Control Panel not appearing; HJT logfile enclosed

Status
Not open for further replies.

Elmorell

My Vista PC refuses to display icons in the Control Panel when I open it, although I still have access to the functions through my computer. In addition, Welcome Center and Windows games (like Minesweeper) will not run. I suspect this is malware; could somebody please review the attached HJT logfile?
 
I ran through those steps--here are the requested logfiles from AntiMalware, Spyware thingy, and HJT.
 
Yep you had 'em!

Run HJT "Scan only", then select and remove the below entries:
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - (no file)
O23 - Service: Ati External Event Utility - Unknown owner - (no file)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - (no file)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - (no file)
O23 - Service: LiveUpdate Notice - Unknown owner - c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - (no file)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - (no file)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - (no file)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - (no file)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - (no file)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - (no file)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - (no file)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - (no file)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - (no file)
O23 - Service: XAudioService - Unknown owner - (no file)

Then UPDATE and run MBAM again and attach the new log, as it will likely find more that were not completely removed on the last scan, and some that were exposed that the last scan never even saw.

Then...

Download ComboFix

NOTE: If the copy of ComboFix you have is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe and follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
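As an added worked example (not part of this thread, and not code from the HijackThis project), here is a small Python script that parses the O23 entries Mike lists above. An O23 line has three fields joined by " - ": the display name (optionally followed by the service's short name in parentheses), the owner, and the binary path, where HJT writes "(no file)" when it found no path at all and appends "(file missing)" when the path it did find does not resolve. Grouping the nineteen entries by that status shows which flagged services point at nothing and which point at a standard service host such as svchost.exe or lsass.exe. The sample lines are the ones quoted above, verbatim.

```python
import ntpath
import re
from collections import defaultdict

# Sample input: the nineteen O23 entries quoted in the thread above, verbatim.
HJT_O23_LINES = r"""
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - (no file)
O23 - Service: Ati External Event Utility - Unknown owner - (no file)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - (no file)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - (no file)
O23 - Service: LiveUpdate Notice - Unknown owner - c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - (no file)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - (no file)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - (no file)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - (no file)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - (no file)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - (no file)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - (no file)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - (no file)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - (no file)
O23 - Service: XAudioService - Unknown owner - (no file)
""".strip().splitlines()

PREFIX = "O23 - Service: "
# Display name, optionally followed by the short service name in parentheses.
SHORT_NAME_RE = re.compile(r"^(?P<display>.*?)(?:\s+\((?P<short>[^()]+)\))?$")


def parse_o23(line):
    """Split one HijackThis O23 line into display, short name, owner, path and status."""
    line = line.strip()
    if not line.startswith(PREFIX):
        raise ValueError("not an O23 line: %r" % line)
    body = line[len(PREFIX):]
    # HJT joins the three fields with " - "; split from the right so a display
    # name that itself contains " - " would still parse.
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        raise ValueError("unexpected O23 layout: %r" % line)
    display_part, owner, path_part = parts
    m = SHORT_NAME_RE.match(display_part)
    display, short = m.group("display"), m.group("short")
    if path_part == "(no file)":
        status, path = "no file", None
    elif path_part.endswith("(file missing)"):
        status, path = "file missing", path_part[: -len("(file missing)")].rstrip()
    else:
        status, path = "present", path_part
    return {"display": display, "short": short, "owner": owner, "path": path, "status": status}


def host_image(entry):
    """Image file the entry points at (command-line arguments stripped), or None."""
    if not entry["path"]:
        return None
    # Some entries carry arguments after the image, e.g. ccSvcHst.exe" /h ccCommon
    image = entry["path"].split('"')[0].strip()
    return ntpath.basename(image)


def summarize(lines):
    """Group entries by status: {status: [service name, ...]}."""
    groups = defaultdict(list)
    for line in lines:
        entry = parse_o23(line)
        groups[entry["status"]].append(entry["short"] or entry["display"])
    return dict(groups)


if __name__ == "__main__":
    for status, names in sorted(summarize(HJT_O23_LINES).items()):
        print("%-13s %2d  %s" % (status, len(names), ", ".join(names)))
    for line in HJT_O23_LINES:
        entry = parse_o23(line)
        if entry["status"] == "file missing":
            print("%-14s -> host %s" % (entry["short"] or entry["display"], host_image(entry)))
```

Running it on the entries above reports 14 services with no file and 5 whose recorded path points at an existing host image name (svchost.exe three times, lsass.exe once, ccSvcHst.exe once); the script only reads the log text, it does not touch the machine.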
 
ComboFix gave me an error message saying it was not compatible with Windows Vista... is there a newer version?

Also the HJT lines you told me to delete reappear in the next scan after being deleted.
 
No it does run in Vista.

Boot to Safe Mode with Networking and, instead of double clicking, right click and choose Run as Administrator.

Mike
 
Yes that may be it! I will look into it.

Is the Control panel still kaput?

Meantime do the below.

Update then run SAS
Click Preferences-Repairs
Then counting down from top do the following entries

Numbers 6, 8, 11, 12, 13, 15, 18, 19, 20, 21, 22, 24, 25, 26 and 27!

Download RootRepeal http://rootrepeal.googlepages.com/RootRepeal.rar

Make Folder on your Desktop name it RRepeal. Move the rar file there and extract.

Enter the folder and double click RootRepeal.exe.
Click the Report tab, then click Scan

It will ask what to include in the scan.

Check the following
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Then click OK

It will ask which drive to scan.

Check C: (or your windows drive, if not C)
Click OK
The scan will begin and will take a while.

When the scan completes, click Save Report.

Name the log RRepeal.txt save it to your Documents folder (it should default there).

Attach log here.

Then...

Download Trojan Remover http://www.simplysuponline.com/downl...rjsetup675.exe
This is a fully working 30 day trial.

Run and attach log!

I think I will be comfortable without ComboFix if these come up clean.

Mike
 
Control panel still not appearing, and those HJT lines (as I mentioned) reappear, so hopefully these steps will take care of that; I'll let you know.

No repair options appear in SAS, I'm working on RRepeal right now.

RRepeal gave me an error message while installing that said "Mismatch between kernel provided by Windows and one from hardware scan. Use Windows kernel?" I tried both yes and no and received an additional error, which aborted the install. Trojan Remover log is attached.
 
Again it is likely Vista 64!

The reason the HJT items come back is likely because they are 64 bit.

Look again, I have never heard of Preferences-Repairs being missing? Not run perhaps!
----------------------------------------------------------------------------------------------------------------------------------------------------
Boot to Safe Mode networking and do all below.

Left-drag the mouse and copy for pasting all the text in the box below. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

Then paste into the black screen of an open command prompt. All of it may not apply, so ignore errors.

Code:
@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile

sc stop TDSSserv.sys
sc delete TDSSserv.sys
:: The above sc commands first stop, then delete the service if it exists
::
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
:: The above reg commands first unload the reg keys, then delete these keys.
::
Attrib -h -s -r tdss*.* /s
del  tdss*.* /f /q /s
:: The above two lines first clears protective attributes then 
:: deletes all files on Drive beginning with the name tdss

:: Remove AntiVirus2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"

del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q

rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"

attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
rd /s/q "c:\Program Files\Antivirus 2009"

attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
attrib -h -s -r c:\WINDOWS\system32\scui.cpl
attrib -h -s -r c:\WINDOWS\system32\winsrc.dll

del c:\WINDOWS\system32\ieupdates.exe /f /q
del c:\WINDOWS\system32\scui.cpl /f /q
del c:\WINDOWS\system32\winsrc.dll /f /q

:: Paths containing spaces must be quoted or cmd splits them into two arguments
attrib -h -s -r "c:\program files\xwdxqu.txt"
attrib -h -s -r c:\windows\x
attrib -h -s -r c:\windows\SxsCaPendDel

del "c:\program files\xwdxqu.txt" /f /q
del c:\windows\x /f /q
del c:\windows\SxsCaPendDel /f /q

reg delete HKLM\SOFTWARE\swearware /f
reg delete HKCU\Software\Wget /f
reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f

:: rootkit gaopdxserv
attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

:: The service name is the same as the Services key deleted below
sc stop gaopdxserv.sys
sc delete gaopdxserv.sys

del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
del /f /q "c:\windows\system32\gaopdxqpqjwmyc.dll"
del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f

reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "ieupdate" /f
echo Finished ripping out Antivirus 2008-9
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
exit
exit

This should run and exit!

It is a coverall and you may see a few errors related to it addressing something you do not need. This is normal, ignore them.
----------------------------------------------------------------------------------------------------------------------------------------------------
Try this again also in Safe Mode Networking.
Update then run SuperAntiSpyware

Then Click Preferences
then click Repairs

Then counting down from top do the following entries

Numbers 6, 8, 11, 12, 13, 15, 18, 19, 20, 21, 22, 24, 25, 26 and 27!

Mike
 
I ran this in safe mode networking, and in safe mode the repair options appeared in SAS--I ran the ones you specified (including the control panel one). Afterwards, control panel appeared while in safe mode. However, when I booted into regular mode, control panel was still not there and repair options were missing as before.
 
OK well that is good information.

Boot back to safe mode and see if Control panel is still populated.

If it is not there, then booting back to normal reset something.

If it is there then it is a setting that only gets set in Normal mode.

If it is there in Safe Mode then go to User Accounts and turn off UAC! Turn it back on when finished with the repair/cleaning.

Boot back to normal!

Are you running under a full Admin level account?

Try to temporarily disable all protections of virus scanners and Resident Malware programs.

Then try the SAS repairs again. I think to get control panel back in full mode we need to run the repairs in full mode.

Mike
 
I am running an admin account. I booted to Safe Mode, and Control Panel was populated. I disabled UAC and rebooted to regular mode, and the repairs list was populated--however, running the Control Panel repair had no effect. Control Panel is still missing in regular mode.

I should mention, in case it helps with the root of the issue, that I think what's causing the absence of control panel is an inability to start the services Software Licensing and ReadyBoost--initially a Gateway representative had me try to start those, then recommended I restore to factory defaults, which I was disinclined to do for obvious reasons relating to my hard drive being wiped. In addition, my speakers are not powered on and not working despite being connected to each other and to power (this may just be really bad luck, and unrelated), and my WPN adapter will not connect to the Internet. The configuration wizard that came with the adapter will not start--clicking the icon results in a loading cursor for a few seconds, but it doesn't start.

Hopefully this helps.
 
OK!

Then try this!

Run services.msc from a Run command.
Stop the SLUNotify service.
Stop the Software Licensing service; it will stop ReadyBoost also, so OK it.
Restart Software Licensing first, then SLUNotify and ReadyBoost!

Now check the control panel!

Mike
 
SLUnotify is stopped and will not start because it is dependent on Software Licensing, which will not start because of Error 3: Path not found (or something to that effect--the number is correct). ReadyBoost receives the same dependency error as SLUnotify.

To clarify, SLUnotify is stopped already.
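An added example, not from this thread or from anyone posting in it: the sequence Mike gives (stop the dependents, then restart Software Licensing before SLUNotify and ReadyBoost) is a dependency ordering, and the dependency errors Elmorell reports are the same graph read the other way, where one service that will not start blocks everything that needs it. The Python below models that with a small graph constructed from the thread's statements, using the display names as written in the thread (the real configuration on a given machine is what services.msc shows). It computes a start order and a stop order with a topological sort and lists which services are blocked when a given dependency fails. Independent dependents can legitimately come out in either order, so SLUNotify and ReadyBoost are interchangeable here.

```python
# Dependency graph constructed from the thread: SLUNotify and ReadyBoost both
# depend on Software Licensing, as the restart order and the dependency errors
# described above imply. Service -> list of services it requires.
SERVICE_DEPENDS_ON = {
    "Software Licensing": [],
    "SLUNotify": ["Software Licensing"],
    "ReadyBoost": ["Software Licensing"],
}


def start_order(depends_on):
    """Topological order: every service appears after the services it requires.

    Raises ValueError if a dependency is unknown or the graph has a cycle.
    Ties (independent services) are broken alphabetically so the result is stable.
    """
    remaining = {svc: set(deps) for svc, deps in depends_on.items()}
    for svc, deps in remaining.items():
        missing = deps - set(remaining)
        if missing:
            raise ValueError("%s depends on unknown service(s): %s" % (svc, sorted(missing)))
    order = []
    while remaining:
        # Services whose every dependency has already been started.
        ready = sorted(svc for svc, deps in remaining.items() if not deps)
        if not ready:
            raise ValueError("dependency cycle among: %s" % sorted(remaining))
        for svc in ready:
            order.append(svc)
            del remaining[svc]
        for deps in remaining.values():
            deps.difference_update(ready)
    return order


def stop_order(depends_on):
    """Reverse of start_order: dependents stop before the service they need."""
    return list(reversed(start_order(depends_on)))


def blocked_by(failed, depends_on):
    """Services that cannot start because `failed`, or something that transitively
    needs it, will not start. Models the Error 3 situation described above."""
    blocked = set()
    frontier = [failed]
    while frontier:
        current = frontier.pop()
        for svc, deps in depends_on.items():
            if current in deps and svc not in blocked:
                blocked.add(svc)
                frontier.append(svc)
    return blocked


if __name__ == "__main__":
    print("stop order :", " -> ".join(stop_order(SERVICE_DEPENDS_ON)))
    print("start order:", " -> ".join(start_order(SERVICE_DEPENDS_ON)))
    print("blocked if Software Licensing fails:",
          ", ".join(sorted(blocked_by("Software Licensing", SERVICE_DEPENDS_ON))))
```

With the constructed graph the start order is Software Licensing, then ReadyBoost and SLUNotify; the stop order is the reverse; and a Software Licensing failure blocks both dependents, which is exactly the pair of dependency errors reported above.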
 
OK, get back after a while, I am going to eat!

Then I will work on getting it to start, that is the problem!

Mike
 
OK I just noticed you are using an ancient HJT!

Go back to the 8 Steps and get the newest, then post a new log.

With these issues with SLUNotify and Software Licensing service you should have other problems.

Does windows update work?

Is System Restore available?

Try this; if it works it will pinpoint the video driver as the culprit.

Reboot, hit F8, and see if you have the low video entry "Enable Low Resolution Video (640x480)".
If so, choose this. This is not Safe Mode!

Now try the Control panel.

Control Panel there or not, do the operation in post #14 above.

Then reboot back to normal check control panel and report results!

Mike
 
OK I just noticed you are using an ancient HJT!
Also I note that the version of Malwarebytes' Anti-Malware used (1.33, Database version: 1654) was last updated in January.

Current database version is 1742

Best to run a full Malwarebytes scan too, but update it first

Elmorell, I think you may have caused a great deal of wasted time by using these outdated versions. As stated by member mflynn, you must follow the guide in full.

It may be best for you to:
Uninstall your old version of HijackThis (it must be uninstalled)
Follow the guide in full (and update as requested)
Then provide all logs again (by the way I didn't check your SuperAntiSpyware version)

Doing the above will help you resolve this issue, and allow support to continue to help you
 
I do not have access to System Restore--I receive an error message when trying to use it, and I haven't tried Windows Update. I'll update the programs and run again. Out of curiosity, what could the video driver be doing? I should mention the computer is brand new, video card is ATI Radeon HD 4850.
 
Update what programs?

No need to run MBAM or SAS again. Just HJT new version and post new log.

Then do the Special boot in my last post and get me the results!

Mike
 
HJT is what I meant. I won't have access to the computer till this evening, though, so I'll let you know then how it turns out.

In low resolution video mode Control Panel was missing, and SLUnotify and Software Licensing gave the same errors. New HJT log attached.
 