Help Please

Hi all,

I’m working on a machine which has shown some weird behaviour, but I can’t nail which bug is at work here. I’ve run through the standard process and attached appropriate logs, but there’s some extra info which might be helpful here:

(System is a Toshiba lappy running WinXP Pro SP3.)

  1. Initially the DVD wasn’t working, showing an exclamation in device manager.

  2. ASWMBR reported Alureon-FZ in atapi.sys, and seems to have fixed it. The DVD is now working, however…

  3. If I insert a Huawei E173 USB modem the system becomes unusable. There is a CDFS partition on this device which contains the software and driver. Once this device is removed the system responds normally again.

  4. The list of drivers for the internal DVD is quite long, apparently each burning and media player software installs its own:

C:\Windows\system32\drivers\GEARAspiWDM.sys GEAR Software
C:\Windows\system32\drivers\imapi.sys Microsoft
C:\Windows\system32\drivers\incdrm.sys Ahead Software
C:\Windows\system32\drivers\PxHelp20.sys Sonic Solutions
C:\Windows\system32\drivers\redbook.sys Microsoft
C:\Windows\system32\storprop.dll Microsoft

This may all seem OT, but I provide this info as backdrop to the following:

  1. A registry key is being removed by something; this is apparent when msconfig and Help Centre won’t run. The key is

    HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\

I restored this key from the initial registry backup yesterday, but it’s been removed again. Currently the only entries are those of new programs installed today (Avast and MBAM).

MBAM log is below, ASWMBR log attached, OTL log to follow. Thanks in advance, mbouy.


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.23.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Kath :: BARCLAY [administrator]

23/08/2012 3:03:03 PM
mbam-log-2012-08-23 (15-03-03).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 301627
Time elapsed: 13 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Downloads\setupwavtomp3-c.exe (PUP.Installer.WH) → Quarantined and deleted successfully.
C:\Documents and Settings\Kath\Local Settings\Temporary Internet Files\Content.IE5\GAUSHS3P\Anvir_5457[1].exe (PUP.Adware.Agent) → Quarantined and deleted successfully.

(end)

Attached is the OTL log.

Could you let me know what problems remain on completion.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
DRV - File not found [Kernel | System | Unknown] -- C:\WINDOWS\TEMP\oCEIQ1wS.sys -- (oCEIQ1wS.sys)
O3 - HKU\S-1-5-21-789336058-746137067-725345543-1003\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Hi and thanks for your help.

OTL and combofix logs are attached. OTL ran fine, but combofix wanted to install the Recovery Console. I didn’t do this but proceeded without it, which seemed to be fine.

I then tried to install the recovery console directly, but this fails when it’s unable to copy file txtsetup.sif to c:, reporting the file is missing - it isn’t. I tried again with Avast disabled but it made no difference.

The USB modem still impacts the system - any programs started before inserting the modem continue to work, but anything I try to launch after just won’t start until the modem is removed. The modem’s virtual CD-ROM appears in My Computer but appears ‘empty’, not showing a label which shows on other systems. Attempting to open this CD-ROM just locks the system until the modem is removed. The sound of USB devices being removed happens at that time, but sometimes also 2 mins later (approx). Possibly unrelated, under Device Manager there are 2 non-working hidden devices, Parport and Serial.

The regkey App Paths is still present and has a few more entries than when I last checked, including msconfig and Help Centre, but it’s not a full list.

Regards,
mbouy

Why did you not want ComboFix to install the Recovery Console?

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
Driver:: zenpaip
Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Hi,

2nd combofix log is attached.

Shutting down via the start menu was a very slow process, but is now very responsive. Otherwise there’s no obvious change - the registry key is the same and the USB modem still locks the system.

I directed ComboFix to install the Recovery Console this time but it failed, unable to connect to source. When I was prompted the first time it caught me by surprise and I had a fear it would mess with the recovery partitions (it was 4 am and I wasn’t thinking straight).

Thanks

Could you insert the modem into a different USB slot, i.e. if you are using the front slot then put it in the back one.

Hi there,

There are 3 ports, and the behaviour is the same with the modem in each one.

I just tried to use msconfig to launch in a diagnostic startup and got an ‘access denied’ error on one of the services (not named). There was a lot of disk activity prior to the message, I’m now wondering if there’s physical damage to the disk.

Could you run check disk? Details here: http://forums.whatthetech.com/index.php?showtopic=102348

Hi,

Chkdsk came up clean - no issues to report.

Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 1 unused index entries from index $SII of file 0x9.
Cleaning up 1 unused index entries from index $SDH of file 0x9.
Cleaning up 1 unused security descriptors.
CHKDSK is verifying Usn Journal…
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)…
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)…
Free space verification is complete.

234291199 KB total disk space.
130212892 KB in 71181 files.
31828 KB in 10604 indexes.
0 KB in bad sectors.
221403 KB in use by the system.
65536 KB occupied by the log file.
103825076 KB available on disk.

  4096 bytes in each allocation unit.

58572799 total allocation units on disk.
25956269 allocation units available on disk.

I’ve just run through the initial scans again and I can’t see anything obviously malware related (MBAM clean, nothing red in aswMBR). I’m still resolving DVD issues, but this may have nothing to do with malware and everything to do with a 4 year old install of WinXP.

I removed the upper & lower filters in the registry (at location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}) and then removed the DVD in Device Manager before rebooting. This reduced the driver list back to MS drivers, and the USB modem now works fine.

I thought that might be the end of it, but the DVD is now not recognised as a burner - I’ve probably messed up the ASPI layer but I’m working on that. I’ve had the DVD drop out once with an error that a driver could not be loaded (not sure which one), but uninstall and re-detect fixed that.

The system is sometimes very slow to shut down if initiated from the Start menu - but sometimes very quick.

Any advice at this point?

Thanks,
mbouy
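The poster above cleared the UpperFilters/LowerFilters values on the CD-ROM class key by hand. As an added example (not a tool from this thread, nor from OTL or ComboFix), the Python below parses a regedit export of that key, decodes the REG_MULTI_SZ filter lists, and reports every filter beyond the stock pair; the sample .reg text is constructed, and the assumption that redbook (upper) and imapi (lower) are the stock XP filters is mine.

```python
import re

CDROM_CLASS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class"
                   r"\{4D36E965-E325-11CE-BFC1-08002BE10318}")
# Assumption: the stock Windows XP filter drivers on the CD-ROM device class.
DEFAULT_FILTERS = {"UpperFilters": {"redbook"}, "LowerFilters": {"imapi"}}


def encode_multi_sz(values, per_line=16):
    """Encode a REG_MULTI_SZ the way regedit exports it: hex(7) of UTF-16LE, each
    string NUL-terminated plus a final NUL, wrapped into ',\\' continuation lines."""
    raw = ("".join(v + "\0" for v in values) + "\0").encode("utf-16-le")
    hexbytes = [f"{b:02x}" for b in raw]
    chunks = [",".join(hexbytes[i:i + per_line]) for i in range(0, len(hexbytes), per_line)]
    return ",\\\n  ".join(chunks)

def parse_reg_export(text):
    """Return {key_path: {value_name: [strings]}} for every hex(7) value in a .reg file."""
    joined = re.sub(r",\\\r?\n\s*", ",", text)  # undo regedit's line continuations
    result, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
        elif current is not None and "=hex(7):" in line:
            name, hexdata = line.split("=hex(7):", 1)
            data = bytes(int(h, 16) for h in hexdata.split(",") if h)
            strings = data.decode("utf-16-le").split("\0")
            result[current][name.strip('"')] = [s for s in strings if s]
    return result

def unexpected_filters(parsed):
    """(value_name, driver) pairs on the CD-ROM class key that are not stock XP filters."""
    filters = parsed.get(CDROM_CLASS_KEY, {})
    return [(vname, drv) for vname, drivers in filters.items()
            for drv in drivers if drv.lower() not in DEFAULT_FILTERS.get(vname, set())]

# Constructed sample export resembling the poster's pre-cleanup filter stack.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    f"[{CDROM_CLASS_KEY}]\n"
    f'"UpperFilters"=hex(7):{encode_multi_sz(["redbook", "GEARAspiWDM"])}\n'
    f'"LowerFilters"=hex(7):{encode_multi_sz(["PxHelp20", "imapi"])}\n'
)

if __name__ == "__main__":
    for vname, drv in unexpected_filters(parse_reg_export(SAMPLE_REG)):
        print(f"{vname}: third-party filter {drv}")
```

On a live system the same parser runs over the output of `reg export` for that key, which is safer than reading the values off-line by eye before deciding what to delete.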

I found when I was running XP that a re-install on at least an annual basis was a good thing to do for speed and stability.

But you will need to slipstream your CD to cut down the reinstall time.