I used avast on a computer yesterday to scan for viruses, and it found a virus on the physical drive or MBR or something, can't remember. I deleted the file instead of repairing it (yeah dumb mistake I know). Now I get a blue screen on startup and have even tried using the windows xp home edition cd to repair it, but it was unsuccessful.
[*]Download the attached scan.txt to a USB drive
[*]Download OTLPENet.exe to your desktop
[*]Ensure that you have a blank CD in the drive
[*]Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
[*]Reboot your system using the boot CD you just created. Note : If you do not know how to set your computer to boot from CD follow the steps here
[*]As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
[*]Your system should now display a Reatogo desktop. Note : as you are running from CD it is not exactly speedy
[*]Double-click on the OTLPE icon.
[*]Select the Windows folder of the infected drive if it asks for a location
[*]When asked “Do you wish to load the remote registry”, select Yes
[*]When asked “Do you wish to load remote user profile(s) for scanning”, select Yes
[*]Ensure the box “Automatically Load All Remaining Users” is checked and press OK
[*]OTL should now start.
[*]Double click the Custom scans and fixes box
[*]In the dialogue locate the scan.txt you have on the USB
[*]Press Run Scan to start the scan.
[*]When finished, the file will be saved in drive C:\OTL.txt
[*]Copy this file to your USB drive if you do not have internet connection on this system.
[*]Right click the file and select send to : select the USB drive.
[*]Confirm that it has copied to the USB drive by selecting it
[*]You can backup any files that you wish from this OS
[*]Please post the contents of the C:\OTL.txt file in your reply.
Essexboy will be the person giving your instructions on malware removal and reviewing your logs.
I have a question for you. When you removed or uninstalled your previous antiviruses, like Kaspersky (KAV), AVG, and ESET, did you use the vendor’s uninstaller tools or do it some other way? KAV is still showing up in your machine.
Also, with Spybot, do you use Teatimer (TT)?
Is your SAS the Pro version?
I notice that you also use Adaware. This has become obsolete and most people have replaced this with MBAM (Malwarebytes), which we will have you put on your machine for better security when we are done with your malware removal and better detection rates.
While you are waiting for Essexboy, please do not make any further changes to your machine or you will have to repeat making logs. In addition, do not sync your machine with your phone or any other devices. Try to not use the machine for email or surfing or anything else; use another machine or your phone if possible. Essexboy comes on the forum late UK time.
[*]Insert your USB drive with fix.txt on it
[*]Start OTLPE
[*]Drag and drop fix.txt into the Custom scans and fixes box
[*]If you cannot drag and drop for some reason, press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done to normal mode if possible
[*]Then post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
actually when I try to get on it shows a black screen that says “windows cannot start because the following file is missing or corrupt -\windows\system32\config\SYSTEM”. Earlier it showed blue screen because I didn't run the MBRfix correctly; I didn't type in the code correctly or something.
how would I restore the system file? I tried repairing it but it wouldn't work.
I found that file in my repair folder and I made a zip of it. I don’t know if you’d be able to put it where it belongs but I can send it if you want. Essexboy would know better than me if it would work or not.
We will use a mobile operating system called xPUD, and a script called rst.sh to restore your computer.
On the clean computer.
Creating a bootable USB using xPUD
[*]Please download the following files and save them to the desktop
[*]Unetbootin.exe
[*]xPUD (latest version is xpud-0.9.2.iso)
[*]Insert the USB device to make bootable to the computer. (Make sure that no other USBs are inserted)
[*]Double-click on unetbootin.exe to run it. Select Disk Image, ISO and in the space provided, enter the path location of xpud-0.9.2.iso (ex. C:\Documents and Settings\yourusername\Desktop\xpud-0.9.2.iso)
[*]Select USB Drive type and the drive letter assigned to your USB stick.
[*]Click “OK” and wait until the program finishes. You now have a bootable xPUD.
[*]Download the following tool and save it inside the bootable USB
Please note: if you prefer to create a bootable CD using xPUD, you may download the ISO image found here and burn it to a CD.
On the infected computer.
[*]Reboot your system using the xPUD bootable USB you just created. Note : If you do not know how to set your computer to boot from USB follow the steps here
[*]Your system should now display a xPUD desktop.
[*]Select on the File icon; on the right pane click on the “mnt” folder and highlight “sdb1” - this is your USB device.
sda1,2…usually corresponds to your HDD
sdb1 is likely your USB
[*]Click on the “Tool” menu and select Open Terminal
[*]In the open terminal window, type in the following:
bash rst.sh
[*]Press “Enter” and let it run uninterrupted.
(The program lists available Restore Points and will save a report enum.log located in the USB drive.)
[*]The program is finished when it says “Done”.
[*]Type “Exit” to close the terminal window.
[*]Please attach the enum.log file in your reply. (You may remove your USB drive when transferring the log to a clean computer).
Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download, the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too, so you can send the logs that way.
I think I’ll try it sometime in the future if a virus takes over my computer and rkill.exe won't work to stop the processes. Thanks for referring me to it though.
I’ve found a way to burn xpud onto cd.
here's the enum log
OK, let's use this system restore first, we have plenty to choose from
[*]Boot the Sick computer with the USB drive again
[*]Press File
[*]Expand mnt
[*]Expand your USB (sdb1)
[*]Press Tool at the top
[*]Choose Open Terminal
[*]Type bash rst.sh -r
[*]Type RP910
[*]Press Enter
[*]After it has finished a report will be located at sdb1 named restore.log
[*]Please try to boot into normal Windows now and indicate if you were successful
Please note - all text entries are case sensitive
Copy and paste the restore.log from your USB drive for my review
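An added example covering both steps above, the `bash rst.sh` enumeration that produced enum.log and the `bash rst.sh -r` / RP910 restore. This is not the thread's rst.sh (that script is never shown here); it is my own bash sketch of what such a script does, assuming the Windows volume is mounted at a path like /mnt/sda1 and the usual XP layout of hive snapshots under "System Volume Information/_restore{GUID}/RPnnn/snapshot".

```shell
#!/bin/bash
# Added example (not the thread's rst.sh): enumerate the XP System Restore points
# on a mounted Windows volume and restore the SYSTEM and SOFTWARE hives from one
# of them, backing up the live hives first. Assumes the volume is mounted at a
# path such as /mnt/sda1 and that XP keeps snapshots at
# "System Volume Information/_restore{GUID}/RPnnn/snapshot/_REGISTRY_MACHINE_*".
set -u

# Print the snapshot directory of restore point $2 (e.g. RP910) on volume $1.
rp_snapshot_dir() {
    local mount="$1" rp="$2" d
    for d in "$mount"/System\ Volume\ Information/_restore*/"$rp"/snapshot; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}

# List restore points that contain both hive snapshots, lowest number first
# (the same information the thread's enum.log carries).
enum_restore_points() {
    local mount="$1" snap
    for snap in "$mount"/System\ Volume\ Information/_restore*/RP*/snapshot; do
        if [ -f "$snap/_REGISTRY_MACHINE_SYSTEM" ] && [ -f "$snap/_REGISTRY_MACHINE_SOFTWARE" ]; then
            basename "$(dirname "$snap")"
        fi
    done | sort -k1.3n
}

# Replace WINDOWS/system32/config/{system,software} with the snapshots from
# restore point $2. Whatever live hives exist are copied to config/backup.<time>
# first so the step can be undone; a missing or corrupt SYSTEM hive, as in this
# thread, is exactly the case where one of them may not be there at all.
restore_hives() {
    local mount="$1" rp="$2" snap cfg bak h
    snap=$(rp_snapshot_dir "$mount" "$rp") || { echo "no such restore point: $rp" >&2; return 1; }
    cfg="$mount/WINDOWS/system32/config"
    bak="$cfg/backup.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$bak" || return 1
    for h in system software; do
        if [ -f "$cfg/$h" ]; then cp -p "$cfg/$h" "$bak/$h" || return 1; fi
    done
    cp "$snap/_REGISTRY_MACHINE_SYSTEM"   "$cfg/system"   || return 1
    cp "$snap/_REGISTRY_MACHINE_SOFTWARE" "$cfg/software" || return 1
    echo "restored system and software from $rp; previous hives saved in $bak"
}

# From the xPUD terminal this would be used as, for example:
#   enum_restore_points /mnt/sda1
#   restore_hives /mnt/sda1 RP910
```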