Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I Stupidly Installed Combofix


  • This topic is locked This topic is locked
42 replies to this topic

#1 Sarahbelle

Sarahbelle

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:52 AM

Posted 19 February 2010 - 12:02 AM

Sorry for my first post being a cry for help, but I did something stupid and I'm wondering if there's anything I can do to remedy it, or if I'm just screwed.

I installed Combofix on my laptop yesterday after a couple days of it totally freezing and just generally being out of commission. I'd had Avast Anti-Virus, Malwarebytes and Super Anti Spyware installed, but the virus seemed to disable them, because whenever I'd try to update the databases or do a scan, a log would come back saying everything was clean or the computer would just crash.

Then I noticed a suspect folder in my Documents titled "HelpAssistant," which had copies of all my files. I tried re-naming and deleting this folder, but it kept returning. I also noticed that "HelpAssistant" was now an administrative user, and I disabled and removed it from the admin group, but upon reboot it kept returning as an admin user.

I then elected to try Combofix. I downloaded it from one of the links recommended by this site and followed the instructions, I believe. It said it would be rebooting, but now it's continually restarting.

Is there anything I can do, besides a reformat?

Edited by elise025, 24 March 2010 - 04:48 AM.
Moved to a more appropriate forum ~ Elise


BC AdBot (Login to Remove)

 


#2 Sarahbelle

Sarahbelle
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:52 AM

Posted 22 March 2010 - 03:32 PM

My computer still just keeps restarting. I'm wondering, would something like "Ultimate Boot CD for Windows" work?

QUOTE
UBCD4Win is a bootable recovery CD that contains software used for repairing, restoring, or diagnosing almost any computer problem. Our goal is to be the most complete and easy to use free computer diagnostic tool. Almost all software included in UBCD4Win are freeware utilities for Windows®. Some of the tools inlcuded are "free for personal use" copies so users need to respect these licenses.




#3 JJ2K

JJ2K

  • Members
  • 162 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 22 March 2010 - 03:52 PM

When you say your computer keeps restarting do you mean every time you boot up, the computer will just restart again, and it will keep looping round in this pattern? Is any error message displayed, and when does it restart?

You can disable automatic restarts by hitting F8 after you boot up your computer but before windows starts. This will take you into the "advanced boot options" menu, then select "disable automatic restarts on system failure" from the list of options.

This is assuming you have Windows anyway, what version if so?

Anyway for now that should help with the automatic restarting, then hopefully somebody with more knowledge than me can proceed to help you with the problem when you can describe what happens after.



#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,314 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:52 AM

Posted 24 March 2010 - 04:43 AM

Hello Sarahbelle, this is most likely a rootkit messing up things (more specifically, the mebroot/helpassistant rootkit).

OK this file is big Print these instruction out so that you know what you are doing

Two programs to download

First

ISOBurner this will allow you to burn OTLPE ISO to a cd and make it bootable. Just install the program, from there on in it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Use Safelist
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 Sarahbelle

Sarahbelle
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:52 AM

Posted 24 March 2010 - 08:38 AM

Thanks JJ2K and elise025 for the replies. Here's the OTL text:

OTL logfile created on: 3/24/2010 9:20:56 AM - Run
OTLPE by OldTimer - Version 3.1.37.1 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 84.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 56.36 Gb Free Space | 75.62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 276.80 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet002

