Probably Virus, No Malware, Stuck in Safe Mode with Command Prompt


63 replies to this topic

#1 centerct

  • Members
  • 34 posts

Posted 07 November 2011 - 06:58 PM

This all started when the computer would lock up after about 5-10 mins of use. I figured it was a virus since our virus protection lapsed (go figure). So the first thing I did was run HijackThis, and I will post the log from that. Then I downloaded Malwarebytes and did a scan and removed all that, with no luck on the computer working any better. So I figured it was time to start safe mode. Well, that just got me into more trouble. I now boot up to safe mode with the cmd.exe screen. I have tried F8, F6, F12 and Esc. They all get me to the same screen of starting in safe mode or Windows normally. Anything I choose gets me back to the command prompt in safe mode.

One last thing, this is a Gateway Netbook without a cd rom.

Log is as follows:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:07:13 AM, on 11/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxedcoms.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\QUALCOMM\QDLService\QDLService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\PLFSetL.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Lexmark S600 Series\lxedmon.exe
C:\Program Files\Lexmark S600 Series\ezprint.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\system32\igfxext.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=0&o=xph&d=0610&m=lt20
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://quickaccess.verizonwireless.com/quickaccess?olp=lqh6zEJfjVLHxj9nsU1OX0KjoHlIXQEsnkUqhI1CkMF1BxiWwxUbHGqRY%2B5bBzVm
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: BHO Project - {66D8FBA6-D90F-40A9-AC55-84896F79CA69} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110601085527.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PLFSetL] C:\WINDOWS\PLFSetL.exe
O4 - HKLM\..\Run: [snp2uvc] rundll32.exe C:\WINDOWS\system32\csnp2uvc.dll,ResetCIDS
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [lxedmon.exe] "C:\Program Files\Lexmark S600 Series\lxedmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark S600 Series\ezprint.exe"
O4 - HKLM\..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} (SpiderSolitaire Control) - http://www.worldwinner.com/games/v56/spidersolitaire/spidersolitaire.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} (WorldWinner ActiveX Launcher Control) - http://www.worldwinner.com/games/launcher/ie/v2.23.01.0/iewwload.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://www.worldwinner.com/games/v42/tilecity/tilecity.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\mcsniepl.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxedCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxedserv.exe
O23 - Service: lxed_device - - C:\WINDOWS\system32\lxedcoms.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Online Backup (MOBKbackup) - McAfee, Inc. - C:\Program Files\McAfee Online Backup\MOBKbackup.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: Internet Pass-Through Service (PassThru Service) - Unknown owner - C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Qualcomm Gobi Download Service (QDLService) - QUALCOMM, Inc. - C:\QUALCOMM\QDLService\QDLService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 12937 bytes

Any help would be a godsend lol.

Edited by Budapest, 07 November 2011 - 08:24 PM.
Moved from XP ~Budapest
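As an added example (not from the thread, and not HijackThis itself), the Python script below triages the HijackThis log format posted above the way a malware-removal helper reads it: it flags registry entries whose target file is gone, BHOs registered without a name, ActiveX downloads (O16) and services without a publisher (O23). The sample input is a subset of the log lines above; the line format and the "(no file)" / "(file missing)" markers are HijackThis's own.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Excerpt of the HijackThis log posted above; the subset is chosen for this
# example, the lines themselves are unchanged.
SAMPLE_LOG = r"""
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: BHO Project - {66D8FBA6-D90F-40A9-AC55-84896F79CA69} - (no file)
O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O4 - HKLM\..\Run: [snp2uvc] rundll32.exe C:\WINDOWS\system32\csnp2uvc.dll,ResetCIDS
O16 - DPF: {61900274-3323-4446-BDCD-91548D32AF1B} (SpiderSolitaire Control) - http://www.worldwinner.com/games/v56/spidersolitaire/spidersolitaire.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: lxed_device - - C:\WINDOWS\system32\lxedcoms.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
"""

# Every HijackThis entry starts with a section tag (R0/R1, O2, O4, O16, O23, ...).
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# HijackThis marks registry entries whose target is no longer on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# O23 lines read "<name> - <company> - <path>"; a missing company shows up as
# " - - <path>" and an unverifiable one as " - Unknown owner - <path>".
NO_PUBLISHER_RE = re.compile(r" - (?:Unknown owner)? ?- [A-Za-z]:\\")


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O2"
    code: str     # short machine-readable reason
    detail: str   # human-readable explanation
    line: str     # the original log line


def triage_line(line: str) -> list[Finding]:
    """Return the review points an analyst would raise for one log line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []  # header lines, process list, blanks
    section, body = m.groups()
    found = []
    if any(marker in body for marker in ORPHAN_MARKERS):
        found.append(Finding(section, "missing-file",
                             "registry entry points at a file that is not on disk "
                             "(orphan of a removed component)", line))
    if section == "O2" and "(no name)" in body:
        found.append(Finding(section, "unnamed-bho",
                             "BHO registered without a display name; legitimate "
                             "vendors normally set one", line))
    if section == "O16":
        host = urlparse(body.rsplit(" - ", 1)[-1]).netloc
        found.append(Finding(section, "activex-download",
                             f"ActiveX package downloaded from {host}; confirm "
                             "the site is expected", line))
    if section == "O23" and NO_PUBLISHER_RE.search(body):
        found.append(Finding(section, "no-publisher",
                             "service binary has no publisher; confirm where it "
                             "came from", line))
    return found


def triage_log(text: str) -> list[Finding]:
    return [f for line in text.splitlines() for f in triage_line(line)]


def count_by_code(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4} {f.code:<17} {f.detail}")
        print(f"     {f.line}")
```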



#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,740 posts

Posted 12 November 2011 - 07:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/426806 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 centerct

  • Topic Starter
  • Members
  • 34 posts

Posted 15 November 2011 - 11:28 AM

I still need help. I cannot offer any new information due to the fact the computer is stuck in safe mode with the command.exe screen coming up when started.

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 17 November 2011 - 09:08 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

We will need to try and boot your machine using another operating system called xPUD - it uses Linux

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Download http://noahdfear.net/downloads/rst.sh to the USB drive
  • Insert the USB drive and CD in the Sick computer and boot the computer from the CD
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it
Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review
m0le is a proud member of UNITE

#5 centerct

  • Topic Starter
  • Members
  • 34 posts

Posted 18 November 2011 - 10:11 AM

I do NOT have a CD-ROM drive in the netbook. That's one of the hurdles I'm having trouble with.

#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 18 November 2011 - 06:28 PM

Okay same tool, same program, no CD ROM :)

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/rst.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it

Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review

#7 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 21 November 2011 - 09:18 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#8 centerct

  • Topic Starter
  • Members
  • 34 posts

Posted 22 November 2011 - 10:21 AM

Here is the log you are asking for:
32.3M Nov 21 2011 /mnt/sda2/WINDOWS/system32/config/software
12.5M Nov 21 2011 /mnt/sda2/WINDOWS/system32/config/system

31.8M Oct 6 04:19 /sda2/~/RP501/~SOFTWARE
31.8M Oct 7 05:31 /sda2/~/RP502/~SOFTWARE
31.8M Oct 8 06:31 /sda2/~/RP503/~SOFTWARE
31.8M Oct 9 07:19 /sda2/~/RP504/~SOFTWARE
31.8M Oct 10 08:19 /sda2/~/RP505/~SOFTWARE
31.8M Oct 11 08:31 /sda2/~/RP506/~SOFTWARE
31.8M Oct 12 09:59 /sda2/~/RP507/~SOFTWARE
31.8M Oct 13 07:00 /sda2/~/RP508/~SOFTWARE
32.3M Oct 14 08:03 /sda2/~/RP509/~SOFTWARE
32.3M Oct 14 21:25 /sda2/~/RP510/~SOFTWARE
32.3M Oct 14 21:26 /sda2/~/RP511/~SOFTWARE
32.3M Oct 15 20:08 /sda2/~/RP512/~SOFTWARE
32.3M Oct 15 20:10 /sda2/~/RP513/~SOFTWARE
32.4M Oct 15 23:58 /sda2/~/RP514/~SOFTWARE
32.4M Oct 16 01:36 /sda2/~/RP515/~SOFTWARE
32.3M Oct 17 01:52 /sda2/~/RP516/~SOFTWARE
32.3M Oct 18 02:37 /sda2/~/RP517/~SOFTWARE
32.3M Oct 19 02:48 /sda2/~/RP518/~SOFTWARE
32.3M Oct 20 03:34 /sda2/~/RP519/~SOFTWARE
32.3M Oct 21 04:34 /sda2/~/RP520/~SOFTWARE
32.3M Oct 23 02:20 /sda2/~/RP522/~SOFTWARE
32.3M Oct 24 14:46 /sda2/~/RP523/~SOFTWARE
32.3M Oct 25 15:11 /sda2/~/RP524/~SOFTWARE
32.3M Oct 26 16:11 /sda2/~/RP525/~SOFTWARE
32.3M Oct 27 17:31 /sda2/~/RP526/~SOFTWARE
32.3M Oct 28 18:11 /sda2/~/RP527/~SOFTWARE
32.3M Oct 29 18:25 /sda2/~/RP528/~SOFTWARE
32.3M Oct 30 18:26 /sda2/~/RP529/~SOFTWARE
32.3M Oct 31 19:26 /sda2/~/RP530/~SOFTWARE
32.3M Nov 1 19:44 /sda2/~/RP531/~SOFTWARE
32.3M Nov 2 19:53 /sda2/~/RP532/~SOFTWARE
32.3M Nov 3 20:10 /sda2/~/RP533/~SOFTWARE
32.3M Nov 4 20:44 /sda2/~/RP534/~SOFTWARE
32.3M Nov 5 21:44 /sda2/~/RP535/~SOFTWARE
32.3M Nov 6 15:04 /sda2/~/RP536/~SOFTWARE
32.3M Nov 6 19:10 /sda2/~/RP537/~SOFTWARE
32.3M Nov 6 19:10 /sda2/~/RP538/~SOFTWARE
32.3M Nov 6 20:32 /sda2/~/RP539/~SOFTWARE
32.3M Nov 6 20:43 /sda2/~/RP540/~SOFTWARE
32.3M Nov 6 21:04 /sda2/~/RP541/~SOFTWARE
32.3M Nov 7 01:19 /sda2/~/RP542/~SOFTWARE
31.5M Sep 15 07:44 /sda2/~/RP480/~SOFTWARE
31.5M Sep 16 08:41 /sda2/~/RP481/~SOFTWARE
31.5M Sep 17 09:41 /sda2/~/RP482/~SOFTWARE
31.5M Sep 18 09:42 /sda2/~/RP483/~SOFTWARE
31.5M Sep 19 10:36 /sda2/~/RP484/~SOFTWARE
31.5M Sep 20 10:40 /sda2/~/RP485/~SOFTWARE
31.5M Sep 21 12:00 /sda2/~/RP486/~SOFTWARE
31.5M Sep 22 12:08 /sda2/~/RP487/~SOFTWARE
31.5M Sep 23 12:10 /sda2/~/RP488/~SOFTWARE
31.5M Sep 24 12:41 /sda2/~/RP489/~SOFTWARE
31.5M Sep 25 13:48 /sda2/~/RP490/~SOFTWARE
31.5M Sep 26 14:40 /sda2/~/RP491/~SOFTWARE
31.5M Sep 27 17:38 /sda2/~/RP492/~SOFTWARE
31.5M Sep 28 17:40 /sda2/~/RP493/~SOFTWARE
31.5M Sep 28 20:29 /sda2/~/RP494/~SOFTWARE
31.5M Sep 29 23:34 /sda2/~/RP495/~SOFTWARE
31.5M Oct 1 00:19 /sda2/~/RP496/~SOFTWARE
31.5M Oct 2 01:19 /sda2/~/RP497/~SOFTWARE
31.5M Oct 3 04:13 /sda2/~/RP498/~SOFTWARE
31.5M Oct 4 04:19 /sda2/~/RP499/~SOFTWARE
31.5M Oct 5 03:28 /sda2/~/RP500/~SOFTWARE
32.3M Oct 22 04:37 /sda2/~/RP521/~SOFTWARE
6.7M Oct 6 04:19 /sda2/~/RP501/~SYSTEM
6.7M Oct 7 05:31 /sda2/~/RP502/~SYSTEM
6.7M Oct 8 06:31 /sda2/~/RP503/~SYSTEM
6.7M Oct 9 07:19 /sda2/~/RP504/~SYSTEM
6.7M Oct 10 08:19 /sda2/~/RP505/~SYSTEM
6.7M Oct 11 08:31 /sda2/~/RP506/~SYSTEM
6.7M Oct 12 09:59 /sda2/~/RP507/~SYSTEM
6.7M Oct 13 07:00 /sda2/~/RP508/~SYSTEM
6.7M Oct 14 08:03 /sda2/~/RP509/~SYSTEM
6.7M Oct 14 21:25 /sda2/~/RP510/~SYSTEM
6.7M Oct 14 21:26 /sda2/~/RP511/~SYSTEM
6.7M Oct 15 20:08 /sda2/~/RP512/~SYSTEM
6.7M Oct 15 20:10 /sda2/~/RP513/~SYSTEM
11.0M Oct 15 23:58 /sda2/~/RP514/~SYSTEM
11.0M Oct 16 01:36 /sda2/~/RP515/~SYSTEM
6.7M Oct 17 01:52 /sda2/~/RP516/~SYSTEM
6.7M Oct 18 02:37 /sda2/~/RP517/~SYSTEM
6.7M Oct 19 02:48 /sda2/~/RP518/~SYSTEM
6.7M Oct 20 03:34 /sda2/~/RP519/~SYSTEM
6.7M Oct 21 04:34 /sda2/~/RP520/~SYSTEM
6.7M Oct 23 02:20 /sda2/~/RP522/~SYSTEM
6.7M Oct 24 14:46 /sda2/~/RP523/~SYSTEM
6.7M Oct 25 15:11 /sda2/~/RP524/~SYSTEM
6.7M Oct 26 16:11 /sda2/~/RP525/~SYSTEM
6.7M Oct 27 17:31 /sda2/~/RP526/~SYSTEM
6.7M Oct 28 18:11 /sda2/~/RP527/~SYSTEM
6.7M Oct 29 18:25 /sda2/~/RP528/~SYSTEM
6.7M Oct 30 18:26 /sda2/~/RP529/~SYSTEM
6.7M Oct 31 19:26 /sda2/~/RP530/~SYSTEM
6.7M Nov 1 19:44 /sda2/~/RP531/~SYSTEM
6.7M Nov 2 19:53 /sda2/~/RP532/~SYSTEM
6.7M Nov 3 20:10 /sda2/~/RP533/~SYSTEM
6.7M Nov 4 20:44 /sda2/~/RP534/~SYSTEM
6.7M Nov 5 21:44 /sda2/~/RP535/~SYSTEM
6.7M Nov 6 15:04 /sda2/~/RP536/~SYSTEM
6.7M Nov 6 19:10 /sda2/~/RP537/~SYSTEM
6.7M Nov 6 19:10 /sda2/~/RP538/~SYSTEM
6.7M Nov 6 20:32 /sda2/~/RP539/~SYSTEM
6.7M Nov 6 20:43 /sda2/~/RP540/~SYSTEM
6.7M Nov 6 21:04 /sda2/~/RP541/~SYSTEM
6.7M Nov 7 01:19 /sda2/~/RP542/~SYSTEM
10.5M Sep 15 07:44 /sda2/~/RP480/~SYSTEM
10.5M Sep 16 08:42 /sda2/~/RP481/~SYSTEM
10.5M Sep 17 09:41 /sda2/~/RP482/~SYSTEM
10.5M Sep 18 09:42 /sda2/~/RP483/~SYSTEM
10.5M Sep 19 10:36 /sda2/~/RP484/~SYSTEM
10.5M Sep 20 10:41 /sda2/~/RP485/~SYSTEM
10.5M Sep 21 12:00 /sda2/~/RP486/~SYSTEM
10.5M Sep 22 12:08 /sda2/~/RP487/~SYSTEM
10.5M Sep 23 12:10 /sda2/~/RP488/~SYSTEM
10.5M Sep 24 12:41 /sda2/~/RP489/~SYSTEM
10.5M Sep 25 13:48 /sda2/~/RP490/~SYSTEM
10.5M Sep 26 14:41 /sda2/~/RP491/~SYSTEM
10.5M Sep 27 17:38 /sda2/~/RP492/~SYSTEM
10.5M Sep 28 17:40 /sda2/~/RP493/~SYSTEM
10.5M Sep 28 20:29 /sda2/~/RP494/~SYSTEM
6.7M Sep 29 23:34 /sda2/~/RP495/~SYSTEM
6.7M Oct 1 00:19 /sda2/~/RP496/~SYSTEM
6.7M Oct 2 01:19 /sda2/~/RP497/~SYSTEM
6.7M Oct 3 04:13 /sda2/~/RP498/~SYSTEM
6.7M Oct 4 04:19 /sda2/~/RP499/~SYSTEM
6.7M Oct 5 03:28 /sda2/~/RP500/~SYSTEM
6.7M Oct 22 04:37 /sda2/~/RP521/~SYSTEM

Sorry it takes so long. I don't have internet at home due to the computer being down. I can get on daily and that's about it. The weekends are difficult as we usually aren't around wifi for our other computer to work.

Thank you for the help.
Ted
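As an added example (not part of the thread, and not rst.sh itself), here is a small Python parser for the enum.log format posted above. It lists the restore points found in the log, picks the newest one that has both the SOFTWARE and SYSTEM hives and predates a chosen cutoff, and flags any point where a hive grew sharply compared with the previous one, which is worth a look before restoring. The log lines carry no year, so the script assumes 2011 (the thread's year); the sample input is a constructed subset of the lines above.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed subset of the enum.log posted above (lines unchanged).
SAMPLE_ENUM_LOG = """\
31.8M Oct 13 07:00 /sda2/~/RP508/~SOFTWARE
32.3M Oct 14 08:03 /sda2/~/RP509/~SOFTWARE
32.4M Oct 15 23:58 /sda2/~/RP514/~SOFTWARE
32.3M Nov 7 01:19 /sda2/~/RP542/~SOFTWARE
6.7M Oct 13 07:00 /sda2/~/RP508/~SYSTEM
6.7M Oct 14 08:03 /sda2/~/RP509/~SYSTEM
11.0M Oct 15 23:58 /sda2/~/RP514/~SYSTEM
6.7M Nov 7 01:19 /sda2/~/RP542/~SYSTEM
"""

# "<size><unit> <Mon> <day> <HH:MM> /sdaN/~/RPnnn/~HIVE" as printed by rst.sh;
# the two live-hive lines at the top of the log do not match and are skipped.
LINE_RE = re.compile(
    r"^\s*(?P<size>[\d.]+)(?P<unit>[KMG])\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2})\s+/sda\d+/~/(?P<rp>RP\d+)/~(?P<hive>[A-Z]+)\s*$"
)
TO_MIB = {"K": 1 / 1024, "M": 1.0, "G": 1024.0}


@dataclass
class RestorePoint:
    name: str
    when: datetime
    hives: dict = field(default_factory=dict)  # hive name -> size in MiB


def parse_enum_log(text: str, year: int = 2011) -> list[RestorePoint]:
    """Group the per-hive lines by restore point, oldest first."""
    points: dict[str, RestorePoint] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['time']}", "%b %d %Y %H:%M")
        rp = points.setdefault(m["rp"], RestorePoint(m["rp"], when))
        rp.hives[m["hive"]] = float(m["size"]) * TO_MIB[m["unit"]]
    return sorted(points.values(), key=lambda p: p.when)


def latest_complete_before(points, cutoff: str, required=("SOFTWARE", "SYSTEM")):
    """Newest restore point taken before `cutoff` (ISO date) that has every required hive."""
    limit = datetime.fromisoformat(cutoff)
    ok = [p for p in points if p.when < limit and all(h in p.hives for h in required)]
    return ok[-1].name if ok else None


def size_jumps(points, hive: str, ratio: float = 1.25) -> list[str]:
    """Restore points where `hive` grew by more than `ratio` versus the previous point."""
    jumps, prev = [], None
    for p in points:
        size = p.hives.get(hive)
        if size is None:
            continue
        if prev is not None and size > prev * ratio:
            jumps.append(p.name)
        prev = size
    return jumps


if __name__ == "__main__":
    pts = parse_enum_log(SAMPLE_ENUM_LOG)
    for p in pts:
        print(p.name, p.when, {h: f"{s:.1f}M" for h, s in p.hives.items()})
    print("candidate before 2011-10-15:", latest_complete_before(pts, "2011-10-15"))
    print("SYSTEM hive size jumps:", size_jumps(pts, "SYSTEM"))
```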

#9 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 22 November 2011 - 08:14 PM

Sorry it takes so long. I don't have internet at home due to the computer being down. I can get on daily and that's about it. The weekends are difficult as we usually aren't around wifi for our other computer to work.


Thanks for letting me know. I won't bug you quite so regularly :)

We have some options now. The restore points go back to October so we'll try and restore the system back to October.

  • Boot the Sick computer with the USB drive again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh -r then press Enter
  • Type 509
  • Press Enter
  • After it has finished a report will be located at sdb1 named restore.log
  • Please try to boot into normal Windows now and indicate if you were successful

Please note - all text entries are case sensitive

Copy and paste the restore.log from your USB drive for my review

#10 centerct

  • Topic Starter
  • Members
  • 34 posts

Posted 22 November 2011 - 08:35 PM

I will post the log tomorrow asap. I tried rebooting. It still goes into safe mode with the command.exe screen coming up

#11 centerct

  • Topic Starter
  • Members
  • 34 posts

Posted 24 November 2011 - 11:00 AM

Here is the log that you asked for.
SOFTWARE hive restored from RP509
SYSTEM hive restored from RP509
SECURITY hive restored from RP509
SAM hive restored from RP509

Again after rebooting it went into safe mode with the cmd.exe box.

Thanks again for the help.

Edited by centerct, 24 November 2011 - 11:00 AM.


#12 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 24 November 2011 - 02:52 PM

No go. :(

Let's try checking the Master Boot Record
  • Download xPUDtestdisk.exe and save it to the usb device, then double click it to extract the contents. It will create a folder named testdisk on the device.
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear


Now to run TestDisk in the xPUD environment

  • Press File
  • Expand mnt
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive
  • Confirm that you see TestDisk that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type testdisk/testdisk_static
  • Press Enter
  • Start TestDisk.
  • The first screen will present log options - press Enter to continue.
  • TestDisk will scan the system and show drive information.
  • If more than 1 drive, select the correct drive, make sure [Proceed] is selected then press Enter to continue.
  • Select [Intel] partition and press Enter to continue.
  • Select [MBR Code] and press Enter to continue.
  • Type Y when prompted to write a new mbr code to the first sector, then confirm at the next screen by typing Y again.
  • Press Q repeatedly until TestDisk exits then remove the USB and reboot.


#13 centerct

  • Topic Starter
  • Members
  • 34 posts

Posted 26 November 2011 - 10:02 PM

I tried this on Thursday and it still rebooted into safe mode with the cmd.exe screen coming up. Any more ideas? Thanks

#14 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 27 November 2011 - 09:04 PM

Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)


When you get to the above screen, take note of the number that references your operating system.
If it's '1' like the picture above, type 1 and press Enter



Next type FIXMBR


If it asks if you're sure you want to write a new MBR, answer 'Y'

Then type EXIT to reboot the machine.

Let me know how that goes.


Also, if you can now boot normally, run a new scan with MBRCheck and post the log.

#15 centerct

  • Topic Starter
  • Members
  • 34 posts

Posted 27 November 2011 - 09:32 PM

How do I get to that screen? Every button I try just gets me to reboot, and F2 gets me to the InsydeH2O Setup Utility. I'm sorry this is such a headache, but I appreciate your patience. Just FYI, I have internet access all the time now through my other laptop.

Edited by centerct, 28 November 2011 - 02:14 PM.
