[DAV2]

Status: Detected (events: 2)
1/18/2012 7:46:26 PM Detected Trojan program Trojan.Win32.Chifrax.cxp C:\Documents and Settings\975\Downloads\Hirens.BootCD.15.1 (1).zip/Hiren's.BootCD.15.1.iso//HBCD/Programs/Files/WinNTSetup.7z//WinNTSetup.exe High
1/18/2012 7:50:38 PM Detected Trojan program Trojan.Win32.Chifrax.cxp C:\Users\975\Downloads\Hirens.BootCD.15.1 (1).zip/Hiren's.BootCD.15.1.iso//HBCD/Programs/Files/WinNTSetup.7z//WinNTSetup.exe High

Still no F8 safe boot and it bypasses Pagefile.sys.

[Advertisements]

F8 only brings up boot manager and turning off the computer during boot only brings up the repair menu. No way still to get to safe mode.

[DAV2]

F8 only brings up boot manager and turning off the computer during boot only brings up the repair menu. No way still to get to safe mode.

[RKinner]

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after the line:

msconfig

There should be an option under Boot that says Safe Mode. IF you click it then OK and reboot it should go into Safe Mode. Caveat here is that if something is wrong with Safe Mode you may need to boot from the Disk and run the BootRec /FixBoot command in order to get back into regular mode.

[DAV2]

Ron, yes that got computer into safe mode. I ran Kas... again and it flagged same 2 Trojans and nothing else. I keep telling it to disinfect and if not to delete, but it keeps detecting.

1/19/2012 5:07:39 PM","Detected","Trojan program Trojan.Win32.Chifrax.cxp","File C:\Documents and Settings\975\Downloads\Hirens.BootCD.15.1 (1).zip/Hiren's.BootCD.15.1.iso//HBCD/Programs/Files/WinNTSetup.7z// WinNTSetup.exe","High
1/19/2012 5:10:21 PM","Detected","Trojan program Trojan.Win32.Chifrax.cxp","File C:\Users\975\Downloads\Hirens.BootCD.15.1 (1).zip/Hiren's.BootCD.15.1.iso//HBCD/Programs/Files/WinNTSetup.7z// WinNTSetup.exe","High

What do you recommend I do with computers. They are all past the usual 2 week lifespan of Win. Should I kill/reformat/reload and pray it will last longer next time? Should I upgrade to XPSP3? Is there a way to stop this from happening? I would really like a stable computer that could be used for something secure instead of only useful for games (Which I never play on a computer. Too busy trying to get them to work for real world use.) I hope you realize I am no computer expert, but I also hope you realize how frustrated I am with Win.
Win will not open png files any more. It will not do anything except make coasters with the dvd drive. It will not respond to the F8 key on boot and the Trojans reported either return or do not go away.

Edited by DAV2, 19 January 2012 - 06:44 PM.

[RKinner]

I'm puzzled by why your PC doesn't have the option to go into Safe Mode.

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:

bcdedit  /enum  all  >  C:\bcd.txt

notepad  \bcd.txt

Copy and past the text from notepad


See if you can get gparted to work.



download: gparted-live-0.10.0-3.iso (115.1 MB)

Create a bootable CD, 1 for Gparted from the ISO image. You can use ImgBurn do this.

Now boot off of the newly created Gparted CD.


You should be here...
Press ENTER


By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.


Choose your language and press ENTER. English is default [33]


Once again, at this prompt, press ENTER

You will now be taken to the main GUI screen below

[DAV2]

Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=D:
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {current}
resumeobject {a0813e32-29e7-11e1-b3e2-877c319a4585}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 5

Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {bootloadersettings}
recoverysequence {a0813e34-29e7-11e1-b3e2-877c319a4585}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {a0813e32-29e7-11e1-b3e2-877c319a4585}
nx OptOut

Windows Boot Loader
-------------------
identifier {a0813e34-29e7-11e1-b3e2-877c319a4585}
device ramdisk=[C:]\Recovery\a0813e34-29e7-11e1-b3e2-877c319a4585\Winre.wim,{a0813e35-29e7-11e1-b3e2-877c319a4585}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {bootloadersettings}
osdevice ramdisk=[C:]\Recovery\a0813e34-29e7-11e1-b3e2-877c319a4585\Winre.wim,{a0813e35-29e7-11e1-b3e2-877c319a4585}
systemroot \windows
nx OptIn
winpe Yes

Resume from Hibernate
---------------------
identifier {a0813e32-29e7-11e1-b3e2-877c319a4585}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {resumeloadersettings}
filedevice partition=C:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {memdiag}
device partition=D:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {globalsettings}
badmemoryaccess Yes

EMS Settings
------------
identifier {emssettings}
bootems Yes

Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {badmemory}

Global Settings
---------------
identifier {globalsettings}
inherit {dbgsettings}
{emssettings}
{badmemory}

Boot Loader Settings
--------------------
identifier {bootloadersettings}
inherit {globalsettings}
{hypervisorsettings}

Hypervisor Settings
-------------------
identifier {hypervisorsettings}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {resumeloadersettings}
inherit {globalsettings}

Device options
--------------
identifier {a0813e35-29e7-11e1-b3e2-877c319a4585}
description Ramdisk Options
ramdisksdidevice partition=C:
ramdisksdipath \Recovery\a0813e34-29e7-11e1-b3e2-877c319a4585\boot.sdi

[RKinner]

Appears your backup software has been here.

