Cryptor removal help


  • This topic is locked
99 replies to this topic

#1 txretro

txretro

  • Members
  • 79 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atlanta GA
  • Local time:03:44 AM

Posted 12 November 2009 - 04:42 PM

Referred from here: http://www.bleepingcomputer.com/forums/t/270297/security-tool-malware/ ~ OB

This all started Sunday 8 Nov 2009. I was on Rapid Share downloading files when AVG informed me I had "Security Tool" and to quarantine it. I did, but it was too late. Up popped the Security Tool window. Having dealt with it in the past on friends' computers, I googled it and came to Bleeping Computers looking for MWAB. Updated it and ran it. I think it found a dozen or so Trojans, worms, etc. All showed removed at the end of the process, but AVG9.0 (always stay current with updates, and do a daily scan around 0100 each night) keeps showing W32/Cryptor. I can't get rid of it. Any assistance would be greatly appreciated.

Below are the logs from Win32KDiag, Root repeal and DDS as well as the Attach.zip file.


From Win32KDiag -
Running from: C:\Documents and Settings\Jack\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Jack\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

And from Root Repeal -

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/11/10 19:22
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7BD9000 Size: 1664 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8CA3000 Size: 49152 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF7B16000 Size: 5248 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\$avg\$chjw\2dec7675-d222-499a-a987-35053b18b438
Status: Size mismatch (API: 991456, Raw: 987320)

Path: c:\$avg\$chjw\924bb4ad-5030-48ad-83c1-bae16657b4fe
Status: Size mismatch (API: 1119876, Raw: 1111620)

Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-053A1D30.pf
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Handle [Index: 240, Type: Event]
Process: upsd.exe (PID: 2972) Address: 0x86556aa0 Size: -

Object: Hidden Handle [Index: 252, Type: File]
Process: upsd.exe (PID: 2972) Address: 0x8566a690 Size: -

==EOF==
From Log.txt -


Volume in drive C is WD 1
Volume Serial Number is 7C65-87C0

Directory of C:\WINDOWS\system32

04-Aug-04 03:56 180,224 scecli.dll

Directory of C:\WINDOWS\system32

04-Aug-04 03:56 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04-Aug-04 03:56 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\system32\dllcache

04-Aug-04 03:56 180,224 scecli.dll

Directory of C:\WINDOWS\system32\dllcache

04-Aug-04 03:56 407,040 netlogon.dll

Directory of C:\WINDOWS\system32\dllcache

04-Aug-04 03:56 55,808 eventlog.dll
3 File(s) 643,072 bytes

Total Files Listed:
6 File(s) 1,286,144 bytes
0 Dir(s) 4,471,099,392 bytes free

I have learned that I have the W32/cryptor trojan, but still cannot get rid of it.

DDS (Ver_09-10-26.01) - NTFSx86
Run by Jack at 16:20:05.79 on 12-Nov-09
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.529 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
D:\AVG 9\avgrsx.exe
E:\AdAware 2008\aawservice.exe
D:\AVG 9\avgcsrvx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
F:\@guard\iamapp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
D:\Tivo Desktop\TiVoNotify.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Belkin Bulldog\MUPS.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
f:\@guard\iamserv.exe
C:\WINDOWS\system32\nvsvc32.exe
F:\CompuPIc Pro\ScsiAccess.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
E:\Belkin Bulldog\upsd.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\System32\svchost.exe -k tapisrv
C:\WINDOWS\system32\wscntfy.exe
D:\AVG 9\avgchsvx.exe
D:\AVG 9\avgwdsvc.exe
D:\AVG 9\avgnsx.exe
D:\AVG 9\avgemc.exe
D:\AVG 9\avgcsrvx.exe
D:\AVG 9\avgtray.exe
C:\Documents and Settings\Jack\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.excite.com/
mURLSearchHooks: H - No File
mWinlogon: Shell=Explorer.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\avg 9\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [TivoTransfer] "c:\program files\common files\tivo shared\transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
uRun: [TivoNotify] "d:\tivo desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
uRun: [TivoServer] "d:\tivo desktop\TiVoServer.exe" /service /registry
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [iamapp] f:\@guard\iamapp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [Adobe Reader Speed Launcher] "e:\adobe\reader\Reader_sl.exe"
mRun: []
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [AVG9_TRAY] d:\avg9~1\avgtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mups.lnk - e:\belkin bulldog\MUPS.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\myvita~1.lnk - e:\computer stuff\my vital agent\ins\vitalagent\program\VtlAgent.exe
IE: E&xport to Microsoft Excel - e:\msoffi~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\msoffi~1\office11\REFIEBAR.DLL
DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5370/mcfscan.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\avg 9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
AppInit_DLLs: wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-21 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-21 360584]
R1 Iamdrv;Iamdrv;f:\@guard\iamdrv.sys [2001-2-5 102976]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 0VsNdis08;VitalAgent Network Driver 8.1;e:\computer stuff\my vital agent\ins\vitalagent\program\VsNdis08.sys [2007-7-1 31671]
R2 avg9emc;AVG Free E-mail Scanner;d:\avg 9\avgemc.exe [2009-11-3 906520]
R2 avg9wd;AVG Free WatchDog;d:\avg 9\avgwdsvc.exe [2009-11-3 285392]
R2 iamServ;WRQ IAM;f:\@guard\iamserv.exe [2001-2-5 64000]
R2 StudioPro;StudioPro webcam;c:\windows\system32\drivers\StudioPro.sys [2008-10-31 120320]
R2 TivoBeacon2;TiVo Beacon;c:\program files\common files\tivo shared\beacon\TiVoBeacon.exe [2007-4-6 865280]
R3 0VsComm12;VitalAgent Serial Port Driver 12.4;e:\computer stuff\my vital agent\ins\vitalagent\program\VsComm12.sys [2007-7-1 15443]
R3 DNSFILT;DNSFILT;f:\@guard\dnsfilt.sys [2001-2-5 4960]
R3 EuMusDesignVirtualAudioCableWdm;StudioPro audio (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2008-10-31 38784]
R3 FWFILT;FWFILT;f:\@guard\fwfilt.sys [2001-2-5 45632]
R3 HTTPFILT;HTTPFILT;f:\@guard\httpfilt.sys [2001-2-5 54848]
R3 NDISFILT;NDISFILT;f:\@guard\ndisfilt.sys [2001-2-5 20864]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-6-28 42512]

=============== Created Last 30 ================

2009-11-11 20:19:54 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-11 20:19:45 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-11 20:19:45 0 d-----w- c:\docume~1\jack\applic~1\SUPERAntiSpyware.com
2009-11-08 21:11:46 0 d-----w- c:\docume~1\jack\applic~1\Malwarebytes
2009-11-08 21:11:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 21:11:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 21:11:39 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 21:11:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-03 21:03:08 0 d--h--w- C:\$AVG
2009-11-03 21:02:36 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

==================== Find3M ====================

2009-11-10 14:33:51 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-08 22:33:02 2359350 ----a-w- c:\windows\CPICWPPR.DAT
2009-11-03 21:03:02 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-03 21:02:51 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-22 20:00:19 256 ----a-w- c:\documents and settings\jack\pool.bin

============= FINISH: 16:20:44.78 ===============

Edited by Orange Blossom, 13 November 2009 - 12:37 PM.
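
The RootRepeal report in the post above lists cross-view discrepancies: drivers with no visible file, files whose API size differs from the raw on-disk size, and hidden handles. As an added example (not part of the original thread and not RootRepeal's own code), this Python parser reads that text format and groups the entries for review; the sample is a shortened copy of the posted log, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the RootRepeal report quoted in the post above.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: giveio.sys
Address: 0xF7BD9000 Size: 1664 File Visible: No Signed: -

Name: rootrepeal.sys
Address: 0xB8CA3000 Size: 49152 File Visible: No Signed: -

Hidden/Locked Files
-------------------
Path: c:\$avg\$chjw\2dec7675-d222-499a-a987-35053b18b438
Status: Size mismatch (API: 991456, Raw: 987320)

Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-053A1D30.pf
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Handle [Index: 240, Type: Event]
Process: upsd.exe (PID: 2972) Address: 0x86556aa0 Size: -

Object: Hidden Handle [Index: 252, Type: File]
Process: upsd.exe (PID: 2972) Address: 0x8566a690 Size: -
==EOF==
"""

SECTIONS = ("Drivers", "Hidden/Locked Files", "Stealth Objects")
MISMATCH_RE = re.compile(r"Size mismatch \(API: (\d+), Raw: (\d+)\)")
HANDLE_RE = re.compile(r"Hidden Handle \[Index: (\d+), Type: (\w+)\]")
PROCESS_RE = re.compile(r"^(.+?) \(PID: (\d+)\)")


def parse_report(text):
    """Split a report into {section name: [record dict, ...]}."""
    sections = defaultdict(list)
    current, record = None, {}

    def flush():
        nonlocal record
        if current and record:
            sections[current].append(record)
        record = {}

    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:            # a section title starts a new group
            flush()
            current = line
        elif not line or line == "==EOF==":   # blank line ends a record
            flush()
        elif current and not line.startswith("---"):
            key, _, value = line.partition(": ")
            record.setdefault(key, value)
    flush()
    return sections


def triage(sections):
    """Collect cross-view discrepancies; hits are leads to explain, not verdicts."""
    leads = {"hidden_drivers": [], "size_mismatches": [],
             "api_only_files": [], "hidden_handles": defaultdict(list)}
    for drv in sections["Drivers"]:
        # The scanner's own rootrepeal.sys matches this check too.
        if "File Visible: No" in drv.get("Address", ""):
            leads["hidden_drivers"].append(drv.get("Name", "?"))
    for entry in sections["Hidden/Locked Files"]:
        status = entry.get("Status", "")
        m = MISMATCH_RE.search(status)
        if m:  # API view and raw disk view disagree on the file size
            leads["size_mismatches"].append((entry["Path"], int(m[1]) - int(m[2])))
        elif "not on disk" in status:
            leads["api_only_files"].append(entry["Path"])
    for obj in sections["Stealth Objects"]:
        handle = HANDLE_RE.search(obj.get("Object", ""))
        proc = PROCESS_RE.match(obj.get("Process", ""))
        if handle and proc:
            owner = (proc.group(1), int(proc.group(2)))
            leads["hidden_handles"][owner].append(handle.group(2))
    return leads
```

Calling `triage(parse_report(SAMPLE_REPORT))` returns the grouped entries; each size mismatch carries the byte difference between the API and raw views.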



#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:44 AM

Posted 20 November 2009 - 08:28 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 txretro

Posted 21 November 2009 - 03:25 PM

I have already run DDS; its results are in my initial post at the top of this thread. The only thing that has changed is the pc will no longer boot up, in safe mode or normally. Even using my XP cd. It's stuck in a loop. I'm in the process of installing a new hard drive in an older pc as I'm down to using my BlackBerry for internet and email. Hopefully I'll be able to clean and pull the data from the infected drive, via a usb enclosure. If you can still help, please let me know. I'm desperate.

#4 thcbytes

Posted 21 November 2009 - 06:03 PM

I might be able to help. There is a chance I can get your sick PC booting again. There is a very high likelihood that I can help you recover your files.
  • Do you know what the last thing you did was prior to encountering the boot loop?
  • Have you ever run Combofix?
  • Do you have the Recovery console installed on your pc?
  • Do you have a clean computer to download and burn specified programs to CD?
  • What happens when you try to boot from your XP CD?
Please do nothing except what I instruct in relation to the sick PC if you want my help.

Kind regards,
~ t

#5 txretro

Posted 22 November 2009 - 01:12 PM

While waiting for a solution, I was doing research on my end. I learned that Smitfraudfix could remove the virus, which I got when I d/l AVG 9. It had to be run in safe mode, but my pc wouldn't boot to anything other than normal. I went to msconfig and selected "bootsafe", then restarted. Now it's stuck in the loop. Called a local repair guy, he mentioned using the xp cd. That was no help. The cd runs, then I get a blue screen saying I need to run chkdsk on c before continuing. How can I run that when I can't even get a command prompt? No, I have not run a combo fix yet. As for the old pc, it's not cooperating. I do have a co-worker who said he'd loan me a spare pc if I need it to get me running again, but I have not taken him up on that offer yet. I won't touch the infected pc until I hear from you.

Thanks for your assistance.

#6 thcbytes

Posted 22 November 2009 - 05:44 PM

Alright.

Do this first....

Please go here and create a Recovery Console CD. Just click the link provided there to download the recovery_console_cd.zip and unzip that to your desktop.

Then, inside the recovery_console_cd folder that was created, locate and click on the IE icon titled Readme. This will open a webpage, which will provide the simple steps you will need to follow, as well as a clickable link to go to the MS download page where you can select the BootDisk file download appropriate for your operating system. For example, for an XP SP2 Home Edition you would be downloading WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe.

For emergency boot disk uses, as well as to access the Recovery Console, the SP2 version can also be used on systems that have the SP3 upgrade.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.

  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-Rom drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open
  • Type the green bolded lines below one line at a time and press Enter after entering each line.

    chkdsk /r
    fixboot
    ren C:\Boot.ini Boot.ini.bak
    bootcfg /rebuild


The first prompt should ask Add installation to boot list? (Yes/No/All).

Type Y in response to this question and press Enter.


The next prompt asks you to Enter Load Identifier:

This is the name of the operating system, type Windows XP Home Edition or Windows XP Professional (it specifies such on your disc!!!!) and press Enter.

The final prompt asks you to Enter OS Load options:

Type /Fastdetect here and press Enter.


Type exit and press Enter.
Reboot.

Success?

Thanks,
~t

#7 txretro

Posted 22 November 2009 - 06:11 PM

This may take a day or two, but I will give it a shot and reply when I'm done. Thank you!

#8 thcbytes

Posted 22 November 2009 - 06:24 PM

:(

#9 txretro

Posted 25 November 2009 - 09:14 AM

Just an update - the co-worker that is going to loan me his spare pc will bring it to me the Monday after Thanksgiving. In the meantime, he's loaned me his copy of Windows Live and a Win98 boot floppy to see if I can get my box to boot up. If it does, I'll post that I'm in and ready to start the cleanup process.

#10 thcbytes

Posted 25 November 2009 - 01:57 PM

I am surprised you can't get the XP CD to boot. Would you be willing to try it again? If you're getting a chkdsk prompt it might be trying to boot from the hard drive, not the CD. You might need to change the boot order in the BIOS.

Do this....
  • Insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.

  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-Rom drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your XP-CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open
  • Type the green bolded lines below one line at a time and press Enter after entering each line.

    chkdsk /r
    fixboot
    ren C:\Boot.ini Boot.ini.bak
    bootcfg /rebuild


  • Type "Exit" to restart the computer.
  • As soon as the computer starts hit F8 every second to bring up the Advanced Options Menu.
  • Choose the Last Known Good Configuration.
  • Success?
Thanks,
~t

#11 txretro

Posted 26 November 2009 - 04:38 PM

I set the first boot device to the cd, and got to startup. I don't get a 'welcome to setup', just a 'windows setup'. F2 starts automated recovery, but I don't have an XP system recovery disk, which it wants. I have a win 98 startup disk - since it has fdisk I figured it would help get me to a command prompt. I am running XP sp2, abit ib9 mobo, two 1 gb patriot ddr2 pc6400 modules and an intel core2duo 1.8ghz cpu. I built this system 4 May 07. When I started this process today, I'd get a long beep on post. Everything I've read pointed to ram, so I pulled one stick. While waiting for a response, I've been talking to my co-worker. He thinks my current boot issues are ram related. Can best buy test ram modules? I bought the hardware at Fry's - it's my toy store - but they are about an hour away. I can pull them both and get them tested on my way home from work Friday. Any ideas? Happy turkey day, btw.

#12 thcbytes

Posted 26 November 2009 - 09:51 PM

Reading through your prior posts it appears that you are/were infected. This would clearly explain your current issues. What makes you think that despite your current malware problem that you may now be experiencing hardware issues?

Here is the plan.

If you want my assistance then I ask that you follow my instructions and do nothing else without 1st discussing it with me. When I begin to institute fixes, if you're doing things behind the scenes that I am unaware of then it might make your situation worse.

So what is your decision? You want my help or are you gonna tackle this by another route?

Kind regards,
~ t

#13 txretro

Posted 27 November 2009 - 06:07 AM

I need your help. I won't do anything until you say so.

#14 thcbytes

Posted 27 November 2009 - 10:25 AM

Great! :(

"I have a win 98 startup disk"

This won't work.

Our options....
  • Borrow an XP install disc from a friend. You will not need the product key.
  • Borrow a friend's computer to download and burn a Recovery Console CD that we can use on your sick computer. You do not need to move the computer. You will just sit down at their computer. Download the RC. Then burn it to CD. Would take about 10 minutes to create.
Which is most feasible?

Thanks,
~ t

#15 txretro

Posted 28 November 2009 - 02:20 PM

By XP install disk I'm guessing you are referring to the cd? If that's the case I think I'll go the Recovery Console route. When I get the RC cd I'll let you know before I start the process.



