[Duncan63]

OK, here it is - thanks for your continued support!



Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.24.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: DELLD520-NB [administrator]

24/01/2012 01:18:00
mbam-log-2012-01-24 (01-18-00).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 236393
Time elapsed: 47 minute(s), 21 second(s)

Memory Processes Detected: 2
C:\Documents and Settings\All Users\Application Data\ScFifFUnavADgjd.exe (Trojan.FakeAlert) -> 1356 -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Gp08U7VTsS7cIZ.exe (Rogue.FakeAlert) -> 2824 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ScFifFUnavADgjd.exe (Trojan.FakeAlert) -> Data: C:\Documents and Settings\All Users\Application Data\ScFifFUnavADgjd.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 7
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 12
C:\Documents and Settings\All Users\Application Data\ScFifFUnavADgjd.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Gp08U7VTsS7cIZ.exe (Rogue.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\20\219c8554-2ac9e95a (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\30\39c6d6de-1bee563a (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\qkm.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP311\A0224555.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP311\A0224558.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP311\A0224582.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP314\A0226626.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP314\A0226627.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP314\A0226650.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP314\A0226685.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.

(end)

[Advertisements]

Hi.

OK, here it is - thanks for your continued support!

Actually there is nothing in the log to account for the current boot issues. Some System Restore Points were flagged as infected and subsequently the offending removed which would in turn render the actual whole System Restore Point useless...though that is moot at this time actually as non of the the various Restore Points we tried work at all.

Regarding the particular infections removed it is entirely feasible before-hand they had further downloaded more malware as a either a attempt to re-spawn in case of removal and or further compromise/infect. Unfortunately at this time I cannot say for sure which possible scenario.

Overall not looking good as I mentioned in post #30. However lets check if we can find out how many critical system files are either missing and or corrupt and though a long shot if not too many...with a future check at least some to copy over we may be able to get your Son's machine to boot up and use the XP Installation CD-ROM from your machine(if you can find it) to perform a System File Check.

All mentioned may just not be feasible but no harm checking I feel at this point as follows...

Next:

Boot your Son's machine with the xPUD disk again.

Click on File >> MMT >> sda1

• Press Tool at the top
• Choose Open Terminal
• Type bash driver.sh
• Press Enter
• After it has finished a report will be created named report.txt

Then click on Menu and in turn:-

Web Browser
firefox

In the browser address bar enter www.google.com >> then in the Google search box enter >> Geeks to Go

Go to the forum and navigate back to this topic and post the requested report.txt and we will go from there, thank you.

[Dakeyras]

Hi.

OK, here it is - thanks for your continued support!

Actually there is nothing in the log to account for the current boot issues. Some System Restore Points were flagged as infected and subsequently the offending removed which would in turn render the actual whole System Restore Point useless...though that is moot at this time actually as non of the the various Restore Points we tried work at all.

Regarding the particular infections removed it is entirely feasible before-hand they had further downloaded more malware as a either a attempt to re-spawn in case of removal and or further compromise/infect. Unfortunately at this time I cannot say for sure which possible scenario.

Overall not looking good as I mentioned in post #30. However lets check if we can find out how many critical system files are either missing and or corrupt and though a long shot if not too many...with a future check at least some to copy over we may be able to get your Son's machine to boot up and use the XP Installation CD-ROM from your machine(if you can find it) to perform a System File Check.

All mentioned may just not be feasible but no harm checking I feel at this point as follows...

Next:

Boot your Son's machine with the xPUD disk again.

Click on File >> MMT >> sda1

• Press Tool at the top
• Choose Open Terminal
• Type bash driver.sh
• Press Enter
• After it has finished a report will be created named report.txt

Then click on Menu and in turn:-

Web Browser
firefox

In the browser address bar enter www.google.com >> then in the Google search box enter >> Geeks to Go

Go to the forum and navigate back to this topic and post the requested report.txt and we will go from there, thank you.

[Duncan63]

Here it is, thank you! The boot problem didn't exist until after I'd run the MalwareBytes application and applied the fixes when prompted. Maybe the fixes included removing some critical items that had become infected? If so, is there a restore / recovery feature with the MalwareBytes application that saves the configuration and restores back to it in case of problems (as there is in e.g. Spybot)?

Sat Feb 18 09:56:52 UTC 2012
Driver report for /mnt/sda2/i386/SP1/Windows/System32/Drivers /mnt/sda2/i386/SP1/Windows/System32/Drivers/mrxsmb.sys has NO Company Name!/mnt/sda2/i386/SP1/Windows/System32/Drivers/rdbss.sys has NO Company Name!

