It looks like there is a rootkit variant in this log


This topic is locked
79 replies to this topic

#31 toe (Topic Starter, Members, 57 posts)

Posted 26 December 2009 - 11:23 AM

Here is the zipped attached text file

Attached Files



#32 extremeboy (Malware Response Team, 12,975 posts)

Posted 26 December 2009 - 11:46 AM

Hello.

Yes. Those are the logs.

Delete your copy of Combofix and run it again with the instructions below...

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it is running, because it may cause it to stall.

--
Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator.)
  • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :filefind
    atapi*
  • Please confirm that everything is copied and pasted exactly as provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take anywhere from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#33 toe (Topic Starter, Members, 57 posts)

Posted 26 December 2009 - 12:39 PM

I followed your instructions for ComboFix. It completed and I copied the log to post here. I connected to the network and tried to open IE to reply to your last communication, and I get a message: "Illegal operation attempted on a registry key that has been marked for deletion." I tried to paste in Notepad and MS Word and get the same message. I tried going into Control Panel but get the same message there as well.

#34 extremeboy (Malware Response Team, 12,975 posts)

Posted 26 December 2009 - 01:01 PM

Hello.

Please reboot your computer.

Now run Combofix again and continue with the rest of the instructions and let me know how it goes.

~EB

#35 toe (Topic Starter, Members, 57 posts)

Posted 26 December 2009 - 01:29 PM

I left my computer while ComboFix was running, and when I came back it was rebooting?

#36 toe (Topic Starter, Members, 57 posts)

Posted 26 December 2009 - 02:45 PM

Here's the combofix report. I'll now try to get the other.

ComboFix 09-12-25.05 - TO 12/26/2009 13:07:50.13.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1041 [GMT -6:00]
Running from: c:\users\TO\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\autochk.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))
.

2009-12-26 19:19 . 2009-12-26 19:22 -------- d-----w- c:\users\TO\AppData\Local\temp
2009-12-26 19:19 . 2009-12-26 19:19 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-26 19:19 . 2009-12-26 19:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-23 02:53 . 2009-12-23 02:53 93056 ----a-w- C:\pxldipoc.sys
2009-12-19 01:03 . 2009-12-19 01:03 -------- d-----w- c:\programdata\McAfee Security Scan
2009-12-19 01:03 . 2009-12-19 01:03 -------- d-----w- c:\program files\McAfee Security Scan
2009-12-12 21:59 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-12 21:59 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-12 21:59 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-10 00:15 . 2009-10-27 14:11 834048 ----a-w- c:\windows\system32\wininet.dll
2009-12-10 00:15 . 2009-10-27 13:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-10 00:14 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 12:11 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-08 22:30 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-08 22:30 . 2009-12-08 22:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-08 22:30 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-07 19:39 . 2009-12-07 19:39 -------- d-----w- c:\users\TO\AppData\Local\Roxio
2009-12-01 13:25 . 2009-12-01 13:25 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-30 19:39 . 2009-11-30 19:39 0 ----a-w- c:\windows\nsreg.dat
2009-11-30 19:39 . 2009-11-30 19:39 -------- d-----w- c:\users\TO\AppData\Local\Mozilla
2009-11-30 19:36 . 2009-11-30 19:36 -------- d-----w- c:\program files\WOT
2009-11-29 22:23 . 2009-11-29 22:23 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-29 22:22 . 2009-12-26 17:08 -------- d-----w- c:\users\TO\AppData\Roaming\SUPERAntiSpyware.com
2009-11-29 22:22 . 2009-12-26 17:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-29 18:38 . 2009-11-29 18:42 -------- d-----w- c:\programdata\SITEguard
2009-11-29 18:37 . 2009-11-29 20:44 -------- d-----w- c:\program files\STOPzilla!
2009-11-29 18:37 . 2009-11-29 18:37 -------- d-----w- c:\program files\Common Files\iS3
2009-11-29 18:37 . 2009-11-29 20:44 -------- d-----w- c:\programdata\STOPzilla!
2009-11-29 12:19 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-29 12:12 . 2009-11-29 12:12 -------- dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 19:21 . 2007-04-13 08:09 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-12-26 19:21 . 2007-04-10 14:53 56680 ----a-w- c:\windows\system32\Rpcnet.dll
2009-12-26 18:59 . 2007-04-13 08:09 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-12-26 16:19 . 2006-11-02 08:32 56680 ----a-w- c:\windows\system32\rpcnet.exe
2009-12-23 20:47 . 2009-11-20 20:58 -------- d-----w- c:\programdata\avg9
2009-12-23 15:20 . 2007-06-08 17:59 -------- d-----w- c:\program files\Quicken
2009-12-21 01:03 . 2007-03-02 11:32 -------- d-----w- c:\programdata\McAfee
2009-12-19 17:10 . 2009-07-14 01:28 862040 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-19 17:09 . 2009-07-14 01:28 206944 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-19 17:09 . 2009-07-14 01:28 390288 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-19 17:08 . 2009-12-01 13:25 537576 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-19 17:08 . 2009-07-14 01:28 370744 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-19 17:08 . 2009-07-14 01:28 194104 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-19 16:55 . 2009-07-14 01:28 6296864 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-19 16:53 . 2009-07-14 01:28 933120 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-19 16:52 . 2009-07-14 01:28 816272 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-19 16:52 . 2009-07-14 01:28 822904 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-19 16:51 . 2009-07-14 01:28 1643272 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-19 16:51 . 2009-07-14 01:28 788880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-19 16:50 . 2009-07-14 01:28 1181328 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-19 01:06 . 2008-11-14 17:12 -------- d-----w- c:\programdata\NOS
2009-12-18 14:11 . 2009-12-18 14:11 294656 ----a-w- c:\programdata\avg9\update\backup\avglngx.dll
2009-12-15 17:38 . 2009-07-14 17:31 -------- d-----w- c:\program files\Coupons
2009-12-14 21:03 . 2007-03-12 13:36 -------- d-----w- c:\users\TO\AppData\Roaming\Corel
2009-12-14 15:04 . 2009-12-14 15:04 4043032 ----a-w- c:\programdata\avg9\update\backup\avgui.exe
2009-12-14 15:04 . 2009-12-14 15:04 3776280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2009-12-14 15:04 . 2009-12-14 15:04 2352920 ----a-w- c:\programdata\avg9\update\backup\avgresf.dll
2009-12-14 15:04 . 2009-12-14 15:04 3967256 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2009-12-10 09:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-10 09:03 . 2007-03-02 11:29 -------- d-----w- c:\programdata\Microsoft Help
2009-12-01 13:25 . 2009-12-01 13:25 93360 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-12-01 13:25 . 2009-12-01 13:25 554280 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\sbap.dll
2009-12-01 13:25 . 2009-07-14 01:28 15880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-12-01 13:25 . 2009-03-16 11:35 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-01 13:25 . 2009-12-01 13:25 212480 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-12-01 13:25 . 2009-12-01 13:25 283944 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-12-01 13:25 . 2009-07-14 01:28 163728 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-12-01 13:25 . 2009-12-01 13:25 1223976 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-12-01 13:25 . 2009-12-01 13:25 242984 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-12-01 13:24 . 2009-07-14 01:28 327000 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-12-01 13:24 . 2009-07-14 01:28 87496 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-12-01 13:24 . 2009-10-13 01:28 641632 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-29 19:20 . 2009-11-29 18:47 5064 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-11-25 12:39 . 2009-08-06 14:53 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-21 23:29 . 2009-11-20 20:59 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-20 21:36 . 2009-11-20 21:04 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-20 21:15 . 2009-11-20 21:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-20 20:59 . 2009-11-20 20:59 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-20 20:59 . 2009-11-20 20:59 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-20 20:59 . 2009-11-20 20:59 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-20 20:58 . 2009-11-20 20:58 -------- d-----w- c:\program files\AVG
2009-11-18 02:21 . 2009-11-18 02:21 -------- d-----w- c:\users\TO\AppData\Roaming\Malwarebytes
2009-11-18 02:21 . 2009-11-18 02:21 -------- d-----w- c:\programdata\Malwarebytes
2009-11-18 02:02 . 2007-03-08 21:56 5568 ----a-w- c:\users\TO\AppData\Local\d3d9caps.dat
2009-11-05 16:00 . 2007-03-12 20:09 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-03 02:42 . 2009-11-20 21:04 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-30 08:12 . 2009-10-30 08:12 -------- d-----w- c:\program files\Windows Portable Devices
2009-10-30 08:12 . 2009-10-30 08:12 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-30 08:12 . 2009-10-30 08:12 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-29 09:17 . 2009-11-26 09:01 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-21 16:45 . 2008-01-22 01:43 33792 ----a-w- c:\windows\system32\identprv.dll
2009-10-14 16:33 . 2007-03-07 20:04 248320 ----a-w- c:\users\TO\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-14 16:04 . 2009-10-14 16:04 50 ----a-w- c:\windows\system32\bridf08a.dat
2009-10-13 01:29 . 2009-10-13 01:29 17632 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2009-10-13 01:29 . 2009-10-13 01:29 68640 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2009-10-13 01:29 . 2009-10-13 01:29 303976 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2009-10-13 01:28 . 2009-07-14 01:28 640760 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-10-08 21:08 . 2009-10-30 08:01 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08 . 2009-10-30 08:01 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-10-30 08:01 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-03 08:15 . 2009-11-29 12:12 2924848 -c--a-w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-10-01 01:02 . 2009-10-30 08:03 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-10-30 08:04 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-10-30 08:03 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-10-30 08:03 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-10-30 08:04 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-10-30 08:03 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-10-30 08:03 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-10-30 08:04 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-10-30 08:03 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-10-30 08:03 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-10-30 08:03 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-10-30 08:04 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01 . 2009-10-30 08:03 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01 . 2009-10-30 08:03 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01 . 2009-10-30 08:03 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01 . 2009-10-30 08:03 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-11-19 11:54 . 2009-11-30 23:00 1261568 ----a-w- c:\program files\mozilla firefox\components\CtH-7z9h.dll
2007-03-02 18:58 . 2007-03-02 18:57 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-14 2033432]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2009-10-14 1089536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-12-10 00:54 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2009-12-19 16:51 788880 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 18:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BKEXVGA]
2007-01-26 22:10 319488 ----a-w- c:\windows\System32\BKEXVGA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2006-11-27 22:56 1540096 ----a-w- c:\windows\System32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-11-12 08:19 446976 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 15:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 15:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2006-11-17 21:19 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMOFFICE4DMOUSE]
2007-03-09 14:57 958464 ----a-w- c:\program files\Labtec\Desktop\V5.1\MOffice.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2008-08-06 10:49 29744 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HIDDAEMON]
2007-01-26 22:10 180224 ----a-w- c:\windows\System32\HIDDAEMON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2006-12-12 16:03 106496 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-12-12 16:02 98304 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 21:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-10 15:51 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2007-05-03 00:16 184320 ------w- c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2006-12-12 16:02 81920 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 15:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2008-07-03 17:37 812952 ----a-w- c:\program files\Registry Mechanic\RMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-01-12 15:51 303104 ----a-w- c:\windows\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sprint SmartView]
2008-08-04 20:14 18968 ----a-w- c:\program files\Sprint\Sprint SmartView\SprintSV.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-03-07 22:41 171448 ----a-w- c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
2007-05-31 14:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):e1,5f,70,1c,71,40,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4102386807-773373197-1560255618-1000]
"EnableNotificationsRef"=dword:00000001

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [11/29/2009 06:19 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [11/20/2009 14:59 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [11/20/2009 14:59 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/20/2009 14:58 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/20/2009 14:58 285392]
R2 EMP_NSWLSV;EMP_NSWLSV;c:\program files\EPSON Projector\EMP NS Connection V2\EMP_NSWLSV.exe [5/26/2009 08:06 98304]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [11/20/2009 15:05 1153368]
R3 BLKPCIEVGAEX;BLKPCIEVGAEX;c:\windows\System32\drivers\blkgrpex.sys [3/8/2007 15:58 254080]
R3 BLKPCIEVGAMR;BLKPCIEVGAMR;c:\windows\System32\drivers\BLKGRPMR.sys [3/8/2007 15:58 252800]
S3 CM1063264;C-Media CM106 Like Sound UDAX Interface;c:\windows\System32\drivers\cm106.sys [3/8/2007 15:58 1290752]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/9/2009 14:28 21504]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/2/2007 05:34 29744]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 05:17 1181328]
S3 XGIGraphics;XGIGraphics;c:\windows\System32\drivers\XG20GRP.sys [3/8/2007 15:58 283136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1070302
mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1070302
FF - ProfilePath - c:\users\TO\AppData\Roaming\Mozilla\Firefox\Profiles\77gero9a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www1.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.startup.homepage - hxxp://www1.iamwired.net/
FF - prefs.js: keyword.URL - hxxp://www1.iamwired.net/websearch.php?src=tops&search=
FF - component: c:\program files\Mozilla Firefox\components\CtH-7z9h.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-26 13:22
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85005369]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x881aad24
\Driver\ACPI -> acpi.sys @ 0x82c9cd68
\Driver\atapi -> ataport.SYS @ 0x82dbfa2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK
copy of MBR has been found in sector 61 !
copy of MBR has been found in sector 62 !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3988)
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\SYSTEM32\Rpcnet.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\program files\Brother\Brmfcmon\BrMfimon.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-12-26 13:33:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-26 19:33
ComboFix2.txt 2009-12-26 17:28
ComboFix3.txt 2009-12-24 15:04

Pre-Run: 57,803,554,816 bytes free
Post-Run: 57,755,848,704 bytes free

- - End Of File - - E794C4774EAB1B36CA0F5F6603FF58EA

#37 toe

toe
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:09:09 PM

Posted 26 December 2009 - 02:50 PM

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 13:47 on 26/12/2009 by TO (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi*"
C:\Windows\ERDNT\cache\atapi.sys --a--- 19944 bytes [15:00 24/12/2009] [12:39 25/11/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys --a--- 21560 bytes [14:48 03/03/2008] [14:48 03/03/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys --a--- 19048 bytes [18:58 02/03/2007] [18:58 02/03/2007] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [14:53 06/08/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [20:29 09/01/2009] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [14:53 06/08/2009] [12:39 25/11/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16391_none_daf194c024ab5b06\atapi.sys --a--- 19048 bytes [18:58 02/03/2007] [18:58 02/03/2007] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys --a--- 21560 bytes [14:48 03/03/2008] [14:48 03/03/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20485_none_db8a029f3dbd443b\atapi.sys --a--- 19048 bytes [18:58 02/03/2007] [18:58 02/03/2007] 5653737BAD8C6C10136451C195C19881
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys --a--- 21560 bytes [14:48 03/03/2008] [14:48 03/03/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [20:29 09/01/2009] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [14:53 06/08/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4

-=End Of File=-
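The listing above, parsed and cross-checked as an added example in Python; this is not SystemLook's, ComboFix's or the helper's code. Its only input is the filefind section copied from post #37. The hash-to-version mapping is read from the winsxs component directory names in those same lines, and the DriverStore copy that the later instructions use as the replacement source falls out of it. The caveat a practitioner wants here: every hash in that listing was produced by reading the files through the booted kernel, which a driver-resident rootkit can filter, so a hash that matches a store copy inside the running system is a hint, not proof, and that is the reason the replacement is done offline from WinRE.

```python
"""Triage of the SystemLook "filefind" listing from post #37.

Added example (Python), not SystemLook's, ComboFix's or the helper's code.
Groups every atapi.sys copy by MD5, reads the component version out of the
winsxs directory names and checks the installed driver against the store copies.
Hashes taken from inside the booted system can be filtered by a rootkit that
lives in the driver, so a match here is a hint, not proof.
"""
import re
from collections import defaultdict

# Listing lines copied verbatim from post #37 (not constructed).
SYSTEMLOOK_OUTPUT = r"""
Searching for "atapi*"
C:\Windows\ERDNT\cache\atapi.sys --a--- 19944 bytes [15:00 24/12/2009] [12:39 25/11/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys --a--- 21560 bytes [14:48 03/03/2008] [14:48 03/03/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys --a--- 19048 bytes [18:58 02/03/2007] [18:58 02/03/2007] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [14:53 06/08/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [20:29 09/01/2009] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [14:53 06/08/2009] [12:39 25/11/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16391_none_daf194c024ab5b06\atapi.sys --a--- 19048 bytes [18:58 02/03/2007] [18:58 02/03/2007] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys --a--- 21560 bytes [14:48 03/03/2008] [14:48 03/03/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20485_none_db8a029f3dbd443b\atapi.sys --a--- 19048 bytes [18:58 02/03/2007] [18:58 02/03/2007] 5653737BAD8C6C10136451C195C19881
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys --a--- 21560 bytes [14:48 03/03/2008] [14:48 03/03/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [20:29 09/01/2009] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [14:53 06/08/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
"""

ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+?)\s+"                 # drive-letter path (none here contain spaces)
    r"(?P<attrs>[-A-Za-z]{6})\s+"                     # attribute flags such as --a---
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+"   # the two timestamps SystemLook prints
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# Version embedded in a winsxs component directory name, e.g. ..._6.0.6002.18005_none_...
WINSXS_VERSION_RE = re.compile(r"\\winsxs\\[^\\]*?_(\d+\.\d+\.\d+\.\d+)_", re.IGNORECASE)


def parse_filefind(text):
    """One dict per file line of a filefind section; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def is_store_copy(path):
    """True for the copies Windows keeps as references (DriverStore and winsxs)."""
    p = path.lower()
    return "\\driverstore\\filerepository\\" in p or "\\winsxs\\" in p


def versions_by_hash(entries):
    """MD5 -> sorted component versions whose winsxs copy carries that hash."""
    found = defaultdict(set)
    for e in entries:
        m = WINSXS_VERSION_RE.search(e["path"])
        if m:
            found[e["md5"]].add(m.group(1))
    return {h: sorted(v) for h, v in found.items()}


def triage(entries, live_suffix="\\system32\\drivers\\atapi.sys"):
    """Compare the installed driver with every reference copy in the listing."""
    live = [e for e in entries if e["path"].lower().endswith(live_suffix)]
    if len(live) != 1:
        raise ValueError("expected one installed driver, found %d" % len(live))
    live = live[0]
    store = [e for e in entries if is_store_copy(e["path"])]
    same_hash = sorted(e["path"] for e in store if e["md5"] == live["md5"])
    return {
        "live_md5": live["md5"],
        "live_size": live["size"],
        "distinct_hashes": len({e["md5"] for e in entries}),
        "store_copies_with_same_hash": same_hash,
        "live_versions": versions_by_hash(entries).get(live["md5"], []),
        "matches_store_copy": bool(same_hash),
        # same length as a store copy but a new hash is what an in-place patch looks like
        "size_seen_in_store": any(e["size"] == live["size"] for e in store),
    }


def newest_store_copy(entries):
    """DriverStore copy whose hash belongs to the highest winsxs version: the
    natural source for an offline replacement (post #42 picks exactly this one)."""
    versions = versions_by_hash(entries)
    best, best_key = None, ()
    for e in entries:
        if "\\driverstore\\filerepository\\" not in e["path"].lower():
            continue
        for v in versions.get(e["md5"], []):
            key = tuple(int(x) for x in v.split("."))
            if key > best_key:
                best, best_key = e["path"], key
    return best


if __name__ == "__main__":
    parsed = parse_filefind(SYSTEMLOOK_OUTPUT)
    for k, v in triage(parsed).items():
        print("%-28s %s" % (k, v))
    print("replacement source           ", newest_store_copy(parsed))
```

On this listing the installed driver hashes like the SP2-era store copies, and `newest_store_copy` returns the `mshdc.inf_b12d8e84` copy. The `size_seen_in_store` flag is the one to watch on a listing where the hash does not match: an in-place patch leaves the file at its original length, whereas a dropped replacement driver usually does not.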

#38 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:09 PM

Posted 26 December 2009 - 03:19 PM

Thanks for those logs.

Do you have the Vista disk with you? We are going to use that to access the Windows Recovery Environment to deal with this.

With Regards,
Extremeboy

Edited by extremeboy, 26 December 2009 - 03:20 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#39 toe

Posted 26 December 2009 - 03:30 PM

No. I'll try to get it before Monday but may not happen. We're trying to recover from a blizzard.

#40 toe

Posted 26 December 2009 - 03:35 PM

I'm going to attempt to go get it. Wish me luck.

#41 toe

Posted 26 December 2009 - 04:25 PM

I now have "Reinstallation DVD Windows Vista Home Premium 32BIT" . Is that what I need?

#42 extremeboy

Posted 26 December 2009 - 07:39 PM

Hello.

Step #1

Create and Execute batch script
  • Copy the following into notepad (Start>Run>"notepad"). Do not copy the word "quote".

    @ECHO OFF

    Copy /y "C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys" c:\
    Del %0

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input Copy.bat.
  • Hit OK.
When done properly, the icon should look like Posted Image for XP machines and Posted Image for Vista machines.

Double click on Copy.bat to run it. If you are using Windows Vista, please right-click and Run As Administrator...

A black DOS window will appear and then disappear. This is normal; please do not panic. The file will delete itself upon completion, which is also normal.

Confirm that there is a copy of the file: atapi.sys in your C:\ drive. If the file is not there, report back here letting me know.

Booting into the Windows Vista WinRE Environment using Windows Vista disk

Please insert your Windows Vista installation media into your CD-ROM/DVD drive and reboot your computer. During the reboot you should see Press Any key to Boot from CD/DVD.... If you see that, press any key to continue and follow the next set of instructions, "Using the Vista CD Disk to Access the Vista WinRE Environment". If not, first follow the instructions under "How to Configure the System to Boot from CD/DVD" and then the steps under "Using the Vista CD Disk to Access the Vista WinRE Environment".

How to Configure the system to boot from CD/DVD

Some machines will automatically attempt to boot from the CD if one is inserted; if that is the case, please skip the instructions below...
  • Please reboot your machine or turn it on (without the CD)
  • As soon as the BIOS is loaded, begin tapping F2 or F12, or perhaps F9, F10 or F11 (try all of them if unsure, starting with F2)
  • Different machines have different keys.
  • This will bring up the configuration options; please use your arrow keys to go to the Boot tab.
  • In the Boot tab, there should be instructions on the right-hand side on how to move CD/DVD to the top (first priority)
  • After you have moved CD/DVD at the top/first priority, please make sure you SAVE AND EXIT <- Important
  • It will now exit with Configuration settings saved.
Using the Vista CD Disk to Access the Vista WinRE Environment
  • Insert the Windows Vista disk in your computer.
  • Restart your computer so you are booting off of the CD.
  • During the reboot and boot up you will get a message saying: "Press any key to boot from CD", press Enter on your keyboard.
  • Select your language options, Time and Keyboard and press Next
  • At the next prompt press Posted Image
  • Select your Operating System (Windows Vista; the main one) from the list, and then press Next
  • Now press the Command Prompt option.
  • Enter the following code line by line one at a time and pressing enter on your keyboard on each line.
  • Wait for each command to be completed before continuing with the next one.
    c:
    cd c:\windows\system32\drivers
    ren atapi.sys atapi.old
    Copy "C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys"
  • Press the Restart button and remove your Windows Vista disk from the DVD drive. Windows should now begin to load.
With Regards,
Extremeboy
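A way to check the two copy steps above, as an added example in Python; it is not the helper's code and not part of the thread. It hashes the DriverStore source and compares the staged copy at the root of C:, the installed driver and the renamed original against it. Run it once after Copy.bat, when the staged copy must match its source, and again after the WinRE swap and reboot, when the installed driver must match as well. The default paths are the ones used in the instructions and are assumptions to adjust if they differ on the machine; note too that WinRE assigns its own drive letters, so the Windows volume is not guaranteed to be C: inside the recovery command prompt. A run taken before the offline swap reads the driver through the booted kernel, which a rootkit can filter; only the post-reboot run counts as evidence. The `demo` function writes constructed stand-in files (not real drivers) so the check can be exercised offline.

```python
r"""Verification of the atapi.sys staging and replacement described in post #42.

Added example (Python), not the helper's code. Default paths are the ones the
thread uses (assumed; adjust to the machine). A run before the offline swap goes
through the booted kernel, which a rootkit can filter; the post-reboot run is the
one that counts.
"""
import hashlib
import os
import tempfile

SOURCE = r"C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys"
STAGED = r"C:\atapi.sys"                              # written by Copy.bat
LIVE = r"C:\Windows\System32\drivers\atapi.sys"
BACKUP = r"C:\Windows\System32\drivers\atapi.old"     # created by the ren step in WinRE


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks; SystemLook reports MD5, so values compare directly."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def describe(path, reference_md5):
    """Hash and size of one file, with its status relative to the reference hash."""
    if not os.path.isfile(path):
        return {"status": "missing"}
    digest = md5_of(path)
    return {"md5": digest, "size": os.path.getsize(path),
            "status": "match" if digest == reference_md5 else "DIFFERS"}


def check_replacement(source=SOURCE, staged=STAGED, live=LIVE, backup=BACKUP):
    """Compare the staged copy, the installed driver and the renamed original with
    the store copy. 'ok' needs staged and live to match; the backup is only reported,
    since it is expected to differ if it was tampered with."""
    ref = md5_of(source)
    report = {"reference_md5": ref, "reference_size": os.path.getsize(source)}
    for label, path in (("staged", staged), ("live", live), ("backup", backup)):
        report[label] = describe(path, ref)
    report["ok"] = (report["staged"]["status"] == "match"
                    and report["live"]["status"] == "match")
    return report


def demo(root=None):
    """Constructed stand-in files (not real drivers): a good source, a correct staged
    copy, an installed driver whose bytes were changed in place at the same length,
    and no backup yet. Models the state right after Copy.bat on a tampered system."""
    root = root or tempfile.mkdtemp(prefix="atapi-check-")
    good = b"\x4d\x5a" + b"A" * 19942                      # 19944 bytes, like the thread's driver
    patched = good[:4096] + b"B" * 64 + good[4160:]        # same size, different content
    paths = {n: os.path.join(root, n) for n in ("source.sys", "staged.sys", "live.sys")}
    for name, data in (("source.sys", good), ("staged.sys", good), ("live.sys", patched)):
        with open(paths[name], "wb") as f:
            f.write(data)
    return check_replacement(paths["source.sys"], paths["staged.sys"], paths["live.sys"],
                             os.path.join(root, "missing.old"))


if __name__ == "__main__":
    import json
    import sys
    result = demo() if "--demo" in sys.argv else check_replacement()
    print(json.dumps(result, indent=2))
```

Run with `--demo` to see the report on the constructed files: the staged copy matches, the installed driver is flagged DIFFERS at the same size as the reference, the backup is missing and `ok` is false. On the real machine the expected sequence is staged match first, then, after the WinRE swap and reboot, live match and a backup that may well differ.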

#43 toe

Posted 26 December 2009 - 08:15 PM

How do I do this: Confirm that there is a copy of the file: atapi.sys in your C:\ drive. If the file is not there, report back here letting me know.

#44 toe

Posted 27 December 2009 - 07:55 AM

How do I do this? "Confirm that there is a copy of the file: atapi.sys in your C:\ drive". I looked for it from Vista Search Box and the only place that came up was COMBOFIX.

#45 extremeboy

Posted 27 December 2009 - 11:58 AM

How do I do this?

In step #1, when you ran the batch script, is there a file called atapi.sys in the root of your C:\ drive? If so, the copy went successfully; please continue with the rest of the instructions.



