
Not booting after running Combofix


  • This topic is locked
41 replies to this topic

#1 maxkat

maxkat

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:11:33 PM

Posted 17 January 2010 - 10:11 AM

Hello elise,
I'm a new member. I have pretty much the same problem as rns25 (except that it's my desktop instead of a laptop). I also run on Windows XP.
I followed your instructions in this blog and this is what I get when I execute the command dir c:\qoobox\quarantine :

date time d------ 0.
date time d------ 0..
date time d------ 0 C
date time -a----- 827 catchme.log
date time d------ 0 Registry_backups


I would really appreciate if you could help me.
Thank you very much in advance.




#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,823 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:33 AM

Posted 17 January 2010 - 01:57 PM

I split off your first post to a separate topic. Posting in someone else's topic with your own problem is considered rude. Also, the chance of getting a reply that can help you is a lot bigger when you have your own topic.

Using the Recovery Console, please tell me what's in the following folder:

c:\qoobox

if there is a file named combofix-quarantined-files.txt in there, type the following bolded line and press enter.

type combofix-quarantined-files.txt

This will show you a list of files. Please note them down and post them here.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 maxkat


Posted 17 January 2010 - 03:02 PM

I'm sorry Elise. I apologize for my ignorance (like I said this is my first time)
I'll try to get that txt file now.
Thanks much
Max

#4 Elise


Posted 17 January 2010 - 03:13 PM

Okay, let me know if you run into any problems ;)

regards, Elise




#5 maxkat


Posted 17 January 2010 - 03:36 PM

Elise,
Here is what is on c:\qoobox

d------- 0 .
d------- 0 ..
-a------ 8552 Add-Remove Programs.txt
d------- 0 BackEnv
-a------ 57868 ComboFix2.txt
-a------ 39150 ComboFix3.txt
-a------ 55234 ComboFix4.txt
-a------ 188199 ComboFix5.txt
d------- 0 LastRun
d------- 0 Quarantine
-a------ 1227664 SnapShot@2009-05-22_04.48.05.dat
-a------ 1256241 SnapShot_2009-09-13_15.29.27.dat
-a------ 1274551 SnapShot_2009-10-29-05.37.45.dat
-a------ 1295072 SnapShot_2010-01-09_18.22.13.dat
d------- 0 Test
d------- 0 Test C
16 files 5402531 bytes


#6 Elise


Posted 17 January 2010 - 03:46 PM

Okay, please list me the contents of the c:\qoobox\quarantine\c folder

This folder will contain subfolders (named as was the filepath of the original file). So please note down everything from C, all subfolders there.

regards, Elise




#7 maxkat


Posted 17 January 2010 - 11:00 PM

Ok Elise
Here it is

C:\qoobox\quarantine\C

d----- 0 .
d----- 0 ..
-a---- 883 Jeron.exe.vir
-a---- 39150 log.txt.vir
-a---- 883 MSN.exe.vir
-a---- 720 MSN9.exe.vir
d----- 0 Program Files
-a---- 5259 tmp1247.exe.vir
d----- 0 WINDOWS

C:\qoobox\quarantine\C\windows

d----- 0 .
d----- 0 ..
d----- 0 Installer
-a---- 208896 PATCH.EXE.vir
d----- 0 system32




#8 Elise


Posted 18 January 2010 - 02:50 AM

QUOTE
d----- 0 system32

Please post me the contents of this folder as well as its subfolders (a folder will have d-----0 in front of it).

regards, Elise




#9 maxkat


Posted 18 January 2010 - 09:04 AM

Here it is.
I still have to list you the contents of dir drivers, but now I'm at work, so I won't be able to access my home computer until tonight.
Sorry Elise. Thanks much

c:\qoobox\quarantine\c\cwindows\system32

d------- 0.
d------- 0..
-a------ 1360134 dorfdclp.ini.vir
d------- 0 drivers
-a------ 784673 hNWwyJjl.ini.vir
-a------ 784673 hNWwyJjl.ini2.vir
-a---c-- 0 iAlmcoin.dll.vir
-a------ 1285262 ndllhbbw.ini.vir
-a------ 1258892 ppghdtnl.ini.vir
-a------ 81920 ps2.bat.vir
-a---c-- 0 user_32.dll.vir
-a------ 1537209 veefjcxh.ini.vir
-a------ 294 xuvcqkil.ini.vir





#10 Elise


Posted 18 January 2010 - 09:05 AM

Okay, in system32, I need you to look in the drivers folder. Please list what is there.

regards, Elise




#11 maxkat


Posted 18 January 2010 - 06:22 PM

Hi again Elise,

c:\qoobox\quarantine\c\cwindows\system32\drivers

d------ 0 .
d------ 0 ..
-a----- 95360 atapi.sys.vir
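
The quarantine layout walked through in the posts above (subfolders named after the original file path, files suffixed with .vir) can be mapped back to the original locations mechanically. The following Python sketch is an added example, not part of the original thread and not ComboFix code; the sample listing is constructed in the format of the posted listings, and the "system driver" flag is a heuristic assumed here.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the format of the Recovery Console listings in this thread.
SAMPLE = r"""
C:\qoobox\quarantine\C
d----- 0 .
d----- 0 ..
-a---- 883 MSN.exe.vir
d----- 0 WINDOWS

C:\qoobox\quarantine\C\WINDOWS\system32\drivers
d------ 0 .
d------ 0 ..
-a----- 95360 atapi.sys.vir
"""

ENTRY = re.compile(r"^(?P<attr>[-a-z]{5,8})\s+(?P<size>\d+)\s+(?P<name>.+)$")

def original_path(quarantined):
    """Map a path under the quarantine folder back to where the file came from."""
    parts = PureWindowsPath(quarantined).parts
    if [p.lower() for p in parts[1:3]] != ["qoobox", "quarantine"] or len(parts) < 5:
        raise ValueError("not a quarantined file path: " + quarantined)
    drive, *rest = parts[3:]          # first subfolder is the original drive letter
    if rest[-1].lower().endswith(".vir"):
        rest[-1] = rest[-1][:-4]      # drop the .vir suffix added on quarantine
    return str(PureWindowsPath(drive + ":\\", *rest))

def is_system_driver(path):
    """Heuristic (assumption of this example): a .sys file in system32\\drivers."""
    p = path.lower()
    return "\\windows\\system32\\drivers\\" in p and p.endswith(".sys")

def parse_listing(text):
    """Return (original path, size, driver flag) for each quarantined file listed."""
    folder, found = None, []
    for line in (l.strip() for l in text.splitlines()):
        if re.match(r"^[a-zA-Z]:\\", line):   # a folder header such as C:\qoobox\...
            folder = line
            continue
        m = ENTRY.match(line)
        if m is None or folder is None or m["attr"].startswith("d"):
            continue                            # blank line, directory, or stray text
        orig = original_path(folder + "\\" + m["name"])
        found.append((orig, int(m["size"]), is_system_driver(orig)))
    return found

if __name__ == "__main__":
    for path, size, driver in parse_listing(SAMPLE):
        print(f"{size:>8}  {path}" + ("   <-- system driver" if driver else ""))
```
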



#12 Elise


Posted 19 January 2010 - 03:12 AM

Good! Please type the following bolded lines and press enter after each of them.

ren c:\windows\system32\drivers\atapi.sys c:\windows\system32\drivers\atapi.sys.bak

Note, if you get an error file not found, just skip this step. If you get an error Invalid command or something like that, post back here.

expand c:\cmdcons\atapi.sy_ c:\windows\system32\drivers\atapi.sys

You should now see 1 file(s) expanded.

exit

Your computer will now restart. Let me know if it boots.

regards, Elise




#13 maxkat


Posted 19 January 2010 - 07:42 AM

Thanks Elise

When I ran this command
ren c:\windows\system32\drivers\atapi.sys c:\windows\system32\drivers\atapi.sys.bak
It came back saying the parameter is not valid
So I checked for help on the ren command and it says:
ren [drive:][path]filename1 filename2
So I executed ren c:\windows\system32\drivers\atapi.sys atapi.sys.bak and it worked OK

Now I do the expand command but it tells me:
unable to create file atapi.sys
0 file(s) expanded

If I list the dir c:\windows\system32\drivers
I see an atapi.svs file, but no atapi.sys and no atapi.sys.bak files

Edited by maxkat, 19 January 2010 - 07:43 AM.


#14 Elise


Posted 19 January 2010 - 07:48 AM

Please try the following command:

copy c:\cmdcons\atapi.sy_ c:\windows\system32\drivers\atapi.sys


regards, Elise




#15 maxkat


Posted 19 January 2010 - 07:55 AM

Ok,
1 file(s) copied

Exit now to see if it boots?



