"System Check" and "Zeroaccess!kmem" Virus
Started by
malmbor
, Feb 20 2012 06:19 PM
#31
Posted 26 February 2012 - 11:49 AM
#32
Posted 26 February 2012 - 11:59 AM
Are you still getting the exact same blue screen?
Boot back into the minXP and look at the file C:\qoobox\ComboFix-quarantined-files.txt
This is a list of files that Combofix removed. The files it removed have .vir added to them and are stored in C:\Qoobox\Quarantine\c\
You can rename them to get rid of the .vir and copy them back to the folder they came from. Perhaps that will help.
#33
Posted 26 February 2012 - 02:26 PM
I did that and it still comes up with the same blue screen.
#34
Posted 26 February 2012 - 02:39 PM
Go into recovery console
disable z800obex
I've asked in our internal forum if anyone has an idea what else we can do.
Ron
#35
Posted 27 February 2012 - 09:12 AM
Hi,
RKinner will be off for some time and has asked us to give him a hand.
We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.
Download GETxPUD.exe to the desktop of your clean computer
- Run GETxPUD.exe
- A new folder will appear on the desktop.
- Open the GETxPUD folder and click on the get&burn.bat
- The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
- Click on Start and follow the prompts to burn the image to a CD.
- Next download driver.sh by noahdfear to your USB drive
- Also download Query.exe by noahdfear to the USB drive. On your working computer, navigate to the USB drive and click on Query.exe. A folder and a file, query.sh, will be extracted.
- Once this process is completed, download Dumpit by noahdfear to the USB drive.
- Remove the USB & CD and insert them in the sick computer
- Boot the Sick computer with the CD you just burned
- The computer must be set to boot from the CD
- In some computers you need to tap F12 and choose to boot from the CD; in others it is the Esc key. Please consult your computer's documentation.
- Follow the prompts
- A Welcome to xPUD screen will appear
- Press File
- Expand mnt
- sda1,2...usually corresponds to your HDD
- sdb1 is likely your USB
- Click on the folder that represents your USB drive (sdb1 ?)
- Confirm that you see driver.sh that you downloaded there
- Press Tool at the top
- Choose Open Terminal
- Type bash driver.sh
- Press Enter
- After it has finished a report will be located on your USB drive named report.txt
- Then type bash driver.sh -af
- Press Enter
- You will be prompted to input a filename.
- Type the following:
Winlogon.exe
- Press Enter
- If successful, the script will search for this file.
- After it has completed the search enter the next file to be searched
- Type the following:
volsnap.sys
- Press Enter
- If successful, the script will search for this file.
- After it has completed the search enter the next file to be searched
- Type the following:
svchost.exe
- Press Enter
- If successful, the script will search for this file.
- After it has completed the search enter the next file to be searched
- Type the following:
explorer.exe
- Press Enter
- After it has completed the search enter the next file to be searched
- Type the following:
Userinit.exe
- Press Enter
- After the search is completed type Exit and press Enter.
- After it has finished a report will be located in the USB drive as filefind.txt
- While still in the Open Terminal, type bash query.sh
- Press Enter
- After it has finished a report will be located in the USB drive as RegReport.txt
- Confirm that you see the file dumpit in your USB drive and double click on it.
- After it has finished a report will be located in your USB drive named mbr.zip
- Plug the USB back into the clean computer and post the contents of report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.zip file must be attached to your reply.
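What the driver.sh -af step above does is a file search on the offline Windows volume for copies of a few files that this family of infection is known to replace. The script below is an added example written for this page; it is not driver.sh, query.sh or dumpit (noahdfear's tools are not reproduced here). Using only POSIX utilities that a live CD such as xPUD ships, it finds every copy of the five file names asked about, hashes them, and flags any copy that sits outside the places a stock XP install keeps them or that differs from the other copies of the same name (the dllcache and ServicePackFiles copies should be byte-identical to the live one). The list of expected locations and the sample volume it builds under mktemp are assumptions made for the example; on the sick machine you would point audit at /mnt/sda1 instead.

```sh
#!/bin/sh
# Added example: offline search for key Windows files from a live CD.
# Not driver.sh, query.sh or dumpit; written for this page.

# sha256 of a file, with whichever tool the live CD happens to ship
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# filefind ROOT NAME...  -> one line per hit: "<sha256> <size> <path>"
# (case-insensitive match, like an NTFS lookup)
filefind() {
    ff_root=$1; shift
    for ff_name in "$@"; do
        find "$ff_root" -type f -iname "$ff_name" 2>/dev/null | sort |
        while IFS= read -r ff_path; do
            printf '%s %s %s\n' "$(hash_file "$ff_path")" \
                "$(wc -c < "$ff_path" | tr -d ' ')" "$ff_path"
        done
    done
}

# Where a stock XP install keeps these files (assumption for this example):
# system32 (including its drivers/ and dllcache/ subfolders), ServicePackFiles,
# and explorer.exe directly in the Windows folder. Anything else is reported.
is_expected_path() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        */windows/system32/*|*/windows/servicepackfiles/i386/*|*/windows/explorer.exe) return 0 ;;
        *) return 1 ;;
    esac
}

# audit ROOT NAME... -> one OK / SUSPECT / MISSING line per hit, with the reason
audit() {
    a_root=$1; shift
    for a_name in "$@"; do
        hits=$(filefind "$a_root" "$a_name")
        if [ -z "$hits" ]; then printf 'MISSING %s\n' "$a_name"; continue; fi
        # number of distinct contents among the copies of this name
        versions=$(printf '%s\n' "$hits" | cut -d' ' -f1 | sort -u | wc -l | tr -d ' ')
        printf '%s\n' "$hits" | while IFS=' ' read -r sum size path; do
            reason=""
            is_expected_path "$path" || reason="unexpected-location"
            [ "$versions" -gt 1 ] && reason="${reason:+$reason,}differs-from-other-copies"
            if [ -n "$reason" ]; then
                printf 'SUSPECT %s %s %s (%s)\n' "$a_name" "$size" "$path" "$reason"
            else
                printf 'OK      %s %s %s\n' "$a_name" "$size" "$path"
            fi
        done
    done
}

# --- constructed sample volume (not a real disk image) -----------------------
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/WINDOWS/system32/drivers" "$SAMPLE/WINDOWS/system32/dllcache" "$SAMPLE/WINDOWS/Temp"
printf 'stock volsnap driver'   > "$SAMPLE/WINDOWS/system32/dllcache/volsnap.sys"
printf 'patched volsnap driver' > "$SAMPLE/WINDOWS/system32/drivers/volsnap.sys"  # differs from dllcache copy
printf 'winlogon'               > "$SAMPLE/WINDOWS/system32/winlogon.exe"
printf 'winlogon'               > "$SAMPLE/WINDOWS/system32/dllcache/winlogon.exe"
printf 'svchost'                > "$SAMPLE/WINDOWS/system32/svchost.exe"
printf 'dropped svchost'        > "$SAMPLE/WINDOWS/Temp/svchost.exe"             # wrong place, different content
printf 'explorer'               > "$SAMPLE/WINDOWS/explorer.exe"
# userinit.exe is deliberately absent from the sample

# On the sick machine: audit /mnt/sda1 winlogon.exe volsnap.sys svchost.exe explorer.exe userinit.exe
audit "$SAMPLE" winlogon.exe volsnap.sys svchost.exe explorer.exe userinit.exe
# rm -rf "$SAMPLE" when you are done with the sample tree
```

On the sample tree the two volsnap.sys copies and the two svchost.exe copies come out as SUSPECT, the two identical winlogon.exe copies and explorer.exe as OK, and userinit.exe as MISSING. A SUSPECT line is a lead, not a verdict: a legitimately hotfixed driver also differs from its dllcache copy, so the hash still has to be compared against a known-good source before the file is replaced.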
#36
Posted 27 February 2012 - 01:58 PM
There seems to be a problem with the dumpit link.
#37
Posted 27 February 2012 - 04:53 PM
It sometimes happens with newer Internet Explorer versions.
Right click on the link and select "Save target as", browse to the USB drive and save the target.
#38
Posted 01 March 2012 - 09:58 PM
I decided to reinstall my operating system. Everything seems to be running fine. When I reboot, I have to select which operating system I want to run. Included in the list are the leftovers from my attempts to repair with recovery console. Is there any way to delete those useless options? Also, what should I do in terms of security? It was suggested that I not use Norton. Dell was pushing me to buy System Mechanic Professional by Iola.
Thanks for your help.
Edited by malmbor, 01 March 2012 - 10:00 PM.
#39
Posted 01 March 2012 - 10:17 PM
Open C:\Boot.ini in Notepad and post its contents. I would recommend AVAST as an anti-virus.
#40
Posted 01 March 2012 - 10:20 PM
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="XP Home 2" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Home Edition" /fastdetect /noexecute=optin
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
#41
Posted 02 March 2012 - 10:19 AM
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="XP Home 2" /fastdetect   [in red in the original post]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Home Edition" /fastdetect /noexecute=optin
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn   [in red in the original post]
Remove all in red above as follows:
Save a Backup Copy of Boot.ini
- Right-click My Computer, and then click Properties.
-or-
- Click Start, click Run, type sysdm.cpl, and then click OK.
- On the Advanced tab, click Settings under Startup and Recovery.
- Under System Startup, click Edit. This opens the file in Notepad ready for editing.
- In Notepad, click File on the menu bar, and then click Save As.
- Right-click in an empty area of the Save As dialog box, point to New in the context menu, and then click Folder.
- Type a name for the new folder, for example temp, and then press the ENTER key to create the folder named temp.
- Double-click the new folder named temp, and then click the Save button to save a backup copy of the Boot.ini file.
Edit the Boot.ini File
To view and edit the Boot.ini file:
- Right-click My Computer, and then click Properties.
-or-
- Click Start, click Run, type sysdm.cpl, and then click OK.
- On the Advanced tab, click Settings under Startup and Recovery.
- Under System Startup, click Edit.
Edit the Boot.ini to exclude the lines in red.
Note 1: Do not leave empty lines in between.
Note 2: The Boot.ini must always end with an empty line, so leave an empty line at the end of the file.
Note 3: The timeout is set too long. You can reduce it to a number between 5 and 10.
Note 4: Since the operating systems are the same version, edit the resulting second line after [operating systems]. Rename "Windows XP Home Edition" to "Windows XP Home Edition II".
Let me know the outcome.
#42
Posted 02 March 2012 - 01:29 PM
It boots up fine without the deleted options. What I have renamed "Windows XP Home Edition II" was something created during my unsuccessful attempts to use the recovery console. Should that be deleted as well?
Thanks.
#43
Posted 02 March 2012 - 09:45 PM
How many installations of Windows are present?
#44
Posted 03 March 2012 - 12:12 AM
I thought it was just one. When I reinstalled Windows, I thought it wiped out the original installation.
#45
Posted 03 March 2012 - 12:23 AM
According to the Boot.ini, there are two installations, one on partition one (partition(1)\WINDOWS) and the other on partition two (partition(2)\WINDOWS). If that is the case, when you boot you should have a menu with four options as it is, instead of two. That is the reason I suggested removing those options that are repeated, so you have just two options in the menu.
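The reasoning in the reply above (count the distinct partition(N)\WINDOWS targets, not the menu labels) can be checked mechanically before anything is edited. The script below is an added example, not something from the thread or from any of the tools it names: a small sh/awk program that reports how many menu entries point at each installation and writes a cleaned boot.ini with one entry per target, the timeout reduced, no blank lines inside, and the trailing empty line the helper asked for. It keeps the first entry for each target, which is a choice made here (the helper kept a different one of the three partition(2) lines, then renamed it), so review the output before copying it over C:\boot.ini and keep the backup. It runs from the xPUD terminal against /mnt/sda1/boot.ini or against any copy of the file; the sample it builds is the boot.ini posted in #40.

```sh
#!/bin/sh
# Added example: find duplicate entries in a Windows XP boot.ini (not part of the thread).

# bootini_targets FILE -> "<count> <ARC path>" for each distinct target
# under [operating systems], in order of first appearance
bootini_targets() {
    awk -F= '
        /^\[/ { insec = ($0 ~ /^\[operating systems\]/); next }
        insec && NF >= 2 {
            t = $1; gsub(/[ \t\r]+$/, "", t)      # ARC path is everything before the first "="
            if (!(t in n)) order[++k] = t
            n[t]++
        }
        END { for (i = 1; i <= k; i++) printf "%d %s\n", n[order[i]], order[i] }
    ' "$1"
}

# bootini_summary FILE -> one line: menu entries vs. distinct installations
bootini_summary() {
    bootini_targets "$1" |
    awk '{ e += $1; i++ } END { printf "menu entries: %d, distinct installations: %d\n", e, i }'
}

# bootini_clean FILE TIMEOUT -> cleaned boot.ini on stdout: first entry per
# target kept, timeout= replaced, blank lines dropped, CRLF stripped,
# and one empty line appended at the end
bootini_clean() {
    awk -F= -v timeout="$2" '
        { sub(/\r$/, "") }
        /^[ \t]*$/ { next }
        /^\[/ { insec = ($0 ~ /^\[operating systems\]/); print; next }
        !insec && $1 == "timeout" { print "timeout=" timeout; next }
        insec && NF >= 2 { t = $1; gsub(/[ \t]+$/, "", t); if (seen[t]++) next }
        { print }
        END { print "" }
    ' "$1"
}

# --- sample: the boot.ini posted earlier in the thread, copied into a temp file ---
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="XP Home 2" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Home Edition" /fastdetect /noexecute=optin
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
EOF

bootini_summary "$SAMPLE_INI"   # menu entries: 4, distinct installations: 2
bootini_targets "$SAMPLE_INI"
bootini_clean "$SAMPLE_INI" 5   # on the real file: bootini_clean /mnt/sda1/boot.ini 5 > /mnt/sdb1/boot.ini.new
# rm -f "$SAMPLE_INI" when done with the sample
```

A four-entry menu over two targets is exactly the symptom described above; the cleaned file has one line per partition, so the boot menu shows two choices. Because the script never touches the original, the backup the helper asked for is still the real safety net.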