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto] -- -- (vxx)
SRV - File not found [Auto] -- -- (vf)
SRV - File not found [Auto] -- -- (srgxx)
SRV - File not found [Auto] -- -- (haid)
SRV - File not found [Disabled] -- -- (avast! Web Scanner)
SRV - File not found [Disabled] -- -- (avast! Mail Scanner)
SRV - File not found [Disabled] -- -- (avast! Antivirus)
SRV - File not found [Disabled] -- -- (aswUpdSv)
SRV - [2007/07/25 17:41:42 | 000,647,168 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2007/07/25 17:32:34 | 000,294,912 | ---- | M] (Intel® Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel®
SRV - [2007/07/25 17:29:38 | 000,987,136 | ---- | M] (Intel Corporation ) [Auto] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2007/07/25 17:22:44 | 000,327,680 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2006/09/05 11:09:10 | 000,315,392 | ---- | M] (Wave Systems Corp.) [Auto] -- C:\Program Files\Wave Systems Corp\Common\DataServer.exe -- (DataSvr2)
SRV - [2006/06/12 11:01:14 | 000,180,224 | ---- | M] () [Auto] -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe -- (tcsd_win32.exe)
SRV - [2006/03/17 06:34:24 | 000,115,952 | ---- | M] (symantec) [Auto] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/03/17 06:34:20 | 001,799,408 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/03/17 06:34:12 | 000,030,448 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/03/07 13:03:02 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/03/07 13:02:34 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/02/06 12:50:24 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2006/01/24 20:06:58 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2004/10/15 10:12:38 | 000,131,072 | ---- | M] (SonicWALL, Inc.) [On_Demand] -- C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe -- (RampartSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (UIUSys)
DRV - File not found [Kernel | Auto] -- -- (TCPZ) TCP Half Open Limited Patcher ( TCP-Z)
DRV - File not found [Kernel | Boot] -- -- (pxscan)
DRV - File not found [File_System | Auto] -- -- (pxrts)
DRV - File not found [Kernel | On_Demand] -- -- (pxkbf)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (i2omgmt)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- -- (catchme)
DRV - [2010/02/18 03:17:06 | 000,060,416 | ---- | M] () [Kernel | Boot] -- C:\WINDOWS\system32\drivers\Combo-Fix.sys -- (vkquwexg)
DRV - [2008/09/19 11:25:00 | 000,104,960 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
DRV - [2008/09/19 11:25:00 | 000,104,960 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
DRV - [2008/09/19 11:25:00 | 000,104,960 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
DRV - [2008/09/19 11:25:00 | 000,007,680 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\massfilter.sys -- (massfilter)
DRV - [2008/05/07 13:27:24 | 000,895,408 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080506.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2008/05/07 13:27:24 | 000,082,256 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080506.003\NAVENG.SYS -- (NAVENG)
DRV - [2008/04/03 17:02:15 | 000,385,072 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2008/03/18 15:13:34 | 000,109,616 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2007/08/08 09:17:54 | 002,211,456 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®
DRV - [2007/05/29 15:29:30 | 000,012,416 | ---- | M] (Intel Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/03/30 22:34:14 | 005,704,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/02/23 16:47:34 | 000,056,576 | ---- | M] (O2Micro) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\oz776.sys -- (guardian2)
DRV - [2006/10/12 23:28:42 | 000,604,928 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2006/04/04 17:20:37 | 000,009,344 | ---- | M] (Hewlett Packard) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hpfxbulk.sys -- (HPFXBULK)
DRV - [2006/03/24 18:34:30 | 001,156,648 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/02/06 12:50:22 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2006/01/31 13:29:20 | 000,107,696 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/01/24 20:06:36 | 000,195,776 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2006/01/24 20:06:32 | 000,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2006/01/16 10:36:40 | 000,028,800 | ---- | M] (UPEK Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\tcusb.sys -- (TcUsb)
DRV - [2005/12/19 20:41:58 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2005/12/19 20:41:56 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2005/12/01 02:40:56 | 000,936,960 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2005/12/01 02:40:12 | 000,192,512 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2005/12/01 02:40:08 | 000,669,696 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2005/10/26 11:01:02 | 000,142,720 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/10/14 07:54:16 | 000,017,290 | ---- | M] (Broadcom Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\btpmw32.sys -- (BCMTPM)
DRV - [2005/09/28 21:57:18 | 000,113,847 | R--- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2004/10/15 10:46:12 | 000,091,136 | ---- | M] (SonicWALL, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\RCFOX.SYS -- (RCFOX)
DRV - [2004/08/12 18:45:54 | 000,137,728 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/04 08:00:00 | 000,088,448 | ---- | M] (Microsoft Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2004/08/04 08:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2004/08/04 08:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2004/05/14 17:15:22 | 000,147,236 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2003/08/20 14:01:22 | 000,023,180 | ---- | M] (SonicWALL, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\rcvpn.sys -- (rcvpn)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?pollId=p220013223...18084&q1=c1
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\lchengadmin_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\lchengadmin_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\melissag_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKU\melissag_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\Oswald_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
IE - HKU\Oswald_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/18 02:34:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/18 02:19:28 | 000,000,000 | ---D | M]

