Infected with Scour Redirect via Csrss.exe


  • This topic is locked
26 replies to this topic

#1 LA Freddy

Posted 11 January 2011 - 10:58 PM

My browser regularly redirects links from a Google search to scour.com or other site. In my ...\Local Settings\Temp folder (where I regularly delete everything), I have a file that I can't delete named "csrss.exe" and sometimes some other files that I can't delete. If I rename this file, a new file with the same name reappears after some time (maybe after I restart the machine?). Some other small quirks have happened, but this is the one that I can most easily replicate and thus describe.

Thanks for any help you can give!





DDS (Ver_10-12-12.02) - NTFSx86
Run by Jacques at 22:20:30.02 on Tue 01/11/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.299 [GMT -5:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TpScrLk.exe
C:\PROGRA~1\InFocus\PROJEC~1\pmprjdet.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jacques\Application Data\dwm.exe
C:\Documents and Settings\Jacques\Application Data\Microsoft\conhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jacques\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.victoryschools.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:56364
mSearchAssistant = hxxp://www.google.com/ie
uWinlogon: Shell=explorer.exe,c:\documents and settings\jacques\application data\dwm.exe
uWindows: Load=c:\docume~1\jacques\locals~1\temp\csrss.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: CutePDF Form Filler Helper: {d41289f2-69c6-417b-897e-c653d677cbaf} - c:\program files\cutepdf pro\CPFillerCo.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [yrtklgrp] c:\docume~1\jacques\locals~1\temp\ioskyvopc\cpsnbnkaffm.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [cssauth] "c:\program files\ibm thinkvantage\client security solution\cssauth.exe" silent
mRun: [PDService.exe] "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [TPKBDLED] c:\windows\system32\TpScrLk.exe
mRun: [InFocusProjectorDetector] c:\progra~1\infocus\projec~1\pmprjdet.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [<NO NAME>]
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [conhost] c:\documents and settings\jacques\application data\microsoft\conhost.exe
StartupFolder: c:\documents and settings\jacques\start menu\programs\startup\Bourbon Dork.URL
StartupFolder: c:\docume~1\jacques\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\documents and settings\jacques\start menu\programs\startup\Poker Table Top - Craigslist.URL
StartupFolder: c:\documents and settings\jacques\start menu\programs\startup\Win With Phil at Golfsmith.com.URL
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146846468812
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146846546296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://homeroom.webex.com/client/T27LB/webex/ieatgpc.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli csspwntfy psqlpwd svgmdirm.dll
Hosts: 192.168.2.10 earth
Hosts: 192.168.2.10 earth.vsi.local
Hosts: 192.168.2.20 douglass
Hosts: 192.168.2.20 douglass.vsi.local
Hosts: 192.168.2.25 mail

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jacques\applic~1\mozilla\firefox\profiles\2cv60ad4.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 56364
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {A7A8357E-FE0F-4195-9102-F1B436034B2E} - c:\documents and settings\jacques\local settings\application data\{A7A8357E-FE0F-4195-9102-F1B436034B2E}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2006-12-25 19760]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-1-2 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-11-15 46142]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-12-21 3968]
R2 smihlp2;SMI Helper Driver (smihlp2);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2006-12-8 11152]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-10-10 2002728]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2006-8-2 6016]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-1-2 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-1-2 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-1-2 168776]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-10 135664]
S3 ifcprusb;ifcprusb;c:\windows\system32\drivers\ifcprusb.sys [2003-7-3 36800]
S3 tpflhlp;tpflhlp;c:\drivers\79uj17us\tpflhlp.sys [2006-12-13 13616]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-2-15 280344]

=============== Created Last 30 ================

2011-01-11 15:15:31 172544 ----a-w- c:\docume~1\jacques\applic~1\microsoft\conhost.exe
2011-01-05 03:55:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-05 03:55:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-01-05 03:32:44 -------- d--h--w- c:\windows\PIF
2011-01-04 00:37:56 182272 ----a-w- c:\docume~1\jacques\applic~1\dwm.exe
2010-12-15 09:12:09 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 09:11:21 45568 ------w- c:\windows\system32\dllcache\wab.exe

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 22:22:16.30 ===============
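The DDS report above is easiest to read with a few fixed rules in mind: the Winlogon Shell value should be exactly explorer.exe, the Windows Load value should be empty, a browser proxy of 127.0.0.1 hands every request to a local process, and core Windows binary names such as csrss.exe, conhost.exe and dwm.exe belong only under %SystemRoot%. The Python below is an added example, not part of the original post and not DDS code: it applies those rules to lines copied from the log (SAMPLE_REPORT is a constructed excerpt), handles the 8.3 short paths DDS prints (docume~1, locals~1), and assumes the XP system root is C:\WINDOWS. The rule names and path markers are the script's own.

```python
"""Triage a DDS 'Pseudo HJT Report' for the persistence and proxy tricks seen above.

Added example: rule names and path markers are this script's own, not DDS output.
"""
import re

# Constructed excerpt: lines copied from the DDS log in the post above.
SAMPLE_REPORT = r'''
C:\Documents and Settings\Jacques\Application Data\dwm.exe
C:\Documents and Settings\Jacques\Application Data\Microsoft\conhost.exe
uInternet Settings,ProxyServer = http=127.0.0.1:56364
uWinlogon: Shell=explorer.exe,c:\documents and settings\jacques\application data\dwm.exe
uWindows: Load=c:\docume~1\jacques\locals~1\temp\csrss.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [yrtklgrp] c:\docume~1\jacques\locals~1\temp\ioskyvopc\cpsnbnkaffm.exe
mRun: [conhost] c:\documents and settings\jacques\application data\microsoft\conhost.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 56364
FF - prefs.js: network.proxy.type - 1
'''

SHELL_HIJACK = "Winlogon Shell has entries besides explorer.exe"
LOAD_SET = "Windows Load= is set (normally empty)"
LOOPBACK_PROXY = "browser proxy points at the loopback address"
MASQUERADE = "core Windows binary name outside %SystemRoot%"
USER_WRITABLE_AUTOSTART = "autostart entry runs from a user-writable path"

# Core Windows binaries that legitimately live only under %SystemRoot% (assumed C:\WINDOWS on XP).
SYSTEM_BINARY_NAMES = {"csrss.exe", "conhost.exe", "dwm.exe", "svchost.exe",
                       "lsass.exe", "winlogon.exe", "smss.exe", "services.exe"}
SYSTEM_ROOT = "c:\\windows\\"
# Path fragments that mean "user-writable" on XP, in long and 8.3 short forms.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\docume~1\\",
                         "\\application data\\", "\\applic~1\\",
                         "\\local settings\\", "\\locals~1\\", "\\temp\\")
# A drive-letter path ending in .exe; paths may contain spaces but never quotes.
EXE_PATH = re.compile(r'[a-z]:\\[^"\r\n]+?\.exe', re.IGNORECASE)
AUTOSTART_PREFIXES = ("urun:", "mrun:", "uwindows:", "uwinlogon:", "startupfolder:")


def user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def triage(report):
    """Return (rule, line) pairs; an empty list means nothing was flagged."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if "winlogon: shell=" in low:
            value = line[low.index("shell=") + len("shell="):]
            entries = [e.strip().lower() for e in value.split(",") if e.strip()]
            if entries != ["explorer.exe"]:
                findings.append((SHELL_HIJACK, line))
        if "windows: load=" in low and line[low.index("load=") + len("load="):].strip():
            findings.append((LOAD_SET, line))
        if "proxy" in low and ("127.0.0.1" in low or "localhost" in low):
            findings.append((LOOPBACK_PROXY, line))
        for path in EXE_PATH.findall(line):
            name = path.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_BINARY_NAMES and not path.lower().startswith(SYSTEM_ROOT):
                findings.append((MASQUERADE, line))
            elif user_writable(path) and low.startswith(AUTOSTART_PREFIXES):
                findings.append((USER_WRITABLE_AUTOSTART, line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_REPORT):
        print(f"[{rule}] {line}")
```

Run against the excerpt it flags ten lines; the same rules pass a clean report (ctfmon.exe from system32, Shell=explorer.exe alone) without output. The check is deliberately name-and-location based, so a signed copy of a system binary in the wrong folder is still reported for a human to look at.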


#2 miekiemoes (Malware Response Team, Belgium)

Posted 12 January 2011 - 03:17 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 LA Freddy (Topic Starter)

Posted 12 January 2011 - 03:55 PM

Computer is now not making it into Windows XP. Went to boot the computer (ThinkPad laptop) and received the following message, between [START] and [END] below:

[START]

Cannot boot from any device

Current boot order and device status
1: USB FDD: -->Device not found
2: ATAPI CD0: Model HL-DT-ST DVDRAM GSA-4083N -->No valid operating system
3: USB CD: --> Device not found
4: ATA HDD0: Model HTS541060G9SA00-(S1) -->No valid operating system
5: PCI LAN: Model IBA GE Slot 0200 v1231 -->No valid operating system
6: USB HDD: -->Device not found
7: ATA HDD1: -->Device not found

Excluded from boot order:
ATA HDD2:
ATAPI CD1:

[END]

Before that screen comes up, another screen comes up and then disappears, that reads:



[START]

Intel ® Boot Agent GE v1.2.31P1

Intel ® Boot Agent PXE Base Code (PXE-2.1 build 084)

Initializing and establishing a link ...
PXE-E61: Media test failure, check cable
PXE-M0F: Exiting Intel Boot Agent

[END]

The last things that I remember doing:
YESTERDAY - basic web browsing and downloading and running the various programs in the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help".
TWO DAYS AGO - Downloading and running Spybot and allowing it to cleanse infected files (or whatever the proper terminology is). Prior to that, ran a full scan of C: with McAfee Virus Scan and ran another spyware detection program (don't remember the name and don't have access to see it since I can't get into the computer).

Last night I definitely did a full shut down of the machine, but there's a chance that two days ago I just sent it to Hibernate instead.

Any suggestions?

Many thanks for generously sharing your time.

#4 miekiemoes

Posted 12 January 2011 - 05:03 PM

Hi,

Please try this:

http://helpdeskgeek.com/how-to/fix-mbr-xp-vista/

#5 LA Freddy

Posted 13 January 2011 - 10:57 AM

Thank you very much for your prompt reply. I don't have the XP Setup CD and will have to borrow one. (Tried the torrent route but I'm embarrassingly not familiar enough with this to be successful.) I can get one next Tuesday (holiday in the US on Monday) for certain if not before then; there is a good chance that I will not post again until Tuesday. Sorry for the delay and again many thanks for your help.

#6 miekiemoes

Posted 13 January 2011 - 11:40 AM

That's OK. I read you later :)

#7 LA Freddy

Posted 18 January 2011 - 08:21 PM

Booted with the XP Setup disk in the CD drive. Chose "To repair a Windows XP installation using Recovery Console, press R." Immediately received the following:

"Setup did not find any hard disk drives installed in your computer.

Make sure any hard disk drives are powered on and properly connected to your computer, and that any disk-related hardware configuration is correct. This may involve running a manufacturer-supplied diagnostic or setup program.

Setup cannot continue. To quit Setup, press F3."


I tried running the BIOS Setup Utility "Hard disk drive diagnostics program" and received the following:

Main hard disk drive | HDD0 :HTS541060G9SA00
Status | Test complete
Result | Pass: Read verification and speed test

#8 miekiemoes

Posted 19 January 2011 - 01:35 AM

Hi,

Please see here: http://www.windowsreinstall.com/winxppro/nohdd/indexfullpage.htm

But I guess it's better to post this issue in the hardware related forum here as this is not malware related anymore and my knowledge about hardware is limited (my knowledge area is anything, but hardware, haha).
http://www.bleepingcomputer.com/forums/forum7.html

#9 LA Freddy

Posted 19 January 2011 - 06:35 PM

I might have used poor etiquette in posting, not sure. Apologies if so and please direct me as appropriate.

I was able to get help and now the Setup CD will recognize the hard drive:
http://www.bleepingcomputer.com/forums/topic374401.html/

New problem now with Recovery Console not locating Windows. I assumed that I shouldn't respond here until/unless I was able to boot back up into XP, so I posted to the XP forum:
http://www.bleepingcomputer.com/forums/topic374470.html

I infer that I should have posted back here? Sorry. I did read the pinned posts beforehand but didn't see any guidelines on a similar situation. If you confirm, I will try to figure out if there is a way for me to undo my posting to the other forum. Or if I should just post a link in that forum to this posting?

#10 miekiemoes

Posted 20 January 2011 - 03:37 AM

Hi,

I see from your other post you were able to get this:

The one command that might work is FIXMBR, which produces the following message:

[START]

** CAUTION **

This computer appears to have a non-standard or invalid master boot record.

FIXMBR may damage your partition tables if you proceed.

This could cause all the partitions on the current hard disk to become inaccessible.

If you are not having problems accessing your drive, do not continue.

Are you sure you want to write a new MBR?

[END]

I think this is a standard message, but I'm afraid to select "Yes" without really knowing what I'm doing. Especially since I don't know what it does. (I've seen references to FIXMBR and FIXBOOT in Google searches for the problem but I'm not knowledgeable enough to know if they're a good idea or to guess if the malware would cause one of these to hose the system.)


You should select YES there to restore the MBR.

But I suggest you try it another way first.
I suggest you create a UBCD: http://www.ubcd4win.com/
You can do this via a working PC to create it.
Then boot the affected PC with UBCD. This way, you can access your data on your Windows anyway (always good in case you want to back up some stuff).
Normally, UBCD has a tool built in called MBRFix to restore the MBR + TestDisk to fix it for you instead.

If you use UBCD and boot from it, run MBRFix first to fix the MBR. Then reboot and see if that fixed it.
I'll post screenshots of how to use it below:

[five screenshots of the MBRFix steps, not reproduced here]

If not fixed,
Then Run TestDisk (also present in UBCD) to repopulate the partition table.

[eight screenshots of the TestDisk steps, not reproduced here]
Reboot.

OR... you can try another/similar method instead, with XPud.

Elise already posted instructions how to do this via XPud here: http://www.bleepingcomputer.com/forums/topic364469.html

Note, I have not tried both methods myself.

Edited by miekiemoes, 20 January 2011 - 03:38 AM.


#11 LA Freddy

Posted 20 January 2011 - 12:32 PM

[snip]
I suggest you create a UBCD: http://www.ubcd4win.com/
You can do this via a working PC to create it.
Then boot the affected PC with UBCD. This way, you can access your data on your Windows anyway (always good in case you want to back up some stuff).
[snip]


I created UBCD and booted using it. I have *not* run MBRFix yet--I wanted to access my data and see if I can back it up. I do not see an easy way to do this. What am I missing? Tried "My Computer" but C: drive isn't present. Also tried clicking on a couple of the programs on the desktop (DriveImage XML, Fab's Autobackup) but didn't see the C: drive as an option in either of these. Am I out of luck and just need to run MBRFix and hope for the best?

#12 miekiemoes

Posted 20 January 2011 - 01:12 PM

Yes, run the MBRFix first. Don't worry, MBRFix just restores your master boot record. It doesn't delete anything on your disk (what's already present).

#13 LA Freddy

Posted 20 January 2011 - 02:39 PM

Booted to the UBCD and ran MBRFix. The program gave me a dialog box saying that it was successful. Took the CD out and started up again. Did not make it into Windows. No longer a blinking cursor, though; instead some messages about not finding a drive with an operating system. (I can get exact verbiage if it is relevant.)

So, booted again to the UBCD and ran TestDisk. Got similar but different screens from what you posted. Before having it proceed, I wanted to make sure it was okay. The first 4 screens were identical to what you posted. When I selected [Analyze] though got the following screen:


TestDisk 6.11.3, Data Recovery Utility, May 2009
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sda - 60 GB / 55 GiB - CHS 7752 240 63
Current partition structure:
Partition Start End Size in sectors

No partition is bootable



[Quick Search]
Try to locate partition

{I hit enter}

--NEXT SCREEN--

Should TestDisk search for partition created under Vista ? [Y/N] (answer Yes if unsure)

{I typed "N" and hit Enter}


--NEXT SCREEN--

Disk /dev/sda - 60 GB / 55 GiB - CHS 7752 240 63
Partition Start End Size in sectors
* HPFS - NTFS 0 1 1 6884 239 63 104101137 [IBM_PRELOAD]
P FAT32 LBA 6885 0 1 7746 239 63 13033440 [IBM_SERVICE]
L FAT32 LBA 7747 1 1 7751 239 63 75537 [ACRONIS SZ]



Structure: Ok. Use Up/Down Arrow keys to select partition
Use Left/Right ...
*=Primary bootable P=Primary ...
Keys ...
Enter: to continue
NTFS, 53 GB / 49 GiB

{I pressed Enter}

--NEXT SCREEN--

Disk /dev/sda - 60 GB / 55 GiB - CHS 7752 240 63

Partition Start End Size in sectors
1 * HPFS - NTFS 0 1 1 6884 239 63 104101137 [IBM_PRELOAD]
2 P FAT32 LBA 6885 0 1 7746 239 63 13033440 [IBM_SERVICE]
3 E extended LBA 7747 0 1 7751 239 63 75600
5 L FAT32 LBA 7747 1 1 7751 239 63 75537 [ACRONIS SZ]

[Quit] [Deeper Search] [Write]




I only understand a little about what this program does, so I was hesitant to change it from the choice selected, [Deeper Search], to [Write] without checking in first. Anything to be concerned about, or should I just go through the same steps and select [Write]?
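Before answering [Write] it is worth knowing what the two repair steps in this thread actually touch. The MBR is one 512-byte sector: 446 bytes of boot code, a 64-byte table of four 16-byte partition entries at offset 0x1BE, and the 0x55AA signature. FIXMBR in post #10 and MBRFix rewrite the boot code; TestDisk's [Write] rewrites the table, which is why the layout it found should be consistent with the geometry it reported (CHS 7752 240 63) before it is written. The Python below is an added example, not part of the thread and not TestDisk or MBRFix code: it converts the CHS values from the screen in this post to LBA, confirms that the sector counts match, that partitions neither overlap nor run past the disk end and that the logical partition sits inside the extended one, then builds a synthetic MBR from that table and parses it back. TESTDISK_LAYOUT is transcribed from the screen above; the geometry constants are the ones TestDisk printed.

```python
"""Sanity-check a TestDisk partition layout against the reported geometry, then
round-trip it through a synthetic MBR sector. Added example; not TestDisk code."""
import struct

# Geometry exactly as TestDisk printed it above: CHS 7752 240 63.
DISK_CYLINDERS, HEADS, SECTORS = 7752, 240, 63
SECTOR_SIZE = 512
# Standard MBR partition type bytes.
TYPE_NTFS, TYPE_FAT32_LBA, TYPE_EXT_LBA = 0x07, 0x0C, 0x0F

# Transcribed from the TestDisk screen in this post:
# (flag, type, start CHS, end CHS, size in sectors as TestDisk listed it, label)
# flag: '*' bootable primary, 'P' primary, 'E' extended, 'L' logical.
TESTDISK_LAYOUT = [
    ("*", TYPE_NTFS,      (0, 1, 1),    (6884, 239, 63), 104101137, "IBM_PRELOAD"),
    ("P", TYPE_FAT32_LBA, (6885, 0, 1), (7746, 239, 63), 13033440,  "IBM_SERVICE"),
    ("E", TYPE_EXT_LBA,   (7747, 0, 1), (7751, 239, 63), 75600,     ""),
    ("L", TYPE_FAT32_LBA, (7747, 1, 1), (7751, 239, 63), 75537,     "ACRONIS SZ"),
]


def chs_to_lba(c, h, s):
    """Cylinders and heads count from 0, sectors from 1 (hence the s - 1)."""
    return (c * HEADS + h) * SECTORS + (s - 1)


def check_layout(layout):
    """Return a list of problems; an empty list means the table is consistent."""
    problems = []
    disk_sectors = DISK_CYLINDERS * HEADS * SECTORS
    primaries, logicals, extended = [], [], None
    for flag, ptype, start, end, claimed, label in layout:
        name = label or f"type {ptype:#04x}"
        first, last = chs_to_lba(*start), chs_to_lba(*end)
        if last - first + 1 != claimed:
            problems.append(f"{name}: CHS span is {last - first + 1} sectors, table claims {claimed}")
        if last >= disk_sectors:
            problems.append(f"{name}: ends at LBA {last}, past the last disk sector {disk_sectors - 1}")
        if flag == "L":
            logicals.append((name, first, last))
        else:
            primaries.append((name, first, last))
            if flag == "E":
                extended = (first, last)
    primaries.sort(key=lambda p: p[1])
    for (n1, _, last1), (n2, first2, _) in zip(primaries, primaries[1:]):
        if first2 <= last1:
            problems.append(f"{n1} and {n2} overlap")
    for name, first, last in logicals:
        # A logical partition sits inside the extended one, after its EBR sector.
        if extended is None or not (extended[0] < first and last <= extended[1]):
            problems.append(f"logical {name} lies outside the extended partition")
    if sum(1 for p in layout if p[0] == "*") != 1:
        problems.append("expected exactly one bootable partition")
    return problems


def encode_chs(c, h, s):
    """CHS field of a 16-byte entry; cylinders above 1023 are not representable and are written FE FF FF."""
    if c > 1023:
        return bytes((0xFE, 0xFF, 0xFF))
    return bytes((h, (s & 0x3F) | ((c >> 2) & 0xC0), c & 0xFF))


def build_mbr(layout, boot_code=b"\x00" * 446):
    """Assemble a 512-byte MBR: boot code, four 16-byte entries at 0x1BE, 0x55AA signature."""
    entries = b""
    for flag, ptype, start, end, claimed, _label in layout:
        if flag == "L":
            continue  # logicals are described by the EBR chain, not by the MBR table
        entries += struct.pack("<B3sB3sII", 0x80 if flag == "*" else 0x00,
                               encode_chs(*start), ptype, encode_chs(*end),
                               chs_to_lba(*start), claimed)
    if len(entries) > 64:
        raise ValueError("an MBR holds at most four primary/extended entries")
    return boot_code[:446].ljust(446, b"\x00") + entries.ljust(64, b"\x00") + b"\x55\xAA"


def parse_mbr(sector):
    """Return (bootable, type, first LBA, sector count) for each populated entry."""
    if len(sector) != SECTOR_SIZE or sector[510:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA signature: not an MBR")
    parts = []
    for i in range(4):
        boot, _, ptype, _, first, count = struct.unpack_from("<B3sB3sII", sector, 0x1BE + 16 * i)
        if ptype:
            parts.append((boot == 0x80, ptype, first, count))
    return parts


if __name__ == "__main__":
    for problem in check_layout(TESTDISK_LAYOUT) or ["layout is consistent with CHS 7752 240 63"]:
        print(problem)
    for entry in parse_mbr(build_mbr(TESTDISK_LAYOUT)):
        print(entry)
```

For the layout in this post the checks pass: the NTFS partition starts at LBA 63 and runs 104101137 sectors, the FAT32 partition follows it immediately, the extended partition ends on the last sector of the disk, and the logical partition starts one sector into the extended one. Any disagreement between the CHS span and the listed size, or an overlap, is the kind of thing to resolve before choosing [Write].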

#14 miekiemoes

Posted 20 January 2011 - 02:52 PM

You're doing OK here. You just had to do the last step.. which is WRITE :)

#15 LA Freddy

Posted 20 January 2011 - 03:57 PM

Wow! That's like magic.

I had a couple of scares, but I think it's fine now. (After the first restart after clicking [Write], had low-level beeping for a minute or so with black screen, then blue screen flash with some sort of KERNEL error. Restarted again and got to a message that read:

"The last attempt to restart the system from its previous location failed. Attempt to restart again?

Delete restoration data and proceed to system boot menu
Continue with system restart"

and selected Continue with system restart. Another blue screen flash with what appeared to be similar KERNEL warning. Restarted again. Same question as above, selected Continue with system restart again ... and into Windows. I have restarted a couple of times now without problem.

Should I now proceed according to your post #2 above (Malwarebytes' Anti-Malware)?



