[Jintan]

Sorry, I caught the email notification late. I will post back the procedures for an alternate CD in the morning (my time).

[Advertisements]

Sounds great, no worries catching it late as I am just wrapping up finals for grad school today so it wasn't like I had a ton of free time to mess with this machine.

[craigrulez]

Sounds great, no worries catching it late as I am just wrapping up finals for grad school today so it wasn't like I had a ton of free time to mess with this machine.

[Jintan]

Had to test the steps myself, since it has been a while since I used them. Just need a pc that has CD writing capabilities, and a blank CD.

You will need a ISO burning program installed first on the working PC, so if you do not have one then InfraRecorder will work fine for this

http://infrarecorder....net/?page_id=5

But either way you can download a Recovery Console ISO from here

http://www.thecomput...om/files/rc.iso

To burn a disk using the InfraRecorder program just install it, insert a blank disk then open the program, click Actions on the Top bar then click Burn Image, locate the rc.iso then double click it and follow the onscreen prompts.

----------

Load the XP CD into the CD-ROM drive and restart the system. On reboot watch for and agree to any prompts to boot from the CD. If the system only reboots to Windows stop and post back here and we will discuss steps to make changes in the BIOS.

After the installation software inspects the system and loads all necessary device drivers you will see the the "Welcome To Setup" screen, with the following menu:

This portion of the Setup program prepares Microsoft Windows XP to run on your computer:

To setup Windows XP now, press ENTER.

To repair a Windows XP installation using Recovery Console, press R.

To quit Setup without installing Windows XP, press F3.

Press "R" to start the Recovery Console setup. After you start the Windows Recovery Console, you receive the following message:

Microsoft Windows® Recovery Console

The Recovery Console provides system repair and recovery functionality.
Type EXIT to quit the Recovery Console and restart the computer.

1: C:\WINDOWS

Which Windows Installation would you like to log on to
(To cancel, press ENTER)?

After you enter the number for the appropriate Windows installation, Windows will then prompt you to enter the Administrator account password. If you do not know this, it may just be blank, so press Enter when asked for the password.

For now, let's just see what disabling those two services that showed earlier might do. At the C:\Windows\> prompt, type each of the following, pressing Enter after each:

disable vwservice

disable winss

exit

You should get confirmation each time that the start type of the service has changed. Be sure to let me know in your next reply if you did not, or the service wasn't found. When you hit Enter after typing exit your computer will reboot. Do Not press any key until the system has completely rebooted, then after the reboot be sure to remove your XP CD from the CD-ROM drive.

Then see if you can run TDSSKiller, followed by ComboFix, and post those logs please.

[craigrulez]

Hey Jintan:

Sorry about the lateness of my reply, but I was out of town this weekend.

I will be able to run this procedure tomorrow and will post the log results.

Thanks!

[Jintan]

That'll be just fine.

[craigrulez]

Hey Jintan:

Just burnt the CD, inserted into the drive, and restarted, but the system booted straight to windows normally. I didn't have the option to boot from the CD.

Thanks!

[Jintan]

Okay, need to change the boot order. Anything show on the first "splash" screen as the computer boots up - key options, such as "Esc - Change Boot Order/Boot Menu" or "Delete/F2 to Enter Setup"? May be only briefly shown, depending on some settings in the BIOS.

[craigrulez]

Yes there is an F2-Setup option.

[Jintan]

Select that. In the BIOS, look around (using the arrow keys to navigate, and Escape key to go back a page), and locate the Boot Options.

Here's some general instructions for changing the boot order (thanks to Andy M., wherever he's gotten to lately)

http://www.hiren.inf...bios-boot-cdrom

http://www.windowsre.../articles/bios/

[craigrulez]

Hey Jintan:

I was able to get the recovery disk to run this time, performed both the disabling tasks and each time it told me that both of them were found, but they were both already disabled.

I then attempted to run TDSSKiller and it still doesn't run. I am trying to run Combofix right now and it told me that it was expired, I clicked "yes" to run in lowered functionality mode and then the program disappeared.

Also, not sure if this may help, but the other day I also noticed that my front USB drives have something also wrong. Whenever I plug in a flash drive, it's telling me the drive is not properly formatted and asks me to format it each time. When I was booting from the USB drive earlier, I had to always unplug the drive after entering the boot screen, and plug it back in before it would show up in the screen for me to click on.

Thanks.

Edited by craigrulez, 13 December 2011 - 06:37 PM.

[Jintan]

Sorry, it won't be until tomorrow until I can access a test system to trial some methods for you to work with there. My apologies for this dragging on like this, though no apologies for the cheesy, purse-snatching malware clowns who infect systems this way.

[craigrulez]

Not a problem at all, I clearly have more than one PC so it's not like I'm completely stuck or anything, so no apology necessary. I will say that I am almost slightly impressed with the writers of this one, the code on it has got to be very extensive to say the least!

[Jintan]

Let's see if some brute force will move things forward there.

First, go here and download and install the free trial version of Revo's Uninstaller. See if you can use that to uninstall Spyware Doctor and Browser Defender. Need these unknowns out of the way, if possible.

Leave the default setting of "Moderate" for each uninstall, and it is okay to use "Select All" to Delete what Revo finds.

-------------

Be sure ComboFix.exe is directly on your desktop (the Administrator account that has been showing in these logs).

Download The Avenger by Swandog from here and save it to your Desktop, and unzip the downloaded avenger.zip file. Then in the new avenger folder created locate avenger.exe, and rename that to mike.com

Then click mike.com to start Avenger.

Okay the warning. When the Avenger display opens copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.

Begin copying here:
Drivers to delete:
winss
vwservice
Folders to delete:
C:\Documents and Settings\All Users\Application Data\ZEi5uYcgM071Dh 
C:\Documents and Settings\All Users\Application Data\~ZEi5uYcgM071Dh 
C:\Documents and Settings\All Users\Application Data\~ZEi5uYcgM071Dhr
Files to delete:
C:\Documents and Settings\All Users\Application Data\7hmxw681gt1y0f48sfbt21434460ctd2rv6u2 
C:\Documents and Settings\Administrator\Local Settings\Application Data\7hmxw681gt1y0f48sfbt21434460ctd2rv6u2 
C:\WINDOWS\System32\pvgeydbw.ini  
C:\WINDOWS\System32\ffbplnlx.ini  
C:\WINDOWS\hpfins05.dat.temp  
C:\WINDOWS\hpfmdl05.dat.temp  
C:\WINDOWS\System32\disynhif.ini  
C:\WINDOWS\System32\qqstv.ini2  
C:\WINDOWS\System32\wnsintcc32.exe  
C:\WINDOWS\System32\hpzidi01.dll  
C:\WINDOWS\System32\hpzids01.dll  
C:\WINDOWS\System32\koeouatg.ini  
C:\DOCUME~1\ChrisV\LOCALS~1\Temp\win1B.tmp.exe
C:\WINDOWS\TEMP\win1002.tmp.exe
Programs to launch on reboot:
C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

Your system may reboot twice to complete the repairs. After the reboot a text will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt.

If things go according to plan, and of course that is not guaranteed, Avenger will also try to start ComboFix. If it succeeds, post that C:\ComboFix.txt log as well please.

[Jintan]

No response in a day or so. That procedure was not without some risks, so if you ran into problems after, do see if you can follow up here to resolve any issues.