[2009/10/23 03:52:28 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/08/04 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [autodetect] C:\WINDOWS\system32\SupportAppXL\AutoDect.exe ()
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [combofix] C:\ComboFix\CF30712.cfx File not found
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\RunOnce: [combofix] C:\ComboFix\CF30712.cfx File not found
O4 - HKLM..\RunOnceEx: [flags] Reg Error: Invalid data type. File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpzrcv01.LNK = C:\Program Files\HP\Temp\{B94428F6-E93C-4d1d-8580-46D70FA07A9D}\setup\hpzstub.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: MaxGPOScriptWait = 480
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\lchengadmin_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\melissag_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\melissag_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\melissag_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\melissag_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Oswald_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/7.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1194623865361 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1256244486437 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {BD4C7EDB-A392-11D9-8BFB-0040953018D7} http://www.streamerp2p.com/sfiles/phasex.cab (PhaseCaster Widget)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 207.164.234.193 207.164.234.129
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = generation5.ca
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O30 - LSA: Authentication Packages - (wvauth) - C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)
O30 - LSA: Authentication Packages - (nwprovau) - C:\WINDOWS\System32\nwprovau.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/07 12:18:21 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 07:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/18 03:17:06 | 000,060,416 | ---- | C] () -- C:\WINDOWS\System32\drivers\Combo-Fix.sys
[2010/02/18 02:03:05 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\melissag\Local Settings\Application Data\housecall.guid.cache
[2009/10/28 02:35:12 | 000,000,031 | ---- | C] () -- C:\WINDOWS\System32\appmgmts.dll_lang.ini
[2009/10/26 03:52:25 | 000,000,238 | ---- | C] () -- C:\WINDOWS\mafosav.INI
[2009/10/24 03:42:59 | 000,000,967 | ---- | C] () -- C:\WINDOWS\oregon.ini
[2009/09/21 03:41:06 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\melissag\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/11 15:02:51 | 000,000,058 | -HS- | C] () -- C:\WINDOWS\System32\User.ini
[2009/09/03 01:39:27 | 000,000,095 | ---- | C] () -- C:\WINDOWS\TOCR.ini
[2009/09/03 01:39:26 | 000,000,003 | ---- | C] () -- C:\WINDOWS\System32\bversion.dll
[2009/09/03 01:39:07 | 000,000,095 | ---- | C] () -- C:\WINDOWS\System32\TRSOCR.ini
[2009/08/21 14:27:16 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\lchengadmin\Local Settings\Application Data\fusioncache.dat
[2009/08/21 14:27:16 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\lchengadmin\Local Settings\Application Data\.user_keys.dat
[2009/08/19 16:44:55 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\melissag\Local Settings\Application Data\fusioncache.dat
[2009/08/19 16:44:55 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\melissag\Local Settings\Application Data\.user_keys.dat
[2009/07/10 14:43:34 | 000,006,730 | ---- | C] () -- C:\Documents and Settings\Oswald\Application Data\PrimoPDFSet.xml
[2009/07/10 14:43:31 | 000,000,326 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\PrimoPDFSet.xml
[2009/07/10 14:42:35 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2009/07/10 12:45:55 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Oswald\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/09 09:59:37 | 000,000,394 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2009/07/09 09:59:16 | 000,001,191 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2009/07/09 09:56:45 | 000,229,376 | ---- | C] () -- C:\WINDOWS\System32\HPPCPR01.DLL
[2009/07/08 14:32:07 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Oswald\Local Settings\Application Data\fusioncache.dat
[2009/07/08 14:32:07 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\Oswald\Local Settings\Application Data\.user_keys.dat
[2009/04/27 00:13:36 | 000,000,314 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2008/10/28 07:34:22 | 000,380,928 | ---- | C] () -- C:\WINDOWS\System32\GeocoderWrapper.dll
[2008/04/03 17:51:01 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2008/04/03 17:12:50 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2008/04/03 17:12:46 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2008/04/03 15:46:20 | 000,151,024 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2007/11/19 11:51:00 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/11/11 10:41:39 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/11/07 13:52:30 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\.user_keys.dat
[2007/11/07 13:49:04 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\bioapi_mds300.dll
