
PC AntiSpyware 2010 / braviax


I hope I'm on the right board here.

This machine is infected, and I've been following the procedures to try to remove the infections shown. After renaming MBAM.exe to WINLOGON.exe, I was able to get it to run, but in the middle of the scan, the desktop went away, and now the explorer shell is whacked. Can't run it manually. It tells me it can't access the file because I may not have permission.

SO.....I can boot normally otherwise, just no desktop, start menu, etc etc. Safe mode, same same. Safe mode with command prompt, I do get the command prompt. Can't run SFC....can't run chkdsk. Can't run system restore.

I have HJT on a flash drive, along with combofix, and taskmon & regmon.......I haven't tried to run any of these from the flash drive yet.

So here I am...............

Semper Fi,

Sarge


Hello Sarge,

We'll stay with this thread, going forward, and I'll be helping you.

Please advise (or refresh my recollection) if you have the XP CD for this system, or if this system has a diskette drive.

Try running HJT even if it is on flash drive. Let's see if it can generate a report and if you can copy it here.

Advise that you are logged in with administrator rights.


I'm logged on as the administrator.

Using the taskman, I tried to copy a file from the flash drive to the desktop, and the taskman went away. Now I don't have the explorer shell or the task manager. I have the HP Home cd and the SP# update on the flash drive. That's how I installed the OS. I tried to burn a slipstreamed disk but it didn't work, so I gave up on it.

I haven't tried it yet, but I believe that if I try to run a repair install from the CD it's gonna tell me that the version I'm using is newer than what's on the disk. I suppose I could try to slipstream another disk in order to try a repair install.

At this point, without the task manager, I have access to nothing. Black screen, that's it.


I can still boot to the safe mode command prompt. No task manager anywhere or anyhow tho.

Sarge,

First, because this system has a malware infection, a repair install will not do the job for you. You'll still be left with hidden malware.

I highlighted your note above, because I need for you to try once more, to reboot, tap F8 as pc restarts, and select Safe mode with command prompt.

Then, run RSTRUI.exe as outlined in this next MS article

HOW TO: Start the System Restore Tool from a Command Prompt (MS Knowledge Base Article 304449)

http://support.microsoft.com/kb/304449

Do as the article outlines to "attempt" System Restore to run and then restore to some earlier point (earlier than when this problem 1st started). Use another system to view & print the article, if needed.

I need to know the results of that attempt. And if it works, you let me know and await my next reply.

If all this does NOT work, get your Windows XP CD. I would have you attempt to bootup & get to the Recovery Console.

Set pc BIOS to boot from CDROM. Place XP CD in drive. Reboot from the CD. Wait for the message Welcome to setup. Have plenty of patience.

You'll see some options listed at bottom of that screen.

Select the first option R Repair/Recovery Console. Select your Windows partition by number. Usually it is 1 (select the one that has XP listed). Login to XP with administrator password.

When at the command prompt, let me know by replying here on the forum, and I'll guide you on what would follow.


Get a notepad ready to jot down info of services available on the system

While at the command prompt of Recovery Console, type in

listsvc

Jot down the info and copy back here into a reply. I'd like to see if we can see the "bandit" services show up.

added note

Also while in Recovery Console, type in (1 at a time) the following commands:

set AllowWildCards = TRUE

set AllowAllPaths = TRUE

set AllowRemovableMedia = TRUE
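The "bandit" service hunt above is a baseline comparison: whatever `listsvc` shows that a clean XP install of the same service pack does not have is worth a look. The script below is an added example and not part of this thread; it assumes a `listsvc` line looks like `NAME  START-TYPE  DISPLAY NAME`, and both the baseline set and the sample listing are constructed for illustration (capture a real baseline from a known-clean machine).

```python
"""Flag services in a Recovery Console `listsvc` dump that are absent from a
known-clean baseline. Example code; the line format is an assumption."""
import re
from typing import List, Tuple

# Assumed listsvc line shape: name, start type, then the display name.
_LINE = re.compile(r"^(\S+)\s+(Boot|System|Auto|Manual|Disabled)\s*(.*)$")

# Constructed stand-in for a baseline captured on a clean XP box (tiny subset).
XP_BASELINE = {"beep", "browser", "dhcp", "eventlog", "lanmanserver", "spooler"}

# Constructed sample listing (not real output); "braviax" is the rogue entry
# named in this thread's title.
SAMPLE_LISTSVC = """\
Beep         System   Beep
Browser      Auto     Computer Browser
braviax      Auto     braviax
Dhcp         Auto     DHCP Client
Eventlog     Auto     Event Log
lanmanserver Auto     Server
Spooler      Auto     Print Spooler
"""


def parse_listsvc(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, start_type, display_name) for each parseable line."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), m.group(3).strip()))
    return rows


def find_unknown_services(text: str, baseline: set) -> List[str]:
    """Names present in the dump but not in the baseline (case-insensitive)."""
    known = {name.lower() for name in baseline}
    unknown = [name for name, _, _ in parse_listsvc(text) if name.lower() not in known]
    return sorted(set(unknown), key=str.lower)


if __name__ == "__main__":
    for name, start, display in parse_listsvc(SAMPLE_LISTSVC):
        flag = "  <-- not in baseline" if name.lower() not in XP_BASELINE else ""
        print(f"{name:<14}{start:<9}{display}{flag}")
    print("Review these:", find_unknown_services(SAMPLE_LISTSVC, XP_BASELINE))
```

Jot the flagged names down rather than acting on them; a service missing from the baseline may simply be a driver or application the clean box never had.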


As long as you can do downloads using another system, and save to a flash drive....then.... get and try to run SYSCLEAN utility program from TrendMicro.

You'll likely have to extract the contents of each ZIP folder whilst using the other pc.

Providing you ran the SET commands (listed earlier by me) you should be able to access the USB flash drive while in Recovery Console

The following procedure is the typical way to get & run Sysclean while Windows is useable.

In your case, you'll need to do the prep work and un-zipping and making the folder (on flash drive or maybe burn a CD) while on the "other" pc.

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Create a brand new folder to copy these files to.
  • As an example: DCE
  • Then open each of the zipped archive files and copy their contents to DCE
  • Copy the file sysclean.com to the new folder DCE as well.
  • Take the media where you saved Sysclean to the infected/problem system
  • Double-click on the file sysclean.com that is in the DCE folder and follow the on-screen instructions.
    While using Recovery Console, you will have to explicitly specify the drive and folder where sysclean.com can be found.

    example, if on E drive and folder named DCE
    I'd use
    E:\DCE\sysclean.com

    and press ENTER to start sysclean
    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.....if possible, that is...... otherwise, a summary will do
    BTW, the log ought to be in same folder as the sysclean.com file
    and then stay in Recovery Console. See IF you can manage to Rename the exe file from the other day, back to original.
    Even so, stay in Recovery console, until we figure out next step.

How To Use Compressed (Zipped) Folders in Windows XP

Compress and uncompress files (zip files) in Vista

