

hijackthis2.txt

mbam_log_2010_01_02__10_19_48_.txt

mbam_log_2010_01_02__11_16_12_.txt

mbam_log_2010_01_02__13_18_04_.txt

sql.bmp


Okay, the network connections folder appears normal to me. Local connection and 1394 icon are all okay. The MSN one looks like an old one, maybe for dial-up.

For the other problem

Navigate to here

C:\documents and settings\all users\start menu\startup\Service Manager.lnk

Delete that and you shouldn't have that other SQL pop-up at startup.

Go ahead and run a full scan with AntiVir.
