
Malware seems to have survived re-format [Computer 1]


  • This topic is locked
37 replies to this topic

#1 darylv6
  • Members

Posted 14 November 2010 - 07:20 PM

Hello,

I posted this issue here: http://www.bleepingcomputer.com/forums/topic360389.html, and cryptodan advised posting as a new topic here.

It's a Gateway GT5028. Windows XP. The problem began with a flicker in the screen (LG Flatron L1917S), which I guessed was connected to the graphics card, and figured I couldn't do anything about it. Next came what I now have read was a trojan disguised as "Microsoft Security Essentials" which I fell for. I tried AntiMalwareBytes, but only made minor progress. Within 30 minutes of a reboot, I would have nine "svchost.exe" processes running, each at about 140MB. Also, in any internet browser I used, when I right-clicked to open in a new tab I'd get some random site opening about insurance or mortgages. Explorer didn't start up with re-boots and I'd have to do it manually through Task Manager to get my desktop up. Tried some fixes I found online but to no avail. When all else failed in my attempts to remove this from my system, I re-formatted the HD, but the problem persisted somehow, though the screen flicker seems to have disappeared. The problem seemed entangled in McAfee, which came with the system (with it finding malware in its own files), and which I only finally removed with the McAfee removal kit. Still, every time I run AntiMalwareBytes, it finds new malware. Also, using just IE now, I have the same problem: when I right-click to open new tabs, I get some random sites about insurance or mortgages.

Some more info: the first re-format went fine, but on the re-install it got stuck on the nvidia chipset - not recognizing the Windows logo. Started from scratch and somehow got through it. Something not okay with Nero, but it didn't get stuck there. Now, pretty close to the end of the re-install, I started getting McAfee boxes popping up saying there was an infected file. But McAfee wasn't even fully installed.

Also, I've discovered one of my memory sticks had a RECYCLER file and four useless shortcuts. The other memory stick was unreadable to the desktop since it didn't have some RECYCLER file. I've since shredded what I could with Your Uninstaller (though I've read it might just re-appear), and now the computer won't read that one either.

I'm also concerned I may have infected my laptop as well (but I haven't included those logs here).

Thanks very much for your help.


I've attached Attach.txt and ark.log. Here is the DDS log:


DDS (Ver_10-11-10.01) - NTFSx86
Run by Owner at 18:39:54.84 on 14/11/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1918.1466 [GMT -5:00]

AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.ca/
mDefault_Page_URL = hxxp://www.gatewaybiz.com
mStart Page = hxxp://www.gatewaybiz.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [{B707FF4C-2B2C-82F7-9F4F-F49A7ED285D9}] "c:\documents and settings\owner\application data\uwavvu\yluh.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\j1646hpf.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

=============== Created Last 30 ================

2010-11-14 22:37:31 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-11-14 17:27:24 -------- d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-11-14 17:27:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-11-14 17:27:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-14 16:04:20 -------- d-----w- c:\program files\Speccy
2010-11-14 14:45:25 -------- d-----w- c:\windows\ServicePackFiles
2010-11-14 14:44:35 -------- d-----w- c:\docume~1\owner\applic~1\Liloow
2010-11-14 14:44:35 -------- d-----w- c:\docume~1\owner\applic~1\Hamaut
2010-11-14 08:58:50 -------- d-----w- c:\docume~1\owner\applic~1\Ambua
2010-11-14 05:06:34 -------- d-----w- c:\program files\CCleaner
2010-11-14 04:05:37 -------- d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-11-14 04:05:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-14 04:05:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-14 04:05:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-14 04:05:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-14 03:54:50 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2010-11-14 03:53:21 -------- d-----w- c:\docume~1\owner\applic~1\Uwavvu
2010-11-14 03:47:59 -------- d-----w- c:\docume~1\owner\applic~1\URSoft
2010-11-14 03:47:54 -------- d-----w- c:\program files\Your Uninstaller 2010
2010-11-14 03:41:57 -------- d-----w- c:\windows\system32\SoftwareDistribution
2010-11-14 03:16:26 67072 ----a-w- c:\windows\POWERCFG.EXE
2010-11-14 03:15:17 -------- d-----w- c:\program files\Microsoft Money 2005
2010-11-14 03:15:13 -------- d-----w- c:\program files\MSN Encarta Plus
2010-11-14 03:14:51 -------- d-----w- c:\program files\Digital Media Reader
2010-11-14 03:14:43 -------- d-----w- c:\windows\Downloaded Installations
2010-11-14 03:12:47 -------- d-----w- c:\program files\common files\aolshare
2010-11-14 03:12:39 -------- d-----w- c:\program files\common files\AOL
2010-11-14 03:12:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\Napster
2010-11-14 03:12:16 -------- d-----w- c:\program files\Napster
2010-11-14 03:10:29 -------- d-----w- c:\program files\Microsoft Digital Image 2006
2010-11-14 03:10:14 89088 ----a-w- c:\windows\system32\atl71.dll
2010-11-14 03:10:14 127382 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2010-11-14 03:09:51 20480 ----a-w- c:\windows\system32\Marker32.exe
2010-11-14 03:09:43 49265 ----a-w- c:\windows\system32\jpicpl32.cpl
2010-11-14 03:08:58 471298 ----a-w- c:\windows\wallpg.exe
2010-11-14 03:08:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\Prism Deploy
2010-11-14 03:08:45 -------- d-----w- c:\program files\tmp
2010-11-14 03:08:37 -------- d-----w- c:\program files\common files\New Boundary
2010-11-14 03:05:56 6400 ----a-w- c:\windows\system32\drivers\splitter.sys
2010-11-14 03:04:54 -------- d-----w- c:\program files\CONEXANT
2010-11-14 03:04:43 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2010-11-14 03:04:42 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-11-14 03:04:42 53248 ----a-w- c:\windows\system32\drivers\1394bus.sys
2010-11-14 03:04:26 17024 ----a-w- c:\windows\system32\drivers\usbohci.sys
2010-11-14 03:04:24 26624 ----a-w- c:\windows\system32\drivers\usbehci.sys
2010-11-14 03:04:23 7168 ----a-w- c:\windows\system32\hccoin.dll
2010-11-14 03:03:01 -------- d-----w- c:\program files\Microsoft
2010-11-14 02:45:50 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-11-14 02:45:06 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-11-14 02:44:42 82432 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-11-14 02:43:25 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-11-14 02:43:14 23040 ------w- c:\windows\kb913800.exe
2010-11-14 02:43:06 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-11-14 02:36:30 -------- d-----w- c:\windows\system32\PreInstall
2010-11-14 02:01:41 -------- d-----w- c:\windows\creator
2010-11-14 01:59:58 49211 ----a-w- c:\windows\system32\usrsdpia.dll
2010-11-14 01:58:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2010-11-14 01:57:59 43008 ----a-w- c:\windows\system32\drivers\AMDAGP.SYS
2010-11-14 01:57:59 41088 ----a-w- c:\windows\system32\drivers\SISAGP.SYS
2010-11-14 01:57:58 44928 ----a-w- c:\windows\system32\drivers\AGPCPQ.SYS
2010-11-14 01:57:58 42752 ----a-w- c:\windows\system32\drivers\ALIM1541.SYS
2010-11-14 01:57:57 52224 ----a-w- c:\windows\system32\dmutil.dll
2010-11-14 01:57:57 42368 ----a-w- c:\windows\system32\drivers\AGP440.SYS
2010-11-14 01:57:54 47104 ----a-w- c:\windows\system32\cnbjmon.dll
2010-11-14 01:45:16 65536 -c----w- c:\windows\system32\dllcache\nwwks.dll
2010-11-14 01:45:16 64000 -c----w- c:\windows\system32\dllcache\nwapi32.dll
2010-11-14 01:45:16 163584 -c----w- c:\windows\system32\dllcache\nwrdr.sys
2010-11-14 01:45:16 142336 -c----w- c:\windows\system32\dllcache\nwprovau.dll
2010-11-14 01:45:14 927504 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-11-14 01:45:13 981760 -c----w- c:\windows\system32\dllcache\mfc42u.dll
2010-11-14 01:45:08 69632 -c----w- c:\windows\system32\dllcache\raschap.dll
2010-11-14 01:45:08 112128 -c----w- c:\windows\system32\dllcache\rastls.dll
2010-11-14 01:45:07 253952 -c----w- c:\windows\system32\dllcache\es.dll
2010-11-14 01:45:04 132096 -c----w- c:\windows\system32\dllcache\wkssvc.dll
2010-11-14 01:45:03 247326 -c----w- c:\windows\system32\dllcache\strmdll.dll
2010-11-14 01:45:02 344064 -c----w- c:\windows\system32\dllcache\localspl.dll
2010-11-14 01:43:59 453120 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-11-14 01:42:48 8192 -c----w- c:\windows\system32\dllcache\rasadhlp.dll
2010-11-14 01:42:47 148992 -c--a-w- c:\windows\system32\dllcache\dnsapi.dll

==================== Find3M ====================

2010-11-14 03:13:32 24576 ----a-w- c:\windows\system32\prefscpl.cpl

============= FINISH: 18:40:22.64 ===============

I've posted the scan results from the laptop here: http://www.bleepingcomputer.com/forums/topic360633.html

Merged posts. ~ OB

Edited by Orange Blossom, 14 November 2010 - 11:07 PM.
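The two autostart lines a responder would pull out of the DDS log above are the Winlogon Userinit value, which carries a second executable after the stock userinit.exe, and the uRun entry whose value name is a GUID and whose program sits under the user's Application Data folder. The script below is an added example, not part of the original post and not code from the DDS tool: it re-checks those two patterns over a constructed subset of the log's "Pseudo HJT Report" lines. The list of per-user writable folders and the "GUID as value name" heuristic are the editor's own assumptions, not rules DDS itself applies.

```python
import re
from typing import List, Tuple

# Autostart lines copied from the DDS log in the post above (constructed
# subset of the "Pseudo HJT Report"; the other sections are omitted).
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
uRun: [{B707FF4C-2B2C-82F7-9F4F-F49A7ED285D9}] "c:\documents and settings\owner\application data\uwavvu\yluh.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
"""

# The only program Winlogon's Userinit value should name on a stock XP install.
# A trailing comma is normal; any further entry is an extra program run at logon.
LEGIT_USERINIT = {"userinit.exe", r"c:\windows\system32\userinit.exe"}
# Assumed heuristics (editor's own): a GUID used as a Run value name, and a
# program launched from a folder the logged-on user can write to.
GUID_NAME = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
USER_WRITABLE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")

RUN_LINE = re.compile(r"^[um]Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
USERINIT_LINE = re.compile(r"^mWinlogon:\s+Userinit=(?P<value>.*)$", re.I)

Finding = Tuple[str, str]  # (where it was found, what was found)


def split_userinit(value: str) -> List[str]:
    """Userinit is a comma-separated list; Winlogon launches every non-empty entry."""
    return [p.strip() for p in value.split(",") if p.strip()]


def check_userinit(value: str) -> List[Finding]:
    """Report every Userinit entry that is not the stock userinit.exe."""
    return [("Userinit", entry) for entry in split_userinit(value)
            if entry.lower() not in LEGIT_USERINIT]


def program_path(cmd: str) -> str:
    """Return the executable part of a Run value: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def check_run_entry(name: str, cmd: str) -> List[Finding]:
    """Flag Run values with a GUID for a name or a program in a per-user writable folder."""
    path = program_path(cmd).lower()
    reasons = []
    if GUID_NAME.match(name.strip()):
        reasons.append("GUID-style value name")
    if any(d in path for d in USER_WRITABLE_DIRS):
        reasons.append("runs from a per-user writable folder")
    if not reasons:
        return []
    return [(f"Run [{name}]", f"{path} ({'; '.join(reasons)})")]


def triage(dds_text: str) -> List[Finding]:
    """Walk the Pseudo HJT Report lines and collect the autostart findings."""
    findings: List[Finding] = []
    for line in dds_text.splitlines():
        m = USERINIT_LINE.match(line)
        if m:
            findings.extend(check_userinit(m.group("value")))
            continue
        m = RUN_LINE.match(line)
        if m:
            findings.extend(check_run_entry(m.group("name"), m.group("cmd")))
    return findings


if __name__ == "__main__":
    for where, what in triage(SAMPLE_DDS):
        print(f"{where}: {what}")
```

Run against the sample, it reports exactly the two lines discussed: the extra watermark.exe in Userinit and the GUID-named uRun value pointing at yluh.exe; the vendor entries (ehTray, SoundMan, the NVIDIA rundll32 calls, the Gateway reminder) pass. Note that Userinit is checked by value, not by file: a legitimate path whose file has been replaced would not be caught here, which is why the later posts fall back to restoring winlogon.exe and explorer.exe from the install media.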


#2 Blind Faith
  • Malware Response Team

Posted 22 November 2010 - 04:48 PM

Hello and welcome to Bleeping Computer! :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it? It's all around!

Do you remember? If you do, then can you forgive?

If I haven't replied in 48 hours, please feel free to send me a PM.

#3 darylv6
  • Topic Starter

Posted 22 November 2010 - 09:26 PM

New problem: the computer won't even boot up properly, even when I try Safe Mode. It gets to where you'd expect the desktop to load up, but never gets there and just re-boots itself. (I hadn't touched the computer in a week since I posted on this site).

Is this machine finished?

#4 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • Location:Romania

Posted 23 November 2010 - 03:10 PM

Hi, please let me know if you see a blue screen.

We Need to Diagnose Your BlueScreen
  • When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  • Select "Disable Automatic Restart on System Failure", as shown here:
    Posted Image
  • When your system BSODs, write down the STOP error code, as well as any written out error message back here. The STOP error will always appear, but the message may not. You are looking for this:
    Posted Image
Please post me the error(s).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 darylv6
  • Topic Starter

Posted 23 November 2010 - 03:16 PM

STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000).
The system has been shut down

#6 Elise
  • Malware Study Hall Admin

Posted 23 November 2010 - 03:20 PM

From the sound of it you did a repair installation, not a complete reformat/reinstall.

Before continuing, are you using a normal XP install CD, or a recovery disk?

regards, Elise



#7 darylv6
  • Topic Starter

Posted 23 November 2010 - 03:34 PM

The disc says:
Microsoft Windows XP Media Center Edition
Operating System Disc
Dual-core

And there are instructions on how to re-install the operating system

#8 darylv6
  • Topic Starter

Posted 23 November 2010 - 03:36 PM

(MS Windows XP Media Center Edition 2005)

#9 Elise
  • Malware Study Hall Admin

Posted 23 November 2010 - 03:44 PM

  • Insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.

  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
    • The tab should now show your current boot order.
      If the CD-drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your XP-CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • When prompted to choose a windows installation, type 1 and press enter.
  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open
Type the following lines and press enter after each line (assuming that your cd drive letter is D. If this is not the case, change the D: in the script below accordingly).

ren explorer.exe explorer.vir

expand d:\i386\explorer.ex_ explorer.exe

cd system32

ren winlogon.exe winlogon.vir

expand d:\i386\winlogon.ex_ winlogon.exe

exit

regards, Elise



#10 darylv6
  • Topic Starter

Posted 23 November 2010 - 10:42 PM

Hi Elise,

I'm not getting the prompts as you described them. The PC does boot up from the cd, and I'm asked on a black screen to press 'R' for Gateway System Recovery Options. When I press 'R', I get another screen (still black) asking me again - 'R' for standard Gateway System Recovery Options, or 'Q' to quit and boot the OS on the hard disc. When I choose 'R', I get a green and white Gateway screen - System Recovery. I have two choices: Full System Restore (destructive) or Full System Restore (with backup).

Should I go for the destructive option again (this is what I did originally, twice)?

#11 Elise
  • Malware Study Hall Admin

Posted 24 November 2010 - 05:02 AM

No, try the steps using this disk instead:

Please download ARCDC from Artellos.com.
  • Double click ARCDC.exe
  • Follow the dialog until you see 6 options. Please pick: Windows Professional SP2 & SP3
  • You will be prompted with a Terms of Use by Microsoft, please accept.
  • You will see a few dos screens flash by, this is normal.
  • Next you will be able to choose to add extra files. Select the Default Files.
  • The last window will allow you to burn the disk using BurnCDCC
Your ISO is located on your desktop.

regards, Elise



#12 darylv6
  • Topic Starter

Posted 24 November 2010 - 04:36 PM

OK. I burned the cd & booted from it.
I didn't get prompted for an admin pwd.
I get a c:\MiniNT> prompt.
When I type in the first command

ren explorer.exe explorer.vir

(even when I try changing directory to c:\), I get "The system cannot find the file or directory specified".

I tried the next command (just for laughs)

expand e:\i386\explorer.ex_ explorer.exe

and got that there was no floppy or cd in the drive (I tried d, e, f, g, h) - it should have been e:

What to do?

thanks

#13 Elise
  • Malware Study Hall Admin

Posted 24 November 2010 - 04:47 PM

Sorry, I think you need to swap the disks (put in your XP disk) once you are in the Recovery console.

If the ren... command doesn't work, it means the file doesn't exist, you can then move on to the next line.

regards, Elise



#14 darylv6
  • Topic Starter

Posted 24 November 2010 - 05:08 PM

Hi. It seems like nothing is working. None of the commands work (except "exit"), and I can't even swap out the disks (the eject button suddenly seems to not work). I can put my XP cd in the other cd drive, but it's not recognized (there is no floppy, etc.)

I'm also a bit confused what we're trying to do here.

#15 Elise
  • Malware Study Hall Admin

Posted 25 November 2010 - 03:58 AM

What we are trying to do here is replace two files that will allow Windows to boot normally.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert it back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review

regards, Elise

