
Bad case of malware that keeps coming back [Closed]



#31
sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
Yes, No Problem :)
Get back to me when you can.

#32
shbullets (Topic Starter, Member, 25 posts)
Hey sage5.


I'm actually getting some help from my cousin too since he's coming over tomorrow to help me out with following your steps.


Could you tell us in advance right now (don't have the cd key yet) what to do once we have it with us and *if* it's possible to load onto the CD drive and my pc responds to it? Particularly what to do with steps #2 and #4?

#33
sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
Let's deal with these one at a time:

1. Access the Recovery Console via the WinXP CD, to perform a chkdsk run on the hard drive.

The Recovery Console that got loaded during the ComboFix run seems to have been corrupted & cannot run, so we will attempt to access the PC using the Recovery Console via the WinXP CD.

First you need to get the CD into the drive, & reboot the PC.
Pressing the F12 key right as your computer starts up will allow you to choose from a list of boot devices on most recent computer models.
Note: Otherwise, you will need to take a look at your user manual to figure out how to set the BIOS to boot from CD first.
Some older PC's require that you hit the Del key to access the CMOS screen.
You may have to check out the User Manual to get the right section to alter, to set the Boot Order to CD first.
Once you can get the PC to boot to the CD:
  • Windows Setup will spend a few minutes loading the various drivers.
  • At the next screen, press the R key to access the Recovery Console option.
  • Enter the number that corresponds to the Windows installation that you want to work with. (Most likely 1)
  • When you are prompted for the local administrator's password for that installation, press the Enter key.
  • At the Command prompt type chkdsk /p & press Enter --> Note the space between the k & the /
    Note: This is a short test that will tell you whether or not a longer test is needed. If after the test completes, the message "One or more errors detected on the volume" appears, then proceed to step 6. If no errors are reported, then your drive cannot be repaired using chkdsk.
  • Now you should be back at the command prompt. Type chkdsk /r and press Enter.
    Note: This test will take a while depending on the size of your drive. It will look for the errors on your drive and repair them. When it completes, you will be back at a command prompt.

If you cannot boot after the chkdsk runs, it might be that the registry has become corrupted.
Try to boot using the Last Known Good Configuration.
Boot the PC & tap the F8 key repeatedly from the first beep.
You will get to the Boot screen you use to access Safe Mode from.
Choose the Boot Using Last Known Good Configuration option.
Let me know how you get on.

Edited by sage5, 23 May 2009 - 07:52 AM.


#34
shbullets (Topic Starter, Member, 25 posts)
Hi Sage5. We are scanning the drive with the cd. Will update you soon.

Edited by shbullets, 23 May 2009 - 04:21 PM.


#35
shbullets (Topic Starter, Member, 25 posts)
Okay. What I did was a chkdsk /p and it found one or more errors. So I did a chkdsk /r and it said that the scan was complete. Nothing else. I tried repairing my Windows installation with the CD and I can actually get into Windows, but only at the blue startup screen. I've tried going through safe mode and last known good configuration but the error still persists. I've done some reading and it seems that my problem is the same as this one: http://www.geekstogo...-Up-t80182.html

Is my only solution to reformat? Could my hard drive be damaged? Could I somehow access my hard drive so I can back up my files? Thanks!

#36
sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
Hi shbullets,

This is a fairly complex fix, but just work through it slowly & carefully & you will be fine.
PART 1:
******

  • Insert the Windows XP CD into the CD-ROM drive, and then restart the computer.
  • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console.
  • When you are prompted to do so, type the Administrator password. If the administrator password is blank, just press ENTER.
  • At the Recovery Console command prompt, type the following lines, pressing ENTER after you type each line:
    NOTE: The ^ symbols show where you need to add a space.

    md^tmp
    copy^c:\windows\system32\config\system^c:\windows\tmp\system.bak
    copy^c:\windows\system32\config\software^c:\windows\tmp\software.bak
    copy^c:\windows\system32\config\sam^c:\windows\tmp\sam.bak
    copy^c:\windows\system32\config\security^c:\windows\tmp\security.bak
    copy^c:\windows\system32\config\default^c:\windows\tmp\default.bak

    delete^c:\windows\system32\config\system
    delete^c:\windows\system32\config\software
    delete^c:\windows\system32\config\sam
    delete^c:\windows\system32\config\security
    delete^c:\windows\system32\config\default

    copy^c:\windows\repair\system^c:\windows\system32\config\system
    copy^c:\windows\repair\software^c:\windows\system32\config\software
    copy^c:\windows\repair\sam^c:\windows\system32\config\sam
    copy^c:\windows\repair\security^c:\windows\system32\config\security
    copy^c:\windows\repair\default^c:\windows\system32\config\default

  • Type exit to quit Recovery Console. Your computer will restart.


PART 2:
*******

Reboot into Safe Mode:
  • Restart your Computer
  • As soon as it starts to boot up, tap your F8 key repeatedly.
  • This should bring up the Windows Advanced Options Menu.
  • Use your arrow keys to select Safe Mode and click the Enter key.

Please ensure Windows XP is set to display all files:
  • Click Start > My Computer.
  • On the Tools menu, click Folder Options.
  • On the View tab,
    • Uncheck Hide extensions for known file types.
    • Uncheck Hide protected operating system files.
    • Then, under the "Hidden files and folders" folder, click Show hidden files and folders.
    • You will see a warning message, click Yes.
  • Click Apply.
  • Click OK.

Browse to the C:\System Volume Information folder & double click it.
If you can access this folder, go straight on to PART 3, below.
If you get this warning:

C:\System Volume Information is not accessible. Access is denied.

We have to change the permissions on that folder so that you can get access to the files within.
Because you have WinXP Home Edition & your file system is NTFS, we have to use this method:

  • Go to Start > Run & type cmd and Hit ENTER
  • You will need to type cd^C:\ & hit ENTER. Again, the ^ symbols show where to add the spaces, when you type.
    Note: This ensures that you are at a "C:\" prompt
  • Type the following line, and then hit ENTER. Again, the ^ symbols show where to add the spaces, when you type.
    cacls^"C:\System^Volume^Information"^/E^/G^Gavin:F
    Note: Make sure to type the quotation marks as indicated. This command adds the specified user to the folder with Full Control permissions.
  • Double-click the System Volume Information folder in the root folder to open it.
  • If you need to remove the permissions after troubleshooting, type the following line at a command prompt: Again the ^ = space
    cacls^"C:\System^Volume^Information"^/E^/R^Gavin
This command removes all permissions for the specified user.



PART 3.
*******

  • When you open the C:\System Volume Information folder, click Details in the View menu.
  • Now click in the bar above the Date Modified column, to make the folders display by Date.
  • Look for a folder, name starting with _restore, that was created/modified on the 19/05/2009 & open it.
    Note: There may be one or more folders starting with RPx, where x is a digit, under this folder. These are restore points.
  • Open one of these folders to locate a Snapshot subfolder. The following path is an example of a folder path to the Snapshot folder:
    C:\System Volume Information\_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}\RP1\Snapshot
  • From the Snapshot folder, copy the following files to the C:\Windows\Tmp folder:

    _REGISTRY_USER_.DEFAULT
    _REGISTRY_MACHINE_SECURITY
    _REGISTRY_MACHINE_SOFTWARE
    _REGISTRY_MACHINE_SYSTEM
    _REGISTRY_MACHINE_SAM
  • Rename the files in the C:\Windows\Tmp folder as follows:

    Rename _REGISTRY_USER_.DEFAULT to DEFAULT
    Rename _REGISTRY_MACHINE_SECURITY to SECURITY
    Rename _REGISTRY_MACHINE_SOFTWARE to SOFTWARE
    Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM
    Rename _REGISTRY_MACHINE_SAM to SAM


PART 4.
******

  • Reboot the computer into the Recovery Console.
  • At the command prompt, type the following lines, pressing ENTER after you type each line:

    del^c:\windows\system32\config\sam
    del^c:\windows\system32\config\security
    del^c:\windows\system32\config\software
    del^c:\windows\system32\config\default
    del^c:\windows\system32\config\system


    copy^c:\windows\tmp\software^c:\windows\system32\config\software
    copy^c:\windows\tmp\system^c:\windows\system32\config\system
    copy^c:\windows\tmp\sam^c:\windows\system32\config\sam
    copy^c:\windows\tmp\security^c:\windows\system32\config\security
    copy^c:\windows\tmp\default^c:\windows\system32\config\default
  • Type exit to quit Recovery Console. Your computer restarts.


PART 5.
******

Run OTListIt2:
  • Close all open windows and double click the OTListIt2.exe icon on your Desktop
  • Tick the Scan all Users box, & check Standard Output.
  • Set the File Age: box to 30 days
  • Make sure that Extra Registry is set to Use SafeList.
  • Leave all the other boxes set to the defaults
  • Click the Run Scan button and let the program run uninterrupted.
  • It will produce 2 logs for you. OTListIt.txt will open automatically.
  • I need you to post the text from those logs here.
NOTE: These can be large files, and there is a limit to the number of characters that can be posted at once on this forum.
It may require you to make 2 posts, to get all the information to me.



If you get stuck, stop there & post me the issue, but do not shut down the PC until you hear back from me.

Cheers,

sage5

Edited by sage5, 24 May 2009 - 07:59 AM.

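PART 2 (the cacls grant) and PART 3 (picking the right _restore / RPx / Snapshot folder and copying the five hives into C:\Windows\Tmp under their new names) are the steps where a typo or the wrong restore point does the most damage. The script below is an added example, not sage5's instructions and not part of the original thread; it automates exactly those two parts, checks that all five hive files exist and are non-empty before it copies anything, and supports a dry run. It assumes (none of this is stated on the page) that it runs with administrator rights somewhere PowerShell is available (WinXP with PowerShell 2.0 installed, or WinPE / another Windows installation with the affected XP disk attached), that the `-Volume` parameter is that XP volume's drive letter, and that `-TargetDate` is the date of the restore point you want (the thread uses 19/05/2009). It cannot run inside the Recovery Console, so PARTS 1 and 4 are still typed there by hand.

```powershell
# Added example (not from the thread): stage registry hives from a System Restore snapshot.
# Assumptions: admin rights; PowerShell 2.0 or later; cacls.exe present; $Volume is the
# affected XP volume; $TargetDate is the date of the restore point to use.
param(
    [string]   $Volume     = 'C:',
    [datetime] $TargetDate = [datetime]'2009-05-19',
    [switch]   $DryRun
)

$ErrorActionPreference = 'Stop'
$svi = Join-Path $Volume 'System Volume Information'
$tmp = Join-Path $Volume 'Windows\Tmp'

# PART 2: give the current user Full Control on the folder. Same cacls /E /G call as the post;
# run  cacls "<folder>" /E /R <user>  afterwards to take the entry away again.
$user = $env:USERNAME
& cacls.exe $svi /E /G "${user}:F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "cacls failed with exit code $LASTEXITCODE" }

# PART 3: the _restore{GUID} folder, then the newest RPx restore point created on or
# before the target date (i.e. from before the machine started failing).
$restore = Get-ChildItem -LiteralPath $svi -Force |
    Where-Object { $_.PSIsContainer -and $_.Name -like '_restore*' } |
    Select-Object -First 1
if (-not $restore) { throw "No _restore folder found under $svi" }

$rp = Get-ChildItem -LiteralPath $restore.FullName -Force |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^RP\d+$' -and
                   $_.CreationTime.Date -le $TargetDate.Date } |
    Sort-Object CreationTime -Descending |
    Select-Object -First 1
if (-not $rp) { throw "No restore point created on or before $($TargetDate.ToShortDateString())" }

$snapshot = Join-Path $rp.FullName 'Snapshot'

# The five snapshot files and the names they must carry in C:\Windows\Tmp (from the post).
$hives = @{
    '_REGISTRY_USER_.DEFAULT'    = 'DEFAULT'
    '_REGISTRY_MACHINE_SECURITY' = 'SECURITY'
    '_REGISTRY_MACHINE_SOFTWARE' = 'SOFTWARE'
    '_REGISTRY_MACHINE_SYSTEM'   = 'SYSTEM'
    '_REGISTRY_MACHINE_SAM'      = 'SAM'
}

# Verify every hive exists and is non-empty BEFORE copying, so a partial or damaged
# restore point can never leave Tmp with an incomplete set that PART 4 would then install.
foreach ($src in $hives.Keys) {
    $path = Join-Path $snapshot $src
    if (-not (Test-Path -LiteralPath $path)) { throw "Missing hive file: $path" }
    if ((Get-Item -LiteralPath $path -Force).Length -eq 0) { throw "Empty hive file: $path" }
}

if (-not (Test-Path -LiteralPath $tmp)) {
    New-Item -ItemType Directory -Path $tmp | Out-Null
}

foreach ($src in $hives.Keys) {
    $from = Join-Path $snapshot $src
    $to   = Join-Path $tmp $hives[$src]
    Write-Host ("{0} -> {1}" -f $from, $to)
    if (-not $DryRun) { Copy-Item -LiteralPath $from -Destination $to -Force }
}

Write-Host "Staged hives from $($rp.Name) (created $($rp.CreationTime)) into $tmp."
Write-Host "Next: reboot into the Recovery Console and carry out PART 4."
```

Save it as, for example, Stage-XpHives.ps1 and run `powershell -ExecutionPolicy Bypass -File .\Stage-XpHives.ps1 -Volume C: -TargetDate 2009-05-19 -DryRun` first; the dry run prints which restore point and which five files would be used without writing anything, which is the check you want before the Recovery Console deletes the live hives in PART 4.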

#37
shbullets (Topic Starter, Member, 25 posts)
Hi Sage5. Thank you for those steps. I'll get back to you by Saturday (I hope)!

#38
sage5 (Retired Staff, RIP 10/2009, 2,646 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.





