Hi, I’m running XP SP3. You have to forgive me because I’m trying to do all of this from memory.
Avast found a file while I was surfing (though I don’t think that’s related). Something suspicious wanted to open in the temp folder. I told Avast not to open it. A minute later something else popped up, I think from the temp folder again, and I had Avast not open it again. Something popped up a third time and I chose open in sandbox, figuring it would give more info or choices on what to do. Somewhere in those three pop-ups there was something about explorer.EXE as well as WIN32:Alureon-DXX (XX are letters I can’t remember); I can’t recall where exactly. At this point a system error message (typical Windows box with an OK button) popped up about my SATA hard drive and I lost about half of my desktop icons. The message said I needed to reboot. I ignored the message and tried to do a scan to maybe find the virus before I rebooted, thinking that the reboot might be part of the virus. While scanning, the message popped up again about the hard drive. I decided maybe I should reboot and now I can’t even get into safe mode.
I’ve booted off the CD and did a repair with no luck. I did a chkdsk, which was fine; I’m doing a chkdsk /r now.
Anything you can do to help would be greatly appreciated.
- Quit all running programs
- For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
- When prompted, type 1 and validate
- The RKreport.txt shall be generated next to the executable.
- If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in
Umm, I might be missing something, but I can’t get Windows to start so I don’t think I can do any of the things you are suggesting. I get to the Windows splash/load screen, then I get a quick BSOD that goes so quick I can’t read it, and then it reboots and does the same thing.
- Download the attached scan.txt to a USB drive
- Download OTLPENet.exe to your desktop
- Ensure that you have a blank CD in the drive
- Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
- Reboot your system using the boot CD you just created. Note: If you do not know how to set your computer to boot from CD follow the steps here
- As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
- Your system should now display a Reatogo desktop. Note: as you are running from CD it is not exactly speedy
- Double-click on the OTLPE icon.
- Select the Windows folder of the infected drive if it asks for a location
- When asked “Do you wish to load the remote registry”, select Yes
- When asked “Do you wish to load remote user profile(s) for scanning”, select Yes
- Ensure the box “Automatically Load All Remaining Users” is checked and press OK
- OTL should now start.
- Double click the Custom scans and fixes box
- In the dialogue locate the scan.txt you have on the USB
- Press Run Scan to start the scan.
- When finished, the file will be saved in drive C:\OTL.txt
- Copy this file to your USB drive if you do not have internet connection on this system.
- Right click the file and select send to: select the USB drive.
- Confirm that it has copied to the USB drive by selecting it
- You can backup any files that you wish from this OS
- Please post the contents of the C:\OTL.txt file in your reply.
Start OTLPE as you did previously from CD
Copy the attached Fix.txt to a USB
- Insert your USB drive with fix.txt on it
- Start OTLPE
- Drag and drop fix.txt into the Custom scans and fixes box
- If you cannot drag and drop for some reason, then press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done to normal mode if possible
- Then post a new OTL log (don’t check the boxes beside LOP Check or Purity this time)
So the fix went through and did its thing correctly, but the computer still doesn’t load Windows. I used F8 and disabled auto restart and I can now see the BSOD error. The short version is "check for viruses, remove newly installed hard drive or hard drive controller, check hard drive is properly configured and terminated, run chkdsk /f" (I did a chkdsk /r already).
I was impatient and I did a fixmbr from the recovery console. I left the disk in on reboot and it reinstalled Windows. I’m in Windows now but I have lost all my icons and some programs from my start menu. Everything still appears to be there when I look on the C drive. Also, I had my "My Documents" folder pointed to a separate drive. Now the drive looks empty but properties shows it half full. So the stuff is still there, I just can’t see it.
- Quit all running programs
- For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
- When prompted, type 1 and validate
- The RKreport.txt shall be generated next to the executable.
- If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.
FINALLY
Download OTS to your Desktop and double-click on it to run it
- Make sure you close all other programs and don’t use the PC while the scan runs.
- Select All Users
- Under additional scans select the following:
  - Reg - Disabled MS Config Items
  - Reg - Drivers32
  - Reg - NetSvcs
  - Reg - SafeBoot Minimal
  - Reg - Shell Spawning
  - Evnt - EventViewer Logs (Last 10 Errors)
  - File - Lop Check
- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.
I believe it was a repair install, but I don’t. I left the disk in after I rebooted after doing a “FIXMBR” from the recovery console. When I came back in the room it was already in mid-install.
If you have a relatively recent Windows “image” backup from the Windows backup program that you think is clean based upon when you did it then you can just restore that and it should solve this whole problem.
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-515967899-507921405-839522115-1003\] > -> HKEY_USERS\S-1-5-21-515967899-507921405-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{32099AAC-C132-4136-9E9A-4E364A424E17}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Program Files\Teamspeak2_RC2\server_windows.exe" -> [C:\Program Files\Teamspeak2_RC2\server_windows.exe:*:Enabled:Server]
YN -> "C:\WINDOWS\system32\msi32a.exe" -> [C:\WINDOWS\system32\msi32a.exe:*:Enabled:MsnUpdate]
YN -> "C:\WINDOWS\system32\schost32.exe" -> [C:\WINDOWS\system32\schost32.exe:*:Enabled:schost]
YN -> "C:\WINDOWS\system32\tdmic.exe" -> [C:\WINDOWS\system32\tdmic.exe:*:Enabled:tdmic.exe]
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
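As an added illustration (not part of this thread, and not code from the OTS tool), here is a small Python audit that parses the four "Authorized Applications" lines from the fix above, the way a helper would triage them, and flags the exceptions worth a closer look: programs granted a firewall hole from inside the Windows directory, and names that nearly match a real system binary. The list of system binaries and the 0.75 similarity threshold are my own assumptions; the Teamspeak entry is deliberately left to human judgement.

```python
import difflib
import re
from pathlib import PureWindowsPath

# Constructed sample: the four "Authorized Applications" lines quoted from the OTS fix above.
OTS_LINES = r"""
YN -> "C:\Program Files\Teamspeak2_RC2\server_windows.exe" -> [C:\Program Files\Teamspeak2_RC2\server_windows.exe:*:Enabled:Server]
YN -> "C:\WINDOWS\system32\msi32a.exe" -> [C:\WINDOWS\system32\msi32a.exe:*:Enabled:MsnUpdate]
YN -> "C:\WINDOWS\system32\schost32.exe" -> [C:\WINDOWS\system32\schost32.exe:*:Enabled:schost]
YN -> "C:\WINDOWS\system32\tdmic.exe" -> [C:\WINDOWS\system32\tdmic.exe:*:Enabled:tdmic.exe]
""".strip().splitlines()

# OTS prints each XP firewall exception as: YN -> "program" -> [registry value data]
LINE_RE = re.compile(r'^YN -> "(?P<prog>[^"]+)" -> \[(?P<value>.+)\]$')

# Assumption: a few genuine Windows binaries whose names malware commonly imitates.
SYSTEM_NAMES = ["svchost.exe", "msiexec.exe", "lsass.exe", "explorer.exe", "winlogon.exe"]


def parse_exception(line):
    """Return (path, scope, state, display_name), or None if the line is not an exception."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Value data is 'path:scope:Enabled|Disabled:name'; rsplit keeps the 'C:' drive letter intact.
    path, scope, state, name = m.group("value").rsplit(":", 3)
    return path, scope, state, name


def suspicious_reasons(program):
    """Heuristic flags for one exception; an empty list means nothing obviously wrong."""
    p = PureWindowsPath(program)
    reasons = []
    # A third-party program should not need a firewall exception from inside the Windows directory.
    if {"windows", "system32"} & {part.lower() for part in p.parts}:
        reasons.append("executable lives under the Windows directory")
    # A name that nearly matches a real system binary (schost32 vs svchost) is a classic tell.
    for real in SYSTEM_NAMES:
        similarity = difflib.SequenceMatcher(None, p.stem.lower(), real[:-4]).ratio()
        if p.name.lower() != real and similarity >= 0.75:
            reasons.append(f"name resembles {real}")
    return reasons


def audit(lines):
    """Map each flagged program path to the reasons it was flagged."""
    flagged = {}
    for line in lines:
        parsed = parse_exception(line)
        reasons = suspicious_reasons(parsed[0]) if parsed else []
        if reasons:
            flagged[parsed[0]] = reasons
    return flagged
```

Running `audit(OTS_LINES)` flags the three system32 entries and leaves the Program Files one alone; the same parser works on a full OTS log if you feed it every line.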
Took a while and then it looked like it froze, but then it asked for a reboot and the log popped up after I logged back into Windows.
My only issue now is the loss of our old profiles. I guess because I’m using NTFS, when you reinstall Windows it creates new profiles, even with the same names. So everything is still on the computer but it’s like I’m logged in as a guest. Is there any way to copy the old profile over to the new one? I read about this here:
If you go to All Programs it looks like there are maybe 6-8 programs installed (besides the WinXP default stuff), but if you go to Add/Remove Programs you see I’ve installed like 25-30 programs.
Should I just create shortcuts or reinstall or is there something else I can do?