Infected system - unable to do most anything


  • This topic is locked
32 replies to this topic

#1 kimbly
  • Members
  • 39 posts

Posted 05 November 2009 - 02:19 AM

http://www.bleepingcomputer.com/forums/ind...p;#entry1486329

With thanks to Budapest for the huge amount of support already offered!

I am unable to run DDS.
Three days ago, when the system was still mostly functional, I was able to run a Win32kDiag scan.
I am unable to copy and paste from the affected system.

I am typing the log file I got at that time (be gentle)

WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max==>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566
Mount point destination : \Device\__max==>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143
Mount point destination : \Device\__max==>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653
Mount point destination : \Device\__max==>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB914568
Mount point destination : \Device\__max==>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max==>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB976749-IE7\KB976749-IE7
Mount point destination : \Device\__max==>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP301.tmp\ZAP301.tmp
Mount point destination : \Device\__max==>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP30F.tmp\ZAP30F.tmp
Mount point destination : \Device\__max==>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3C2.tmp\ZAP3C3.tmp
Mount point destination : \Device\__max==>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP43.tmp\ZAP43.tmp
Mount point destination : \Device\__max==>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4A2.tmp\ZAP4A2.tmp
Mount point destination : \Device\__max==>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4C4.tmp\ZAP4C4
Mount point destination : \Device\__max==>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4D8.tmp\ZAP4D8
Mount point destination : \Device\__max==>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Cache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe


I honestly do appreciate any assistance y'all can provide.

I should also post that RootRepeal will not run either.
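The Win32kDiag log above is the main evidence in this post: dozens of system directories whose reparse data all point at the same odd target. As an added example (not part of the thread and not Win32kDiag's own code), here is a Python triage script for that log format. It pairs each "Found mount point" line with its destination and flags any destination that does not start with \??\, the Win32-namespace prefix that junctions and volume mount points created by Windows tools carry (\??\C:\... or \??\Volume{...}\). It also records the two other things the log says: the scan ran without backup privilege, so the list may be incomplete, and one file could not be opened. The sample is an excerpt of the posted log plus one constructed benign mount point (C:\Mounts\Data) for contrast.

```python
"""Triage a Win32kDiag log for mount points with abnormal reparse targets.

Added example; not from the thread and not part of Win32kDiag. The
sample below is built from the log typed into the post above plus one
constructed benign line for contrast.
"""
import re

# Constructed sample: excerpt of the posted log, plus a normal volume
# mount point (C:\Mounts\Data) that does not occur on the page.
SAMPLE_LOG = """\
WARNING: Could not get backup privileges!
Searching 'C:\\WINDOWS'...
Found mount point : C:\\WINDOWS\\$hf_mig$\\KB904706\\KB904706
Mount point destination : \\Device\\__max++>\\^
Found mount point : C:\\WINDOWS\\assembly\\temp\\temp
Mount point destination : \\Device\\__max++>\\^
Found mount point : C:\\WINDOWS\\Cache
Mount point destination : \\Device\\__max++>\\^
Found mount point : C:\\Mounts\\Data
Mount point destination : \\??\\Volume{5e2a1c4b-0000-0000-0000-000000000000}\\
Cannot access: C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpSvc.exe
"""

MOUNT_RE = re.compile(r"^Found mount point\s*:\s*(.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+?)\s*$")
DENIED_RE = re.compile(r"^Cannot access:\s*(.+?)\s*$")


def parse_win32kdiag(text):
    """Pair each 'Found mount point' with the destination line that follows it."""
    result = {"backup_privilege": True, "mount_points": [], "denied": []}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("WARNING: Could not get backup privileges"):
            # Without SeBackupPrivilege the scan cannot open every
            # directory, so the list below may be incomplete.
            result["backup_privilege"] = False
            continue
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            result["mount_points"].append((pending, m.group(1)))
            pending = None
            continue
        m = DENIED_RE.match(line)
        if m:
            result["denied"].append(m.group(1))
    return result


def is_expected_target(destination):
    """Junctions and volume mount points made by Windows tools resolve
    into the Win32 namespace: \\??\\C:\\... or \\??\\Volume{...}\\."""
    return destination.startswith("\\??\\")


def suspicious_mount_points(parsed):
    """Directories whose reparse data points outside \\??\\."""
    return [(path, dest) for path, dest in parsed["mount_points"]
            if not is_expected_target(dest)]


def summarize(parsed):
    """How many odd mount points, which targets, and whether the scan
    itself was complete."""
    odd = suspicious_mount_points(parsed)
    return {
        "mount_points": len(parsed["mount_points"]),
        "suspicious": len(odd),
        "targets": sorted({dest for _, dest in odd}),
        "denied": list(parsed["denied"]),
        "complete_scan": parsed["backup_privilege"],
    }


if __name__ == "__main__":
    parsed = parse_win32kdiag(SAMPLE_LOG)
    for path, dest in suspicious_mount_points(parsed):
        print(f"SUSPICIOUS {path} -> {dest}")
    print(summarize(parsed))
```

The useful signal is not any single directory but the count: many unrelated system directories sharing one non-\??\ target is not something an administrator or installer produces, and "complete_scan" being false means a clean result from such a run would not be conclusive either.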

#2 htv8
  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 06 November 2009 - 08:15 AM

Hello kimbly, and welcome to BleepingComputer.com! I will be helping you get cleaned up.

Please take note of some guidelines for this fix:
  • I will start working on your malware issues, this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running extra scanners or fix programs not requested by me: doing so could change the results in the reports I request.
  • The process is not instant: even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I tell you your machine is clean. Just because a symptom disappears does not mean your system is clean. We do not want to clean you part-way, only to have the system re-infect itself.
  • If you do not understand any step(s) provided, please stop and ask your question(s) before proceeding with the fixes. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please set aside enough time to complete all the steps in each post and follow the instructions in the order stated.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If for any reason you cannot complete instructions within that time, that's fine, but please let me know: just post back here so that I know you are still here. This is to ensure that your topic remains open and I don't close it to start a new post.
    NOTE: In the upper right hand corner of the topic you will see a button called Options. If you click on this button, a drop-down menu will expand. By choosing Track this topic and then choosing Immediate Email Notification, followed by clicking Proceed, you will be advised when I respond to your topic. This facilitates the cleaning procedure. The topics you are tracking can be found here.
  • Please reply to this thread using the Add Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Reviewing your log(s) requires an amount of research, so please be patient. However, if I have not posted back within 24 hours, feel free to send me a Personal Message (PM) with your topic link.


Now let's get to work.

Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it.
    • A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#3 kimbly
  • Topic Starter
  • Members
  • 39 posts

Posted 06 November 2009 - 08:28 AM

Thanks so much, htv8 for your help.

Just a bit of background - the infected system can no longer access the internet.
I also cannot copy and paste...so I am running files from disk.
When I tried to run the peek.bat file, I rec'd a message:
Windows cannot find 'Log.txt'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

I'm afraid things are pretty bad on this system.

Budapest had me run a Viper scan - it did run, but as far as I can tell it didn't save a log file that I can find anywhere.
The command prompt eventually shut itself down - no log.

I am sorry about the frustration.

#4 htv8
  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 06 November 2009 - 09:08 AM

Hello there.

I also cannot copy and paste...so I am running files from disk.

Could the problem be that the disk you're using isn't writable? Try running peek.bat from the Desktop please. If however that's not possible, then please instead try the instructions below.



Download and run a batch file (peek2.bat):
  • Download the attached peek2.bat from the download link below and save it.
    Attached File: peek2.bat (153 bytes)
  • Double-click peek2.bat to run it.
    • A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log2.txt file it creates as a reply to this post.
    NOTE: If needed, the log file can be found at C:\Log2.txt

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#5 kimbly
  • Topic Starter
  • Members
  • 39 posts

Posted 06 November 2009 - 07:26 PM

htv8 -

Again, thanks for your help.
The log file is as follows


Volume in drive C has no label.
Volume Serial Number is 8439-C7DE

Directory of C:\WINDOWS\$NtUninstallKB968389$

08/10/2004 05:00 AM 407,040 netlogon.dll
1 File(s) 407,040 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884a1d22f9e

04/13/2008 06:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008 06:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

08/10/2004 05:00 AM 180,244 scecli.dll

Directory of C:\WINDOWS\system32

02/06/2009 12:46 PM 408,064 netlogon.dll

Directory of C:\WINDOWS\system32

08/10/2004 05:00 AM 61,952 eventlog.dll
3 File(s) 650,240 bytes

Directory of C:\WINDOWS\system21\dllcache

02/06/2009 12:46 PM 408,064 netlogon.dll
1 File(s) 408,064 bytes

Total Files Listed:
8 File(s) 2,109,952 bytes
0 Dir(s) 38,551,793,664 bytes free


Let me know if you need anything else...and thanks again!

Edited by kimbly, 06 November 2009 - 10:39 PM.
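The listing above is what peek2.bat produced: every copy of three system DLLs (netlogon.dll, scecli.dll, eventlog.dll) found on the disk, with dates and sizes. As an added example (not the thread's batch file and not the helper's own tooling), here is a Python script that parses this kind of dir output, groups each DLL's copies by directory, and reports the DLLs whose copy in system32 matches none of the other copies by size. The sample listing is reconstructed from the post above, with the dllcache directory written under system32 where it normally lives. A size difference is a lead, not proof: a later update can legitimately leave a different file in system32 than in an older uninstall or download folder, so confirm with a hash or file-version check before treating the live copy as tampered.

```python
"""Compare copies of system DLLs in a dir-style listing.

Added example; not the thread's peek2.bat and not the helper's tooling.
Parses the listing format shown above and flags DLLs whose copy in
system32 matches none of the other copies on disk by size.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the listing posted above; the dllcache
# directory is written as system32\dllcache, its normal location.
SAMPLE_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is 8439-C7DE

 Directory of C:\WINDOWS\$NtUninstallKB968389$

08/10/2004  05:00 AM           407,040 netlogon.dll
               1 File(s)        407,040 bytes

 Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008  06:12 PM           181,248 scecli.dll
04/13/2008  06:12 PM           407,040 netlogon.dll
04/13/2008  06:11 PM            56,320 eventlog.dll
               3 File(s)        644,608 bytes

 Directory of C:\WINDOWS\system32

08/10/2004  05:00 AM           180,244 scecli.dll
02/06/2009  12:46 PM           408,064 netlogon.dll
08/10/2004  05:00 AM            61,952 eventlog.dll
               3 File(s)        650,240 bytes

 Directory of C:\WINDOWS\system32\dllcache

02/06/2009  12:46 PM           408,064 netlogon.dll
               1 File(s)        408,064 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# date  time AM/PM  size  name   (summary lines like "3 File(s)" do not match)
FILE_RE = re.compile(
    r"^\s*\d{2}/\d{2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(\S.*?)\s*$")


def parse_dir_listing(text):
    """Return {filename_lower: [(directory, size_bytes), ...]}."""
    copies = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            size = int(m.group(1).replace(",", ""))
            copies[m.group(2).lower()].append((current, size))
    return dict(copies)


def size_mismatches(copies, system_dir=r"C:\WINDOWS\system32"):
    """DLLs whose live copy in system_dir matches no other copy by size.

    Only a lead: a later update can leave a newer file in system32 than
    in an old uninstall or download folder. Confirm with a hash or
    version check before treating the live copy as patched.
    """
    flagged = {}
    for name, locations in copies.items():
        live = [size for d, size in locations if d.lower() == system_dir.lower()]
        others = [(d, size) for d, size in locations if d.lower() != system_dir.lower()]
        if not live or not others:
            continue  # nothing to compare against
        if not any(size == live[0] for _, size in others):
            flagged[name] = {"system32": live[0], "others": others}
    return flagged


if __name__ == "__main__":
    for name, info in sorted(size_mismatches(parse_dir_listing(SAMPLE_LISTING)).items()):
        print(f"{name}: system32 copy is {info['system32']:,} bytes; "
              f"other copies: {info['others']}")
```

On the sample, netlogon.dll is not flagged because its system32 copy is byte-for-byte the same size as the dllcache copy, while scecli.dll and eventlog.dll are flagged because their system32 copies match nothing else on disk.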


#6 htv8
  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 November 2009 - 02:43 AM

Hello again, kimbly! Now let's start cleaning that mess.



Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


1. Perform a file copy (from within Command Prompt):
  • Go to Start -> Run...
  • In the empty "Open:" box provided, type cmd and click OK (or press Enter).
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).
    copy C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll C:\ /y
  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste
  • Press Enter.
    • When the file copy was successful, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you did not get this message, stop and tell me first as executing the script below with The Avenger won't work if the file copy was not successful!
  • Exit the Command Prompt window.
2. Execute a script with The Avenger:
  • WARNING to others reading this thread: The Avenger is a VERY POWERFUL program, and can easily be misused. Certain misuses of this program can prevent your system from ever starting again. For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision. We can accept no responsibility for damage caused by misuse of the program!
  • Download The Avenger by Swandog46 from the download link below and save it to your Desktop.
  • Right-click the avenger.zip file and select Extract all...
  • Follow the prompts and extract the avenger folder to your Desktop.
  • Copy all the text contained in the CODE box below to the clipboard by highlighting it and pressing Ctrl+C (or, after highlighting, right-click and choose Copy). Do NOT copy the word "CODE" from the CODE box!
    Files to move:
    c:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
    WARNING: The above script was written specifically for this infection on this person's computer. If you are not this user, do NOT follow these directions as they could damage the workings of your system!
  • Open the avenger folder and start The Avenger program by double-clicking its icon (avenger.exe).
  • Click OK to agree that in using the program, you do so at your own risk.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Right-click on the window under "Input script here:", and select Paste (alternatively, you can click on this window and press Ctrl+V to paste the contents of the clipboard).
  • Click the Execute button.
  • Answer Yes twice when prompted.
    • The Avenger will automatically do the following:
      • Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
      • On reboot, it will briefly open a black command window on your Desktop; this is normal.
      • After the restart, it creates a log file that should open with the results of its actions. (This log file can be found at C:\avenger.txt)
      • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip
  • Copy & paste the entire contents of the log file (C:\avenger.txt) into your next reply.
3. Download and run sUBs' ComboFix:
  • Please download ComboFix from any of the links below. * IMPORTANT! Save ComboFix.exe to your Desktop but rename it to kimbly.exe before saving it!
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double-click kimbly.exe and follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Once installed, you should see a screen prompt that says: "The Recovery Console was successfully installed.".
  • Click Yes to allow ComboFix to continue scanning for malware.
    NOTE: Do NOT mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
  • When finished, ComboFix shall produce a log for you (located at C:\ComboFix.txt). Post the entire contents of that report in your next reply for further review, along with the Add-Remove Programs.txt log which can be found at C:\Qoobox.

GENERAL WARNING: Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your Operating System such as preventing it from ever starting again. Also see ComboFix's disclaimer.

4. Run Win32kDiag's fix option:
  • Please delete any copy of Win32kDiag (Win32kDiag.exe) that you have.
  • Download a fresh version from any of the following locations and save it to your Desktop.
  • Go to Start -> Run...
  • In the empty "Open:" box, copy & paste the following command (the blue-colored text):
    "%userprofile%\desktop\win32kdiag.exe" -f -r
  • Click OK (or hit Enter).
    • Win32kDiag will now run its fix.
  • When it's finished, double-click on the Win32kDiag.txt log file located on your Desktop and post the entire contents of that log as a reply to this topic.


So in your next post, please post the entire contents of:
  • C:\avenger.txt (The Avenger's log)
  • C:\ComboFix.txt (the ComboFix log)
  • C:\Qoobox\Add-Remove Programs.txt
  • Win32kDiag.txt

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#7 kimbly
  • Topic Starter
  • Members
  • 39 posts

Posted 07 November 2009 - 10:36 AM

htv8 -

Combo Fix is giving me a message "This machine does not have the 'Microsoft Windows recovery console' installed. Without it, ComboFix shall not attempt the fixing of some serious infections.
Click 'Yes' to have ComboFix download/install it
NOTE: this requires an active internet connection

Unfortunately, the viruses on this system have disabled my internet connection.
The immediate message that popped up after Combofix rebooted my system was:

Wireless Configuration
Notification.dll has not been registered, program will not work correctly

I have not proceeded.

Thanks again - and I am sorry for all the problems!

#8 kimbly
  • Topic Starter
  • Members
  • 39 posts

Posted 07 November 2009 - 01:48 PM

*panic mode on*

htv8

I established a LAN connection and attempted to proceed with ComboFix
It ran and created a logfile.
The top of the logfile stated that the Microsoft Recovery Console was not able to be installed.
My entire screen is blue.
I attempted to move the logfile and it minimized and disappeared.

I am terrified to do or move anything.

Is all hope lost?


Edited to add - task manager does work and I was able to bring the log file back up.
I won't be able to cut and paste the file, I don't believe....but I can type it up. Might take a bit but I'll start on it now, just in case.

Edited by kimbly, 07 November 2009 - 09:27 PM.


#9 htv8
  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 08 November 2009 - 02:55 AM

Hello again, kimbly!

So if I understand this correctly, you're still able to boot normally?
I don't think it's needed to type up the whole log. Can you attach it to your post? Instructions on how to do that can be found at the bottom of this post.

Edited by htv8, 08 November 2009 - 03:29 AM.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#10 kimbly
  • Topic Starter
  • Members
  • 39 posts

Posted 08 November 2009 - 09:59 AM

I haven't tried to boot it back up. Once ComboFix was through running, it came back to a blank blue screen.
No icons, no start menu.
I was able to start Task Manager to locate the log file, but the desktop doesn't come back on.
I did not want to reboot without your say so.

The computer I am typing on now is not the same as the infected computer.
The infected computer apparently did not establish a LAN connection.
I am denied privileges when I do try to access many programs.
Including copying.

Edited by kimbly, 08 November 2009 - 10:01 AM.


#11 htv8
  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 08 November 2009 - 10:15 AM

Hello kimbly,

Can you try rebooting to see if the computer is able to boot normally? If the computer is able to load normally, please locate the ComboFix log file at C:\ComboFix.txt and attach it to your post using the instructions at the bottom of this post.

Let me know how it goes.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#12 kimbly
  • Topic Starter
  • Members
  • 39 posts

Posted 08 November 2009 - 10:28 AM

htv8 -

Thanks for your help. I am really frustrated.

Okay...I don't think I'm relating information to you correctly.
I can not paste from the infected computer.
Control C and Control V - does not work.
I cannot move the ComboFix file - copy and paste/cut and paste does not work.
I tried sending the file to a thumb drive - also did not work.

Unless there's something I'm missing...the only way for you to SEE the ComboFix log is for me to type it out in a notepad file on my second computer?

I don't mean to be so difficult - I swear.

The computer does boot back up, however.

Edited by kimbly, 08 November 2009 - 10:35 AM.


#13 htv8
  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 08 November 2009 - 11:19 AM

Hello kimbly,

OK, I need some more information. Do you have a Windows XP Installation CD with you?

Please do this:
  • Press Ctrl+Alt+Delete to open up the Task Manager.
  • Within Task Manager, click File, then hold down Ctrl and left-click New Task (Run...)
    • A Command Prompt window will open.
  • In the Command Prompt window, type sc query rpcss and hit Enter
  • Please provide me the output that now appears in the black Command Prompt window in your next reply.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#14 kimbly
  • Topic Starter
  • Members
  • 39 posts

Posted 08 November 2009 - 11:33 AM

htv8 -

The command prompt box shuts down. I see it open, but it closes.
Which I have to assume is not a good thing.

Just to give you a bit more info, running in task manager is:
rundll32.exe
hnm_scv.exe
ati2evxx.exe
ati2evxx.exe
explorer.exe
NicConfigSvc.exe
FastNetSrv.exe
BCMWLTRY.EXE
WLTRYSVC.EXE
taskmgr.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
notepad.exe
ctfmon.exe
System
System Idle Process SYSTEM

I have been searching for my Windows XP Installation CD but as of yet have not been able to locate it.
:(

I know you have to be super frustrated with my NEVER ENDING set of problems.
I can do nothing but praise you for your patience and thank you for your help.

#15 htv8
  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 08 November 2009 - 12:10 PM

OK, let's try this then...
  • Press Ctrl+Alt+Delete to open up the Task Manager.
  • Within Task Manager, click File, then left-click New Task (Run...)
  • In the empty "Open:" box provided, type the following:
    regedit /e C:\export.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcss
    NOTE the space between "regedit" and "/e", between "/e" and "C:\export.txt", and between "C:\export.txt" and "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcss"!
  • Hit Enter (or click OK).
  • Wait a couple of seconds.
  • Within Task Manager, click on File, and then left-click New Task (Run...) again.
  • In the empty "Open:" box provided, type the following:
    Notepad C:\export.txt
    NOTE the space between "Notepad" and "C:\export.txt"!
  • Hit Enter (or click OK).
    • A Notepad window showing some results will pop up.
  • Look under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcss] and please tell me what numeric value you see after "Start". For example: "Start"=dword:00000002

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

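Posts #13 and #15 are both trying to learn the state of the RPCSS service: first with sc query in a Command Prompt, then, when that window closes by itself, with regedit /e to export the service key to C:\export.txt and read the Start value in Notepad. As an added example (not from the thread), here is a Python script that parses such an export offline, for instance on the second computer. It handles the UTF-16LE-with-BOM encoding that regedit 5.00 writes, the backslash line continuations regedit uses for long values, the dword encoding of Start, and the hex(2) encoding of ImagePath (REG_EXPAND_SZ stored as UTF-16LE bytes), and it maps the Start code to its meaning (2 = Auto, which is what RpcSs should have). The export text is constructed to resemble a healthy XP RpcSs key; it is not an export from the infected machine.

```python
"""Read a service's Start value from a 'regedit /e' export.

Added example; not from the thread. Parses the kind of C:\\export.txt
that regedit /e writes for a Services key and decodes the values a
responder looks at first: Start (dword) and ImagePath (hex(2), i.e.
REG_EXPAND_SZ stored as UTF-16LE bytes).
"""
import re

RPCSS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcss"

# SERVICE_BOOT_START .. SERVICE_DISABLED
START_TYPES = {0: "Boot", 1: "System", 2: "Auto", 3: "Manual", 4: "Disabled"}

# Constructed export resembling a healthy XP RpcSs key (not taken from
# the infected machine). regedit 5.00 writes UTF-16LE with a BOM and
# wraps long values with a trailing backslash.
_SAMPLE_TEXT = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\rpcss]\r\n"
    "\"Type\"=dword:00000020\r\n"
    "\"Start\"=dword:00000002\r\n"
    "\"ErrorControl\"=dword:00000001\r\n"
    "\"ImagePath\"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\\r\n"
    "  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,\\\r\n"
    "  76,00,63,00,68,00,6f,00,73,00,74,00,20,00,2d,00,6b,00,20,00,72,00,70,00,63,00,\\\r\n"
    "  73,00,73,00,00,00\r\n"
    "\"DisplayName\"=\"Remote Procedure Call (RPC)\"\r\n"
    "\r\n"
)
SAMPLE_EXPORT = ("\ufeff" + _SAMPLE_TEXT).encode("utf-16-le")


def _decode_export(data):
    """Version 5.00 exports are UTF-16LE with a BOM; 4.00 exports are ANSI."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("cp1252")


def _join_continuations(text):
    """Glue lines that end in a backslash onto the next line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        lines.append(buf + line.strip())
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _decode_value(raw):
    """Turn the right-hand side of a name=value line into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1) or 3)            # bare "hex:" is REG_BINARY
        blob = bytes.fromhex(m.group(2).replace(",", ""))
        if kind in (1, 2, 7):                  # REG_SZ / EXPAND_SZ / MULTI_SZ
            return blob.decode("utf-16-le").rstrip("\x00")
        return blob
    return raw


def parse_reg_export(data):
    """Return {key_path: {value_name: value}} for every key in the export."""
    keys, current = {}, None
    for line in _join_continuations(_decode_export(data)):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def service_start_type(data, key):
    """(code, meaning) for the Start value of one service key, or None."""
    for name, values in parse_reg_export(data).items():
        if name.lower() == key.lower():
            code = values.get("Start")
            if code is None:
                return None
            return code, START_TYPES.get(code, "Unknown(%d)" % code)
    return None


if __name__ == "__main__":
    print(service_start_type(SAMPLE_EXPORT, RPCSS_KEY))
    print(parse_reg_export(SAMPLE_EXPORT)[RPCSS_KEY]["ImagePath"])
```

Two things worth checking in a real export beyond Start: that ImagePath still names svchost with the expected -k group, and that the key is present at all (a service that has been deleted simply produces an empty export).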