[2007/11/07 13:49:04 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\bioapi100.dll
[2007/11/07 13:48:51 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2007/11/07 13:39:00 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4814.dll
[2007/03/05 14:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2006/09/12 13:07:36 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_en.dll
[2006/09/12 13:01:48 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\AmRes_es.dll
[2006/09/12 13:01:42 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ko.dll
[2006/09/12 13:01:34 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\AmRes_de.dll
[2006/09/12 13:01:28 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pt-BR.dll
[2006/09/12 13:01:20 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\AmRes_fr.dll
[2006/09/12 13:01:12 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ja.dll
[2006/09/12 13:01:06 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ru.dll
[2006/09/12 13:00:58 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\AmRes_it.dll
[2006/09/12 13:00:52 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHS.dll
[2006/09/12 13:00:44 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHT.dll
[2006/09/05 11:05:32 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_en.dll
[2006/09/05 10:26:06 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_pt.dll
[2006/09/05 10:25:54 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHT.dll
[2006/09/05 10:25:42 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ko.dll
[2006/09/05 10:25:32 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_es.dll
[2006/09/05 10:25:20 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ru.dll
[2006/09/05 10:25:10 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_ja.dll
[2006/09/05 10:24:58 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_it.dll
[2006/09/05 10:24:48 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_de.dll
[2006/09/05 10:24:36 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_fr.dll
[2006/09/05 10:24:26 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_zh-CHS.dll
[2006/06/12 11:01:18 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_RUS.dll
[2006/06/12 11:01:18 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ITA.dll
[2006/06/12 11:01:18 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_FRA.dll
[2006/06/12 11:01:18 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ESN.dll
[2006/06/12 11:01:18 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ENU.dll
[2006/06/12 11:01:18 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_DEU.dll
[2006/06/12 11:01:18 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_CHS.dll
[2006/06/12 11:01:16 | 000,348,160 | ---- | C] () -- C:\WINDOWS\System32\Tsp.dll
[2006/02/09 14:46:30 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\VSHP1020.DLL
[2005/09/20 14:36:06 | 000,798,720 | ---- | C] () -- C:\WINDOWS\System32\DemoLicense.dll
[2004/07/21 16:03:14 | 000,917,504 | ---- | C] () -- C:\WINDOWS\System32\lmgr10.dll
[2004/07/20 15:27:52 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ADsSecurity.dll
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/12/02 15:00:42 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\OfficeUpdate12
[2007/11/07 13:52:18 | 000,000,000 | ---D | M] -- C:\WINDOWS\system32\config\systemprofile\Application Data\Wave Systems Corp
[2008/04/03 16:16:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\OfficeUpdate12
[2008/04/03 15:49:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Wave Systems Corp
[2008/04/03 16:16:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\lchengadmin\Application Data\OfficeUpdate12
[2008/04/03 15:49:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\lchengadmin\Application Data\Wave Systems Corp
[2009/12/07 18:38:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\eejjs
[2009/12/07 17:21:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\sghrd
[2009/12/14 22:23:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\melissag\Application Data\ContentGuard
[2008/04/03 16:16:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\melissag\Application Data\OfficeUpdate12
[2009/08/29 22:20:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\melissag\Application Data\SRC
[2008/04/03 15:49:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\melissag\Application Data\Wave Systems Corp
[2008/04/03 16:16:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Oswald\Application Data\OfficeUpdate12
[2009/07/10 11:20:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Oswald\Application Data\SRC
[2008/04/03 15:49:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Oswald\Application Data\Wave Systems Corp
[2010/02/18 00:34:48 | 000,000,458 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 1).job
[2010/02/18 00:34:48 | 000,000,458 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 2).job
[2010/02/18 00:34:48 | 000,000,458 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 3).job
[2010/02/18 00:34:48 | 000,000,458 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Daily 4).job
[2010/02/18 00:34:48 | 000,000,458 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========


