
Thread: Help Cannot Run HijackThis (Resolved)

  1. #1
    Junior Member
    Join Date
    Aug 2009
    Posts
    11

    Help Cannot Run HijackThis (Resolved)

    Hi,

    I am trying to run HijackThis scan to start the process of posting my logs. I installed it but when I try running it nothing happens.

    When I try to run SpyBot scan, it opens but then quickly closes. If I rename the file, it opens and then closes right when I choose to run a scan.

    I am running Windows XP on a Tablet PC.

    Please help!

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    Please note that all instructions given are customised for this computer only,
    the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.


    Hello and welcome to the forums

    My name is Katana and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:
    1. Please Read All Instructions Carefully
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you
    4. Failure to reply within 5 days will result in the topic being closed.
    5. Please continue to respond until I give you the "All Clear"
      (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those few things, everything should go smoothly

    Some of the logs I request will be quite large; you may need to split them over a couple of replies.

    Please Note, your security programs may give warnings for some of the tools I will ask you to use.
    Be assured, any links I give are safe

    ----------------------------------------------------------------------------------------
    Step 1


    Create A Batch File
    Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
    Save it as "All Files" and name it look.bat. Please save it on your desktop.

    @Echo Off
    REM Start with a fresh report file
    if exist "%Temp%\Katlog.txt" del /q "%Temp%\Katlog.txt"
    REM Walk every file under All Users. Log a folder when the file name has no letters,
    REM has at least one digit, appears in the folder path, and "<name>.exe" exists in that folder.
    For /R "%AllUsersProfile%" %%G in (*) DO (
    @Echo Searching .. %%~nG
    Echo "%%~nG"|Findstr /R "[A-Za-z]" > nul || Echo "%%~nG"|Findstr /R "[0-9]">nul&& Echo "%%~pG"|findstr "%%~nG">nul&& if exist "%%~dpG\%%~nG.exe" echo "%%~dpG">> "%Temp%\Katlog.txt"
    CLS
    )
    If exist "%Temp%\Katlog.txt" Goto Finish
    @echo No Folders Found >>"%Temp%\Katlog.txt"
    :Finish
    REM Show the report, then remove this batch file
    Notepad "%Temp%\Katlog.txt"
    del /q %0
    Exit

    Double click on look.bat
    Please be patient, as this will search the entire disc

    Notepad will open, please copy/paste the results here.


    ----------------------------------------------------------------------------------------
    Step 2

    Please download the Win32kDiag.exe tool from the following location and save it to your desktop:

    http://download.bleepingcomputer.com...Win32kDiag.exe

    Once downloaded, double-click on the program and let it finish. When it states Finished! Press any key to exit..., you can press any key on your keyboard to close the program. On your desktop should now be a file called Win32kDiag.txt.

    Double-click on this file and post the contents as a reply to this topic.
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY

  3. #3
    Junior Member
    Join Date
    Aug 2009
    Posts
    11

    Unable to Even Start Windows

    Hi Katana,

    Thanks for your help

    Unfortunately now, I am even unable to start up Windows. I get the Windows screen with the progress bar and then the screen freezes. When I power off and restart I get the Windows advanced options to start in safe mode. I try safe mode, the screen begins to list a bunch of the drivers. But when it gets to:

    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\System32\Drivers\Mup.sys

    it freezes.

    If I choose to restart to last known good configuration, I get the Windows screen with the progress bar and then the screen turns black and freezes.

    Any suggestions?

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    Originally posted by Mike S:
    "Any suggestions?"

    Not many for this situation I'm afraid :(

    Is there a Safe Mode With Networking option ? .. does that still work ?

    If not, then I'm afraid that you are probably looking at a repair install at the very least.

    Do you have an Install disc, or a recovery partition ?

  5. #5
    Junior Member
    Join Date
    Aug 2009
    Posts
    11

    Yea the Safe Mode with Networking option produces the same result :(

    I also don't have the recovery CD. This computer was handed down. I might have to just purchase the recovery CD from Toshiba.

    Anyways I do have another question. So when the virus/malware infected the Toshiba laptop, somehow it also spread to my other Dell laptop through the network. So I started backing up all my files on the Toshiba and Dell to an external drive.

    And then I clean installed Windows on my Dell. When I connected the Dell to my external hard drive, my Dell got infected again :(

    Is there a way for me to salvage the files on my external drive?

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    "I might have to just purchase the recovery CD from Toshiba."
    Unfortunately, I suspect this is the easiest, if not only, option.

    "Is there a way for me to salvage the files on my external drive?"
    On the Dell machine, please do the following ....


    ----------------------------------------------------------------------------------------
    Step 1

    USBNoRisk

    Please download USBNoRisk to your Desktop and run it by double-clicking the program's icon.
    • Wait a couple of seconds for the initial scan to be done.
    • Connect all of the USB storage devices to the PC, one at a time, and keep each one connected for at least 10 seconds.
    • If there are more USB storage devices to scan, please take a note of the order in which these were connected.
    • After all the devices are scanned, choose the "Save log" option from the right-click menu on the Monitor tab. That will open the log in Notepad. Please copy/paste the log to the forum.

    Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

    ----------------------------------------------------------------------------------------
    Step 2

    Make sure that your external drive is still connected.
    You can use the following scan to either scan your entire machine, or just the external drive. Your choice.

    Kaspersky Online Scanner
    Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
    NOTE:- This scan is best done from IE (Internet Explorer)

    NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
    Go Here http://www.kaspersky.com/kos/eng/par...avwebscan.html

    Read the Requirements and limitations before you click Accept.
    Once the database has downloaded, click My Computer in the left pane
    Now go and put the kettle on !
    When the scan has completed, click Save Report As...
    Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

    Post the Kaspersky log, and then we can see what is causing the problem.

  7. #7
    Junior Member
    Join Date
    Aug 2009
    Posts
    11

    Here is the log from USBNoRisk

    USBNoRisk 2.5 (26 July 2009) by bobby

    Started at 8/25/2009 5:09:55 PM

    Searching for connected USB Mass storage...
    ----------------------------------------
    ========================================

    Searching for other storage...
    ----------------------------------------
    C: {6a5eb844-8dd0-11de-b0af-806d6172696f}
    ========================================


    Scanning fixed storage...
    ----------------------------------------

    No blocked files found on C:
    No Autorun.inf files found on C:
    No mountpoint found for C:
    No mountpoint found for 6a5eb844-8dd0-11de-b0af-806d6172696f
    No Desktop.ini files found on C:
    ----------------------------------------

    ========================================
    Initial scan finished!
    ========================================


    New device connected at 8/25/2009 5:16:08 PM

    Scanning for connected USB mass storage...
    ----------------------------------------
    E: {4f837462-90f1-11de-a5d2-000f1f28070f}
    Added E:
    ========================================

    Scanning USB mass storage for files...
    ----------------------------------------
    No blocked files found on E:
    ----------------------------------------
    autorun.inf found on E:
    ----------------------------------------
    File E:\autorun.inf renamed successfully

    Content of E:\autorun.inf.blocked
    ----------------------------------------
    autorun]
    [autorun[
    autorun[
    [autorun
    :jmp8
    open=BOOTEX\thumbcache_131.exe
    :jmp3
    icon=%SystemDrive%\windowS\system32\SHELL32.dll,4
    :jmp3
    action=Open folder*to view files using*Windows*Explorer
    :jmp0
    shell\\\\open\command=.////BOOTEX/thumbcache_131.exe
    :jle7
    shell\\\\\\\explore\command=BOOTEX/thumbcache_131.exe
    useautoplay=1
    [AutoRun]
    :GOTO NULL
    ----------------------------------------

    No mountpoint found for E:
    Sanitized mountpoint for 4f837462-90f1-11de-a5d2-000f1f28070f
    ----------------------------------------

    ----------------------------------------
    Desktop.ini found at E:\BOOTEX\ contains interesting CLSID string
    ----------------------------------------
    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}
    ----------------------------------------
    HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
    HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
    HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
    HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
    HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
    HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
    HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
    HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
    HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
    HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
    HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
    HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
    HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
    HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
    ----------------------------------------
    Desktop.ini found at E:\Recycled\ contains interesting CLSID string
    ----------------------------------------
    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}
    ----------------------------------------
    HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
    HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
    HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
    HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
    HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
    HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
    HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
    HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
    HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
    HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
    HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
    HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
    HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
    HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
    ----------------------------------------

    No mimics found on drive E:
    ========================================
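
A triage script for an autorun.inf has to tolerate the filler lines, repeated backslashes and mixed path separators seen in the E:\autorun.inf.blocked content logged above. The following is an added example, not part of the original thread or of USBNoRisk; the function names are hypothetical and it does not claim to reproduce how Windows itself parses the file.

```python
import re

# Copied from the E:\autorun.inf.blocked content in the log above.
SAMPLE = r"""autorun]
[autorun[
autorun[
[autorun
:jmp8
open=BOOTEX\thumbcache_131.exe
:jmp3
icon=%SystemDrive%\windowS\system32\SHELL32.dll,4
:jmp3
action=Open folder*to view files using*Windows*Explorer
:jmp0
shell\\\\open\command=.////BOOTEX/thumbcache_131.exe
:jle7
shell\\\\\\\explore\command=BOOTEX/thumbcache_131.exe
useautoplay=1
[AutoRun]
:GOTO NULL
"""

# Keys that name something to launch: open, shellexecute, shell\<verb>\command
LAUNCH_KEY = re.compile(r"(open|shellexecute|shell(\\+[^\\=]+)*\\+command)$", re.I)
KEY_VALUE = re.compile(r"([^=;\[\]]+?)\s*=\s*(.+)")

def normalize_target(value):
    """Collapse repeated/mixed separators and a leading '.\\' so variants compare equal."""
    path = re.sub(r"[\\/]+", r"\\", value.strip('"'))
    return re.sub(r"^(\.\\)+", "", path).lower()

def triage(text):
    """Return (targets, junk): launch targets mapped to the keys naming them, and filler lines."""
    targets, junk = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(";") or re.fullmatch(r"\[[^\[\]]+\]", line):
            continue  # blank, comment, or well-formed section header
        m = KEY_VALUE.match(line)
        if not m:
            junk.append(line)  # filler such as ":jmp8" or "[autorun["
        elif LAUNCH_KEY.match(m.group(1)):
            targets.setdefault(normalize_target(m.group(2)), []).append(m.group(1))
    return targets, junk

if __name__ == "__main__":
    targets, junk = triage(SAMPLE)
    for path, keys in targets.items():
        print(f"{path}  <- {len(keys)} launch key(s)")
    print(f"{len(junk)} filler line(s) ignored")
```

On the logged file, all three launch keys resolve to the same executable under BOOTEX, which is the file to quarantine along with the autorun.inf itself.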

  8. #8
    Junior Member
    Join Date
    Aug 2009
    Posts
    11

    For Kaspersky Online Scanner I am using IE6 and am getting this alert on the website:

    Kaspersky Online Scanner 7.0 require Java framework version 1.5 or later.

  9. #9
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    Originally posted by Mike S:
    "I am using IE6"

    You really need to update that.


    Active Scan
    Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
    NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
    Please go to this site Link >> ActiveScan << LINK
    • Click the Scan Now button
    • Follow the prompts to install the Active X if necessary
    • Go and make a cup of tea/coffee/beverage of your choice and watch some TV
    • When the scan is finished, a report will be generated
    • Next to Scan Details click the small export to notepad button and save the report to your desktop.
    • Please post the report in your reply.

  10. #10
    Junior Member
    Join Date
    Aug 2009
    Posts
    11

    I should have the external drive connected during the ActiveScan scan, correct?

    Btw just in case I didn't mention, after my Dell was infected when I connected to the external drive, I reformatted my Dell so it should not be infected with anything.
