
Computer sending spam email


  • This topic is locked
18 replies to this topic

#1 SEO Acuity
  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:03 AM

Posted 23 December 2009 - 11:13 AM

Luckily I have been virus free for years, but since Monday my computer has been sending tons of spam emails unless it's shut down.

Below is my file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:02 AM, on 12/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\windows\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Smart PDF Converter Pro\sspdfagentd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Documents and Settings\Pablo\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\windows\system32\ctfmon.exe
C:\Documents and Settings\Pablo\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O3 - Toolbar: FireShot - {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - C:\Documents and Settings\Pablo\Application Data\Mozilla\Firefox\Profiles\pzz6b5qw.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.76.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SmartSoft PDF Printer (demo) Agent] "C:\Program Files\Smart PDF Converter Pro\sspdfagentd.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [RCHotKey] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Pablo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Pablo\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: McAfee Security Scan.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\windows\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9e0d06c713a09) (gupdate1c9e0d06c713a09) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe

--
End of file - 7203 bytes


Using XP Pro, Malwarebytes, AVG Free.

First got infected with Security Tool, got rid of it, and right away found I was sending spam from my box.


#2 SEO Acuity
  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:03 AM

Posted 01 January 2010 - 02:44 PM

I still need help. I removed one malware, then got rid of the spam/email problem, only to be hit with Antivirus 2010 and the "you have been infected with the Netsky virus" warning, redirected Google and Yahoo searches, and more spam email going out.

#3 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,820 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:03 PM

Posted 04 January 2010 - 03:32 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log
Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#4 SEO Acuity
  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:03 AM

Posted 06 January 2010 - 11:59 AM

Thanks so much for your help. I was able to kill the trojan that was sending email and shutting my browser down, but I have that nasty redirect virus. I was hit all at the same time.

I use AVG Free and Malwarebytes but it still doesn't get or find this monster.


#5 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,820 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:03 PM

Posted 06 January 2010 - 12:12 PM

Hello SEO Acuity,

P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#6 SEO Acuity
  • Topic Starter
  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:03 AM

Posted 06 January 2010 - 03:22 PM

I uninstalled uTorrent.

ComboFix 10-01-04.01 - Pablo 01/06/2010 13:14:49.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1615 [GMT -6:00]
Running from: c:\download\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WebPosition 3\riCHtx32.ocx
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\recycler\S-1-5-21-1454471165-1284227242-725345543-1003
C:\Thumbs.db
c:\windows\system32\config\systemprofile\Start Menu\Programs\Security Tool.lnk
c:\windows\system32\drivers\npf.sys
c:\windows\system32\driVERs\wkdkins.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_SSHNAS
-------\Service_npf
-------\Legacy_wkdkins
-------\Service_wkdkins


((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))
.

2010-01-06 16:54 . 2010-01-06 16:54 -------- d-----w- C:\malware text
2009-12-31 22:31 . 2009-12-31 22:31 54016 ----a-w- c:\windows\system32\drivers\tgkbgey.sys
2009-12-31 20:53 . 2009-12-31 20:53 -------- d-----w- c:\program files\CCleaner
2009-12-31 16:27 . 2009-12-31 16:27 80784 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 16:20 . 2010-01-02 01:23 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\tohsrm
2009-12-31 16:06 . 2009-12-31 16:06 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Mozilla
2009-12-31 15:51 . 2009-12-31 15:51 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2009-12-31 10:37 . 2009-12-31 10:37 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-12-31 07:15 . 2009-12-31 11:13 0 ----a-w- c:\windows\system32\drivers\phuavd.sys
2009-12-31 07:08 . 2009-12-31 07:08 -------- d-----w- c:\documents and settings\Pablo\Local Settings\Application Data\PCHealth
2009-12-28 21:35 . 2009-12-28 21:36 -------- d-----w- C:\49b8e144dca00116a245
2009-12-28 21:22 . 2009-12-28 21:22 -------- d-----w- C:\f258c2d5e6e7f31d0775a6
2009-12-22 17:43 . 2009-12-22 17:43 -------- d-----w- c:\documents and settings\Pablo\Application Data\Thunderbird
2009-12-22 17:43 . 2009-12-22 17:43 -------- d-----w- c:\documents and settings\Pablo\Local Settings\Application Data\Thunderbird
2009-12-22 17:41 . 2010-01-05 07:27 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-12-22 17:29 . 2009-12-22 17:29 -------- d-----w- c:\program files\Trend Micro
2009-12-22 12:22 . 2009-12-22 12:22 -------- d-----w- c:\documents and settings\Pablo\Local Settings\Application Data\{156AB7AF-CDC1-443E-B586-CF5C66915D88}
2009-12-22 09:48 . 2009-12-22 09:48 116 ----a-w- c:\windows\system32\fjhdyfhsn.bat
2009-12-21 23:46 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-12-21 23:17 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-12-21 21:35 . 2009-12-21 21:35 -------- d-----w- c:\documents and settings\Pablo\Application Data\Malwarebytes
2009-12-21 21:35 . 2009-12-30 20:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-21 21:35 . 2010-01-02 23:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-21 21:35 . 2009-12-30 20:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 21:35 . 2009-12-21 21:35 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-12-21 19:10 . 2009-12-22 09:48 0 ----a-w- c:\windows\Bforowayecoxew.bin
2009-12-21 19:10 . 2009-12-22 12:22 120 ----a-w- c:\windows\Wpaxerebev.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-06 19:25 . 2005-05-27 05:31 -------- d-----w- c:\program files\WebPosition 3
2010-01-06 18:58 . 2009-05-28 19:13 -------- d-----w- c:\documents and settings\Pablo\Application Data\uTorrent
2010-01-06 06:24 . 2007-11-03 21:31 -------- d-----w- c:\documents and settings\Pablo\Application Data\IBP
2010-01-02 18:09 . 2009-09-14 17:50 -------- d-----w- c:\program files\McAfee Security Scan
2010-01-01 20:00 . 2008-09-06 00:11 -------- d-----w- c:\program files\AVS4YOU
2010-01-01 12:32 . 2001-08-23 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-21 15:30 . 2010-01-04 16:27 2066200 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\avg8\update\backup\avgcorex.dll
2009-12-18 00:55 . 2008-04-30 03:28 -------- d-----w- c:\program files\Google
2009-11-27 00:40 . 2009-06-30 00:40 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\CanonIJPLM
2009-11-24 20:04 . 2008-08-22 00:05 -------- d-----w- c:\program files\IBP 10
2009-11-24 19:09 . 2009-11-24 19:09 -------- d-----w- c:\documents and settings\Pablo\Application Data\com.adobe.example.avatarAirApplication.199ED43C2CFEB351CD0244628B93195D7C58F98C.1
2009-11-24 19:08 . 2009-11-24 19:08 -------- d-----w- c:\program files\Avatar Desktop App
2009-11-23 01:42 . 2009-09-30 06:51 -------- d-----w- c:\program files\Leawo
2009-11-23 01:42 . 2009-09-30 06:51 -------- d-----w- c:\documents and settings\Pablo\Application Data\Leawo
2009-11-16 08:29 . 2009-09-30 06:52 -------- d-----w- c:\program files\SeekService
2009-11-16 07:17 . 2009-09-30 06:52 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SeekService
2009-11-10 03:22 . 2009-11-10 03:22 -------- d-----w- c:\program files\Softi Software
2009-11-10 03:22 . 2009-11-10 03:22 -------- d-----w- c:\documents and settings\Pablo\Application Data\Softi Software
2009-10-29 05:38 . 2001-08-23 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-22 19:35 . 2010-01-01 17:41 565248 ----a-w- c:\documents and settings\Pablo\Application Data\Mozilla\Firefox\Profiles\pzz6b5qw.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
2009-10-21 05:38 . 2005-05-26 03:57 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38 . 2005-05-26 03:57 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-20 16:20 . 2005-05-26 03:57 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2001-08-23 12:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2001-08-23 12:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2001-08-23 12:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Pablo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"SansaDispatch"="c:\documents and settings\Pablo\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-07-21 79872]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartSoft PDF Printer (demo) Agent"="c:\program files\Smart PDF Converter Pro\sspdfagentd.exe" [2006-11-21 69632]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\FTP\\WS_FTP95.exe"=
"c:\\Program Files\\IBP 9\\IBP.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\IBP 10\\IBP.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Adobe\\Adobe Flash CS3\\Flash.exe"=
"c:\\Program Files\\Softi Software\\Softi FreeOCR\\Program\\FreeOCR.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/7/2008 11:08 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/7/2008 11:08 PM 108552]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [4/7/2006 3:32 PM 13696]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/28/2009 7:40 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/28/2009 7:40 AM 297752]
S2 gupdate1c9e0d06c713a09;Google Update Service (gupdate1c9e0d06c713a09);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2009 8:43 PM 133104]
S3 AtiBt829;WDM Video Capture For AIW (AtiBt829);c:\windows\system32\drivers\AtiBt829.sys [5/25/2005 11:15 AM 46464]
S3 ATITVAUDIO;WDM TVAudio (ATITVSnd);c:\windows\system32\drivers\ATITVSnd.sys [5/25/2005 11:15 AM 17152]
S3 ATIXBAR;ATI Video Audio Crossbar (ATIXBar);c:\windows\system32\drivers\atixbar.sys [5/25/2005 11:15 AM 23552]
S4 SeekService Service;SeekService Service;"c:\documents and settings\All Users.WINDOWS\Application Data\SeekService\seekservice135.exe" "c:\program files\SeekService\seekservice.dll" Service --> c:\documents and settings\All Users.WINDOWS\Application Data\SeekService\seekservice135.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 02:43]

2010-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 02:43]

2010-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-562591055-682003330-1003Core.job
- c:\documents and settings\Pablo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 01:57]

2010-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-562591055-682003330-1003UA.job
- c:\documents and settings\Pablo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 01:57]
.
.
------- Supplementary Scan -------
.
mSearch Bar =
uSearchAssistant =
uCustomizeSearch =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Pablo\Application Data\Mozilla\Firefox\Profiles\pzz6b5qw.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\documents and settings\Pablo\Application Data\Mozilla\Firefox\Profiles\pzz6b5qw.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Pablo\Application Data\Mozilla\Firefox\Profiles\pzz6b5qw.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\documents and settings\Pablo\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: XULRunner: {156AB7AF-CDC1-443E-B586-CF5C66915D88} - c:\documents and settings\Pablo\Local Settings\Application Data\{156AB7AF-CDC1-443E-B586-CF5C66915D88}\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-RCHotKey - c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe
HKCU-Run-IBP - (no file)
MSConfigStartUp-CTFMON - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-06 13:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Pablo\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?=&platform=&is-debug=&rom-version=&part-number=&product-name=&content-class=common_conten

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Access.Shortcut.Report.1\shell\Design\ddeexec\appl*cation]
@="Msaccess"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\VersionIndep*ndentProgID]
@="Office.awsdc"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1456)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Maxtor\Sync\SyncServices.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\RUNDLL32.EXE
c:\documents and settings\Pablo\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-06 13:38:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-06 19:38

Pre-Run: 42,722,770,944 bytes free
Post-Run: 43,735,785,472 bytes free

- - End Of File - - 7EDF2680BDAB2401EE574AB6FA77AA64


Edited by elise025, 06 January 2010 - 03:44 PM.
pasted in the log


#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:03 PM

Posted 06 January 2010 - 03:47 PM

Hi, as you can see, I pasted the log in your reply, I forgot to ask you in my last post to do that and since I will have to copy/paste some entries from your log, I decided it was easier to have it this way.

I see you didn't install the Recovery Console when Combofix asked. Do you have connection problems that don't allow combofix to download/install the Recovery Console? If so, let me know and I will give you instructions on how to install the Recovery Console without internet connection. Otherwise, please re-run Combofix and this time allow Recovery Console download/installation.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 SEO Acuity

SEO Acuity
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:03 AM

Posted 07 January 2010 - 12:59 AM

I tried but it gives me an error, see attached image.



#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:03 PM

Posted 07 January 2010 - 05:17 AM

Ah, I see :(

Please verify if the following file exists: c:\boot.ini

Note, you might need to enable hidden files and folders:

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK

regards, Elise



#10 SEO Acuity

SEO Acuity
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:03 AM

Posted 07 January 2010 - 12:53 PM

yup no boot.ini

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:03 PM

Posted 07 January 2010 - 01:31 PM

Do you have your XP CD at hand?

regards, Elise



#12 SEO Acuity

SEO Acuity
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:03 AM

Posted 07 January 2010 - 02:36 PM

yes I do but can't find it. It's XP Pro SP3

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:03 PM

Posted 07 January 2010 - 02:48 PM

Hello SEO Acuity,

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    boot*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

In your next reply, please include the following:
  • SystemLook.txt

regards, Elise



#14 SEO Acuity

SEO Acuity
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:03 AM

Posted 07 January 2010 - 03:09 PM

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 13:52 on 07/01/2010 by Pablo (Administrator - Elevation successful)

========== filefind ==========

Searching for "boot*"
C:\1AAA\Patio Furniture\bootglasstopendtable.jpg --a--- 126826 bytes [06:09 25/04/2005] [03:48 06/03/2004] 5B2FD4044471E78D5F74136637817503
C:\Design\Program Files\Joomla templates\c\CivicRM\com_civicrm\civicrm\packages\dojo\dojo\_base\_loader\bootstrap.js ------ 8236 bytes [01:19 19/03/2008] [11:50 15/01/2008] C83D1AA2949A09F7E728D34B1F228D0A
C:\Old Drives\D\MAIN\BOOTLOG.TXT --ah-- 219 bytes [03:09 25/04/2005] [14:07 12/04/2005] EFE1BD8A8E79BA5FD66FB8D846C2E493
C:\Program Files\Google\Google Gears\Firefox\components\bootstrap.js --a--- 4615 bytes [20:46 16/10/2009] [20:46 16/10/2009] 538F7B73D4665DFED6A9040C456D99FC
C:\Program Files\Stellarium\skycultures\western\bootes.png --a--- 41109 bytes [22:18 31/10/2008] [06:56 28/02/2008] FF610747E520B972A7E053790BA17A9A
C:\WINDOWS\$NtServicePackUninstall$\bootcfg.exe -----c 136704 bytes [16:15 18/04/2009] [12:00 23/08/2001] D82BA004D3D48A5889EB261AC663DDC4
C:\WINDOWS\bootstat.dat --a-s- 2048 bytes [22:28 25/05/2005] [09:41 07/01/2010] 6A2CB42966136854F4464516FBB4AE72
C:\WINDOWS\Help\bootcons.chm --a--- 39622 bytes [12:00 23/08/2001] [12:00 23/08/2001] 729C93B5DAE750C4F705FC3C48E81BBC
C:\WINDOWS\ServicePackFiles\i386\bootcfg.exe ------ 142848 bytes [01:58 19/08/2008] [00:12 14/04/2008] DF42260BA2A5826F77B7A4BD105BAACC
C:\WINDOWS\system32\bootcfg.exe --a--- 142848 bytes [12:00 23/08/2001] [00:12 14/04/2008] DF42260BA2A5826F77B7A4BD105BAACC
C:\WINDOWS\system32\bootok.exe --a--- 4608 bytes [12:00 23/08/2001] [12:00 23/08/2001] 875E85605BD6921862734F8A6E70E7A7
C:\WINDOWS\system32\bootvid.dll --a--- 12288 bytes [12:00 23/08/2001] [12:00 23/08/2001] CC306BF581446D5E443EAE5B3BB900F0
C:\WINDOWS\system32\bootvrfy.exe --a--- 5120 bytes [12:00 23/08/2001] [12:00 23/08/2001] C2AB77D9DC66447DC1DB63751D7F673A
C:\WINDOWS\system32\dllcache\bootok.exe --a--c 4608 bytes [12:00 23/08/2001] [12:00 23/08/2001] 875E85605BD6921862734F8A6E70E7A7
C:\WINDOWS\system32\dllcache\bootvid.dll --a--c 12288 bytes [12:00 23/08/2001] [12:00 23/08/2001] CC306BF581446D5E443EAE5B3BB900F0
C:\WINDOWS\system32\dllcache\bootvrfy.exe --a--c 5120 bytes [12:00 23/08/2001] [12:00 23/08/2001] C2AB77D9DC66447DC1DB63751D7F673A

-=End Of File=-
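As an added example (not part of the thread and not SystemLook's own code), a small Python parser for the :filefind output above: it confirms that no boot.ini hit is present in the results and lists the hits that carry the hidden or system attribute. The column order of the attribute flags (d r a h s c) is an assumption inferred from the entries in this log.

```python
"""Parse SystemLook ':filefind' output and check for a target file (boot.ini).
Added example, not from the thread or SystemLook; the flag column order
(directory, readonly, archive, hidden, system, compressed) is an assumption."""
import re
from dataclasses import dataclass

# Constructed excerpt in the format SystemLook prints (lines taken from the log above).
SAMPLE_LOG = """\
Searching for "boot*"
C:\\Old Drives\\D\\MAIN\\BOOTLOG.TXT --ah-- 219 bytes [03:09 25/04/2005] [14:07 12/04/2005] EFE1BD8A8E79BA5FD66FB8D846C2E493
C:\\WINDOWS\\bootstat.dat --a-s- 2048 bytes [22:28 25/05/2005] [09:41 07/01/2010] 6A2CB42966136854F4464516FBB4AE72
C:\\WINDOWS\\system32\\dllcache\\bootok.exe --a--c 4608 bytes [12:00 23/08/2001] [12:00 23/08/2001] 875E85605BD6921862734F8A6E70E7A7

-=End Of File=-
"""

# path  flags  size bytes  [created]  [modified]  MD5  (path may contain spaces)
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<flags>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-F]{32})$"
)
# Assumed flag positions, inferred from --ah--, --a-s- and --a--c in the log.
FLAG_NAMES = ("directory", "readonly", "archive", "hidden", "system", "compressed")

@dataclass
class Hit:
    path: str
    attrs: frozenset
    size: int
    created: str
    modified: str
    md5: str

def parse_filefind(text):
    """Return one Hit per result line; header, blank and footer lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            attrs = frozenset(n for n, ch in zip(FLAG_NAMES, m["flags"]) if ch != "-")
            hits.append(Hit(m["path"], attrs, int(m["size"]), m["created"], m["modified"], m["md5"]))
    return hits

def find_file(hits, name):
    """Hits whose file name equals `name`, compared case-insensitively as NTFS does."""
    return [h for h in hits if h.path.rsplit("\\", 1)[-1].lower() == name.lower()]

def hidden_or_system(hits):
    """Hits carrying the hidden or system attribute (Explorer hides these by default)."""
    return [h for h in hits if h.attrs & {"hidden", "system"}]
```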

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:07:03 PM

Posted 07 January 2010 - 03:15 PM

Well, it seems we still have to rebuild boot.ini

If you have your XP CD at hand, you can use it, otherwise follow the steps below on how to make a bootable CD.

Please download the Recovery Console Bootable CD iso
Unzip the file and use your favourite burning application to burn the iso to a CD. Note, this is not the same as just burning the iso file on a CD.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.

  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open
Once in Recovery Console, please type bootcfg /rebuild and hit enter.

This command scans the hard disks of the computer for Windows XP, Microsoft Windows 2000, or Microsoft Windows NT installations, and then displays the results. Follow the instructions that appear on the screen to add the Windows installations to the Boot.ini file.
When you receive a message that is similar to the following message, press Y
Total Identified Windows Installs: 1

[1] C:\Windows
Add installation to boot list? (Yes/No/All)

You receive a message that is similar to the following message:
Enter Load Identifier
This is the name of the operating system. When you receive this message, type the name of your operating system, and then press ENTER. This is either Microsoft Windows XP Professional or Microsoft Windows XP Home Edition.

You receive a message that is similar to the following:
Enter OS Load options
When you receive this message, type /fastdetect and then press ENTER.

Note The instructions that appear on your screen may be different, depending on the configuration of your computer.

Type exit to exit and restart your PC.

Please verify in Windows that c:\boot.ini exists and, if so, re-run Combofix and allow the Recovery Console to be installed.

regards, Elise





