Virtumonde, Spyware Removal
light2au
post May 19 2008, 09:21 AM
Post #16





Hi Tea,

Ran HijackThis again and only found this entry below
O4 - HKLM\..\Run: [BM377323c5] Rundll32.exe "C:\WINDOWS\system32\alpwlmsr.dll",s
Which I deleted and then rebooted and created CFScript

Output below.

ComboFix 08-05-11.1 - Administrator 2008-05-19 22:03:25.7 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.166 [GMT 10:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM377323c5.xml
C:\WINDOWS\system32\alpwlmsr.dll
C:\WINDOWS\system32\ctjmkhru.exe
C:\WINDOWS\system32\iifcYOIx.dll
C:\WINDOWS\system32\jhidrrel.dll
C:\WINDOWS\system32\kywmcodw.dll
C:\WINDOWS\system32\uhppdqmm.dll
.

((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.

2008-05-19 21:54 . 2008-05-16 08:30 262,144 --a------ C:\Program Files\Uninstall Spy Blocker.dll
2008-05-16 00:44 . 2008-05-16 00:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-05-16 00:43 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-05-13 23:20 . 2008-05-13 23:20 <DIR> d-------- C:\Deckard
2008-05-13 20:03 . 2008-05-13 20:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-13 20:03 . 2008-05-13 20:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-12 20:53 . 2008-05-12 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-11 20:29 . 2008-05-11 20:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-11 14:54 . 2008-05-18 17:29 907 --a------ C:\WINDOWS\wininit.ini
2008-05-10 13:55 . 2008-05-10 13:55 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 13:20 300,345 ----a-w C:\WINDOWS\system32\ZBScreenSaver_5.scr
2008-04-08 13:20 300,345 ----a-w C:\WINDOWS\system32\ZBScreenSaver_4.scr
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 08:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2007-04-22 14:41 81,920 ----a-w C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
2007-04-22 14:41 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot_2008-05-17_11.40.58.11 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 01:36:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-19 11:59:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VQC2"= vqdecode.dll
"VIDC.VQC1"= vqdecode.dll
"MSACM.CEGSM"= mobilev.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"HijackThis startup scan"=C:\Program Files\HijackThis\HijackThis.exe /startupscan

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATIPTA"=C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
"BMMLREF"=C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
"SoundMAXPnP"=C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autoclose

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"IBMconfig"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"C:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"C:\\Program Files\\AT&T Network Client\\NetClient.exe"=
"C:\\Downloads\\utorrent.exe"=
"C:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 01:38]
R3 ABVPN2K;Net Firewall Miniport Interface;C:\WINDOWS\system32\DRIVERS\abvpn2k.sys [2004-06-03 17:47]
R3 Astdi;Astdi;C:\Program Files\Aventail\Connect\asnttdi.sys [2003-12-07 18:15]
R3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 12:48]
S3 Ascrypto;Ascrypto;C:\Program Files\Aventail\Connect\ascrypto.sys [2003-12-07 18:15]
S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;C:\WINDOWS\system32\DRIVERS\dvc325.sys [2000-04-17 23:53]
S3 gwiopm;gwiopm;C:\Program Files\wst\gwiopm.sys []
S3 IMWEB51;High Rate Wireless LAN Mini-PCI LAN Driver;C:\WINDOWS\system32\DRIVERS\IMWEBN51.sys [2003-06-04 15:33]
S4 ISAMSvc;IBM Standard Asset Manager Service;C:\Program Files\C4ebreg\c4ebreg.exe [2006-12-15 07:17]

.
Contents of the 'Scheduled Tasks' folder
"2007-08-12 11:54:50 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 22:05:50
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-19 22:06:33
ComboFix-quarantined-files.txt 2008-05-19 12:06:28
ComboFix5.txt 2008-05-17 01:42:18
ComboFix4.txt 2008-05-17 02:41:00
ComboFix3.txt 2008-05-19 11:20:58
ComboFix2.txt 2008-05-19 11:49:40

Pre-Run: 15,201,927,168 bytes free
Post-Run: 15,187,083,264 bytes free

129 --- E O F --- 2008-05-15 23:07:49



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:11 PM, on 19/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Aventail\Connect\as32svc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AT&TNE~1\NETCFGSV.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145756151137
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Aventail Connect (As32Svc) - Aventail Corporation - C:\Program Files\Aventail\Connect\as32svc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - Unknown owner - c:\sdwork\issimsvc.exe (file missing)
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TNE~1\NETCFGSV.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 5871 bytes


Still not running correctly, maybe time for some serious actions.

Regards Alex.
teacup61
post May 19 2008, 05:11 PM
Post #17





Hi Alex,

Tell me how it's behaving and what's wrong. Your HijackThis log looks good, so I'll have to rely on your description to see what we can do.

Thanks,
tea


--------------------



Error reading poptart in Drive A: Delete kids y/n?

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can even use your credit card! Thank you!

light2au
post May 20 2008, 08:15 AM
Post #18





Hi Tea,

I got a little drastic as I found next time I booted it was back again and HijackThis found a whole lot of entries in the System Restore area of the Hard Drive.
At this stage I removed everything relating to Antivirus, Firewall & Spyware as this PC was not on LAN or Internet.
I stopped System Restore and rebooted then installed the latest Symantec Antivirus 10.1.5.5000.

Which found the following.

Scan type: Manual Scan
Event: Security Risk Found!
Risk: Trojan.Vundo
File: C:\QooBox\Quarantine\C\WINDOWS\system32\yeieewqq.dll.vir
Location: C:\QooBox\Quarantine\C\WINDOWS\system32
Computer: IBM-OSJNTUO7I9X
User: IBM-OSJNTUO7I9X\Administrator
Action taken: Cleaned by Deletion
Date found: Monday, 19 May 2008 11:28:34 PM

Scan type: Manual Scan
Event: Security Risk Found!
Risk: Trojan.LowZones
File: C:\QooBox\Quarantine\C\WINDOWS\system32\qvycgbfl.exe.vir
Location: C:\QooBox\Quarantine\C\WINDOWS\system32
Computer: IBM-OSJNTUO7I9X
User: IBM-OSJNTUO7I9X\Administrator
Action taken: Cleaned by Deletion
Date found: Monday, 19 May 2008 11:28:09 PM

Scan type: Manual Scan
Event: Security Risk Found!
Risk: Trojan.Vundo
File: C:\QooBox\Quarantine\C\WINDOWS\system32\aelitpob.dll.vir
Location: C:\QooBox\Quarantine\C\WINDOWS\system32
Computer: IBM-OSJNTUO7I9X
User: IBM-OSJNTUO7I9X\Administrator
Action taken: Cleaned by Deletion
Date found: Monday, 19 May 2008 11:27:48 PM

After this I reinstalled SpyBot S&D, Ad-aware 2007 and Spyware Terminator and it's working like a dream.

Thanks so much for all your assistance.
This Laptop is now working 100% OK and we got to save all my Photos.


BUT
I could really do with some sound advice right now, they say things happen in threes.
I'm waiting for number three as number two just occurred, biggest nightmare in my IT career.
Today my primary Laptop that has about 15 Years of Work info that's been transferred onto it over the Years has failed and is definitely the most Important PC I own.
Could you please help me with this Issue?
Briefly, just out of the Blue, Windows XP Starts to Load then I get a Microsoft Visual Basic C++ Runtime Library Pane with the following error.
Runtime Error
Program :\??\D:\WINDOWS\System32\Winlogon.exe
This Application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

When I hit OK, it Blue Screens.
I'm really really desperate. Would you like me to open a new topic? Can you assist with this one?
Yours Faithfully, Alex
teacup61
post May 20 2008, 04:15 PM
Post #19





Hi Alex,

If you'll do the following, Symantec won't pick them up any more. Qoobox is ComboFix's "quarantine". So, please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Do you have the XP disk for the other computer? It'll give us more options if you do, and we'll see what we can do to save all your work.

Regards,
tea


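Added example, not part of the original thread: the three Symantec detections in post #18 all sit under C:\QooBox\Quarantine, which post #19 identifies as ComboFix's quarantine. The Python below separates such quarantine copies from detections on live paths and recovers the path each quarantined file came from. It assumes the layout visible in those paths (original drive letter as a folder, .vir suffix); the third sample event and all function names are constructed for illustration.

```python
import re

# Quarantine layout as it appears in the thread's paths (an assumption drawn
# from them): <drive>:\QooBox\Quarantine\<orig drive letter>\<orig path>.vir
QUARANTINE_RE = re.compile(
    r"^[A-Za-z]:\\QooBox\\Quarantine\\([A-Za-z])\\(.+)\.vir$", re.IGNORECASE
)

# The first two events are copied from the thread; the third is constructed.
SAMPLE_EVENTS = r"""
Scan type: Manual Scan
Event: Security Risk Found!
Risk: Trojan.Vundo
File: C:\QooBox\Quarantine\C\WINDOWS\system32\yeieewqq.dll.vir
Action taken: Cleaned by Deletion

Scan type: Manual Scan
Event: Security Risk Found!
Risk: Trojan.LowZones
File: C:\QooBox\Quarantine\C\WINDOWS\system32\qvycgbfl.exe.vir
Action taken: Cleaned by Deletion

Scan type: Manual Scan
Event: Security Risk Found!
Risk: Trojan.Vundo
File: C:\WINDOWS\system32\constructed-example.dll
Action taken: Cleaned by Deletion
"""


def parse_events(text):
    """Turn blank-line-separated 'Key: value' blocks into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            # Split on the first colon only, so 'C:\...' values stay intact.
            key, sep, value = line.partition(":")
            if sep:
                event[key.strip()] = value.strip()
        if "File" in event:  # ignore blocks that name no file
            events.append(event)
    return events


def classify(event):
    """Label one detection as a quarantine copy or a hit on a live path."""
    match = QUARANTINE_RE.match(event["File"])
    if match:
        drive, rest = match.groups()
        return {
            "status": "quarantine-copy",
            "risk": event.get("Risk", "unknown"),
            # Where the file sat before ComboFix moved it.
            "original": f"{drive.upper()}:\\{rest}",
        }
    return {
        "status": "live",
        "risk": event.get("Risk", "unknown"),
        "original": event["File"],
    }


def triage(text):
    """Classify every detection in a pasted scan history."""
    return [classify(event) for event in parse_events(text)]


def live_detections(text):
    """Detections outside the quarantine folder: these need follow-up."""
    return [r for r in triage(text) if r["status"] == "live"]


if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(f'{result["status"]:16} {result["risk"]:16} {result["original"]}')
```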
light2au
post May 20 2008, 06:20 PM
Post #20





Hi Teacup

QooBox Folder was already removed and this PC is working fine, I'm using it to correspond now.

My Primary Laptop is an IBM T60 with a 100GB Hard Drive.
It only has one System Partition and a Hidden Partition for IBM Rescue Restore Utility, (Great help that was)

Windows starts to boot and then I get the message I posted earlier.
Runtime Error
Program :\??\D:\WINDOWS\System32\Winlogon.exe
This Application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

Once I hit OK, the following appears on the BSOD
Stop: C000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of
0x00000003 (0x00000000 0x00000000).
The System has been Shutdown.

Once I managed to Boot off the XP SP2 CD, I had to find and load SATA Drivers for Hard Drive to be seen.
The very first time I actually saw 2 Partitions in the Repair Menu that I had a choice to enter.

1: D:\Windows
2: C:\ MiniNT

I loaded Windows and got into a DOS Prompt and could navigate around all my file Structures.
After the first time if I now go back into XP Repair only 1: C:\Windows appears.

Can't boot into Safe Mode or Last Known Good Configuration.

Regards Alex
teacup61
post May 20 2008, 11:00 PM
Post #21





Hello,

So you can get a DOS prompt? Bring it up and type in sfc /scannow (take note of the space between the "c" and the "/"). Scans all protected system files immediately and replaces incorrect versions with correct Microsoft versions. This command may require access to the Windows installation source files. If System File Checker discovers that a protected file has been overwritten, it retrieves the correct version of the file from the cache folder (%Systemroot%\System32\Dllcache) or the Windows installation source files, and then replaces the incorrect file. System File Checker also checks and repopulates the cache folder. http://support.microsoft.com/kb/310747


light2au
post May 21 2008, 01:07 AM
Post #22





Hi TeaCup,

I've Booted from the XP SP2 CD and selected repair.
1: C:\Windows

Then I CD into system32 where I can clearly see the sfc.exe file.

When I try to execute this command using either sfc /scannow or sfc.exe /scannow I get the following response.
"The command is not recognized Type HELP for a list of supported commands."

I have found this XP Repair DOS shell does not contain all the usual commands nor functionality.

Regards Alex
teacup61
post May 21 2008, 01:21 AM
Post #23





Is there a similar command then? Can you get to the Recovery Console? http://support.microsoft.com/kb/307654


light2au
post May 21 2008, 01:45 AM
Post #24





Hi TeaCup,

Sorry for the confusion, I should use correct terminology.
I am using the "Windows XP installation using Recovery Console".
To get my files on the hard drive, so Yes I am in a Recovery Console and can see the commands listed in the Microsoft TIP307654.
I can't execute the sfc command.

Regards Alex
teacup61
post May 23 2008, 09:43 AM
Post #25





Hi Alex,

Can you burn your files to disk, or transfer to a USB Flash Drive? If so, please do this now, just in case we can't bring this back to working order. I would feel bad forever if you lost it all and it could have been prevented.

tea


light2au
post May 26 2008, 08:43 AM
Post #26





Hi TeaCup,

I also did some research and it appears the SFC can't be executed in a Recovery Console.
I did see FIXMBR & FIXBOOT Commands listed, but didn't believe it was a Master Boot Record issue as it does start to load OS from C:\ Partition, but at some stage tries to execute the Winlogon.exe file from a D:\WINDOWS\System32\Winlogon.exe, which does not exist.

Either way I'd be happy for you to perform some of your magic if you have time.
I have successfully recovered 95% of all my Data.
I purchased an External 2.5 Inch SATA/USB Case and a new 100GB SATA Hard Drive.
I rebuilt Win XP on the new Drive and as many applications that I still had on CD's.
Then I Transferred over the important Documents while the failed HDD was setup as an External Drive via USB Port.
Like I said I can get to all the files, just can't get WinXP to boot.

If you can be bothered, as it still puzzles me as to what went wrong with the original drive and I haven't changed its contents as yet.
It's quite simple to remove from External Case and reinstall back into Thinkpad for further debugging.

Regards Alex