
MBAM isn't working for me


This topic is locked
19 replies to this topic

#1 ttownfeen
  • Members
  • 35 posts

Posted 15 February 2009 - 11:12 PM

Hi I'm new to this website, but unfortunately not to this problem I'm having.

One of our computers has issues getting malware. It runs Windows XP SP2. Ever since about November, the computer has constantly been getting infected with malware. I found Malwarebytes' Anti-Malware program on the internet and it was the perfect solution to the problem. However, the computer's been infected with malware again.

This time, however, MBAM won't start. However, I changed the name of the .exe file as I saw on the site and it worked in getting MBAM to start and do a scan. The scan caught the malware as usual, deleted it, and said it needed to restart the computer. However, every time the computer freezes up after reboot, and after I can get it not to freeze after a few reboots, the malware is still there.

Also, I can't change the file extension because "Folder Options" is completely gone from the computer; it's not even in the Control Panel anymore.

I don't know what to do. I would appreciate any kind of help I can get!


#2 rigel
    FD-BC
  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 16 February 2009 - 08:49 AM

Good morning

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

Then try updating and rerunning Malwarebytes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,608 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 February 2009 - 09:23 AM

Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #129 and click "Restore Folder Options Under Tools" in the left column. Go to File, choose "Save page as" All Files and save folderoptions.reg to your desktop. Double-click on that file and choose "Yes" to merge it into the registry when prompted. Once you get a successful message, delete the file and reboot.

This step involves making changes in the registry. Always back up your registry before making any changes. If you are not familiar with working in the registry, then you should NOT attempt to make any changes on your own.

Edited by quietman7, 16 February 2009 - 09:25 AM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 ttownfeen
  • Topic Starter
  • Members
  • 35 posts

Posted 22 February 2009 - 03:27 PM

Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #129 and click "Restore Folder Options Under Tools" in the left column. Go to File, choose "Save page as" All Files and save folderoptions.reg to your desktop. Double-click on that file and choose "Yes" to merge it into the registry when prompted. Once you get a successful message, delete the file and reboot.

This step involves making changes in the registry. Always back up your registry before making any changes. If you are not familiar with working in the registry, then you should NOT attempt to make any changes on your own.


When opening folderoptions.reg, I get a message: "Registry editing has been disabled by your administrator". I am the administrator, though, so how do I enable registry editing?

#5 ttownfeen
  • Topic Starter
  • Members
  • 35 posts

Posted 22 February 2009 - 03:42 PM

Good morning

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights".

  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

Then try updating and rerunning Malwarebytes.


Hello, thanks for your reply. I have placed SDFix on the affected computer, however it does not run when I double-click it. I am pretty sure I am on an account with administrator privileges (I can open Administrator Tools in the Control Panel).

#6 ttownfeen
  • Topic Starter
  • Members
  • 35 posts

Posted 22 February 2009 - 04:43 PM

Never mind! All I had to do was change the name of the file, and it ran. (Whatever's infected the system, it's smart.)

I'm running SDFix on the affected computer right now. I'll post the report once I have it.

Edited by ttownfeen, 22 February 2009 - 04:43 PM.


#7 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,608 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 February 2009 - 05:16 PM

I get a message: "Registry editing has been disabled by your administrator". I am the administrator, though, so how do I enable registry editing?

Some malware infections target and place restrictions on files such as regedit.exe, cmd.exe, msconfig and taskmgr.exe. This error occurs if the DisableRegistryTools Policy is enabled. If using Windows XP, see "Registry Editing has been Disabled by your Administrator". Be sure to read the note:

Or you can download and use regtools.vbs fix by Doug Knox and follow the instructions provided on that page.

#8 ttownfeen
  • Topic Starter
  • Members
  • 35 posts

Posted 22 February 2009 - 05:29 PM

Report.txt from SDFix for the affected system

SDFix: Version 1.240
Run by admin on Sun 02/22/2009 at 03:48 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
TDSSserv.sys

Path :
\systemroot\system32\drivers\TDSSmxst.sys

TDSSserv.sys - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\208739~1 - Deleted
C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds - Deleted
C:\Documents and Settings\NetworkService\Application Data\twain_32\user.ds - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\2.exe - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\3.exe - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\TMP35.tmp - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\TMP3C.tmp - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\TMP4D.tmp - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\TMP70.tmp - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\TMP71.tmp - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\TMP72.tmp - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\TMPB4.tmp - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\TMPC8.tmp - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\TMPC9.tmp - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\TMPCC.tmp - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\TMPD6.tmp - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\TMPEE.tmp - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\TMPF0.tmp - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\TMPF6.tmp - Deleted
C:\WINDOWS\system32\7.tmp - Deleted
C:\WINDOWS\system32\1A.tmp - Deleted
C:\WINDOWS\system32\1B.tmp - Deleted
C:\WINDOWS\system32\1C.tmp - Deleted
C:\WINDOWS\system32\drivers\TDSSmxst.sys - Deleted
C:\WINDOWS\system32\TDSSmtve.dat - Deleted
C:\WINDOWS\SYSTEM32\TDSSMTVE.dat - Deleted



Folder C:\Documents and Settings\LocalService\Application Data\twain_32 - Removed
Folder C:\Documents and Settings\NetworkService\Application Data\twain_32 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 16:21:55
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\admin\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Disabled:RealPlayer"
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"="C:\\Program Files\\WS_FTP\\WS_FTP95.exe:*:Disabled:WS_FTP 95"
"C:\\Program Files\\Common Files\\X10\\Common\\rundll32.exe"="C:\\Program Files\\Common Files\\X10\\Common\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"="C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1158122205\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1158122205\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1158122205\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1158122205\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"="C:\\Program Files\\Paltalk Messenger\\paltalk.exe:*:Enabled:Paltalk 9.0"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Documents and Settings\\admin\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\admin\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe:*:Disabled:backWeb-8876480"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Peterson's\\GRE\\server\\data\\firebirdsql\\bin\\fbserver.exe"="C:\\Program Files\\Peterson's\\GRE\\server\\data\\firebirdsql\\bin\\fbserver.exe:*:Enabled:Firebird SQL Server"
"C:\\Program Files\\Peterson's\\GRE\\jre\\bin\\java.exe"="C:\\Program Files\\Peterson's\\GRE\\jre\\bin\\java.exe:*:Enabled:java"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Disabled:Firefox"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004 1,711,616 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 77,824 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 26 Jan 2009 2,144,088 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 11 Aug 2004 25 ...H. --- "C:\WINDOWS\SYSTEM\CDROM96.DLL"
Thu 7 Dec 2000 68,096 A..H. --- "C:\WINDOWS\SYSTEM32\PackethSvc.exe"
Tue 1 Feb 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 6 Oct 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Mon 6 Oct 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Fri 5 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 17 Jul 2006 292 A..H. --- "C:\Program Files\Common Files\X10\Common\x10prod.sys"

Finished!
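
As an added example (not part of this thread, and not SDFix's own code), here is a small Python triage script for a report in the format of the Report.txt above: it pulls out the service SDFix deleted, the files it deleted, the catchme NTDLL hook list and the firewall exception export, and flags exceptions by assumed heuristics (an .exe registered from the drivers directory, an NT \??\ path prefix, winlogon.exe) that a clean XP install does not carry. The sample input is a constructed, trimmed excerpt of the report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
# Constructed, trimmed excerpt of the SDFix Report.txt posted above (sample input only).
SAMPLE_REPORT = r"""SDFix: Version 1.240
Checking Services :
Name :
TDSSserv.sys
Path :
\systemroot\system32\drivers\TDSSmxst.sys
TDSSserv.sys - Deleted
Trojan Files Found:
C:\DOCUME~1\admin\LOCALS~1\Temp\2.exe - Deleted
C:\WINDOWS\system32\drivers\TDSSmxst.sys - Deleted
detected NTDLL code modification:
ZwOpenFile

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Disabled:Firefox"
"%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"
Remaining Files :
"""

FIREWALL_LINE = re.compile(r'^"([^"]+)"="([^"]+)"$')
DELETED = " - Deleted"

@dataclass
class Triage:
    deleted_services: List[str] = field(default_factory=list)
    deleted_files: List[str] = field(default_factory=list)
    ntdll_hooks: List[str] = field(default_factory=list)
    firewall_allowed: List[Tuple[str, bool]] = field(default_factory=list)  # (path, enabled)
    suspicious_firewall: List[Tuple[str, str]] = field(default_factory=list)  # (path, reason)

def firewall_suspicious(path: str) -> Optional[str]:
    # Assumed triage heuristics (not part of SDFix): exceptions a clean XP install never carries.
    p = path.lower()
    if p.startswith("\\??\\"):
        return "NT object-manager prefix in a firewall exception"
    if "\\system32\\drivers\\" in p and p.endswith(".exe"):
        return "executable registered from the drivers directory"
    if p.endswith("\\winlogon.exe"):
        return "winlogon.exe has no reason to hold a firewall exception"
    return None

def triage_report(text: str) -> Triage:
    """Walk the report section by section and collect what a reviewer looks at first."""
    t = Triage()
    section = None
    for raw in text.splitlines():
        ln = raw.strip()
        if not ln:
            if section == "detected ntdll code modification":
                section = None  # catchme's hook list ends at the first blank line
            continue
        if ln.endswith(":"):
            section = ln[:-1].strip().lower()  # "Checking Services :" -> "checking services"
            continue
        if ln.endswith(DELETED):
            item = ln[: -len(DELETED)]
            # SDFix lists removed services by bare name and removed files by full path
            (t.deleted_files if "\\" in item else t.deleted_services).append(item)
        elif section == "detected ntdll code modification":
            t.ntdll_hooks.append(ln)
        elif section == "authorized application key export":
            m = FIREWALL_LINE.match(ln)
            if not m:
                continue  # the [HKEY_LOCAL_MACHINE\...] key header line
            # value format is <path>:*:<Enabled|Disabled>:<label>; .reg exports double backslashes
            path, _, rest = m.group(2).partition(":*:")
            path = path.replace("\\\\", "\\")
            enabled = rest.split(":", 1)[0].lower() == "enabled"
            t.firewall_allowed.append((path, enabled))
            reason = firewall_suspicious(path)
            if reason:
                t.suspicious_firewall.append((path, reason))
    return t
```

Run against the full Report.txt, the same parser also picks up the TDSSmtve.dat files and the Folder lines are ignored, so the output stays focused on the entries rigel quotes below.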



#9 ttownfeen
  • Topic Starter
  • Members
  • 35 posts

Posted 22 February 2009 - 06:10 PM

I get a message: "Registry editing has been disabled by your administrator". I am the administrator, though, so how do I enable registry editing?

Some malware infections target and place restrictions on files such as regedit.exe, cmd.exe, msconfig and taskmgr.exe. This error occurs if the DisableRegistryTools Policy is enabled. If using Windows XP, see "Registry Editing has been Disabled by your Administrator". Be sure to read the note:

Or you can download and use regtools.vbs fix by Doug Knox and follow the instructions provided on that page.


Thanks. After running SDFix, "Folder Options" has returned back to the computer.

#10 ttownfeen
  • Topic Starter
  • Members
  • 35 posts

Posted 22 February 2009 - 06:13 PM

I still can't run MBAM.exe without either changing the name or the extension. I've tried updating MBAM multiple times, but nothing happens after it's finished downloading the update and closing to install the new version.

I'm running MBAM multiple times to get rid of what I can. Spybot keeps catching something called Reader_S trying to make registry edits. I keep blocking it but it keeps trying to do it.

#11 rigel
    FD-BC
  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 22 February 2009 - 06:25 PM

TDSSserv.sys - Deleted


IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

• "When should I re-format? How should I reinstall?"
• "Help: I Got Hacked. Now What Do I Do?"
• "Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Let me know how you wish to proceed.



#12 ttownfeen
  • Topic Starter
  • Members
  • 35 posts

Posted 22 February 2009 - 07:27 PM

The infected computer is not used for anything other than email, internet surfing, and chatting. It has photos and music files, but that's it. Credit cards have been used to make online purchases, that's it.

I don't have the back-up CDs, so a reformat is not possible, correct?

Where should I go from here?

#13 rigel
    FD-BC
  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 22 February 2009 - 08:01 PM

Let's move forward with cleaning...

The best chance to clean your computer is in the HJT forum. They have more advanced tools to remove infections. Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know. Best wishes - you are in good hands...



#14 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,608 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 February 2009 - 10:41 AM

I don't have the back-up CDs, so a reformat is not possible, correct?

Note: If you're using an IBM, HP, Compaq or Dell machine, you may not have an original XP CD. By policy, Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific recovery disk or recovery partition for performing a clean "factory restore". See Technology Advisory Recovery Media.

If you don't have a recovery disk, then you may have a Recovery Partition. A recovery partition is used by some OEM manufacturers (Dell, HP, IBM, Gateway) instead of a recovery disk to store a complete copy of the hard disk's factory default contents for easy restoration. This consists of a hidden bootable partition containing various system recovery tools, including full recovery of the preinstalled Windows XP partition that will allow you to restore the computer to the state it was in when you first purchased it. The recovery software will then re-hide its own partition after creating a new partition and installing the software to it. You will lose all data and have to reinstall all programs that you added afterwards. This includes all security updates from Microsoft, so you will need to download/install them again.

Recovery partitions may only work with a start-up floppy disk, or the user may be prompted immediately after the "Out Of Box Experience" (OOBE) to create backup CD-R disks for the software on the hard drive image for future use. Once the CDs are made, the Operating System, Drivers, or Applications can be reinstalled using the files on the hard drive or the backup CDs. Before using a recovery partition, make sure you back up all your data, photos, etc. to another source such as a CD or external hard drive.

Some built in recovery partitions can be accessed by hitting Ctrl+F11, just F11 or F10 during bios startup. Others like those used by IBM Thinkpads will display a message at bootup instructing you to press F11 to boot from the recovery partition. For more information, see Understanding Partition recovery.

If you do a Google search on recovery partitions, you can find information specifically related to the manufacturer of your machine.

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and What Do I Do? links I previously provided. As I already said, in some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but we cannot make that decision for you.

Should you decide not to reformat, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done, you will need to follow rigel's directions for posting a DDS/HijackThis log.

#15 ttownfeen
  • Topic Starter
  • Members
  • 35 posts

Posted 28 February 2009 - 11:35 AM

I am having problems with SDFix causing the computer to crash. Windows will start up and SDFix will start its finishing process, which will cause the system to crash. I tried to remove it in Safe Mode, but I couldn't find it in Add/Remove Programs.



