
google redirects


  • This topic is locked
32 replies to this topic

#1 lugnuts100 (Members, 16 posts)

Posted 01 October 2009 - 11:21 PM

Picked up some kind of virus that redirects the Google and Yahoo search engines. Malwarebytes deletes them but they're still on the computer. I will also show a log from Malwarebytes. Please help.


DDS (Ver_09-09-29.01) - NTFSx86
Run by Owner at 23:29:10.57 on Thu 10/01/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.534 [GMT -4:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\combofix\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 208.74.174.142%20:3128
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Bar] c:\documents and settings\owner\local settings\temporary internet files\content.ie5\kvskyu8g\MediaPass_License[1].exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
IE: &Search
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
DPF: Microsoft XML Parser for Java
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180804346545
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-11-28 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-28 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-28 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-28 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-30 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-15 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-4-30 1370488]
R2 DLPORTIO;DLPORTIO;c:\windows\Dlportio.sys [2008-11-25 3584]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\spamfighter\sfus.exe [2008-7-29 184968]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-11-28 29208]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-11-28 29208]

=============== Created Last 30 ================

2009-10-01 22:47 <DIR> --d----- c:\program files\Trend Micro
2009-10-01 22:21 160,272 a------- c:\windows\system32\drivers\tmcomm.sys
2009-10-01 22:03 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-01 22:03 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-01 22:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-01 20:52 <DIR> a-dshr-- C:\cmdcons
2009-10-01 20:49 229,888 a------- c:\windows\PEV.exe
2009-10-01 20:49 161,792 a------- c:\windows\SWREG.exe
2009-10-01 20:49 98,816 a------- c:\windows\sed.exe
2009-10-01 20:48 <DIR> --ds---- C:\ComboFix
2009-10-01 20:48 389,120 a------- c:\windows\system32\CF22138.exe
2009-10-01 14:14 389,120 a------- c:\windows\system32\CF8408.exe
2009-10-01 13:22 389,120 a------- c:\windows\system32\CF17879.exe
2009-10-01 13:02 389,120 a------- c:\windows\system32\CF17021.exe
2009-10-01 11:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-09-29 14:06 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-09-29 14:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-29 09:12 <DIR> --dsh--- c:\documents and settings\owner\IECompatCache
2009-09-29 09:10 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
2009-09-29 09:07 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
2009-09-29 09:05 100,352 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-09-29 09:05 <DIR> --d----- c:\windows\ie8updates
2009-09-29 09:03 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-09-29 09:03 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-09-29 09:01 <DIR> -cd-h--- c:\windows\ie8
2009-09-09 07:50 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-08 11:41 <DIR> --d----- c:\program files\LizardTech

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-30 10:00 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-02-24 21:46 87,608 ac------ c:\docume~1\owner\applic~1\inst.exe
2009-02-24 21:46 47,360 ac------ c:\docume~1\owner\applic~1\pcouffin.sys
2008-08-30 18:08 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat
2009-01-10 09:23 16,384 ac-sh--- c:\windows\temp\cookies\index.dat
2009-01-10 09:23 16,384 ac-sh--- c:\windows\temp\history\history.ie5\index.dat
2009-01-10 09:23 32,768 ac-sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 23:32:24.26 ===============



Here is the Malwarebytes log:


Malwarebytes' Anti-Malware 1.41
Database version: 2890
Windows 5.1.2600 Service Pack 3

10/1/2009 10:18:52 PM
mbam-log-2009-10-01 (22-18-52).txt

Scan type: Quick Scan
Objects scanned: 98617
Time elapsed: 12 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\Device\Ide\IdePort1\xncvbese\xncvbese\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\Device\Ide\IdePort1\xncvbese\xncvbese\tdlwsp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
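A first-pass triage of the two logs above, as an added example that is not part of the original post and is not code from DDS, Malwarebytes or BleepingComputer. It reads the DDS "Pseudo HJT Report" and MBAM lines as plain text and flags the entries an analyst would circle by hand: a per-user IE proxy pointing at a public address (`208.74.174.142:3128`, which routes every IE request through that host and fits the search-redirect symptom), an autorun entry launched from the browser cache, a service whose binary DDS could not size or date (the `[?]` marker), and a module loaded from a `\\?\globalroot\Device\...` path, which is outside the normal file-system namespace and is how TDL3-family rootkits expose their hidden storage. The sample lines are copied from the logs posted above; the rule names, severities and the `triage`/`proxy_host_port`/`is_public_ip` helpers are this example's own.

```python
"""Triage a DDS 'Pseudo HJT Report' and an MBAM log for the indicators seen in this thread.

Added example (not DDS, MBAM or BleepingComputer code).  Rule set, severities
and helper names are this example's own assumptions.
"""
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample: lines copied from the DDS and MBAM logs posted above.
SAMPLE_LINES = [
    "uStart Page = hxxp://my.yahoo.com",
    "uInternet Settings,ProxyServer = 208.74.174.142%20:3128",
    "uInternet Settings,ProxyOverride = *.local;<local>",
    "BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\\program files\\avg\\avg8\\avgssie.dll",
    "mRun: [AVG8_TRAY] c:\\progra~1\\avg\\avg8\\avgtray.exe",
    "mRun: [Bar] c:\\documents and settings\\owner\\local settings\\temporary internet files\\content.ie5\\kvskyu8g\\MediaPass_License[1].exe",
    "R2 avg8wd;AVG8 WatchDog;c:\\progra~1\\avg\\avg8\\avgwdsvc.exe [2009-1-15 297752]",
    "S2 MyWebSearchService;My Web Search Service;c:\\progra~1\\mywebs~1\\bar\\1.bin\\mwssvc.exe --> c:\\progra~1\\mywebs~1\\bar\\1.bin\\mwssvc.exe [?]",
    "\\\\?\\globalroot\\Device\\Ide\\IdePort1\\xncvbese\\xncvbese\\tdlwsp.dll (Rootkit.TDSS) -> Delete on reboot.",
]

PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
RUN_RE = re.compile(r"^[um]Run(Once)?:")
SERVICE_RE = re.compile(r"^[RS][0-9] ")   # DDS service/driver lines: R0..R3, S0..S4


def proxy_host_port(value):
    """Split a ProxyServer value into (host, port).

    DDS URL-encodes the value, so '208.74.174.142%20:3128' arrives with a
    '%20' that decodes to a space; all whitespace is dropped before parsing.
    The per-protocol form 'http=host:port;https=...' is reduced to its http entry.
    """
    cleaned = "".join(unquote(value).split())
    if cleaned.startswith("http="):
        cleaned = cleaned.split(";")[0][len("http="):]
    host, sep, port = cleaned.rpartition(":")
    return (host, port) if sep else (cleaned, "")


def is_public_ip(host):
    """True when host is an IP address outside private/loopback/link-local ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False            # a hostname, not an address; not judged here
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def triage(lines):
    """Return (severity, rule, detail, line) tuples for suspicious log lines."""
    findings = []
    for line in lines:
        low = line.lower()
        m = PROXY_RE.match(line)
        if m:
            host, port = proxy_host_port(m.group(1))
            if is_public_ip(host):
                findings.append(("HIGH", "proxy-public-ip", f"{host}:{port}", line))
            continue
        if RUN_RE.match(line):
            # Everything after the [name] is the command; quotes are stripped for matching.
            target = line.split("]", 1)[1].strip().strip('"').lower()
            if "temporary internet files" in target or "\\temp\\" in target:
                findings.append(("HIGH", "autorun-from-cache", target, line))
            continue
        if SERVICE_RE.match(line) and line.rstrip().endswith("[?]"):
            # '[?]' replaces the '[date size]' DDS prints when it can read the binary.
            name = line[3:].split(";", 1)[0]
            findings.append(("MEDIUM", "service-binary-unreadable", name, line))
            continue
        if "globalroot\\device\\" in low:
            findings.append(("HIGH", "module-outside-fs-namespace", line.split(" ")[0], line))
    return findings


if __name__ == "__main__":
    for severity, rule, detail, _ in triage(SAMPLE_LINES):
        print(f"{severity:6} {rule:28} {detail}")
```

The rules are deliberately narrow: they do not try to judge BHOs, toolbars or DPF entries by name, only structural oddities that need no signature database. The `[?]` service entry and the `globalroot` module both point at the same thing the MBAM verdict already names, while the proxy and cache-launched autorun are the kind of persistence a rootkit removal alone would leave behind.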


#2 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 02 October 2009 - 04:37 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 lugnuts100 (Topic Starter; Members, 16 posts)

Posted 03 October 2009 - 08:20 AM

Hello Sam, thanks for helping me.
Unfortunately I cannot get ComboFix to produce a log file. It will get to the stage where it says it is scanning files for infections, and that's as far as it will run. It shows no other prompts. I have let it run for a couple of hours. AVG is disabled. Again, thanks for your help.

Edited by lugnuts100, 03 October 2009 - 08:28 AM.


#4 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 03 October 2009 - 09:37 AM

Download this file to your desktop. Double-click on it. A black window should show up that asks you to "Enter the link to query". Type the following bolded text into that window:
\Device\Ide\IdePort0
Then, hit Enter. The program will generate a file on your desktop called DirQuery.txt. Please post it here.

#5 lugnuts100 (Topic Starter; Members, 16 posts)

Posted 03 October 2009 - 11:16 AM

Here you go

Running from: C:\Documents and Settings\Owner\Desktop\DirQuery.exe

Log file at : C:\Documents and Settings\Owner\Desktop\DirQuery.txt

The driver that owns the link:

\Device\Ide\Ideport0

is located at:

atapi.sys

and the device link is:

\Driver\atapi

The path to the driver from the registry is:

System32\DRIVERS\atapi.sys

#6 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 03 October 2009 - 04:31 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    atapi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#7 lugnuts100 (Topic Starter; Members, 16 posts)

Posted 04 October 2009 - 12:38 AM

Here's the log, Sam.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 01:30 on 04/10/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [14:31 30/08/2008] [02:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [20:05 05/06/2007] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [13:41 04/06/2007] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys --a--c 86656 bytes [13:41 04/06/2007] [12:00 18/08/2001] A64013E98426E1877CB653685C5C0009

-=End Of File=-
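The comparison the helper is making by eye in the log above, as an added example that is not SystemLook's code or a BleepingComputer tool: parse the `filefind` result lines, group the copies of `atapi.sys` by hash and size so distinct builds stand out, and check whether the loaded copy in `system32\drivers` (the path the registry points at, per the DirQuery output) matches the installed service pack's pristine copy in `ServicePackFiles\i386`. The choice of that copy as the reference is this example's assumption, made because the MBAM header reports Service Pack 3; `$NtServicePackUninstall$` holds the pre-SP version (95360 bytes, 2004) and `ReinstallBackups` an older one still, so neither is a like-for-like reference. One caveat a practitioner would add: a hash collected from inside a running system is only as trustworthy as the disk reads behind it, and TDL3-family rootkits (the `Rootkit.TDSS` detection in post #1) filter reads of the driver they infect so the on-disk file appears pristine. A match therefore rules out a crude overwrite, not an infection; the same comparison from an offline boot is the stronger check. The helper names `parse_filefind`, `versions` and `compare_live_copy` are this example's own.

```python
"""Compare the copies of a driver listed by a SystemLook ':filefind' run.

Added example (not SystemLook code, not a BleepingComputer tool).  The
reference copy (ServicePackFiles\\i386, the installed service pack's pristine
file) is this example's assumption; helper names are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample: the filefind block from the SystemLook log posted above.
SAMPLE_LOG = r"""
Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [14:31 30/08/2008] [02:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [20:05 05/06/2007] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [13:41 04/06/2007] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys --a--c 86656 bytes [13:41 04/06/2007] [12:00 18/08/2001] A64013E98426E1877CB653685C5C0009
"""

# path  attrs(6 chars)  size bytes  [timestamp]  [timestamp]  MD5
# SystemLook prints two bracketed timestamps; this example carries them
# through unlabelled rather than asserting which is created vs. modified.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<stamp_a>[^\]]+)\]\s+\[(?P<stamp_b>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(text):
    """Return one dict per result line; header/footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def versions(entries):
    """Group copies by (md5, size) so each distinct build lists its locations."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["md5"], e["size"])].append(e["path"])
    return dict(groups)


def compare_live_copy(entries,
                      live_fragment="\\system32\\drivers\\",
                      ref_fragment="\\ServicePackFiles\\i386\\"):
    """Compare the loaded driver location against the chosen reference copy.

    Returns a verdict of 'matches-reference', 'differs-from-reference' or
    'undetermined' (when the live or reference copy is missing or ambiguous).
    A match only means the bytes the file API returned agree; a rootkit that
    filters disk reads can make an infected driver hash clean.
    """
    live = [e for e in entries if live_fragment.lower() in e["path"].lower()]
    ref = [e for e in entries if ref_fragment.lower() in e["path"].lower()]
    if len(live) != 1 or len(ref) != 1:
        return {"verdict": "undetermined",
                "reason": f"{len(live)} live / {len(ref)} reference copies found"}
    same = live[0]["md5"] == ref[0]["md5"] and live[0]["size"] == ref[0]["size"]
    return {"verdict": "matches-reference" if same else "differs-from-reference",
            "live": live[0]["path"], "reference": ref[0]["path"],
            "live_md5": live[0]["md5"], "reference_md5": ref[0]["md5"]}


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    for (md5, size), paths in versions(found).items():
        print(f"{md5} {size:>6} bytes: {', '.join(paths)}")
    print(compare_live_copy(found))
```

Run against the log above, the live driver and the `ServicePackFiles` copy share the same MD5 and size, while the three other locations hold three different builds. Passing `ref_fragment="\\$NtServicePackUninstall$\\"` shows the same function reporting a mismatch, which is the comparison to keep in mind when a script moves that older copy over the live one.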

#8 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 04 October 2009 - 09:44 AM

Please disable your antivirus program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

    Files to move:
    C:\WINDOWS\$NtServicePackUninstall$\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).

Please run a new scan with Malwarebytes and post the resulting log.

#9 lugnuts100 (Topic Starter; Members, 16 posts)

Posted 04 October 2009 - 02:37 PM

Hello again Sam
Unfortunately something bad has happened. I ran Avenger and everything went well; the computer rebooted and saved the log file. I did not have time to run Malwarebytes because I had to run my daughter to cheerleading practice, so I shut down the computer, and when I got back and turned the computer on it will not boot up. It goes to the screen where it asks you if you want to boot Windows normally, or safe mode, etc. I leave it on boot Windows normally and hit Enter, and it boots back to the same screen. I also tried to boot in safe mode and it also boots to the same screen. I hope I didn't screw up.

#10 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 05 October 2009 - 07:33 AM

What other options do you have besides normally or safe mode?

Do you have your Windows XP disc?

#11 lugnuts100 (Topic Starter; Members, 16 posts)

Posted 05 October 2009 - 08:27 AM

Hello Sam
Other options are Safe mode with networking, Safe mode with command prompt, and Last known good configuration [your most recent settings that worked]. However, all of these do the same thing. I can hit the F2, F8 and F12 buttons and these will boot to a different setup screen. For example, when pressing F12 it will give me these options:

Boot device menu

1. normal
2. diskette drive
3. Hard disk drive C:
4. IDE CD-ROM device
5. system setup
6. IDE drive diagnostics
7. Boot to utility partition

enter choice

I think F2 takes me to the BIOS screen and F8 takes me to a screen similar to the one when it first boots up, but with a few more options like:

Enable boot logging
Enable VGA mode
Directory services restore mode
Disable automatic restart on system failure
Debugging mode

I'm still looking for the Windows XP CD but so far I cannot find it; really panicking over the CD... lol.
Also, I can get to the Windows Recovery Console that ComboFix downloaded.

Edited by lugnuts100, 05 October 2009 - 03:18 PM.


#12 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 05 October 2009 - 06:10 PM

Go to the Recovery Console and type in FIXBOOT at the prompt.

#13 lugnuts100 (Topic Starter; Members, 16 posts)

Posted 06 October 2009 - 07:57 AM

Hello again Sam, I really appreciate the help.
I typed in FIXBOOT and here's what it asks:

C:\WINDOWS>FIXBOOT
The target partition is C:
Are you sure you want to write a new bootsector to the partition C: ?

Do I go ahead and type Y and hit Enter? Just want to make sure.

#14 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 06 October 2009 - 08:40 AM

Yes

#15 lugnuts100 (Topic Starter; Members, 16 posts)

Posted 06 October 2009 - 08:57 AM

Okay, it says:

The file system on the startup partition is NTFS
Fixboot is writing a new boot sector.
The new bootsector was successfully written.

C:\Windows>

I will wait for the next post for instructions.

Edited by lugnuts100, 06 October 2009 - 09:15 AM.

