
Acer Desktop Win XP with rootkits [Solved]


  • This topic is locked

#1 clxskeeg (Member, 60 posts)
I have an Acer Aspire Desktop and I tried to reinstall XP Home over the factory preinstall in Nov 2008, because of possible malware. I thought I had botched the install, so I shut it down until I could figure it out. I set up an old laptop and continued to use that, and forgot about the Acer, until the laptop died this week. So I am forced to deal with the Acer.

I booted it up and found the install apparently did go through OK, over the existing data. There were a couple hours of Microsoft updates to deal with. I have had to tweak various drivers and settings, but I can't use FireFox or IE6, they continually crash after viewing just a few web pages. I finally decided to set up a new user acct with minimal settings, and at least I can work Firefox, but IE6 is still not working. But now I think the malware is still present, and GMER shows rootkits.


I have cleaned with TFC. I have backed up with ERUNT. I have tried twice to run OTL, but it keeps on crashing after running for almost 10 minutes, I even tried a third time to use OT Helper but it still crashed. I have run chkdsk. I scanned with MBAM which was freshly updated today. It found nothing.

Below are the MBAM log, GMER log and an MBR log.


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4042

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

4/27/2010 12:24:38
mbam-log-2010-04-27 (12-24-38).txt

Scan type: Quick scan
Objects scanned: 119914
Time elapsed: 9 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-27 10:17:34
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\fixer\LOCALS~1\Temp\ugldrpob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF7A298AC]
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xF7A29812]

---- Kernel code sections - GMER 1.0.15 ----

PAGE CLASSPNP.SYS!ClassInitialize + F4 F7D0342C 4 Bytes [60, 37, 40, 82]
PAGE CLASSPNP.SYS!ClassInitialize + FF F7D03437 4 Bytes [AC, F1, 3F, 82]
PAGE CLASSPNP.SYS!ClassInitialize + 10A F7D03442 4 Bytes [72, 37, 40, 82]
PAGE CLASSPNP.SYS!ClassInitialize + 111 F7D03449 4 Bytes [66, 37, 40, 82]
PAGE CLASSPNP.SYS!ClassInitialize + 118 F7D03450 4 Bytes [6C, 37, 40, 82]
PAGE ...
? C:\DOCUME~1\fixer\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1556] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 013C2B7D
.text C:\WINDOWS\Explorer.EXE[1556] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 013C2B3A
.text C:\WINDOWS\Explorer.EXE[1556] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 013C2AFE
.text C:\WINDOWS\Explorer.EXE[1556] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 013C2AE3
.text C:\WINDOWS\Explorer.EXE[1556] WS2_32.dll!send 71AB4C27 5 Bytes JMP 013C296F
.text C:\WINDOWS\Explorer.EXE[1556] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 013C2A61
.text C:\WINDOWS\Explorer.EXE[1556] WS2_32.dll!recv 71AB676F 5 Bytes JMP 013C29A7
.text C:\WINDOWS\Explorer.EXE[1556] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 013C29DF
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 014D2B7D
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 014D2B3A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 014D2AFE
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 014D2AE3
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] WS2_32.dll!send 71AB4C27 5 Bytes JMP 014D296F
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 014D2A61
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] WS2_32.dll!recv 71AB676F 5 Bytes JMP 014D29A7
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 014D29DF

---- Devices - GMER 1.0.15 ----

Device \Driver\Cdrom \Device\CdRom0 82403760
Device \Driver\Cdrom \Device\CdRom0 823FF1AC
Device \Driver\Cdrom \Device\CdRom1 82403760
Device \Driver\Cdrom \Device\CdRom1 823FF1AC
Device \Driver\Disk \Device\Harddisk0\DR0 82403760
Device \Driver\Disk \Device\Harddisk0\DR0 823FF1AC
Device \Driver\Disk \Device\Harddisk1\DR4 82403760
Device \Driver\Disk \Device\Harddisk1\DR4 823FF1AC
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+8 82403760
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+8 823FF1AC
Device \Driver\Disk \Device\Harddisk2\DR5 82403760
Device \Driver\Disk \Device\Harddisk2\DR5 823FF1AC
Device \Driver\Disk \Device\Harddisk2\DP(1)0-0+9 82403760
Device \Driver\Disk \Device\Harddisk2\DP(1)0-0+9 823FF1AC
Device \Driver\Disk \Device\Harddisk3\DP(1)0-0+a 82403760
Device \Driver\Disk \Device\Harddisk3\DP(1)0-0+a 823FF1AC
Device \Driver\Disk \Device\Harddisk3\DR6 82403760
Device \Driver\Disk \Device\Harddisk3\DR6 823FF1AC
Device \Driver\Disk \Device\Harddisk4\DP(1)0-0+b 82403760
Device \Driver\Disk \Device\Harddisk4\DP(1)0-0+b 823FF1AC
Device \Driver\Disk \Device\Harddisk4\DR7 82403760
Device \Driver\Disk \Device\Harddisk4\DR7 823FF1AC

AttachedDevice \FileSystem\Fastfat \Fat VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

---- Threads - GMER 1.0.15 ----

Thread System [4:1404] 8243A260
Thread System [4:1408] 82428280
Thread System [4:1412] 8246D910
Thread System [4:1416] 8240B610
Thread System [4:2540] 8243A260
Thread System [4:3096] 82428280
Thread System [4:3392] 8246D910
Thread System [4:300] 8240B610

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@DllName crypt32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Logoff ChainWlxLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@DllName cryptnet.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Logoff CryptnetWlxLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@DLLName cscdll.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Logon WinlogonLogonEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Logoff WinlogonLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@ScreenSaver WinlogonScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Startup WinlogonStartupEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Shutdown WinlogonShutdownEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@StartShell WinlogonStartShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@DllName %SystemRoot%\System32\dimsntfy.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Startup WlDimsStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Shutdown WlDimsShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Logon WlDimsLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Logoff WlDimsLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@StartShell WlDimsStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Lock WlDimsLock
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Unlock WlDimsUnlock
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@DLLName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Logon SCardStartCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Logoff SCardStopCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Lock SCardSuspendCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Unlock SCardResumeCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Enabled 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@DllName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@StartShell SchedStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Logoff SchedEventLogOff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Logoff WLEventLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@DllName sclgntfy.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@DLLName WlNotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Lock SensLockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Logon SensLogonEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Logoff SensLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Safe 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@MaxWait 600
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StartScreenSaver SensStartScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StopScreenSaver SensStopScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Startup SensStartupEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Shutdown SensShutdownEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StartShell SensStartShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@PostShell SensPostShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Disconnect SensDisconnectEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Reconnect SensReconnectEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Unlock SensUnlockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@DllName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Logoff TSEventLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Logon TSEventLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@PostShell TSEventPostShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Shutdown TSEventShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@StartShell TSEventStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Startup TSEventStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@MaxWait 600
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Reconnect TSEventReconnect
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Disconnect TSEventDisconnect
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@DLLName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Logon RegisterTicketExpiredNotificationEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Logoff UnregisterTicketExpiredNotificationEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Asynchronous 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 34: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 35: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 37: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0x12a18ac1 size 0x1ae
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----






Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x82403766
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> 0x8243def0
Warning: possible MBR rootkit infection !
MBR rootkit code detected !
copy of MBR has been found in sector 37 !
malicious code @ sector 0x12a18ac1 size 0x1ae !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
PE file found in sector at 0x012A18AC1 !

Edited by clxskeeg, 28 April 2010 - 03:52 AM.

  • 0
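The GMER output above carries two findings a triage analyst would want to pull out mechanically: the user-mode inline hooks (the same ADVAPI32 crypto exports and WS2_32 socket exports redirected with a JMP in both Explorer.EXE and firefox.exe) and the disk-sector section (sector 0 flagged, MBR copies in sectors 37 and 62, a payload location). The following is an added Python example, not part of the post and not GMER's own code; it parses a constructed excerpt of the log lines shown above and checks whether the JMP targets in the two processes differ by one constant, which is what you would expect when the same hook blob has been injected into each process at a different base. The regexes and field names are my assumptions about the log format, based only on the lines in the post.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the GMER log in the post above.
GMER_LOG = r"""
.text C:\WINDOWS\Explorer.EXE[1556] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 013C2AFE
.text C:\WINDOWS\Explorer.EXE[1556] WS2_32.dll!send 71AB4C27 5 Bytes JMP 013C296F
.text C:\WINDOWS\Explorer.EXE[1556] WS2_32.dll!recv 71AB676F 5 Bytes JMP 013C29A7
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 014D2AFE
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] WS2_32.dll!send 71AB4C27 5 Bytes JMP 014D296F
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] WS2_32.dll!recv 71AB676F 5 Bytes JMP 014D29A7
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 37: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0x12a18ac1 size 0x1ae
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
"""

# Field layout assumed from the lines above (GMER's real grammar may be wider).
HOOK_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<size>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)$"
)
DISK_RE = re.compile(r"^Disk (?P<device>\S+) sector (?P<sector>\d+): (?P<detail>.*)$")
PAYLOAD_RE = re.compile(r"malicious code @ sector (?P<sector>0x[0-9A-Fa-f]+) size (?P<size>0x[0-9A-Fa-f]+)")


def parse_hooks(log):
    """Return one dict per '.text ... JMP' line: image, pid, module, func, addr, size, target."""
    hooks = []
    for line in log.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            h = m.groupdict()
            h["pid"], h["size"] = int(h["pid"]), int(h["size"])
            h["addr"], h["target"] = int(h["addr"], 16), int(h["target"], 16)
            hooks.append(h)
    return hooks


def hooks_by_process(hooks):
    """Map 'image[pid]' -> {'module!func': jmp_target}."""
    by_proc = defaultdict(dict)
    for h in hooks:
        by_proc[f'{h["image"]}[{h["pid"]}]'][f'{h["module"]}!{h["func"]}'] = h["target"]
    return dict(by_proc)


def shared_hook_layout(by_proc):
    """If every process hooks the same APIs and, per process, each JMP target equals the
    first process's target plus one constant, return {process: delta}; otherwise None.
    A constant delta means the hook stubs are laid out identically in each process,
    i.e. one injected code blob mapped at a different base address."""
    procs = list(by_proc)
    ref_apis = set(by_proc[procs[0]])
    deltas = {}
    for p in procs:
        if set(by_proc[p]) != ref_apis:
            return None
        d = {by_proc[p][api] - by_proc[procs[0]][api] for api in ref_apis}
        if len(d) != 1:
            return None
        deltas[p] = d.pop()
    return deltas


def parse_disk_findings(log):
    """Summarise the 'Disk sectors' section: is sector 0 flagged, which sectors hold
    MBR copies, and where GMER says the hidden payload lives (sector, size)."""
    summary = {"mbr_infected": False, "mbr_copies": [], "payload": None}
    for line in log.splitlines():
        m = DISK_RE.match(line.strip())
        if not m:
            continue
        sector, detail = int(m["sector"]), m["detail"]
        if sector == 0 and "MBR rootkit code detected" in detail:
            summary["mbr_infected"] = True
        if "copy of MBR" in detail:
            summary["mbr_copies"].append(sector)
        pm = PAYLOAD_RE.search(detail)
        if pm:
            summary["payload"] = (int(pm["sector"], 16), int(pm["size"], 16))
    return summary


if __name__ == "__main__":
    by_proc = hooks_by_process(parse_hooks(GMER_LOG))
    print("hooked processes:", list(by_proc))
    print("per-process target delta:", shared_hook_layout(by_proc))
    print("disk findings:", parse_disk_findings(GMER_LOG))
```

On the sample, the firefox.exe targets sit exactly 0x110000 above the Explorer.EXE targets for every hooked API, and the same holds for all eight APIs in the full log above; a per-process summary like this is what makes the pair of hooked processes obviously one implant rather than two unrelated findings.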

#2 clxskeeg (Topic Starter, Member, 60 posts)
I have found a way to make OTL work: it was stopping because the default screensaver was kicking in at 10 minutes. I have changed that. However, the majority of files on this machine are about 500 days old or older (Nov 2008), and I see that OTL's default setting in quick scan is 90 days, so would a scan with OTL be useless, or can it be modified beyond 360 days?
  • 0

#3 ldtate (Malware Expert, MVP, 1,874 posts)


DO NOT use any TOOLS such as ComboFix, VundoFix, or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.



Vista and Windows 7 users:
1. These tools MUST be run from the executable (.exe) every time you run them.
2. Run them with Admin Rights (right click, choose "Run as Administrator").


Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.


Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.
Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.
When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:
Double-click on the Folder Options icon.
Click on the View tab.


If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.
Click on Show Hidden Files or Folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.




Please do not delete anything unless instructed to.


Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

After the all clear post:

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.


We've been seeing some Java infections lately.
Go here and follow the instructions to clear your Java Cache


Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:


Download ComboFix from one of these locations:

Link 1
Link 2 If using this link, Right Click and select Save As.


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.

    Note: If you have SP3, use the SP2 package. If Vista or Windows 7, skip the Recovery Console part.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.
  • 0

#4 clxskeeg (Topic Starter, Member, 60 posts)
Well, pretty much a disaster has happened. While I was using ComboFix, it said it had found rootkit activity and told me to restart, and now the computer will not boot beyond the black screen you get after the F12 boot menu screen. Either you see a single blinking line at top left, or two lines that say Boot from CD/DVD, but no key that you press will enter any character or command.

I did the unhide files step, and ran DeFogger. I clicked Disable and it ran successfully. It did NOT ask to reboot. I ran it again to enable. Again it did not ask to reboot. I looked at the log it produced; it was only 6 or 7 lines long, and ended at the bottom with 3 capitalized letters. I can't tell you anything more about the log, as it is on the desktop of the "dead" computer.

I cleaned the Java cache and cleaned with ATF. I downloaded ComboFix and started it, after disabling CA Antivirus. That's when I think something funny happened: while ComboFix was running, I heard these little beeps, I think 2 beeps about a second apart, about 4 or 5 times, every 1 or 2 minutes, from the area right next to the computer box. I thought this may be coming from my cellphone, but I still do not exactly know where the sound came from. I do not remember hearing them while dealing with the black screen problem, only during the ComboFix run.

After I started to get the black screen stall, I tried to see if I could somehow boot from a disk (I don't exactly know what that means beyond the F12 setting). I have the OEM Windows XP Home installation disk, complete with registration/validation keys; I have 4 disks I got with the Acer computer, and the No. 1 disk says bootable; and I have 5 "back up" CD disks that I produced when I first set up the computer. I have tried putting each of those in the DVD-ROM drive and booting up with F12 set to boot from CD, but I can only get the black screen as above. I think it was when I put in the XP disk that the computer seemed to be going into a complete reinstall. I somehow got into the XP Recovery Console, and somehow found the FIXBOOT command and had the computer write a new boot sector, and exited out of recovery, but I can still only get a black screen with a blinking cursor. I also tried taking the CMOS battery out of the motherboard, to see if some default would reset, but it started to talk about Windows 98 and I didn't know how to proceed through that setup. I am actually sending this from a brand new netbook, which I had planned to buy soon, but my choice was forced to get it now since the Acer desktop was the only computer I have and I need Internet access to run my business.

So, please, what can we do to fix the boot problem?

Edited by clxskeeg, 04 May 2010 - 04:17 AM.

  • 0
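The "copy of MBR has been found in sector 37 / 62" lines in the first post mean that an intact copy of the boot sector sits in the unpartitioned sectors before the first partition, and a fix such as "mbr.exe -f" works by writing such a copy back over sector 0; the reboot after ComboFix's rootkit fix is exactly the point at which this machine stopped booting, so a sanity check of sector 0 before and after a repair is worth having. The following is an added Python example, not from the thread and not code from ComboFix, GMER or mbr.exe; it builds a constructed 64-sector disk image (labelled filler bytes, no real rootkit code) with replaced boot code in sector 0 and two copies of the original MBR at sectors 37 and 62, parses the MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), locates the copies, and shows the restore. The image layout and the helper names are my own assumptions.

```python
import struct

SECTOR = 512
PT_OFFSET = 446     # partition table: four 16-byte entries
SIG_OFFSET = 510    # 0x55 0xAA boot signature
BOOT_SIG = b"\x55\xAA"


def parse_mbr(sector):
    """Split one 512-byte sector into boot code, partition entries and a signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one sector")
    parts = []
    for i in range(4):
        e = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        ptype = e[4]
        if ptype == 0:
            continue  # empty entry
        parts.append({
            "bootable": e[0] == 0x80,
            "type": ptype,
            "lba_start": struct.unpack_from("<I", e, 8)[0],
            "sectors": struct.unpack_from("<I", e, 12)[0],
        })
    return {
        "signature_ok": sector[SIG_OFFSET:] == BOOT_SIG,
        "boot_code": bytes(sector[:PT_OFFSET]),
        "partitions": parts,
    }


def find_mbr_copies(image):
    """Scan the gap between sector 0 and the first partition for sectors that carry the
    same partition table as sector 0 plus a valid signature. Returns [(sector, boot_code_differs)].
    A copy whose boot code differs from sector 0 is the pattern GMER reported in this thread."""
    mbr = parse_mbr(image[:SECTOR])
    table0 = image[PT_OFFSET:SIG_OFFSET]
    first_lba = min(p["lba_start"] for p in mbr["partitions"])
    hits = []
    for n in range(1, first_lba):
        s = image[n * SECTOR:(n + 1) * SECTOR]
        if s[SIG_OFFSET:] == BOOT_SIG and s[PT_OFFSET:SIG_OFFSET] == table0:
            hits.append((n, bytes(s[:PT_OFFSET]) != mbr["boot_code"]))
    return hits


def restore_mbr(image, from_sector):
    """Return a new image whose sector 0 is the copy stored at from_sector
    (the repair that mbr.exe -f style tools perform on the real disk)."""
    fixed = bytearray(image)
    fixed[:SECTOR] = image[from_sector * SECTOR:(from_sector + 1) * SECTOR]
    return bytes(fixed)


def build_sample_image():
    """Constructed 64-sector image: one type-0x07 partition starting at LBA 63,
    sector 0 carries replaced boot code, sectors 37 and 62 hold the original MBR."""
    table = bytearray(64)
    # entry 0: bootable flag, placeholder CHS fields, type 0x07, start LBA 63, 200000 sectors
    struct.pack_into("<B3sB3sII", table, 0, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 200000)
    original = b"CONSTRUCTED ORIGINAL BOOT CODE".ljust(PT_OFFSET, b"\x00") + table + BOOT_SIG
    replaced = b"CONSTRUCTED REPLACED BOOT CODE".ljust(PT_OFFSET, b"\x90") + table + BOOT_SIG
    image = bytearray(64 * SECTOR)
    image[0:SECTOR] = replaced
    for n in (37, 62):
        image[n * SECTOR:(n + 1) * SECTOR] = original
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    print("sector 0 partitions:", parse_mbr(img[:SECTOR])["partitions"])
    print("MBR copies (sector, boot code differs):", find_mbr_copies(img))
    print("after restore from sector 37:", find_mbr_copies(restore_mbr(img, 37)))
```

The partition table is the part a boot-sector implant has to leave alone, which is why comparing tables (not whole sectors) is the right way to recognise a stashed copy; after the restore the copies are still present but no longer differ from sector 0, and a real-disk check would read the same 512-byte blocks from the raw device instead of from this constructed image.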

#5 ldtate (Malware Expert, MVP, 1,874 posts)
Restart your computer in Safe Mode.

Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.
This can take several minutes to load.

If that still doesn't load, try Last Known Good Configuration.
  • 0

#6 clxskeeg (Topic Starter, Member, 60 posts)
I cannot boot into Safe Mode. All I can get is the first screen with an Acer logo; at the bottom it says Del to enter BIOS and F12 to set boot. I tried hitting the F8 key continually after turning on the power, but the Safe Mode selection page will not come up. I tried going to the BIOS setup page and set the BIOS to boot first from CD, and I have the Windows XP disk in the DVD drive, but all I see on the black screen are two lines, both saying Boot from CD/DVD : , and then the blinking cursor, but no key will change the cursor; it just keeps on blinking.
  • 0

#7 ldtate (Malware Expert, MVP, 1,874 posts)

but all I see on the black screen are two lines, both say Boot from CD/DVD : , and then the blinking cursor, but no key will change the cursor, it just keeps on blinking.

At that point did you tap the Enter Key?
  • 0

#8 clxskeeg (Topic Starter, Member, 60 posts)
Yes, when I press the enter key, nothing happens. Just the two lines Boot from CD/DVD, and a blinking cursor line underneath. Nothing changes when you press enter or any other key.
  • 0

#9 clxskeeg (Topic Starter, Member, 60 posts)
OK, something is going on now, I powered up again and I pressed the f8 just as the "two lines" came on the screen, and another line appeared that said press any key to boot from CD, and a blue screen appeared and it appears Setup has begun. It has loaded some files I guess, and now the blue screen says Welcome to setup

* To set up Windows XP now press enter

*To repair a Windows XP installation using Recovery console, press R

*To quit Setup without installing Windows XP, press F3
  • 0

#10 ldtate (Malware Expert, MVP, 1,874 posts)

*To repair a Windows XP installation using Recovery console, press R

Select that one.
Don't do anything else yet. I'll post back in a minute.
  • 0

#11 ldtate (Malware Expert, MVP, 1,874 posts)
This is way too long for me to type out, so you'll need to follow the instructions from here.
http://www.icompute...._from_xp_cd.htm

Your starting point will be here, so just scroll down to:

I. Boot to Recovery Console as described above.


II. Restore the registry with the steps below.

Edited by ldtate, 04 May 2010 - 09:30 AM.

  • 0

#12 clxskeeg (Topic Starter, Member, 60 posts)
I went to that page link you gave, but I think there is a step missing. I pressed R and got to a black screen Recovery Console, but after the line C:\Windows it says "Which Windows installation would you like to log onto (to cancel, press Enter)" and then the blinking cursor. The page you referred me to says to type cd \ but it won't accept this; only the c will type in. I think I have to skip the "which installation" prompt, or type something in (a number?) before I can proceed in any way.

OK, I read higher up on the page and I went through it, and I am going through the section you referred to. I am continuing.


Well, I went through the steps on the icompute page, I got to the point where I got the "access denied" response, and I carefully went through the next steps down to typing in system.bak, typed exit, pressed enter, the computer restarted, but now what I get is a black screen, with 3 lines of text, Boot from CD/DVD, Boot from CD/DVD, Press any key to boot from CD....., and then a blinking cursor, but again, the cursor will NOT respond to ANY key that is pressed, nor ENTER or spacebar or F8 or any other key. I also hear a tiny "clink" noise when any key is pressed, I guess that is some kind of error sound that says the keyboard is not working.

Edited by clxskeeg, 04 May 2010 - 10:13 AM.

  • 0

#13 ldtate (Malware Expert, MVP, 1,874 posts)
Power it off and try again.
  • 0

#14 clxskeeg (Topic Starter, Member, 60 posts)
The power off worked, so I went back to the instructions on the icompute page and I am down to

c:\system~1\resto~1\rp21\cd snapshot

on the recovery page. But I am not sure what to do next, (1)press enter or (2)continue typing as the page says copy_registry_machine_system.

Well I went ahead and did this (2) and got to the point where it said 1 file copied, then the icompute page said to do the same thing for "software" copy_registry_machine_software, but then it said file or directory could not be found. So the icompute page suggests using an earlier restore folder, but now I am seeming to be in a loop of somehow doing the wrong thing and starting over and over again, I cannot seem to be able to repeat my steps to pick a different restore folder.

For instance, in the screenshot below, I get down to system.bak, and it says the file exists; if I type exit, all it does is start over with the Recovery Console, and I can't get back down to snapshot.

Posted Image
  • 0

#15 ldtate (Malware Expert, MVP, 1,874 posts)
Try moving down to step 14 on
  • 0





