PowerPoint installation prompt

February 5, 2010

It happened on a Compaq Presario laptop. The installation prompt asked for the installer resource, but I couldn’t browse – there was no way to locate it. It came up every time PowerPoint started. If I clicked “Cancel”, it went through and PowerPoint could be opened; but of course that symptom was really disturbing. This problem didn’t happen if I logged in as administrator.

On the same computer there was another problem. The wireless didn’t connect, even though it showed an “excellent” and “connected” signal. I checked and did everything except update the network driver. The wired connection was OK.

The antivirus was AVIRA Personal Free, and it was out of date.

This is what I did: I uninstalled Microsoft Office Professional 2003 and reinstalled it. I uninstalled Avira and installed the newest version. After a reboot, as if by a miracle, everything went well, including the wireless connection. I don’t know exactly what caused the wireless problem. I had tried rebooting, repairing the network, disabling and enabling – all had failed. Maybe there was a crash.


Computer doesn’t boot, stops at the motherboard’s wallpaper.

February 3, 2010

The computer doesn’t boot; it runs briefly and gets stuck at the motherboard’s wallpaper on the screen. No beep, nothing but signs of death, even though the power light is on.

It had four PC2-4200 256MB RAM modules. I took out two of them and restarted. Then the problem was solved.



Create Joomla user through PHPMyAdmin

January 22, 2010

I was asked to manage a Joomla website. I was given all the passwords, CPanel and FTP, but not the administrator password for the Joomla administrator panel. So I had to create a Super Administrator user through either CPanel or FTP. I was able to create one through PHPMyAdmin with these steps:

  1. Open PHPMyAdmin, find the database.
  2. Browse table jos_users, click Insert to add a new user:
    • id: put the last number plus one
    • password: this is the MD5 password
      - admin = 433903e0a9d6a712e00251e44d29bf87:UJ0b9J5fufL3FKfCc0TLsYJBh2PFULvT
    • User type: Super Administrator
    • Fill in the other fields: name, username, email, etc.
  3. Browse table jos_core_acl_aro
    • Insert a new row with aro_id = the last one + 1
    • Field value = the id from jos_users
  4. Browse table jos_core_acl_groups_aro_map
    • Insert a new row with the aro_id from table jos_core_acl_aro
    • For group id, find the code of Super Administrator in table jos_core_acl_aro_groups

Yeah, that’s all!! I went to www.myweb.com/administrator/ and logged in with the new Super Administrator account. Of course, I then changed the password to a more secure one.
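
The password value in step 2 is publicly known, so the new account is exposed until the password is changed. As an added example (not part of the original post), this Python sketch builds a fresh value for a password of your own choosing and audits exported rows for the published value. It assumes the stored format is `md5(password + salt):salt`; the function names and sample rows are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import string

# The value quoted in the steps above; it is public, so it must not stay in place.
PUBLISHED_VALUE = "433903e0a9d6a712e00251e44d29bf87:UJ0b9J5fufL3FKfCc0TLsYJBh2PFULvT"
SALT_CHARS = string.ascii_letters + string.digits


def make_hash(password, salt_len=32):
    """Build an 'md5hex:salt' value (assumed format: md5(password + salt))."""
    salt = "".join(secrets.choice(SALT_CHARS) for _ in range(salt_len))
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return digest + ":" + salt


def verify(password, stored):
    """Check a password against a stored 'md5hex:salt' value."""
    digest, sep, salt = stored.partition(":")
    if not sep or len(digest) != 32:
        return False
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate.encode(), digest.lower().encode())


def audit(rows):
    """Flag (username, password field) rows that still need attention."""
    findings = []
    for username, stored in rows:
        if stored == PUBLISHED_VALUE:
            findings.append((username, "published value still in place"))
        elif ":" not in stored:
            findings.append((username, "no salt in stored value"))
    return findings


# Constructed sample rows standing in for an export of jos_users.
SAMPLE_ROWS = [
    ("recovery", PUBLISHED_VALUE),
    ("editor", make_hash(secrets.token_urlsafe(16))),
    ("legacy", hashlib.md5(b"constructed-sample").hexdigest()),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_ROWS):
        print(name, "->", reason)
```

Pasting the output of `make_hash` for a strong password into the password field avoids the interval in which the account accepts a publicly known password.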


IE hangs, HijackThis can’t fix it.

December 31, 2009

The user complained that she couldn’t open the internet. Internet Explorer hung.

It was difficult to close the stuck IE. Task Manager couldn’t open; it only showed as an icon in the taskbar. I had to push the power button to shut down the computer.

Fortunately it could start again. I soon ran HijackThis and got this suspicious entry: Startup: siszyd32.exe

I tried to fix it, but couldn’t. It didn’t work; the entry stayed.

I could have run “search” to locate that file and delete it manually, but I preferred using Malwarebytes – hoping it would also fix the infected registry entries.

This is the log file shown after fixing:

C:\Documents and Settings\stefani\Start Menu\Programs\Startup\siszyd32.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\stefani\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.

After the reboot, I checked for the file “siszyd32.exe”; it was still there. So I deleted it manually, which was easy, then rebooted again. Now everything works well.




Malwarebytes hangs when removing the infections.

December 29, 2009

Microsoft Word doesn’t want to open.

Suspecting a virus, I ran HijackThis and cleaned up all the nasty entries. Then I ran Malwarebytes. It still found plenty of malware, but it couldn’t take action; it hung when I clicked the “Remove” button.

This is from the log file of Malwarebytes:

I ran HijackThis again and fixed the entry with “logsvc.exe”. After that, I ran Malwarebytes again, and this time it worked and was able to clean up all the malware.

But I still had a problem with Word. I went to the folder Documents and Settings/user/Application Data/Microsoft/Template and deleted the file “Normal.dot”.

I found that Excel had a problem opening; it tried to open a file “Power Translator.xlt” every time I clicked Excel. With the search facility in Windows Explorer, I found that the file was in Program Files/Microsoft Office/XLSTART; I just deleted it.

Then the PC ran well again.


Desktop doesn’t come out

December 28, 2009

If the desktop doesn’t come up at startup, it’s caused by explorer.exe not working. Press Ctrl+Alt+Del and open “Task Manager”. Click “New Task” and type explorer.exe -> OK; the desktop will open.

But if the problem always occurs at startup, you must be careful; most likely your computer is infected by malware.

On one of my friends’ computers, I used HijackThis and found some suspicious entries. I confirmed with Malwarebytes, which found plenty of infections, some of which were in the system:

C/WINDOWS/system32/lowsec
C/WINDOWS/system32/lowsec/local.ds
C/WINDOWS/system32/lowsec/user.ds
C/WINDOWS/system32/lowsec/user.ds.lll

C/WINDOWS/system32/sdra64.exe
C/WINDOWS/system32/v0230cvw.dll
C/WINDOWS/system32/v0500cmon.exe
C/WINDOWS/system32/lowsec/Network/uid

There were also some infected registry entries…

Unfortunately Malwarebytes couldn’t delete the infections; it always got stuck and hung.
So I tried to do it manually and deleted the infected files & folders. I had to use “Unlocker” to delete them. You can download it here.

Once the infected files and folders had been deleted, the infected registry entries were easily deleted by Malwarebytes. Then the computer worked well again.


Black screen

December 22, 2009

When I pushed the power button, the power light came on and so did the HDD light, but it kept running and running and nothing appeared on the monitor.

Booting from CD didn’t work either; still a black screen.

I took out the BIOS battery, cleaned it, and after a few seconds put it back.

The computer works well.


Symantec CMC Smc GUI error

December 22, 2009

It was a long story and a struggle with my network. I have two servers with Small Business Windows Server 2003, protected with Microsoft ISA and Symantec End Point 11.

The problem started when I added the second server and reinstalled Windows on the first server.

Every ten days or so, file sharing would get stuck, and I had to restart all the servers to refresh it. After several months it became worse: the problem was more frequent and needed several restarts to get it running well again. Then I tried to observe in more detail. I suspected that it might be connected with Symantec, since there was often a Symantec problem on the server or even on one workstation before the network got stuck. Usually Symantec on the server became “malfunction”, or in some cases the Symantec scan ran continuously on a workstation PC and couldn’t be terminated. The Event Viewer showed the error: “PTS has generated an error code 14 description CAL failure”.

I was almost frustrated with the problem when it became worse and produced an error “Symantec CMC SMC GUI” while file sharing was blocked. Restarting twice gave the same error.

After searching the net, I guessed Symantec was the culprit. I then downloaded the latest edition of SEP, edition MR4, uninstalled the old version and installed the latest one.

That was the solution!! Now, I have no problem at all with the network!!


“Generic Host Process Win32 Service” Error

December 22, 2009

The computer could start up, but after a few minutes an error alert of “Generic Host Process Win32 Service” came up, and after another few minutes the computer shut down.

It was from a malware attack. I ran HijackThis and it showed this suspicious entry: “STARTUP: siszyd32.exe”. After I fixed it, it seemed to be cured, but to make sure I ran Malwarebytes in safe mode and it caught a threat of “trace.malware” in the folder “Document and Setting/Application Data/User/”.

To complete the cleaning process I also ran SuperAntiSpyware, which caught only tracking cookies, and cleaned up with CCleaner.

Afterward, the PC worked well again.