< End of report >

Edited by elise025, 24 March 2010 - 09:19 AM.
Removed code tags to make reading the log easier ~ Elise


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,314 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:52 AM

Posted 24 March 2010 - 09:24 AM

Hello again, I removed the code tags from your log. This makes reading the log a bit easier for me.

Can you please post me the contents of the c:\qoobox folder? (please look also in subfolder(s) of c:\qoobox\quarantine).

We Need to Diagnose Your BlueScreen
  1. When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  2. Select "Disable Automatic Restart on System Failure", as shown here:
  3. When your system BSODs, write down the STOP error code, as well as any written out error message back here. The STOP error will always appear, but the message may not. You are looking for this:
Please post me the error(s).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 Sarahbelle

Sarahbelle
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:52 AM

Posted 24 March 2010 - 05:11 PM

Ok, there's five sub-folders in C:\Qoobox - BackEnv, LastRun, Quarantine, Test and TestC. There are two sub-folders and one file in C:\Qoobox\Quarantine - C, Registry_backups and catchme.log. Do you need the actual files posted?

This is rather dumb, but I'm having a hard time restarting the computer with Reatogo. I try clicking the icon in the lower left side of the screen, where Start would normally be, and nothing happens. I also tried ctrl + alt + delete but it just shows processes, no option to restart or shutdown. Do I just unplug the power and wait for the comp to die and then plug it back in and restart it that way?

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,314 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:52 AM

Posted 25 March 2010 - 02:14 AM

Yes, you can restart that way. It can be some piece of connected hardware is causing this (for example, I have this issue when my mp3 player is connected).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 Sarahbelle

Sarahbelle
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:52 AM

Posted 25 March 2010 - 10:24 AM

Ok, I hit F8 and selected Disable Automatic Restart. Then I'm asked to select the OS to start: Microsoft Windows Recovery Console, Microsoft Windows XP Professional and Microsoft Windows XP Professional. Either one I select results in a restart and back to the OS Choices Menu. There's no blue screen or error message.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,314 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:52 AM

Posted 25 March 2010 - 12:23 PM

QUOTE
There are two sub-folders and one file in C:\Qoobox\Quarantine - C, Registry_backups and catchme.log. Do you need the actual files posted?
I need to know what is in the C folder (also in the subfolders).


Also, look for c:\boot.ini (using My Computer on the Reatogo desktop). Right click on the file and open it and post me its contents.

Edited by elise025, 25 March 2010 - 12:23 PM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,314 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:52 AM

Posted 28 March 2010 - 11:55 AM

Hello, are you still there?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 Sarahbelle

Sarahbelle
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:52 AM

Posted 28 March 2010 - 07:00 PM

Hi, yes, sorry...There's one folder in Qoobox\Quarantine\C - WINDOWS. In WINDOWS is a system32 folder and something called AegisP.inf.vir. In system32 there's a 4F3X.vir file.

Boot.ini contents:

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,314 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:52 AM

Posted 29 March 2010 - 03:24 AM

When booting your computer, don't you see at one point the choice to start either Windows XP or the Recovery Console?

If so, try to boot in the Recovery Console and let me know what happens.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#14 Sarahbelle

Sarahbelle
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:52 AM

Posted 30 March 2010 - 02:32 AM

Unfortunately, selecting Recovery Console just takes me back to the OS Choices Menu upon reboot.

Edited by Sarahbelle, 30 March 2010 - 02:32 AM.


#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,314 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:07:52 AM

Posted 30 March 2010 - 04:12 AM

Please re-run OTLPE and copy/paste the text in the codebox below into the "custom scan/fix" field and click "run fix"

CODE
:services
vxx
vf
srgxx
haid


Afterwards let me know if anything changed.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users