This is what mine says:


Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=\Device\HarddiskVolume1
description Windows Boot Manager
locale en-US
inherit {globalsettings}
extendedinput Yes
default {current}
resumeobject {fdc6f00f-7920-11de-a56d-0018716eb820}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 30
customactions 0x1000085000001
0x5400000f
custom:5400000f {e396c91c-e69f-11e0-844e-60eb69f488ad}

Windows Boot Loader
-------------------
identifier {e396c91c-e69f-11e0-844e-60eb69f488ad}

Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {bootloadersettings}
recoverysequence {e396c91c-e69f-11e0-844e-60eb69f488ad}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {fdc6f00f-7920-11de-a56d-0018716eb820}
nx OptIn

Resume from Hibernate
---------------------
identifier {fdc6f00f-7920-11de-a56d-0018716eb820}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {resumeloadersettings}
filedevice partition=C:
filepath \hiberfil.sys
pae Yes
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {memdiag}
device partition=\Device\HarddiskVolume1
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {globalsettings}
badmemoryaccess Yes

EMS Settings
------------
identifier {emssettings}
bootems Yes

Debugger Settings
-----------------
identifier {dbgsettings}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {badmemory}

Global Settings
---------------
identifier {globalsettings}
inherit {dbgsettings}
{emssettings}
{badmemory}

Boot Loader Settings
--------------------
identifier {bootloadersettings}
inherit {globalsettings}
{hypervisorsettings}

Hypervisor Settings
-------------------
identifier {hypervisorsettings}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {resumeloadersettings}
inherit {globalsettings}

Device options
--------------
identifier {e396c91d-e69f-11e0-844e-60eb69f488ad}
description Ramdisk Options
ramdisksdidevice unknown
ramdisksdipath \Recovery\WindowsRE\boot.sdi

I'm looking at: http://msdn.microsof...5(v=vs.85).aspx

as a reference to the options but yours is so much different than mine than I'm getting lost.

Got to walk the dog so have to go for now.

Ron

[DAV2]

Ron, thanks. There is no backup software on the computer and it is a new load and has not been backed up yet. This is the original and I ran the Win boot disk on it to do the MBR as you directed earlier. Win IE crashed on both computers with the download of ImgBurn. It ran on computer 2 . Booted on computer 1. Now what? (I have my dogs trained to walk themselves.)

[DAV2]

Ron, Hir... from 2nd computer booted on first computer. It listed 4 partitions. Two were 0 bytes 1 was 100mb and the 4th was 60955mb.

[DAV2]

The Avira only gave 4 warnings and listed 3 of them. Two were an encrypted file 6924636rar.exe

[RKinner]

It listed 4 partitions. Two were 0 bytes 1 was 100mb and the 4th was 60955mb.

Don't think I have ever seen a 0 byte partition before. Is this using gparted? Which of the partitions is the boot partition? Can you delete the 0 byte partitions?
aswMBR says that the 100 MB is the boot.

16:49:34.484 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
16:49:34.484 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 60955 MB offset 206848

This is usually something from your PC maker but I suppose it could be something bad. You could change it to make it boot from the bigger partition.

You will now be taken to the main GUI screen below

According to your logs, the partition that you want to delete is 0
Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:


Now you should be here:



Is "boot" next to your OS drive? (The big partition)

If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

In the menu that pops up, place a checkmark in boot like the picture below:


Now double-click the button.

You should receive a small pop up like this:

Choose reboot and then press OK.

Then boot off your Win 7 Disk and run the

• bootrec /FixMbr
• bootrec /FixBoot
• exit

[DAV2]

Ron, ok. Gparted labeled the largest partition as boot. Win boot disk fixed mbr and boot, but boot ends with "BOOTMGR" is missing.

[DAV2]

Ron, Win starts in x drive from load disk. I think bootrec worked there. I changed to c and did bootrec and same. I changed to d and did bootrec and same. "BOOTMGR" is missing

[DAV2]

Ron, I changed to e and did bootrec again and still " BOOTMGR " is missing. There is no f drive.

[DAV2]

Ron, Gparted still only lists the 2 partitions of 100mb and 59.53gb with the larger marked boot. Is there another way to load "BOOTMGR"?

Edited by DAV2, 20 January 2012 - 12:53 PM.