"System Check" and "Zeroaccess!kmem" Virus

#31 malmbor, Member (Topic Starter)
No. I ran it again and it didn't show any errors, but it still doesn't boot.

#32 RKinner, Malware Expert (MVP)
Are you still getting the exact same blue screen?

Boot back into the minXP and look at the file C:\qoobox\ComboFix-quarantined-files.txt

This is a list of files that Combofix removed. The files it removed have .vir added to them and are stored in C:\Qoobox\Quarantine\c\

You can rename them to get rid of the .vir and copy them back to the folder they came from. Perhaps that will help.

#33 malmbor, Member (Topic Starter)
I did that and it still comes up with the same blue screen.

#34 RKinner, Malware Expert (MVP)
Go into recovery console

disable z800obex

I've asked in our internal forum if any one has an idea what else we can do.

Ron

#35 JSntgRvr, Global Moderator
Hi and welcome.

RKinner will be off for some time and has asked us to give him a hand.

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh by noahdfear to your USB drive
  • Also Download Query.exe by noahdfear to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Once this process is completed, download Dumpit by noahdfear to the USB drive.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD; in others it is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    svchost.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Confirm that you see the file dumpit in your USB drive and double click on it.
  • After it has finished a report will be located in your USB drive named mbr.zip
  • Plug the USB back into the clean computer post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.zip file must be attached to your reply.

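The file-search steps above (driver.sh -af run once per name) amount to: for each Windows file name, list every copy on the mounted volume so that a copy in an unexpected directory, or one whose size or hash differs from its siblings, stands out. The script below is an added example written for this page; it is not noahdfear's driver.sh, and the mount point (/mnt/sda1), the output path and the helper names are assumptions. It runs from the same xPUD terminal, or any POSIX shell with find and sha256sum or shasum.

```shell
#!/bin/sh
# Added example (not noahdfear's driver.sh): inventory every copy of a set of
# Windows file names on a mounted volume. Mount point and names are assumed.

# Hash helper: sha256sum on Linux live CDs, shasum -a 256 on BSD/macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# find_win_files MOUNT NAME...
# Prints one tab-separated line per match: sha256, size in bytes, full path.
# Matching is case-insensitive because FAT/NTFS file names are, so
# "SVCHOST.EXE" dropped into a Temp folder is found alongside the real one.
find_win_files() {
    mnt="$1"; shift
    for name in "$@"; do
        find "$mnt" -type f -iname "$name" 2>/dev/null | LC_ALL=C sort |
        while IFS= read -r f; do
            printf '%s\t%s\t%s\n' "$(hash_file "$f")" "$(wc -c < "$f" | tr -d ' ')" "$f"
        done
    done
}

# count_matches MOUNT NAME - number of files matching NAME under MOUNT.
count_matches() {
    find_win_files "$1" "$2" | wc -l | tr -d ' '
}

# Usage from the xPUD terminal (paths assumed):
#   find_win_files /mnt/sda1 winlogon.exe volsnap.sys svchost.exe \
#       explorer.exe userinit.exe > /mnt/sdb1/filefind.txt
```

When reading the output, the legitimate copies of these files live under \WINDOWS\system32 (with backups in \WINDOWS\system32\dllcache and \WINDOWS\ServicePackFiles\i386); those copies should share a hash. A same-named file anywhere else, or a copy in a system directory whose hash disagrees with the others, is what the search is meant to surface.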

#36 malmbor, Member (Topic Starter)
There seems to be a problem with the dumpit link.

#37 JSntgRvr, Global Moderator
It sometimes happens with newer Internet Explorer versions.

Right click on the link and select "Save target as", browse to the USB drive and save the target.

#38 malmbor, Member (Topic Starter)
I decided to reinstall my operating system. Everything seems to be running fine. When I reboot, I have to select which operating system I want to run. Included in the list are the leftovers from my attempts to repair with recovery console. Is there any way to delete those useless options? Also, what should I do in terms of security? It was suggested that I not use Norton. Dell was pushing me to buy System Mechanic Professional by Iola.

Thanks for your help.

Edited by malmbor, 01 March 2012 - 10:00 PM.


#39 JSntgRvr, Global Moderator
Open in Notepad C:\Boot.ini and post its contents. I would recommend AVAST as an Anti-virus.

#40 malmbor, Member (Topic Starter)
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="XP Home 2" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Home Edition" /fastdetect /noexecute=optin
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

#41 JSntgRvr, Global Moderator
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="XP Home 2" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Home Edition" /fastdetect /noexecute=optin
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Remove all in Red above as follows:

Save a Backup Copy of Boot.ini

  • Right-click My Computer, and then click Properties.

    -or-

  • Click Start, click Run, type sysdm.cpl, and then click OK.
  • On the Advanced tab, click Settings under Startup and Recovery.
  • Under System Startup, click Edit. This opens the file in Notepad ready for editing.
  • In Notepad, click File on the Menu bar, and then click Save As.
  • Right click in an empty area of the Save As dialog box, point to New in the context menu, and then click Folder.
  • Type a name for the new folder, for example temp, and then press the ENTER key to create the folder named temp.
  • Double-click the new folder named temp, and then click the Save button to save a backup copy of the Boot.ini file.

Edit the Boot.ini File

To view and edit the Boot.ini file:

  • Right-click My Computer, and then click Properties.

    -or-

  • Click Start, click Run, type sysdm.cpl, and then click OK.
  • On the Advanced tab, click Settings under Startup and Recovery.
  • Under System Startup, click Edit.

Edit the Boot.ini to exclude the lines in red.

Note 1: Do not leave empty lines in between
Note 2: The Boot.ini must always end on an empty line, so leave an empty line at the end of the file.
Note 3: The Timeout is set too long. You can reduce it to a number between 5 and 10.
Note 4: Since the Operating Systems are the same version, edit the resulting second line after [operating systems]. Rename "Windows XP Home Edition" to "Windows XP Home Edition II".

Let me know the outcome.

#42 malmbor, Member (Topic Starter)
It boots up fine without the deleted options. What I have renamed "Windows XP Home Edition II" was something created during my unsuccessful attempts to use the recovery console. Should that be deleted as well?

Thanks.

#43 JSntgRvr, Global Moderator
How many installations of Windows are present?

#44 malmbor, Member (Topic Starter)
I thought it was just one. When I reinstalled Windows, I thought it wiped out the original installation.

#45 JSntgRvr, Global Moderator
According to the Boot.ini, there are two installations, one on partition one (partition(1)\WINDOWS) and the other in partition two (partition(2)\WINDOWS). If that is the case, when you boot you should have a menu with four options as it is, instead of two. That is the reason I suggested removing those options that are repeated, so you have just two options in the menu.
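The boot.ini clean-up in #41 and the explanation in #45 come down to one rule: each ARC path (the part of an [operating systems] line before "=") should appear once, and the "default=" target in [boot loader] must still have a matching entry afterwards, or NTLDR will have nothing to start. The script below is an added example written for this page, not part of the moderator's procedure; it works on a copy of the file (the path is an assumption) and keeps the first entry for each ARC path, which is a different choice of survivor from the one the moderator marked in red. The display label is not considered, so Note 4 about giving the second entry a distinct name still applies.

```shell
#!/bin/sh
# Added example (not the moderator's procedure): deduplicate a boot.ini by
# ARC path and check the default target survives. Run on a copy of the file.

# dedup_boot_ini FILE
# Prints FILE with, inside [operating systems], only the first line kept for
# each ARC path. Other sections pass through unchanged. CRLF line endings are
# tolerated for matching and preserved on output.
dedup_boot_ini() {
    awk '
        { line = $0; sub(/\r$/, "", line) }
        line ~ /^\[/ { section = line; print; next }
        section == "[operating systems]" && index(line, "=") > 0 {
            arc = tolower(substr(line, 1, index(line, "=") - 1))
            if (seen[arc]++) next
        }
        { print }
    ' "$1"
}

# os_entry_count FILE - number of entries left in [operating systems]
# after deduplication (the menu will show this many choices).
os_entry_count() {
    dedup_boot_ini "$1" | awk '
        { line = $0; sub(/\r$/, "", line) }
        line ~ /^\[/ { section = line; next }
        section == "[operating systems]" && index(line, "=") > 0 { n++ }
        END { print n + 0 }
    '
}

# default_has_entry FILE - exit 0 if the "default=" ARC path still has an
# entry in [operating systems] after deduplication, 1 otherwise.
default_has_entry() {
    dedup_boot_ini "$1" | awk '
        { line = $0; sub(/\r$/, "", line) }
        line ~ /^\[/ { section = line; next }
        section == "[boot loader]" && line ~ /^default=/ { def = tolower(substr(line, 9)) }
        section == "[operating systems]" && index(line, "=") > 0 {
            have[tolower(substr(line, 1, index(line, "=") - 1))] = 1
        }
        END { exit ((def != "" && (def in have)) ? 0 : 1) }
    '
}

# Usage (paths assumed): write the result to a new file, inspect it, then
# paste it back through the Startup and Recovery dialog described in #41.
#   dedup_boot_ini /tmp/boot.ini.bak > /tmp/boot.ini.new
#   default_has_entry /tmp/boot.ini.bak && echo "default target OK"
```

The script does not touch timeout= and does not add the trailing empty line from Note 2; both are easier to set by hand once the entry list is right. Applied to the boot.ini posted in #40 it leaves one entry for partition(1) and one for partition(2), which is the two-option menu #45 describes.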