TechSpot

Control Panel not appearing; HJT logfile enclosed

By Elmorell
Feb 8, 2009
  1. My Vista PC refuses to display icons in the control panel when I open, although I still have access to functions through my computer. In addition, Welcome Center and Windows games (like Minesweeper) will not run. I suspect this is malware, could somebody please review the attached HJT logfile?
     
  2. mflynn

    mflynn TS Rookie Posts: 2,655

  3. Elmorell

    Elmorell TS Rookie Topic Starter Posts: 38

    I ran through those steps--here are the requested logfiles from AntiMalware, Spyware thingy, and HJT.
     
  4. mflynn

    mflynn TS Rookie Posts: 2,655

    Yep you had'em!

    Run HJT "Scan only", then select and remove the entries below:
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - (no file)
    O23 - Service: Ati External Event Utility - Unknown owner - (no file)
    O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - (no file)
    O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - (no file)
    O23 - Service: LiveUpdate Notice - Unknown owner - c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - (no file)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - (no file)
    O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - (no file)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - (no file)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - (no file)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - (no file)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - (no file)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - (no file)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - (no file)
    O23 - Service: XAudioService - Unknown owner - (no file)

    Then UPDATE and run MBAM again and attach the new log, as it will likely find more that were not completely removed on the last scan, and some that were exposed that the last scan never even saw.

    Then...

    Download ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe and follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike
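The O23 entries above follow one fixed layout (display name or `@file,-id` resource reference, optional short service name in parentheses, owner, image path plus an HJT status suffix). The parser below, an added example rather than anything from this thread or from HijackThis itself, splits them into those fields so a batch of entries can be triaged against a known-good machine before anything is removed; the sample lines are copied from the log excerpt above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: O23 lines taken from the HijackThis log excerpt in this thread.
SAMPLE_O23 = r"""
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - (no file)
O23 - Service: Ati External Event Utility - Unknown owner - (no file)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: LiveUpdate Notice - Unknown owner - c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
"""

# HJT separates the three fields with " - "; the path is taken greedily so spaces in it survive.
_LINE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Trailing "(short name)" is optional; a display name ending in "(x86)" would be misread, so check results.
_NAME = re.compile(r"^(?P<display>.*?)(?: \((?P<short>[^()]+)\))?$")
# "@file,-id" means the display string lives in a resource of that file and was not resolved.
_RESOURCE = re.compile(r"^@(?P<file>[^,]+),-(?P<id>\d+)$")

@dataclass
class O23Entry:
    display: str                 # display name or raw @file,-id resource reference
    short_name: Optional[str]    # service key name, e.g. "ALG"; None if HJT did not print one
    owner: str
    path: str                    # image path with the HJT status suffix removed ("" for no file)
    status: str                  # "present", "file_missing" or "no_file"
    resource_file: Optional[str] = None
    resource_id: Optional[int] = None
    svchost_hosted: bool = False  # image is svchost.exe, so the real code is a hosted DLL

def parse_o23(text: str) -> List[O23Entry]:
    entries: List[O23Entry] = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # other HJT sections (R0, O2, O4 ...) are ignored by this parser
        nm = _NAME.match(m["name"])
        path, status = m["path"], "present"
        if path == "(no file)":
            path, status = "", "no_file"
        elif path.endswith("(file missing)"):
            path, status = path[: -len("(file missing)")].rstrip(), "file_missing"
        entry = O23Entry(nm["display"], nm["short"], m["owner"], path, status,
                         svchost_hosted="svchost.exe" in path.lower())
        res = _RESOURCE.match(entry.display)
        if res:
            entry.resource_file, entry.resource_id = res["file"], int(res["id"])
        entries.append(entry)
    return entries

def status_counts(entries: List[O23Entry]) -> dict:
    """Count entries per status so a log can be summarised before any removal decision."""
    counts: dict = {}
    for e in entries:
        counts[e.status] = counts.get(e.status, 0) + 1
    return counts
```

Entries whose display name is still an unresolved `@file,-id` reference and whose short name matches a built-in Windows service are worth verifying on a clean system of the same architecture before they are deleted.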
     
  5. Elmorell

    Elmorell TS Rookie Topic Starter Posts: 38

    ComboFix gave me an error message saying it was not compatible with Windows Vista... is there a newer version?

    Also the HJT lines you told me to delete reappear in the next scan after being deleted.
     
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    No it does run in Vista.

    Boot to Safe Mode with Networking and, instead of double-clicking, right-click and choose Run as Administrator.

    Mike
     
  7. Elmorell

    Elmorell TS Rookie Topic Starter Posts: 38

    Tried that, got the same error message. I should mention that this is 64-bit Vista...
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    Yes that may be it! I will look into it.

    Is the Control panel still kaput?

    Meantime do the below.

    Update then run SAS.
    Click Preferences-Repairs.
    Then, counting down from the top, do the following entries:

    Numbers 6, 8, 11, 12, 13, 15, 18, 19, 20, 21, 22, 24, 25, 26 and 27!

    Download RootRepeal http://rootrepeal.googlepages.com/RootRepeal.rar

    Make a folder on your Desktop and name it RRepeal. Move the rar file there and extract it.

    Enter the folder and double click RootRepeal.exe.
    Click the Report tab, then click Scan.

    It will ask what to include in the scan.

    Check the following:
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Then click OK

    It will ask which drive to scan.

    Check C: (or your windows drive, if not C)
    Click OK
    The scan will begin; it will take a while.

    When the scan completes, click Save Report.

    Name the log RRepeal.txt save it to your Documents folder (it should default there).

    Attach log here.

    Then..

    Download Trojan Remover http://www.simplysuponline.com/downl...rjsetup675.exe
    This is a fully working 30 day trial.

    Run and attach log!

    I think I will be comfortable without ComboFix if these come up clean.

    Mike
     
  9. Elmorell

    Elmorell TS Rookie Topic Starter Posts: 38

    Control panel still not appearing, and those HJT lines (as I mentioned) reappear, so hopefully these steps will take care of that; I'll let you know.

    No repair options appear in SAS; I'm working on RRepeal right now.

    RRepeal gave me an error message while installing that said "Mismatch between kernel provided by Windows and one from hardware scan. Use Windows kernel?" I tried both yes and no and received an additional error, which aborted the install. Trojan Remover log is attached.
     
  10. mflynn

    mflynn TS Rookie Posts: 2,655

    Again it is likely Vista 64!

    The reason the HJT items come back is likely because they are 64-bit.

    Look again; I have never heard of Preferences-Repairs being missing. Not run, perhaps!
    ----------------------------------------------------------------------------------------------------------------------------------------------------
    Boot to Safe Mode networking and do all below.

    Left-drag the mouse and Copy for pasting all the text in the box below. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

    Then paste it into the black screen of an open command prompt. All of it may not apply, so ignore errors.

    Code:
    @echo off
    cd\
    :: Fix associations (restores the default handlers for executable types that
    :: rogue software commonly hijacks, so the cleanup commands below can run)
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    
    sc stop TDSSserv.sys
    sc delete TDSSserv.sys
    :: Above sc commands first stop then delete the service if it exists
    ::
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    ::
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    :: The above reg commands first unload the reg keys then delete these keys.
    ::
    attrib -h -s -r tdss*.* /s
    del tdss*.* /f /q /s
    :: The above two lines first clear protective attributes then
    :: delete all files on the drive beginning with the name tdss
    
    :: Remove AntiVirus2009
    attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
    del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q
    
    rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
    
    attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
    rd /s /q "c:\Program Files\Antivirus 2009"
    
    attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
    attrib -h -s -r c:\WINDOWS\system32\scui.cpl
    attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
    
    del c:\WINDOWS\system32\ieupdates.exe /f /q
    del c:\WINDOWS\system32\scui.cpl /f /q
    del c:\WINDOWS\system32\winsrc.dll /f /q
    
    :: Paths containing spaces must be quoted or cmd splits them into two arguments
    attrib -h -s -r "c:\program files\xwdxqu.txt"
    attrib -h -s -r c:\windows\x
    attrib -h -s -r c:\windows\SxsCaPendDel
    
    del "c:\program files\xwdxqu.txt" /f /q
    del c:\windows\x /f /q
    del c:\windows\SxsCaPendDel /f /q
    
    reg delete HKLM\SOFTWARE\swearware /f
    reg delete HKCU\Software\Wget /f
    reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f
    
    :: rootkit gaopdxserv
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    :: The service key name is gaopdxserv.sys (see the reg delete lines below)
    sc stop gaopdxserv.sys
    sc delete gaopdxserv.sys
    
    del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    del /f /q "c:\windows\system32\gaopdxqpqjwmyc.dll"
    del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f
    
    reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
    reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "75319611769193918898704537500611" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ieupdate" /f
    echo Finished ripping out Antivirus 2008-9
    :: Fix associations again in case the cleanup above changed anything
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    exit
    exit
    This should run and exit!

    It is a coverall and you may see a few errors related to it addressing something you do not need. This is normal; ignore them.
    ----------------------------------------------------------------------------------------------------------------------------------------------------
    Try this again, also in Safe Mode with Networking.
    Update then run SuperAntiSpyware.

    Then click Preferences,
    then click Repairs.

    Then, counting down from the top, do the following entries:

    Numbers 6, 8, 11, 12, 13, 15, 18, 19, 20, 21, 22, 24, 25, 26 and 27!

    Mike
     
  11. Elmorell

    Elmorell TS Rookie Topic Starter Posts: 38

    I ran this in safe mode networking, and in safe mode the repair options appeared in SAS--I ran the ones you specified (including the control panel one). Afterwards, control panel appeared while in safe mode. However, when I booted into regular mode, control panel was still not there and repair options were missing as before.
     
  12. mflynn

    mflynn TS Rookie Posts: 2,655

    OK well that is good information.

    Boot back to safe mode and see if Control panel is still populated.

    If it is not there, then booting back to normal reset something.

    If it is there then it is a setting that only gets set in Normal mode.

    If it is there in Safe Mode then go to User Accounts and turn off UAC! Turn it back on when finished with the repair/cleaning.

    Boot back to normal!

    Are you running under a full Admin level account?

    Try to temporarily disable all protections of virus scanners and Resident Malware programs.

    Then try the SAS repairs again. I think to get control panel back in full mode we need to run the repairs in full mode.

    Mike
     
  13. Elmorell

    Elmorell TS Rookie Topic Starter Posts: 38

    I am running an admin account. I booted to Safe Mode, and control panel was populated. I disabled UAC and rebooted to regular mode, and the repairs list was populated--however, running the control panel repair had no effect. Control panel is still missing in regular mode.

    I should mention, in case it helps with the root of the issue, that I think what's causing the absence of control panel is an inability to start the services Software Licensing and ReadyBoost--initially a Gateway representative had me try to start those, then recommended I restore to factory defaults, which I was disinclined to do for obvious reasons relating to my hard drive being wiped. In addition, my speakers are not powered on and not working despite being connected to each other and to power (this may just be really bad luck, and unrelated), and my WPN adapter will not connect to the Internet. The configuration wizard that came with the adapter will not start--clicking the icon results in a loading cursor for a few seconds, but it doesn't start.

    Hopefully this helps.
     
  14. mflynn

    mflynn TS Rookie Posts: 2,655

    OK!

    Then try this!

    Run services.msc from a Run command.
    Stop the SLUNotify service.
    Stop the Software Licensing service; it will stop ReadyBoost also, so OK it.
    Restart Software Licensing first, then SLUNotify and ReadyBoost!

    Now check the control panel!

    Mike
     
  15. Elmorell

    Elmorell TS Rookie Topic Starter Posts: 38

    SLUnotify is stopped and will not start because it is dependent on Software Licensing, which will not start because of Error 3: Path not found (or something to that effect--the number is correct). ReadyBoost receives the same dependency error as SLUnotify.

    To clarify, SLUnotify is stopped already.
     
  16. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, get back after a while; I am going to eat!

    Then I will work on getting it to start; that is the problem!

    Mike
     
  17. Elmorell

    Elmorell TS Rookie Topic Starter Posts: 38

    OK thanks, let me know what the next step would be when you get a chance.
     
  18. mflynn

    mflynn TS Rookie Posts: 2,655

  19. Elmorell

    Elmorell TS Rookie Topic Starter Posts: 38

    Both updates told me that they didn't apply to my system when I tried to install them.
     
  20. mflynn

    mflynn TS Rookie Posts: 2,655

    OK I just noticed you are using an ancient HJT!

    Go back to the 8 Steps and get the newest, then post a new log.

    With these issues with SLUNotify and the Software Licensing service you should have other problems.

    Does windows update work?

    Is System Restore available?

    Try this; if it works it will pinpoint the Video driver as the culprit.

    Reboot, hit F8, and see if you have a low video entry: Enable Low Resolution Video (640x480).
    If so, choose this. This is not Safe Mode!

    Now try the Control panel.

    Control Panel there or not, do the operation in post #14 above.

    Then reboot back to normal check control panel and report results!

    Mike
     
  21. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Also I note that the version of Malwarebytes' Anti-Malware used, 1.33 with Database version 1654, was last updated in January.

    Current database version is 1742

    Best to run a full Malwarebytes scan too, but update it first.

    Elmorell, I think you may have caused a great deal of wasted time by using these outdated versions. As stated by member mflynn, you must follow the guide in full.

    It may be best for you to:
    Uninstall your old version of HijackThis (it must be uninstalled)
    Follow the guide in full (and update as requested)
    Then provide all logs again (by the way I didn't check your SuperAntiSpyware version)

    Doing the above will help you resolve this issue, and allow support to continue to help you
     
  22. mflynn

    mflynn TS Rookie Posts: 2,655

    10-4 to that!

    Mike
     
  23. Elmorell

    Elmorell TS Rookie Topic Starter Posts: 38

    I do not have access to System Restore--I receive an error message when trying to use it, and I haven't tried Windows Update. I'll update the programs and run again. Out of curiosity, what could the video driver be doing? I should mention the computer is brand new, video card is ATI Radeon HD 4850.
     
  24. mflynn

    mflynn TS Rookie Posts: 2,655

    Update what programs?

    No need to run MBAM or SAS again. Just HJT new version and post new log.

    Then do the Special boot in my last post and get me the results!

    Mike
     
  25. Elmorell

    Elmorell TS Rookie Topic Starter Posts: 38

    HJT is what I meant. I won't have access to the computer till this evening, though, so I'll let you know then how it turns out.

    In low resolution video mode control panel was missing, and SLUnotify and Software Licensing gave the same errors. New HJT log attached.
     
Topic Status:
Not open for further replies.
