System Repair not showing CD Rom


  • This topic is locked
7 replies to this topic

#1 jgrocks

  • Members
  • 7 posts
  • Gender:Male

Posted 06 June 2011 - 10:40 AM

I'm doing a system repair on Windows XP Pro and it's looking for files in i386. But when I browse it doesn't recognize the CD-ROM drive that the XP disk is in.

Any help would be great

Thanks

#2 Allan

  • BC Advisor
  • 8,644 posts
  • Gender:Male
  • Location:New Jersey

Posted 06 June 2011 - 10:51 AM

Please explain EXACTLY what you are doing and how you are doing it (and why you have a need to restore).

#3 jgrocks

  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male

Posted 06 June 2011 - 11:31 AM

I run from the Windows disk. When the first screen comes up with the option to install or repair, I press Enter to install, then hit F8 to accept the agreement. Then, when the next option to install or repair comes up, I hit R to repair.

The reason being the computer seems to have had malware, and some programs are missing, such as System Recovery.

Prior to all this, when I would log on to my user name a "Windows XP Recovery" screen would appear. It looks like it's doing a disk scan and has every imaginable error there is. I know this is a fake.
When I click on Start, All Programs - it's empty. When I go to explorer, it only shows the OS partition and it looks empty and the other partition is gone.

I ran Malwarebytes and here is the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 6516
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
6/2/2011 4:07:07 PM
mbam-log-2011-06-02 (16-07-07).txt
Scan type: Quick scan
Objects scanned: 191185
Time elapsed: 14 minute(s), 50 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\15851300.exe (Trojan.FakeAlert.Gen) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ljeuyboo (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbiyamxf (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mvrsoper (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\putxfgwt (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\All Users\Application Data\15851300.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Then I ran ComboFix, and it came up with "Infected copy of C:\WINDOWS\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack"
Should I be concerned about this?? Log below:

ComboFix 11-06-02.01 - Bob 06/03/2011 9:50:22.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1256 [GMT -4:00]
Running from: C:\Documents and Settings\Bob\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Application Data\15851300.exe
C:\Documents and Settings\All Users\Application Data\yiMjvSkpKyOa.exe
C:\Documents and Settings\Bob\WINDOWS
C:\Documents and Settings\Leona\WINDOWS
C:\WINDOWS\system32\gotomon.log

Infected copy of C:\WINDOWS\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack

((((((((((((((((((((((((( Files Created from 2011-05-03 to 2011-06-03 )))))))))))))))))))))))))))))))


2011-06-03 13:26:55 . 2011-06-03 13:30:23 -------- d--h--w- C:\Documents and Settings\Leona\Application Data\U3
2011-06-03 13:11:13 . 2011-06-03 13:11:13 -------- d--h--w- C:\Documents and Settings\Bob\Application Data\U3
2011-06-02 19:33:27 . 2010-04-29 19:39:38 38224 ---ha-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011-06-02 19:33:26 . 2011-06-02 19:33:31 -------- d--h--w- C:\Program Files\Malwarebytes' Anti-Malware
2011-06-02 19:07:39 . 2011-06-02 19:23:53 -------- d--h--w- C:\Documents and Settings\Administrator\Application Data\U3
2011-06-02 18:33:12 . 2011-06-02 18:33:12 -------- d--h--w- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2011-06-02 16:33:50 . 2010-08-12 12:15:20 15880 ---ha-w- C:\WINDOWS\system32\lsdelete.exe
2011-06-02 16:25:27 . 2011-06-02 16:25:27 -------- d--h--w- C:\Documents and Settings\Bob\Application Data\Malwarebytes
2011-06-02 15:38:51 . 2011-06-02 15:38:51 -------- d--h--w- C:\Documents and Settings\Leona\Application Data\Malwarebytes
2011-06-02 15:20:23 . 2011-06-02 15:20:23 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2011-06-02 14:58:07 . 2010-08-12 12:15:20 64288 ---ha-w- C:\WINDOWS\system32\drivers\Lbd.sys
2011-06-02 14:57:26 . 2011-06-02 14:57:27 -------- dc-h--w- C:\Documents and Settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2011-06-02 14:57:06 . 2011-06-02 14:57:06 -------- d--h--w- C:\Program Files\Lavasoft
2011-05-16 21:59:23 . 2011-05-16 21:59:23 404640 ---ha-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-03-14 12:56:56 . 2011-03-14 12:56:56 18944 ---ha-r- C:\Documents and Settings\Bob\Application Data\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
2011-03-14 12:56:56 . 2011-03-14 12:56:56 11264 ---ha-r- C:\Documents and Settings\Bob\Application Data\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A1630.exe
2011-03-14 12:41:33 . 2011-03-14 12:41:29 398760 ---ha-r- C:\WINDOWS\system32\cpnprt2.cid
2011-03-07 05:33:50 . 2008-04-25 21:27:47 692736 ---ha-w- C:\WINDOWS\system32\inetcomm.dll
2011-05-05 00:35:09 . 2011-03-24 22:21:04 142296 ---ha-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2009-12-29 14:08:28 1653248]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 12:00:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\bcmntray" [X]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 20:44:46 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 19:18:32 124128]
"EPSON Stylus Photo 825"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-04-10 03:04:00 74240]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2009-05-26 21:18:30 413696]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 08:44:43 35760]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 03:07:44 932288]

C:\Documents and Settings\Leona\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 02:41:34 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-06-09 04:23:21 10536 ---ha-w- C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2009-12-15 22:13:00 15216 ---ha-w- C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=C:\WINDOWS\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07:44 932288 ---ha-r- C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44:43 35760 ---ha-w- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2007-07-17 02:48:40 69632 ---ha-w- C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00:00 15360 ----a-w- C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell DataSafe Online]
2008-11-03 14:54:00 1745648 ---ha-w- C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-01-30 05:50:06 206064 ---ha-w- C:\Program Files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-07-17 02:45:12 162584 ---ha-w- C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-07-17 02:45:24 142104 ---ha-w- C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 17:39:22 292136 ---ha-w- C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 17:42:30 1695232 ---ha-w- C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2008-12-03 03:41:54 3882312 ---ha-w- C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-05-23 19:06:08 128296 ---h--w- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-07-17 02:45:14 138008 ---ha-w- C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18:30 413696 ---ha-w- C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-07-17 02:48:52 16132608 ---ha-w- C:\WINDOWS\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 09:19:17 148888 ---ha-w- C:\Program Files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Samsung\\SAMSUNG PC Share Manager\\WiselinkPro.exe"=
"C:\\Program Files\\Samsung\\SAMSUNG PC Share Manager\\http_ss_win_pro.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 Lbd;Lbd;C:\WINDOWS\system32\drivers\Lbd.sys [6/2/2011 10:58:07 AM 64288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16:28 PM 130384]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 8:15:19 AM 1355416]
S3 AllShare;SAMSUNG AllShare Service;C:\Program Files\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe [7/16/2010 6:23:30 PM 6638080]
S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINDOWS\system32\drivers\epusbsto.sys [9/10/2001 9:00:00 AM 17976]
S3 SavRoam;SAVRoam;C:\Program Files\Symantec AntiVirus\SavRoam.exe [3/12/2004 3:18:06 PM 169192]
S3 WinRM;Windows Remote Management (WS-Management);C:\WINDOWS\system32\svchost.exe -k WINRM [4/25/2008 12:16:26 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16:28 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM

Contents of the 'Scheduled Tasks' folder

2011-06-03 C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
- C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 12:15:19 . 2010-08-12 12:15:19]


------- Supplementary Scan -------

uInternet Settings,ProxyOverride = <local>
TCP: Interfaces\{C5EADFF9-EE89-4583-A48D-F055F105842F}: NameServer = 66.252.170.3
FF - ProfilePath - C:\Documents and Settings\Bob\Application Data\Mozilla\Firefox\Profiles\ttbilwlx.default\

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-yiMjvSkpKyOa - C:\Documents and Settings\All Users\Application Data\yiMjvSkpKyOa.exe
MSConfigStartUp-ljeuyboo - C:\Documents and Settings\Bob\Local Settings\Application Data\uepxtuklr\saymvdttssd.exe
MSConfigStartUp-mcagent_exe - C:\Program Files\McAfee.com\Agent\mcagent.exe
MSConfigStartUp-mvrsoper - C:\Documents and Settings\Bob\Local Settings\Application Data\ghhlqm\bmpjsysguard.exe
MSConfigStartUp-putxfgwt - C:\Documents and Settings\Bob\Local Settings\Application Data\hjqnohncp\scieefhshdw.exe
MSConfigStartUp-wbiyamxf - C:\Documents and Settings\Bob\Local Settings\Application Data\nrbwtvwmg\syprtmbtssd.exe

Everything seemed fine, till I saw a lot of empty program folders and nothing in the System Tools folder.
Hence the system repair.
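The Malwarebytes and ComboFix output in the post above is the kind of log a helper triages by hand: which Run values were rogue, which policy keys were hijacked (DisableTaskMgr, NoChangingWallpaper), and which orphaned autoruns pointed at random-named executables. The Python below is an added example, not code from the thread, from Malwarebytes or from ComboFix. It parses the Malwarebytes 1.x text log into per-section findings, lists the Run value names and policy hijacks it reported, and applies a path heuristic to ComboFix "ORPHANS REMOVED" lines: an autorun whose target is a random-looking executable under Application Data or Local Settings\Application Data (both writable without administrator rights) is the rogue-AV persistence pattern seen in this thread. The sample log text is constructed from entries posted above; the regexes and the random-name heuristic are my assumptions, not a published format specification.

```python
"""Triage helper for Malwarebytes 1.x text logs and ComboFix orphan lines.

Added example for this thread; it is not Malwarebytes, ComboFix or
BleepingComputer code. The log-format regexes and the random-name
heuristic are assumptions drawn from the logs posted above.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the Malwarebytes 1.46 log in the thread.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Scan type: Quick scan
Memory Processes Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 1
Files Infected: 1
Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\15851300.exe (Trojan.FakeAlert.Gen) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ljeuyboo (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mvrsoper (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\All Users\Application Data\15851300.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
"""

# Constructed sample, modelled on the ComboFix "ORPHANS REMOVED" block above.
SAMPLE_ORPHANS = [
    "Toolbar-Locked - (no file)",
    r"HKCU-Run-yiMjvSkpKyOa - C:\Documents and Settings\All Users\Application Data\yiMjvSkpKyOa.exe",
    r"MSConfigStartUp-ljeuyboo - C:\Documents and Settings\Bob\Local Settings\Application Data\uepxtuklr\saymvdttssd.exe",
    r"MSConfigStartUp-mcagent_exe - C:\Program Files\McAfee.com\Agent\mcagent.exe",
]

# A detail section header is "<Name> Infected:" with nothing after the colon;
# the summary lines near the top carry a count and therefore do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*$")
# Detail entry: "<item> (<threat name>) -> <action>"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
# Registry data items carry the hijacked value and the expected one.
BADGOOD_RE = re.compile(r"Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\)")
RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)
# ComboFix orphan line: "<source>-<value name> - <target path>"
ORPHAN_RE = re.compile(r"^(?:HKCU-Run|HKLM-Run|MSConfigStartUp)-(?P<name>\S+) - (?P<path>.+)$")
# Profile directories a standard user can write to on XP (assumption: XP layout).
USER_WRITABLE_RE = re.compile(
    r"^C:\\Documents and Settings\\[^\\]+\\(?:Local Settings\\)?Application Data\\", re.IGNORECASE)
# Weak heuristic for dropper names: a run of 8+ lowercase letters or 6+ digits.
RANDOM_NAME_RE = re.compile(r"^(?:[a-z]{8,}|\d{6,})(?:\.exe)?$")


def parse_mbam_log(text: str) -> Dict[str, List[dict]]:
    """Return {section name: [entry dicts]} for the detail sections of a log."""
    findings: Dict[str, List[dict]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            findings.setdefault(section, [])
            continue
        if section is None:
            continue  # still in the header/summary block
        e = ENTRY_RE.match(line)
        if not e:
            continue  # blank line or "(No malicious items detected)"
        entry = {"item": e.group("item"), "threat": e.group("threat"), "action": e.group("action")}
        bg = BADGOOD_RE.search(entry["action"])
        if bg:
            entry["bad"], entry["good"] = int(bg.group("bad")), int(bg.group("good"))
        findings[section].append(entry)
    return findings


def run_values_detected(findings: Dict[str, List[dict]]) -> List[str]:
    """Names of HKCU/HKLM ...\\Run values Malwarebytes flagged."""
    names = []
    for e in findings.get("Registry Values Infected", []):
        m = RUN_VALUE_RE.search(e["item"])
        if m:
            names.append(m.group("name"))
    return names


def policy_hijacks(findings: Dict[str, List[dict]]) -> List[str]:
    """Policy value names whose data Malwarebytes reported as Bad (e.g. DisableTaskMgr)."""
    return [e["item"].rsplit("\\", 1)[-1]
            for e in findings.get("Registry Data Items Infected", []) if "bad" in e]


def suspicious_orphans(lines: List[str]) -> List[Tuple[str, str]]:
    """Orphaned autoruns whose target is a random-named executable in a user-writable profile dir."""
    hits = []
    for line in lines:
        m = ORPHAN_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        tail = path.split("\\")[-2:]  # parent directory and file name
        if USER_WRITABLE_RE.match(path) and any(RANDOM_NAME_RE.match(p.lower()) for p in tail):
            hits.append((m.group("name"), path))
    return hits


if __name__ == "__main__":
    f = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("Run values:", run_values_detected(f))
    print("Policy hijacks:", policy_hijacks(f))
    for name, path in suspicious_orphans(SAMPLE_ORPHANS):
        print(f"suspicious autorun {name}: {path}")
```

On the sample this reports the two rogue Run values and the DisableTaskMgr hijack from the Malwarebytes log, and flags the yiMjvSkpKyOa and ljeuyboo orphans while leaving the McAfee agent alone, since it lives under Program Files. The random-name rule is deliberately crude (an eight-letter legitimate value name would trip it), so treat the output as a triage list to review by hand, not as a verdict; the script changes nothing on the machine. The security point it makes is that every persistence item in this thread lived under HKCU and the user's own profile folders, which need no administrator rights to write.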


#4 Allan

  • BC Advisor
  • 8,644 posts
  • Gender:Male
  • Location:New Jersey

Posted 06 June 2011 - 11:48 AM

I think that before you do anything else you should post in the Am I Infected forum and make sure your system is, in fact, clear of all malware. And just to be clear, what you are trying to do is called a repair installation of Windows, not a system repair - that's why I was confused by your first post.

#5 jgrocks

  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male

Posted 06 June 2011 - 11:54 AM

I did post last week but no one replied

#6 Eyesee

  • Bleepin Teck Shop
  • BC Advisor
  • 3,545 posts
  • Gender:Male
  • Location:In the middle of Kansas

Posted 06 June 2011 - 12:04 PM

Windows XP Recovery removal instructions.

I think a repair installation will not fix the infection and think it is a waste of time.
Please follow the instructions in the link above.
In the beginning there was the command line.

#7 Allan

  • BC Advisor
  • 8,644 posts
  • Gender:Male
  • Location:New Jersey

Posted 06 June 2011 - 12:16 PM

I did post last week but no one replied


They are very busy over there. Please give them time to respond.

#8 hamluis

  • Moderator
  • 56,385 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 06 June 2011 - 02:08 PM

OP has an open MRL topic at http://www.bleepingcomputer.com/forums/topic401496.html/page__p__2275303#entry2275303 .

Current backlog for MRL topics is 7-8 days, topic posted 3 Jun.

You should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the logs you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on, the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Please DO NOT make another reply to your malware log topic...until it has been responded to by a member of the Malware Removal Team. Generally, the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Removal Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.

Louis
