OK, you have a rootkit that infected a critical system file. We need to find a suitable replacement. First, don't worry. Your data is there.
We need to find a clean file and replace the infected one.
First, I need to give you this warning.

Backdoor Warning
One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? / When Should I Format, How Should I Reinstall
We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.
Next, we can do one of two approaches:
1. Replace the file to fix the computer.
2. Access your data to save it, then reformat.
I'll assume you want to fix. Do you have the Windows Installation CD? Can you get into the Recovery Console that Combofix should have installed?

Step 1
Enter the Recovery Console, to do that:
- Insert the Windows XP cd in your computer.
- Restart your computer so you are booting off of the CD. When you see "press any key to boot off CD ..." press a key. (If you don't get this, you have to change the boot order from the BIOS.)
- When the Welcome to Setup screen appears, press the R button on your keyboard to start the Recovery Console.
- The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.
- It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter. If you do not know your password then see this.
- If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.
At the C:\Windows prompt, please type each command below and press Enter. The note after each command gives you more information about it.

- map
  This will give you a listing of your drives. Note the letter of your CD-ROM.
- ren c:\windows\system32\drivers\mountmgr.sys mountmgr.old
  You'll get a fresh prompt without any notifications.
- expand e:\i386\mountmgr.sy_ c:\windows\system32\drivers
  Replace E with the letter of your CD-ROM drive from the map command above. You should get notified that the file expanded.
- exit
  Your computer will reboot.
Then, reboot from your hard drive and not the CD. Does Windows load? If not, I have more ways to replace this file.
Edited by etavares, 05 June 2010 - 05:49 AM.
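Added example, not part of etavares's post above: once Windows boots again, a practitioner would want to confirm that the file the Recovery Console put in place is really the clean copy from the CD and not the renamed infected one. The PowerShell script below (run from a normal Windows session, PowerShell 2.0 or later) expands the CD's compressed mountmgr.sy_ to a temporary file, hashes it alongside the installed driver and the mountmgr.old backup, and reports whether the installed driver is byte-identical to the CD copy. The driver paths and the E: CD-ROM letter are assumptions taken from the steps above; adjust them to what the map command showed.

```powershell
# Added example (not code from the original post). Verifies a driver replacement
# done from the Recovery Console by comparing the installed file against a fresh
# expansion of the compressed copy on the Windows XP CD. Paths are assumptions.
param(
    [string]$Driver = 'C:\Windows\system32\drivers\mountmgr.sys',   # replaced file
    [string]$Backup = 'C:\Windows\system32\drivers\mountmgr.old',   # renamed original
    [string]$CdCopy = 'E:\i386\mountmgr.sy_'                        # assumed CD letter
)

# Expand the CD's compressed driver to a temp file so it can be hashed.
$FromCd = Join-Path $env:TEMP 'mountmgr.sys.fromcd'
& expand.exe $CdCopy $FromCd | Out-Null

# SHA-256 of a file, as an uppercase hex string (works on PowerShell 2.0,
# which has no Get-FileHash cmdlet).
function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# Report size, hash and Authenticode status for each file of interest.
foreach ($f in @($Driver, $Backup, $FromCd)) {
    if (-not (Test-Path $f)) { "$f : missing"; continue }
    $sig = Get-AuthenticodeSignature $f
    "{0}`n  size   : {1}`n  sha256 : {2}`n  status : {3}" -f $f, (Get-Item $f).Length, (Get-Sha256 $f), $sig.Status
}

# The installed driver must be identical to what the CD contains.
if ((Get-Sha256 $Driver) -eq (Get-Sha256 $FromCd)) {
    'OK: installed mountmgr.sys matches the CD copy'
} else {
    'MISMATCH: installed mountmgr.sys differs from the CD copy - the replacement did not take'
}
```

The hash comparison is the meaningful check here. The Authenticode status is printed only as extra context: on Windows XP most system drivers are signed through a catalog file rather than an embedded signature, so Get-AuthenticodeSignature may report NotSigned for a perfectly clean file. A backup (mountmgr.old) whose hash differs from the CD copy is expected; an installed file whose hash differs is not.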