
Last known good config used, malware issues


  • This topic is locked

#31 Render (Trusted Helper, Malware Removal)
Hi,

No, do not run FixMBR please. Do the following in safe mode:

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

Notes:
  • Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • ComboFix may reset a number of Internet Explorer's settings, including making Internet Explorer the default browser.
  • Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  • CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  • If you are using personal certificates I recommend you to export them before running ComboFix and save them to external media.
Please carefully follow all steps below:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes. ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.


#32 arclight (Topic Starter, Member)
I turned off the Avira guard and it wasn't running in Processes in the Task Manager.

ComboFix said it was, but the scan ran anyway.



ComboFix 11-05-02.02 - user 02/05/2011 18:44:36.18.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.331 [GMT 1:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\user\Application Data\Adobe\plugs
c:\documents and settings\user\Application Data\Adobe\shed
c:\documents and settings\user\WINDOWS
c:\program files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\plug.xul
c:\program files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
.
.
((((((((((((((((((((((((( Files Created from 2011-04-02 to 2011-05-02 )))))))))))))))))))))))))))))))
.
.
2011-04-29 19:57 . 2001-08-17 21:36 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2011-04-29 19:56 . 2004-08-04 12:00 5632 -c--a-w- c:\windows\system32\dllcache\kbdfa.dll
2011-04-29 19:55 . 2004-08-04 12:00 97792 -c--a-w- c:\windows\system32\dllcache\chtmbx.dll
2011-04-29 19:54 . 2005-01-28 12:44 335872 ----a-w- c:\windows\system32\WMDRMdev.dll
2011-04-29 19:46 . 2004-08-03 21:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2011-04-29 19:40 . 2011-04-29 19:40 -------- d-----w- c:\windows\LastGood.Tmp
2011-04-29 19:40 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-04-29 19:40 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-04-29 19:40 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-04-29 19:40 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2011-04-29 19:01 . 2011-05-02 14:30 34360 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2011-04-29 18:07 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2011-04-29 18:07 . 2004-08-04 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2011-04-29 17:52 . 2004-08-04 12:00 22016 -c--a-w- c:\windows\system32\dllcache\agt0408.dll
2011-04-29 17:52 . 2004-08-04 12:00 19968 -c--a-w- c:\windows\system32\dllcache\agt040e.dll
2011-04-29 17:52 . 2004-08-04 12:00 19456 -c--a-w- c:\windows\system32\dllcache\agt041f.dll
2011-04-29 17:52 . 2004-08-04 12:00 19456 -c--a-w- c:\windows\system32\dllcache\agt0419.dll
2011-04-29 17:52 . 2004-08-04 12:00 19456 -c--a-w- c:\windows\system32\dllcache\agt0415.dll
2011-04-29 17:52 . 2004-08-04 12:00 19456 -c--a-w- c:\windows\system32\dllcache\agt0405.dll
2011-04-25 14:57 . 2011-04-25 14:57 -------- d-----w- c:\documents and settings\user\Application Data\998BBD2E40E10AC64314E9FB78BCA3CB
2011-04-17 13:54 . 2011-04-17 13:54 -------- d-----w- c:\documents and settings\user\fontconfig
2011-04-17 13:50 . 2011-04-17 13:51 -------- d-----w- c:\program files\SMPlayer
2011-04-14 02:39 . 2011-04-14 02:39 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-04-14 02:39 . 2011-04-14 02:39 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-05-03 11:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2008-03-16 14:30 216064 --sha-r- c:\windows\system32\nbDX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-07-10 28739]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"lxdpmon.exe"="c:\program files\Lexmark Z2300 Series\lxdpmon.exe" [2008-03-27 656040]
"EzPrint"="c:\program files\Lexmark Z2300 Series\ezprint.exe" [2008-03-27 107176]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"ATIModeChange"="Ati2mdxx.exe" [2008-03-12 26112]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-08 68856]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-02-28 44544]
.
c:\documents and settings\user\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Alarm Master.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\Alarm Master.lnk
backup=c:\windows\pss\Alarm Master.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2007-08-31 11:01 1037736 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBCSTray]
2007-06-15 14:17 699120 ----a-w- c:\program files\Sunbelt Software\CounterSpy\SBCSTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 12:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\sopvod.exe"=
"c:\\Program Files\\Azureusvuze\\Azureus.exe"=
"c:\\Program Files\\Azureus2\\Azureus.exe"=
"c:\\Program Files\\Lexmark Z2300 Series\\lxdpmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdppswx.exe"=
"c:\\WINDOWS\\system32\\lxdpcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdptime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdpjswx.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Abyss Web Server\\abyssws.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 SBHR;SBHR;c:\windows\system32\drivers\sbhr.sys [14/09/2007 19:27 15544]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [04/12/2009 21:19 108289]
S2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
S2 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdpserv.exe [01/12/2007 08:16 98984]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [14/08/2009 15:53 88176]
S3 AIDA32Driver;AIDA32Driver;\??\f:\aida32.sys --> f:\aida32.sys [?]
S3 DMService;Whale Component Manager;c:\windows\DOWNLO~1\DMService.exe [06/04/2008 15:25 423576]
S3 kardelia;Rootkit Unhooker Driver; [x]
S3 Normandy;Normandy SR2; [x]
S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [08/12/2008 02:54 15104]
S3 SBAPIFS;SBAPIFS;c:\windows\system32\drivers\sbapifs.sys [29/04/2011 20:01 34360]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [23/09/2005 08:01 2799808]
S4 STOPzilla Local Service;STOPzilla Local Service;c:\program files\STOPzilla!\SZNTSvc.exe [09/11/2003 11:34 45056]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
*Deregistered* - klmd25
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: Download using LeechGet - file://c:\program files\LeechGet 2009\\AddUrl.html
IE: Download using LeechGet Wizard - file://c:\program files\LeechGet 2009\\Wizard.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Parse with LeechGet - file://c:\program files\LeechGet 2009\\Parser.html
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\x36qtul5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Old Location Bar: {3205B348-523A-4fac-9BC4-9939CBF583B0} - %profile%\extensions\{3205B348-523A-4fac-9BC4-9939CBF583B0}
FF - Ext: Torbutton: {e0204bd5-9d31-402b-a99d-a6aa8ffebdca} - %profile%\extensions\{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AdobeUpdater - c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
AddRemove-SMPlayer - c:\program files\SMPlayer1\uninst.exe
AddRemove-SMPlayer_is1 - c:\program files\SMPlayer\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-02 18:54
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(208)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-05-02 19:00:01
ComboFix-quarantined-files.txt 2011-05-02 17:59
.
Pre-Run: 18,131,406,848 bytes free
Post-Run: 18,087,845,888 bytes free
.
- - End Of File - - 52C787DBDE51AE178CC0D504C0E7A00B
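An added example, not part of this thread or of ComboFix itself: a short Python triage pass over report text in ComboFix's layout. The excerpt embedded in the script is constructed to mirror the format of the log above (the "updater" autorun under Application Data is invented for illustration and was not in the posted report); on a real report, pass the file path on the command line. It picks out the entries a reviewer reads first: Security Center override flags set to 1, services whose image is marked [x] or [?], Run-key entries pointing into user-writable folders, and hidden+system files under system32.

```python
"""Triage pass over a ComboFix-style report.

Added example for this thread; not ComboFix's code and not from any poster.
Leads extracted from the plain-text report:
  * Security Center AntiVirusOverride / FirewallOverride set to 1
    (silences XP Security Center; some legitimate suites set it too);
  * services/drivers whose image is marked "[x]" (missing) or "[?]"
    (could not be verified at the recorded path);
  * Run-key autoruns whose image lives in a user-writable folder;
  * files under system32 with both the hidden (h) and system (s) attributes.
"""
import re
import sys
from typing import Dict, List

# Constructed excerpt in ComboFix's layout.  The "updater" autorun is invented
# for illustration; the remaining lines mirror entry types from a real report.
SAMPLE_REPORT = r"""
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-05-03 11:06 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 12:47 31232 --sha-r- c:\windows\system32\msfDX.dll
2010-01-01 00:00 4096 ----a-w- c:\windows\system32\benign.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"updater"="c:\documents and settings\user\Application Data\example\updater.exe" [2011-04-25 51200]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R0 SBHR;SBHR;c:\windows\system32\drivers\sbhr.sys [14/09/2007 19:27 15544]
S2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
S3 kardelia;Rootkit Unhooker Driver; [x]
"""

# "YYYY-MM-DD HH:MM [. YYYY-MM-DD HH:MM] <size|--------> <8 attr chars> <path>"
_FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:\.\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+)?"
    r"(?:\d+|-{8})\s+([-a-z]{8})\s+(.+)$")
_KEY_LINE = re.compile(r"^\[(.+)\]$")                         # REGEDIT4 key header
_VALUE_LINE = re.compile(r'^"([^"]*)"="([^"]*)"')               # "name"="image" [...]
_OVERRIDE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$', re.I)
_SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)$")    # R0 name;display;image
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\",
                 "\\temp\\", "\\recycler\\")


def triage(report: str) -> Dict[str, List[str]]:
    """Walk the report once and bucket the leads by category."""
    findings: Dict[str, List[str]] = {
        "security_center_override": [],
        "missing_service_image": [],
        "autorun_in_user_writable_path": [],
        "hidden_system_file_in_system32": [],
    }
    current_key = ""
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        key = _KEY_LINE.match(line)
        if key:                                   # entering a new registry key
            current_key = key.group(1).lower()
            continue
        if "security center" in current_key:
            ov = _OVERRIDE.match(line)
            if ov:
                findings["security_center_override"].append(ov.group(1))
                continue
        if current_key.endswith("\\run") or current_key.endswith("\\runonce"):
            val = _VALUE_LINE.match(line)
            if val and any(tok in val.group(2).lower() for tok in USER_WRITABLE):
                findings["autorun_in_user_writable_path"].append(val.group(1))
                continue
        svc = _SERVICE_LINE.match(line)
        if svc and svc.group(2).rstrip().endswith(("[x]", "[?]")):
            findings["missing_service_image"].append(svc.group(1))
            continue
        f = _FILE_LINE.match(line)
        if f:
            attrs, path = f.group(1), f.group(2).strip()
            if "s" in attrs and "h" in attrs and "\\windows\\system32\\" in path.lower():
                findings["hidden_system_file_in_system32"].append(path)
    return findings


if __name__ == "__main__":
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_REPORT)
    for category, hits in triage(text).items():
        print(f"{category}: {hits or 'none'}")
```

Each category is a lead, not a verdict: the override flags are also set by some legitimate security suites, and a [?] only means the image could not be verified at the recorded path, so every hit still has to be checked against what is actually on the machine.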

#33 Render (Trusted Helper, Malware Removal)
Do the following:

Download a fresh AVPTool from Here to your desktop.

Run the program you have just downloaded to your desktop (it will be randomly named).

We will run a virus scan only
  • On the first tab select all elements down to and including Computer and then select start scan (1)
  • Once it has finished select report (2) and post that.


  • Please be patient as this scan could take a long time to complete.
  • Click on Exit to uninstall AVP tool. You may need to restart your computer after that.


#34 arclight (Topic Starter, Member)
Autoscan: completed 1 minute ago (events: 18, objects: 345261, time: 04:20:47)
02/05/2011 20:02:06 Task started
02/05/2011 20:11:11 Detected: Rootkit.Win32.TDSS.mbr C:\Documents and Settings\user\Desktop\Copy of MBR.txt
02/05/2011 21:46:54 Cannot be deleted: Rootkit.Win32.TDSS.mbr C:\Documents and Settings\user\Desktop\Copy of MBR.txt Object is locked
02/05/2011 21:46:54 Will be deleted on system restart: Rootkit.Win32.TDSS.mbr C:\Documents and Settings\user\Desktop\Copy of MBR.txt
02/05/2011 22:11:58 Detected: Rootkit.Win32.TDSS.mbr C:\Documents and Settings\user\Desktop\Copy of MBR.txt
02/05/2011 22:13:31 Untreated: Rootkit.Win32.TDSS.mbr C:\Documents and Settings\user\Desktop\Copy of MBR.txt Cannot be disinfected
02/05/2011 22:14:11 Deleted: Rootkit.Win32.TDSS.mbr C:\Documents and Settings\user\Desktop\Copy of MBR.txt
02/05/2011 23:30:30 Detected: Trojan-Spy.JS.Agent.a C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\plug.xul.vir
03/05/2011 00:22:15 Deleted: Trojan-Spy.JS.Agent.a C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\plug.xul.vir
03/05/2011 00:22:17 Detected: Rootkit.Win32.TDSS.mbr F:\MBR.dat
03/05/2011 00:22:17 Detected: Rootkit.Win32.TDSS.mbr F:\MBR.txt
03/05/2011 00:22:28 Detected: Rootkit.Win32.TDSS.mbr F:\MBR.rar/MBR.txt
03/05/2011 00:22:43 Untreated: Rootkit.Win32.TDSS.mbr F:\MBR.dat Cannot be disinfected
03/05/2011 00:22:44 Untreated: Rootkit.Win32.TDSS.mbr F:\MBR.txt Cannot be disinfected
03/05/2011 00:22:45 Deleted: Rootkit.Win32.TDSS.mbr F:\MBR.rar
03/05/2011 00:22:48 Deleted: Rootkit.Win32.TDSS.mbr F:\MBR.dat
03/05/2011 00:22:53 Deleted: Rootkit.Win32.TDSS.mbr F:\MBR.txt
03/05/2011 00:22:53 Task completed
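An added example, not part of this thread or of any tool used in it. The AVPTool hits above are on files named MBR.txt, MBR.dat and MBR.rar on the desktop and the F: drive, that is, on saved copies of the boot sector written out earlier, so deleting them changes nothing about the sector on the disk itself. The Python below parses a raw 512-byte MBR dump of that kind: it decodes the four partition entries, checks the 0x55AA signature and compares a SHA-256 of the 440 bytes of boot code against a known-good reference (a dump taken before infection, or a sector from an identical clean install). The two sectors embedded in it are constructed: a clean one with an XP-style prologue and a single NTFS partition, and a copy with only the boot code patched, which is the pattern a boot-sector rootkit leaves behind.

```python
"""Inspect a raw 512-byte MBR dump (added example; not from this thread or its tools).

Sector layout: bytes 0-439 boot code, 440-443 disk signature, 444-445 reserved,
446-509 four 16-byte partition entries, 510-511 the 0x55AA signature.
A boot-sector rootkit replaces the boot code and keeps the partition table
usable, so the table alone looks normal; the decisive check is the boot code
against a known-good copy.
"""
import hashlib
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 440
PARTITION_TABLE_OFFSET = 446
MBR_SIGNATURE = b"\x55\xAA"


def parse_mbr(mbr: bytes) -> dict:
    """Decode one sector into boot-code hash, disk signature and partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start, type, CHS end, LBA start, sector count (little-endian)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        partitions.append({"index": i, "status": status, "active": bool(status & 0x80),
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": mbr[440:444].hex(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == MBR_SIGNATURE,
    }


def assess(mbr: bytes, known_good_boot_code_sha256: str) -> list:
    """Return findings as strings; an empty list means nothing looked wrong."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature: not a valid MBR")
    if info["boot_code_sha256"] != known_good_boot_code_sha256:
        findings.append("boot code differs from reference")
    active = [p for p in info["partitions"] if p["type"] != 0 and p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: nonstandard status byte 0x{p['status']:02x}")
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append(f"entry {p['index']}: type 0 but non-zero geometry")
    return findings


# Constructed sample.  The 7-byte prologue is the XP MBR's "xor ax,ax / mov ss,ax /
# mov sp,7C00h"; the rest is zero padding, unlike the real 440 bytes of code.
_CLEAN_BOOT_CODE = bytes.fromhex("33C08ED0BC007C") + b"\x00" * (BOOT_CODE_LEN - 7)
_DISK_SIGNATURE = bytes.fromhex("78563412") + b"\x00\x00"          # signature + reserved
_NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF",
                          63, 312576642)                           # active NTFS at LBA 63
CLEAN_MBR = _CLEAN_BOOT_CODE + _DISK_SIGNATURE + _NTFS_ENTRY + b"\x00" * 48 + MBR_SIGNATURE
KNOWN_GOOD_SHA256 = hashlib.sha256(_CLEAN_BOOT_CODE).hexdigest()

# Same sector with only the first bytes of boot code patched (a short jump into a
# loader stub); partition table untouched, as a boot-sector rootkit leaves it.
INFECTED_MBR = bytes.fromhex("EB3E90") + _CLEAN_BOOT_CODE[3:] + CLEAN_MBR[BOOT_CODE_LEN:]

if __name__ == "__main__":
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else INFECTED_MBR
    reference = sys.argv[2] if len(sys.argv) > 2 else KNOWN_GOOD_SHA256
    for p in parse_mbr(target)["partitions"]:
        print(f"entry {p['index']}: active={p['active']} type=0x{p['type']:02x} "
              f"lba_start={p['lba_start']} sectors={p['sectors']}")
    print(assess(target, reference) or ["no findings"])
```

Run it as `python mbr_check.py MBR.dat <sha256-of-known-good-boot-code>`; with no arguments it runs against the constructed infected sample. Two caveats: a TDSS-class infection can intercept disk reads from inside the running OS and hand back the original sector, so take the dump from clean boot media before trusting any comparison; and whether to rewrite the sector (the FixMBR the helper declined earlier in this thread) is a separate decision, made safe only by having a verified copy of the original boot code, since some boot managers use non-standard MBR code.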

#35 Render (Trusted Helper, Malware Removal)
If you still can't boot into normal mode I would suggest System Repair. If you agree, please prepare your Windows XP Home Edition setup CD and let me know.

#36 arclight (Topic Starter, Member)
That would be OK.

I have the setup CD ready.

#37 Render (Trusted Helper, Malware Removal)
We will do a system repair. Don't worry, system repair won't delete your data, installed programs, personal information, or settings. It just repairs the operating system!
Please have your Windows XP CD-KEY ready and print out these instructions.

  • Boot from your Windows XP CD. Insert the Windows XP CD into your computer's CD-ROM or DVD-ROM drive, and then restart your computer.
  • When the "Press any key to boot from CD" message appears on the screen, press a key to start your computer from the Windows XP CD.
    NOTE: If the computer does not boot from CD you must change the device boot order in the BIOS. Read here for more information on how to do that.
  • A blue screen will appear and begin loading Windows XP Setup from the CD.
  • When completed loading files, you will be presented with the following "Windows Setup" screen, and your first option. Select "To set up Windows XP now, press ENTER". DO NOT select Recovery Console.


  • When presented with the screen below press the F8 key to continue.


  • Next, Windows Setup will find existing Windows XP installations. You will be asked to repair an existing XP installation, or install a fresh copy of Windows XP.
  • Press the R key.


  • Windows XP will appear to be installing itself for the first time, but it will retain all of your data and settings.
  • Follow the instructions that appear on the screen to reinstall Windows XP. After you repair Windows XP, you may have to reactivate your copy of Windows XP.
  • Let me know if the bootup problem has been solved.


#38 arclight (Topic Starter, Member)
The repair process started and I went through the blue screen setup.

The PC rebooted and then I went through the Windows install setup fine.

After the install repair was finished it then rebooted a third time and froze on the Windows logo screen.

I left it for 3-4 hours but still nothing, just frozen; when I rebooted manually the PC would still not start up in normal mode.

#39 Render (Trusted Helper, Malware Removal)
Hi,

Interesting one. But you still can get into Safe mode? If so please do the following:

We need to run an OTL Fix

  • Please reopen OTL on your desktop.
  • Copy (select all lines inside the quote box and press CTRL+C) and Paste (press CTRL+V) the following code into OTL's Custom Scans/Fixes textbox.

    :OTL

    :Files
    C:\DOCUME~1\user\LOCALS~1\Temp\0.032674144558119456.exe

    ipconfig /flushdns /c

    :Reg
    [HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command]
    ""="C:\Program Files\Mozilla Firefox\firefox.exe"

    [HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command]
    ""="C:\Program Files\Mozilla Firefox\firefox.exe"

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Click on the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click on the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

On completion of this please post OTL fix log and try to reboot into Normal mode.

#40 arclight (Topic Starter, Member)
All processes killed
========== OTL ==========
========== FILES ==========
File\Folder C:\DOCUME~1\user\LOCALS~1\Temp\0.032674144558119456.exe not found.
< ipconfig /flushdns /c >
Windows IP Configuration
An internal error occurred: The request is not supported.

Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.
F:\cmd.bat deleted successfully.
F:\cmd.txt deleted successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\""|"C:\Program Files\Mozilla Firefox\firefox.exe" /E : value set successfully!
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\""|"C:\Program Files\Mozilla Firefox\firefox.exe" /E : value set successfully!
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: user
->Temp folder emptied: 221 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 4307210 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 82944 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 6.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: user
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Error starting restore point: The function was called in safe mode.
Error closing restore point: The sequence number is invalid.

OTL by OldTimer - Version 3.2.22.3 log created on 05032011_152359

Still not booting in normal mode, and Rootkit Unhooker still will not work.

Edited by arclight, 03 May 2011 - 08:40 AM.



#41 Render (Trusted Helper, Malware Removal)
:) What's wrong?

#42 arclight (Topic Starter, Member)
Oops.

Forgot to rename the log file to a .txt - edited post.

I'm posting from a MacBook at the moment since I can't get into Safe Mode with Networking, as I can't activate Windows in normal mode.

#43 Render (Trusted Helper, Malware Removal)
I need to look into that. It'll probably take a while.

#44 Render (Trusted Helper, Malware Removal)
We will try to create a new account in safe mode and then try to boot in normal mode from that newly created account.

  • So, restart in safe mode
  • Click on Start then on Control Panel and then double-click on User Accounts
  • Inside User Accounts window click on Create a new account
  • Give some name to that account
  • Make sure that Computer administrator is selected and click on Create Account button

Now restart your computer
When prompted please select that newly created account and let me know if you can successfully boot into Windows in normal mode.

#45 arclight (Topic Starter, Member)
Tried it and it still reboots even in the new account.

If I leave the screen alone without double-clicking on an account, it reboots anyway regardless.