7f09b37065b61ddbc6116f612e6183d1 /mnt/sda2/i386/SP1/Windows/System32/Drivers/mrxsmb.sys
Microsoft Corporation

1fd256b6025449dca3670574c0229d65 /mnt/sda2/i386/SP1/Windows/System32/Drivers/rdbss.sys
Microsoft Corporation

Driver report for /mnt/sda2/i386/SP2/Windows/System32/Drivers /mnt/sda2/i386/SP2/Windows/System32/Drivers/mrxsmb.sys has NO Company Name!

7b195060ff456fa65954c72c5c1640ff /mnt/sda2/i386/SP2/Windows/System32/Drivers/mrxsmb.sys
Microsoft Corporation

Driver report for /mnt/sda2/WINDOWS/system32/drivers

090880e9bf20f928bc341f96d27c019e Apfiltr.sys
Alps Electric

ac7280566a7bb85cb3291f04ddc1198e dxg.sys
Microsoft Corporation

Edited by Duncan63, 18 February 2012 - 04:21 AM.

[Dakeyras]

Hi.

The boot problem didn't exist until after I'd run the MalwareBytes application and applied the fixes when prompted. Maybe the fixes included removing some critical items that had become infected? If so, is there a restore / recovery feature with the MalwareBytes application that saves the configuration and restores back to it in case of problems (as there is in e.g. Spybot)?

As mentioned prior nothing removed by Malwarebytes Anti-Malware does account for the current non booting issue and as I have surmised it is merely one of those things and a consiquence of the infections on-board in all likely hood having downloaded/installed more. Probably something along the lines of say a specific Root-Kit for example. Though I do not know for sure at this time unless I am able to get your son's machine to boot. Though this is looking less likely all the time and it may just be the actual Operating System is corrupted/damaged beyond anything I can advise.

Malwarebytes Anti-Malware does have a feature to replace moved items but this cannot be done via xPUD.

Unfortunately the medium of support I do provide can be limited at times because I have no physical access to any one machine. If I did I could say remove the hard-drive and slave it via a special cable for laptop hard-drives and work on it that way for example...

Next:

Have you managed to locate the XP Installation CD-ROM for you machine at all? As we may be able to use that to try some repairs with on your Son's machine.

In the meantime carry out the below for me please...

Next:

Boot your Son's machine with the xPUD disk again.

Click on File >> MMT >> sda2

Now right-click on boot.ini and select Copy

Then click on Menu and in turn:-

Web Browser
firefox

In the browser address bar enter www.google.com >> then in the Google search box enter >> Geeks to Go

Go to the forum and navigate back to this topic and post the contents of the boot.ini and we will go from there, thank you.

[Duncan63]

Hi,

Yes, I did find the installation disk for my (good) machine, although this is for XP Home, and the bad machine is (was!) XP Pro, but I guess for what you need it for this shouldn't make any difference?

Contents of boot.ini as follows:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

[Dakeyras]

Hi.

Yes, I did find the installation disk for my (good) machine, although this is for XP Home, and the bad machine is (was!) XP Pro, but I guess for what you need it for this shouldn't make any difference?

Good and no it should not make any difference if we use it to access what is known as the Recovery Console.

Contents of boot.ini as follows:

That does not look quite right to me...Anyway in my experience the actual boot.ini for your Son's machine should be similar to the below for any type of XP based rig and just change the actual Operating System version etc:-

[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP >version name<" /fastdetect

So lets check if changing the boot.ini will actually help as follows...

Next:

Boot your Son's machine with the xPUD disk again.

Click on Menu then:-

Web Browser
firefox

In the browser address bar enter www.google.com >> then in the Google search box enter >> Geeks to Go

Go to the forum and navigate back to this topic and download the attached boot.zip <-- see below

Then click on File >> double click on MMT to expand >> under File System >> Downloads >> you should now see boot.zip. Extract this then copy boot.ini

Now navigate back to sda2 >> right-click and select Paste >> at the prompt >> click on Overwrite

Click on Home >> Power Off >> Restart

Let myself know if your Son's machine is now able to boot normally.

[Duncan63]

Hi,

I was called away from home at short notice on Sunday and haven't had a chance to log in until now. I'm still away, so have no access to my son's machine, however as soon as I can I will get back to you when I have access - thanks again for your continued support.

[Dakeyras]

OK and thank you for the courtesy of informing myself.

[Dakeyras]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.