
Trojan PSW.Generic7.BBKU


16 replies to this topic

#1 iMacuser (Members, 10 posts)

Posted 11 January 2010 - 11:28 PM

Hello all. Hoping for some assistance with one last attempt at cleaning a trojan firmly installed in my System Volume Info area. I am running WinXP SP3 on an iMac partitioned hard drive through Bootcamp (OSX on one side WinXP on the other).

Infection first showed up a week ago via AVG 9.07 Resident Shield. Here is the infection history:

Infection;"Object";"Result";"Detection time";"Object Type";"Process"
Trojan horse PSW.Generic7.BBKU;"C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP833\A0222089.dll";"Infected";"10/01/2010, 4:35:51 AM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse PSW.Generic7.BBKU;"C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP833\A0222089.dll";"Infected";"10/01/2010, 3:35:51 AM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse PSW.Generic7.BBKU;"C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP833\A0222089.dll";"Infected";"10/01/2010, 2:35:51 AM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse PSW.Generic7.BBKU;"C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP833\A0222089.dll";"Infected";"10/01/2010, 1:59:52 AM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse PSW.Generic7.BBKU;"C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP833\A0222089.dll";"Infected";"10/01/2010, 12:58:16 AM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse PSW.Generic7.BBKU;"C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP833\A0221093.dll";"Moved to Virus Vault";"09/01/2010, 7:55:15 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse PSW.Generic7.BBKU;"C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP833\A0221093.dll";"Moved to Virus Vault";"09/01/2010, 7:45:26 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse PSW.Generic7.BBKU;"C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP833\A0220108.dll";"Infected";"09/01/2010, 4:32:12 PM";"file";"C:\WINDOWS\explorer.exe"
Trojan horse PSW.Generic7.BBKU;"C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP833\A0220108.dll";"Moved to Virus Vault";"09/01/2010, 3:48:27 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse PSW.Generic7.BBKU;"C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP832\A0219460.dll";"Moved to Virus Vault";"08/01/2010, 7:56:15 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse PSW.Generic7.BBKU;"C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP834\A0223104.dll";"Deleted";"08/01/2010, 7:23:26 PM";"file";"C:\WINDOWS\system32\cidaemon.exe"

And here is the latest AVG scan result:

Scan "Scheduled scan" was finished.
Infections;"26";"26";"0"
Information;"1"
Folders selected for scanning:;"Scan whole computer"
Scan started:;"January 11, 2010, 5:15:44 PM"
Scan finished:;"January 11, 2010, 7:40:11 PM (2 hour(s) 24 minute(s) 26 second(s))"
Total object scanned:;"313902"
User who launched the scan:;"SYSTEM"

Infections
File;"Infection";"Result"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP830\A0218732.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP830\A0217732.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP830\A0216731.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP830\A0215735.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP830\A0214745.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP830\A0214271.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP830\A0213253.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP830\A0212267.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP830\A0211745.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP829\A0210322.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP829\A0209751.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP828\A0208296.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP828\A0207294.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP828\A0206293.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP828\A0205298.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP828\A0204672.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP828\A0202675.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP828\A0201684.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP827\A0199359.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP825\A0198731.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP824\A0198155.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP824\A0197154.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP824\A0196153.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP824\A0195176.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP821\A0193804.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"
C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP819\A0192799.dll;"Trojan horse PSW.Generic7.BBKU";"Moved to Virus Vault"

As you can see it has now propagated to multiple restore points. This did not occur directly from actually performing a system restore since I did that a few days back and only had one RP infection (see history at top).

Began an attempt to clean up using the advice from AustrAlien posted elsewhere. Here is some history of MBAM infections found and removed in the last week:

Malwarebytes' Anti-Malware 1.44
Database version: 3536
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/01/2010 1:45:36 PM
mbam-log-2010-01-10 (13-45-36).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 108427
Time elapsed: 1 hour(s), 13 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Image-Line\Shared\DSP_IPP\Uninstall.exe (Rootkit.Agent) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.44
Database version: 3544
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/01/2010 5:48:38 PM
mbam-log-2010-01-11 (17-48-38).txt

Scan type: Full Scan (F:\|)
Objects scanned: 346842
Time elapsed: 21 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

NOTE: F: is an external hard drive that contains a number of programs, C: drive full backups and also some System Volume Info.

Here is the latest MBAM log AFTER AVG found and removed the 26 infections:

Malwarebytes' Anti-Malware 1.44
Database version: 3545
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/01/2010 7:55:38 PM
mbam-log-2010-01-11 (19-55-38).txt

Scan type: Quick Scan
Objects scanned: 153481
Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

AustrAlien recommended use of SuperAntiSpyware in Safe mode followed by DrWebCureIt also in safe mode. However, I seem to have a problem in Safe mode since the keyboard becomes non-functional. This may be a Bootcamp issue (I am investigating). When run in normal mode it has found Tracking Cookies but nothing else.

Will now try both of these programs in safe mode and report back.

Thanks!
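The AVG history above is easier to read by restore point than by line. What follows is an added example written for this thread, not AVG's or the poster's own code: it parses the semicolon-separated history format exactly as pasted (a constructed subset of the rows is embedded), groups detections by the RPnnn folder under System Volume Information, and lists objects whose most recent result was still "Infected". The column names and the day/month/year timestamp format are taken from the pasted rows; the function names are this example's own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: a subset of the AVG 9 Resident Shield history rows pasted in
# the thread. Columns: Infection;"Object";"Result";"Detection time";"Object Type";"Process"
AVG_HISTORY = r'''Infection;"Object";"Result";"Detection time";"Object Type";"Process"
Trojan horse PSW.Generic7.BBKU;"C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP833\A0222089.dll";"Infected";"10/01/2010, 4:35:51 AM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse PSW.Generic7.BBKU;"C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP833\A0222089.dll";"Infected";"10/01/2010, 3:35:51 AM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse PSW.Generic7.BBKU;"C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP833\A0221093.dll";"Moved to Virus Vault";"09/01/2010, 7:55:15 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse PSW.Generic7.BBKU;"C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP832\A0219460.dll";"Moved to Virus Vault";"08/01/2010, 7:56:15 PM";"file";"C:\WINDOWS\system32\svchost.exe"
Trojan horse PSW.Generic7.BBKU;"C:\System Volume Information\_restore{8D67C9BC-9DA7-4C41-BEAE-504A2C76E51C}\RP834\A0223104.dll";"Deleted";"08/01/2010, 7:23:26 PM";"file";"C:\WINDOWS\system32\cidaemon.exe"
'''

# Restore-point folder inside System Volume Information: _restore{GUID}\RPnnn\<file>
RP_RE = re.compile(r"\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\([^\\]+)$")
# AVG wrote the detection time as day/month/year on a 12-hour clock (thread dated January 2010).
TIME_FMT = "%d/%m/%Y, %I:%M:%S %p"
REMOVED_RESULTS = {"Moved to Virus Vault", "Deleted"}


def parse_avg_history(text):
    """Turn the semicolon-separated AVG history into a list of dicts, skipping the header."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Infection;"):
            continue
        fields = [f.strip().strip('"') for f in line.split(";")]
        if len(fields) != 6:
            continue  # not a history row
        infection, obj, result, when, obj_type, process = fields
        m = RP_RE.search(obj)
        records.append({
            "infection": infection,
            "object": obj,
            "result": result,
            "time": datetime.strptime(when, TIME_FMT),
            "object_type": obj_type,
            "process": process,
            "restore_point": m.group(1) if m else None,
            "filename": m.group(2) if m else obj.rsplit("\\", 1)[-1],
        })
    return records


def summarise_by_restore_point(records):
    """For each restore point: the distinct files flagged in it and a tally of results."""
    summary = defaultdict(lambda: {"files": set(), "results": Counter()})
    for r in records:
        if r["restore_point"] is None:
            continue
        summary[r["restore_point"]]["files"].add(r["filename"])
        summary[r["restore_point"]]["results"][r["result"]] += 1
    return dict(summary)


def unremoved_objects(records):
    """Objects whose most recent detection was never quarantined or deleted.

    Repeated 'Infected' hits on the same path at scan intervals mean the resident
    shield keeps seeing the file but cannot act on it; for restore-point copies,
    purging the restore points is what actually clears them.
    """
    latest = {}
    for r in records:
        if r["object"] not in latest or r["time"] > latest[r["object"]]["time"]:
            latest[r["object"]] = r
    return sorted(obj for obj, r in latest.items() if r["result"] not in REMOVED_RESULTS)


if __name__ == "__main__":
    recs = parse_avg_history(AVG_HISTORY)
    for rp, info in sorted(summarise_by_restore_point(recs).items()):
        print(rp, sorted(info["files"]), dict(info["results"]))
    for obj in unremoved_objects(recs):
        print("still present:", obj)
```

Run against the full history from the post, the summary shows one A0nnnnnn.dll per restore point (each RP keeps its own copy of a changed file, which is why the count grows with every new restore point), and the "still present" list shows which copies AVG only reported on without being able to remove.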


#2 boopme (Global Moderator, 72,740 posts, NJ USA)

Posted 12 January 2010 - 12:17 AM

Ok, will look back.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 iMacuser (Topic Starter)

Posted 12 January 2010 - 12:52 AM

Ran SuperAntiSpyware in NORMAL mode (no luck with keyboard in safe mode) with only "close browsers", "scan for tracking cookies" and "terminate memory threats before quarantine" checked (per AustrAlien). 40 minutes later....no threats found.

Will move on to DrWebCureIt in normal mode.

A thought...what about setting a new restore point and using Disk Cleanup to remove all the old ones?

Cheers!

#4 boopme (Global Moderator)

Posted 12 January 2010 - 10:00 AM

I prefer setting the new Restore Point when done, just in case we need one. Better an infected one than none.

#5 iMacuser (Topic Starter)

Posted 12 January 2010 - 10:31 AM

Latest:

Set new system restore point after ALL checkers showed clean (still not able to run Spyware or DrWeb in safe though). Shutdown.

Startup in Normal mode, run AVG = clean

Run MBAM and get following:

Malwarebytes' Anti-Malware 1.44
Database version: 3548
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/01/2010 7:29:53 AM
mbam-log-2010-01-12 (07-29-53).txt

Scan type: Quick Scan
Objects scanned: 153601
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Related to Trojan or no?

Will check back later for advice.

Thanks
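The same two Broken.OpenCommand items appear in the log of post #1 and again here, both times reported as "Quarantined and deleted successfully", so a small parser that compares logs makes that kind of recurrence easy to spot. What follows is an added example written for this thread, not Malwarebytes' or the poster's own code: it parses the MBAM 1.44 log layout as pasted here (two constructed, trimmed copies of the thread's logs are embedded) into the summary counts and the per-section items, splitting out the Bad/Good values of registry data items, and then reports items that were reported removed in more than one log. The function names are this example's own.

```python
import re

# Constructed samples: two of the MBAM 1.44 logs from this thread, trimmed to the
# lines the parser needs (10 January from post #1, 12 January from post #5).
MBAM_LOG_JAN10 = r'''Malwarebytes' Anti-Malware 1.44
Database version: 3536
10/01/2010 1:45:36 PM
Scan type: Full Scan (C:\|F:\|)
Registry Data Items Infected: 2
Files Infected: 1

Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Image-Line\Shared\DSP_IPP\Uninstall.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
'''

MBAM_LOG_JAN12 = r'''Malwarebytes' Anti-Malware 1.44
Database version: 3548
12/01/2010 7:29:53 AM
Scan type: Quick Scan
Registry Data Items Infected: 2
Files Infected: 0

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
'''

# "Files Infected: 3" is a summary count; "Files Infected:" alone opens a section.
COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# <target> (<detection>) -> [Bad: (<bad>) Good: (<good>) -> ]<action>.
ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?"
    r"(?P<action>.+?)\.?$"
)


def parse_mbam_log(text):
    """Parse one MBAM log into database version, scan type, summary counts and items."""
    log = {"database_version": None, "scan_type": None, "counts": {}, "items": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Database version:"):
            log["database_version"] = int(line.split(":", 1)[1])
            continue
        if line.startswith("Scan type:"):
            log["scan_type"] = line.split(":", 1)[1].strip()
            continue
        m = COUNT_RE.match(line)
        if m:
            log["counts"][m.group("name")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if m:
            item = m.groupdict()  # unmatched Bad/Good groups come back as None
            item["section"] = section
            log["items"].append(item)
    return log


def recurring_items(logs):
    """(section, target, detection) triples reported removed in more than one log.

    A value MBAM deletes and later finds again was re-created by something on the
    system, so the recurrence, not the removal, is what needs investigating.
    """
    seen = {}
    for log in logs:
        for item in log["items"]:
            if item["action"].startswith("Quarantined"):
                key = (item["section"], item["target"], item["detection"])
                seen[key] = seen.get(key, 0) + 1
    return sorted(key for key, n in seen.items() if n > 1)


if __name__ == "__main__":
    logs = [parse_mbam_log(MBAM_LOG_JAN10), parse_mbam_log(MBAM_LOG_JAN12)]
    for log in logs:
        print("db", log["database_version"], log["scan_type"], log["counts"])
        for item in log["items"]:
            print("  ", item["section"], "|", item["target"], "|", item["bad"], "->", item["good"])
    for key in recurring_items(logs):
        print("recurring:", key)
```

Feeding it every log in the thread in order shows the scrfile and regfile open-command values coming back between posts #1 and #5 after a clean log in between, which is exactly the pattern that points at something re-writing those values rather than at a removal that failed.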

#6 iMacuser (Topic Starter)

Posted 12 January 2010 - 12:42 PM

One other piece of info. I use a 3rd party Windows utility program called System Mechanic Pro. Between the time I had all clean and the time MBAM showed a recurrence in the HKEYS area of the registry, I used SM Pro to "repair" 125 registry problems it had found. Not sure what the "repairs" involve, but I have a suspicion that the fixes brought back the malware. No recurrence of the Trojan as yet.

Cheers!

#7 boopme (Global Moderator)

Posted 12 January 2010 - 01:42 PM

Hi, we are not big fans of reg cleaners here. I will post our position so you may decide.

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

• Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.

• Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

• Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

• Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.

• The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.
Now, aside from that, it may be interfering with repairs, as Spybot's S&D will. So turn it off while cleaning.
Let's see if you can fix safe mode...
SUPERAntiSpyware has a built-in "Repairs" feature to fix policy restrictions and certain Windows settings which are sometimes targeted by malware infection.

Please download SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • Click the Repairs tab.
  • Click on (highlight) "Repair broken SafeBoot key" and then click the Repair button.
  • You may be asked to reboot your computer for the changes to take effect.
Now you can run DrWeb and SAS (SUPERAntiSpyware).

#8 iMacuser (Topic Starter)

Posted 12 January 2010 - 09:26 PM

Message received loud and clear. Registry cleaner gonzo!~

Beginning whole scan sequence again using all four programs. Will report back.

So far AVG scan clean.

Edited by iMacuser, 12 January 2010 - 09:27 PM.


#9 iMacuser (Topic Starter)

Posted 12 January 2010 - 11:18 PM

What a FRUSTRATING business this is!

AVG clear. MBAM...new TROJANS!!

Malwarebytes' Anti-Malware 1.44
Database version: 3552
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/01/2010 7:19:37 PM
mbam-log-2010-01-12 (19-19-37).txt

Scan type: Quick Scan
Objects scanned: 153598
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Aidan\My Documents\downloads\fmsdisk01(2).exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Aidan\My Documents\downloads\fmsdisk01(3).exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Aidan\My Documents\downloads\fmsdisk01.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Moved on to SAS repair of Safe mode key. Tried twice...no go. Keyboard still non-functional in attempted safe mode. May be an Apple Bootcamp issue? Boot up sequence has an extra step (choose OSX or WinXP), not sure.

Trying SAS and Dr Web in normal mode.

Also, does each restore point have its own reference in Sys Vol Info? I created a new RP and ran disc cleanup yesterday and I still have multiple RP references with attached A0***.exe files and .dll files.

Anyway, will report back.

ty

#10 boopme (Global Moderator)

Posted 13 January 2010 - 04:56 PM

That is an odd occurrence for the RPs. They should all go. If this doesn't improve we'll move to the HiJack forum.

Can you get in to safe mode with command prompt?
See if you can, then type C:\windows\system32\restore\rstrui.exe into the command prompt and press return. This should allow you to run system restore to an earlier date.

Edited by boopme, 13 January 2010 - 05:16 PM.


#11 iMacuser (Topic Starter)

Posted 14 January 2010 - 12:53 AM

No luck with Safe mode. Checkers seem to be clear. Some unexpected blue screens during SAS and DrWeb scans of my external F drive, indicating a device driver or device issue. Does Windows have a disc repair function? System Restore runs OK, but the only restore point I have is a recent one, post Safe Mode issue. I erased points from the period of first infection.

Not sure where to go next.

Thanks

#12 iMacuser (Topic Starter)

Posted 14 January 2010 - 01:24 AM

Chkdsk stalled on the F: drive. Will try some malware/virus scans.

Edited by iMacuser, 14 January 2010 - 01:25 AM.


#13 boopme (Global Moderator)

Posted 14 January 2010 - 10:33 AM

I think the best three options when safe mode is a serious problem are: A) we post in the HJT forum (need about a week), B) perform a Repair install, or C) we wipe the drive and reinstall.

#14 iMacuser (Topic Starter)

Posted 14 January 2010 - 12:41 PM

Thanks again. Not sure how to do a repair install. I have the WINXP install discs if that is necessary.

Current status seems to be the C: drive is clear using all testers but SAS and Dr W have been run in Normal mode not safe. Safe mode remains inactive. It DID work at one point early on when I started this trek.

Second concern is my external hard drive. It has become damaged/corrupted (I believe through an attempt to "repair it" using System Mechanic a Windows utility suite). I have uninstalled SM as you advised earlier.

F: drive now hangs on an AVG scan, and crashes the system on an MBAM or SAS scan. As I noted yesterday, chkdsk also hangs at Phase 4 (repair stage I think).

If I reformat the F: drive would it be likely to repair itself? (not sure how to do this) Any online drive assessment or repair tools you know of?

Seems I am down to fixing the F: drive and fixing Safe Mode.

Still hope not to have to wipe the hard drives but.....

Many thanks.

#15 boopme (Global Moderator)

Posted 14 January 2010 - 01:08 PM

A repair install does not.
How to Perform a Windows XP Repair Install
A Repair Install will replace the system files with the files on the XP CD used for the Repair Install. It will leave your applications and settings intact, but Windows updates will need to be reapplied.
A Repair Install will replace files altered by adware and malware, but will not fix an adware, malware problem.


Reformatting (Wipe and reinstall OS) a hard disk deletes all data.
Reformatting Windows XP
In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

==============================

2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.