Avast stopped working, virus?

Well that does look promising, though the permissions may still be an issue in BJS’s case.

There should be two files in cab folders in the i386 folder. One in spx.cab (x = service pack installed) and one other. These were the ones we were trying to get to, but alas, the access denied error.

Which file did you use?

I checked on an xp machine and found the following:

The two files are different in size, the one in the spx.cab was about 2300b and the other about 1900b. I think the smaller was the original ntkrnl.exe installed and the larger a reflection of the service pack installed.

BJS did say he downloaded a copy of ntoskrnl.exe. This would probably be an XP no-service-pack version and would be the same that would be extracted from an XP disk.

I think using Ultraiso to add that file to ntfswcdd.iso and burning just that iso to a cd may produce similar results as Badr had.

If BJS sends me the files, I’ll try it. Or if he’s willing to give it one more try…

OK, I found someone nearby that has a XP disc with an oem number.
I have never overinstalled XP. We have ALL of our family pictures on my wife's PC and my wife is worried that the overinstall will erase all of them. When I put the XP disc in the tray, will it automatically install? Or will it give me some options? How can I make sure we keep all our documents and programs?
I don’t want to try anything yet before I am informed about the process.

Thanks

Choose repair or update options. Do not format your disk and you won’t lose anything (just windows updates that you can download again later).

Do NOT format the disk and your files will remain there.

Hello, I chose the repair option and after scanning some files, it took me to a DOS command prompt.
It said “which windows installation would you like to log onto? (to cancel press enter)”

The option for repair was “r” but when we entered that in the DOS screen it said invalid.

When we pressed enter it just tried to boot but nothing was fixed.

What would I enter at the prompt? ???

Below is from another forum (in RED). He had the same question as me. I guess I was choosing “repair” too early.
Now I am at the screen in which I have 3 choices. Here they are.

1: To set up XP press enter

2: To create a partition in unpartitioned space, press C

3: To delete selected partition press D

[b]I’ve never had a problem running “Repair” with XP installation disk on my

old computer but on my month old Dell I’m running into a problem… On my
old computer I would just type “R” and it would go into the repair mode…
Now with my month old Dell 8400 with XP Home SP2 included I run the repair
as I previously did I press “R” I get a:

"Microsoft Recovery Console “Typr Exit to quit Recovery Console.
1:C:\Windows
Which Windows installation would you like to log onto
(To cancel, Press ENTER)”
I found typing 1 and enter brings me to:
“Type Admin. Password”
I have no password set so I just hit enter and I get:
“C:\Windows>”

Below is the procedure I usually used to repair on my old computer…

"Boot with the Windows XP CD and at the Setup Screen press the Enter Key

You will be taken to the Windows XP Licensing Agreement. After reading the
agreement press F8 to proceed

The next screen gives you the option to do a fresh (clean) install or to
“Repair the selected Windows XP installation.” Press “R”

Windows XP will copy the necessary files to your Hard Drive to begin the
installation and will then reboot. You will see the message that informs
you to “Press any key to boot the CD”. Do not press any keys this time
just wait a few seconds and the Windows Startup Screen will be displayed.
Following this you will be greeted by the Windows XP Setup Screens.

You’re selecting “Recovery Console - Repair” too early in the process. Be
patient and continue to press “enter/proceed” as if you planned to perform a
clean install.

You eventually reach a 4th or 5th menu which allows you the true “repair”
option w/o the recovery console.

I suspect this is what you’re seeing.

hth

Stew

PaulT
2005-05-19, 4:46 pm

SLewis your on the money, my bad… thank you…
[/b]

Hi

Here’s a link on how to run a repair install

You have to scroll down to find it. It’s about 11th up from the bottom of the topics, counting from how to access safe mode.

http://www.webtree.ca/windowsxp/repair_xp.htm#How%20to%20Repair%20Windows%20XP%20by%20Installing%20Over%20top%20of%20Existing%20Setup:

Great site, just what I needed, thanks OM ;D

(I will let you know when I am done)

Sounds good and good luck!!

This is the Windows Repair Console… it won’t be installed there.
Can you boot in XP and use the CD? If so, you can run install.exe from it and choose to update.
If you can’t boot in your disk and use the CD, you must boot with the CD and choose a way to install Windows.
On the links I’ve posted before there is some info.

Choose the option to install (and not repair), after that you would receive an option to install in the same partition that you have installed before, you can go further. You just do not format the disk.

FINALLY ;D
I needed to call my brother-in-law (who is a computer programmer) and I told him that I had a copy of XP but it would not let me do a repair. I had tried to copy the ntoskrnl.exe file from the XP CD to the C drive but it didn’t work. That is because I did not copy it to the windows\system32 folder. We had to use the expand command to find the file and I had to copy it using ntoskrnl.ex_ but in the end it worked!
Now that I can get into windows, I am going to do the repair as Tech advised from the XP CD. I will post my results (good or bad)

Thanks again

Is your wife’s computer booting to Windows now?

Yes it is, I am now doing an overinstall from the CD

Well if you haven’t started we may be able to get around that, but if it’s already started don’t interrupt it. If the product key is on a sticker on the computer case use that instead of the key on the CD, then install as many of the Windows updates as you can.

OK, I am back at my wife's (infected) PC. Right now I am updating the XP SP2 patch.
Once this is done, I think we can resume what we were working on last week, which was getting rid of some rootkits and getting Avast back in.

Good. Sounds like you used the recovery console. You could have gotten the file from the i386 folder, but the one on the disk is known to be clean.

Good luck the rest of the way.

Thanks, that whole process wore me out…I’m hitting the sack now…I will check in tomorrow PM… :stuck_out_tongue:

(Once this PC is “healed” we will definitely be making recovery cd’s as well as a copy of XP)

Good plan. Something else to look into is something like Acronis True Image, Go Back, etc. Well worth the bucks.

Thanks Oldman, I’ll remember that.

I thought I was going to bed but I figured I would check msconfig and see what startup programs were running on her computer.

Guess what? You know that “bagle trojan” that Mauserme saw I had? It was in my startup program.
It was named “wintems.exe”. I looked it up. I don’t have it in startup anymore but I am sure it is still on my hard drive somewhere. I also found another startup program named vsnpstd2.exe. I guess that is some sort of spyware.

Now I am going to bed…

Since the repair install leaves all the data, etc intact the malware that was remaining before we got sidetracked is also still there. This was expected.

If you want to, back up the family pics to CD or DVD. Then post fresh ComboFix and HJT logs (run in that order).

EDIT: Looking at your first ComboFix log (way back on page 2 :o ) shows that C:\WINDOWS\system32\wintems.exe was deleted but the registry key that called it was one of the things I wanted to get. If that key is gone now we’re a little farther along than I expected, but for sure we’ll double check.
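As an added illustration (not code from this thread, from ComboFix or from Avast), here is a small Python triage helper for the log format ComboFix produces, the same layout as the log posted further down: it splits the "((( ... )))" sections apart, turns the dated "Files Created" lines into records, counts new files per directory so the bulk of dllcache entries left by a service pack install can be set aside at a glance, and flags created executables that sit in user-writable locations or whose names match a watchlist (here the two startup entries named in the thread). The sample log, its sizes and attribute strings, and the Application Data location of vsnpstd2.exe are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the ComboFix log quoted in this thread.
# The attribute column is written as ComboFix prints it ("--a--c---"); the
# wintems.exe deletion mirrors what the thread's log reported, while the
# sizes and the Application Data location of vsnpstd2.exe are made up here.
SAMPLE_LOG = r"""ComboFix 07-08-14.4 - "Ben" 2007-08-22 13:44:54.2 - NTFS x86

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\wintems.exe

((((((((((((((((((((((((( Files Created from 2007-07-22 to 2007-08-22 )))))))))))))))))))))))))))))))

2007-08-21 17:18 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-08-21 17:17 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2007-08-20 09:02 61,440 --a------ C:\WINDOWS\system32\wintems.exe
2007-08-20 09:02 131,072 --a------ C:\Documents and Settings\Ben\Application Data\vsnpstd2.exe
"""

# Section banners look like "(((( Other Deletions ))))"; entries look like
# "2007-08-21 17:18 27,648 --a--c--- C:\WINDOWS\...\file.exe".
SECTION_RE = re.compile(r"^\({3,}\s*(.*?)\s*\){3,}$")
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+)\s+(?P<attrs>[-A-Za-z]{9})\s+(?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")
# Path fragments (lower-cased) where a freshly created executable deserves a
# look because ordinary users, and therefore malware running as them, can write there.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\",
                 "\\temporary internet files\\")


@dataclass
class Created:
    date: str
    time: str
    size: int   # bytes, thousands separators removed
    attrs: str  # ComboFix attribute column, e.g. "--a--c---"
    path: str


def parse_combofix(text):
    """Split a ComboFix log into its sections. Dated lines become Created
    records; other lines (deleted paths, header text) are kept verbatim."""
    sections = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections[current].append(Created(
                m["date"], m["time"], int(m["size"].replace(",", "")),
                m["attrs"], m["path"]))
        else:
            sections[current].append(line)
    return sections


def created_by_directory(entries):
    """Count created files per directory; bulk installer activity stands out."""
    return Counter(e.path.rsplit("\\", 1)[0]
                   for e in entries if isinstance(e, Created))


def triage_created(entries, watchlist=()):
    """Return [(entry, reasons)] for created executables worth a second look."""
    watch = {name.lower() for name in watchlist}
    flagged = []
    for e in entries:
        if not isinstance(e, Created):
            continue
        p = e.path.lower()
        if not p.endswith(EXEC_EXT):
            continue
        reasons = []
        if any(marker in p for marker in USER_WRITABLE):
            reasons.append("executable in user-writable location")
        if p.rsplit("\\", 1)[-1] in watch:
            reasons.append("name matches startup-entry watchlist")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    sections = parse_combofix(SAMPLE_LOG)
    created = sections["Files Created from 2007-07-22 to 2007-08-22"]
    print("Deleted:", sections["Other Deletions"])
    for directory, n in created_by_directory(created).most_common():
        print(f"{n:4d}  {directory}")
    for entry, reasons in triage_created(created, {"wintems.exe", "vsnpstd2.exe"}):
        print(entry.date, entry.time, entry.path, "->", "; ".join(reasons))
```

The watchlist is the only place the thread's own findings enter the logic; everything else is a location heuristic, so a hit is a prompt to check the file (signature, vendor, the registry Run key that launches it), not a verdict.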

Sorry I have been MIA. I reinstalled XP and installed XP SP2 on my wife's computer and now I cannot download the Windows installer and therefore cannot install any security updates. That, combined with having no Avast, has made me hesitant about going online with my wife's computer.

Those problems aside, here are my new ComboFix and HJT logs…

Also, if I made restore discs for all of our files (pictures, documents, programs etc.) and then formatted our computer clean and reinstalled XP (along with our restore discs) would that take care of some problems? Or would we still be infected from the restore discs?

ComboFix Log

ComboFix 07-08-14.4 - “Ben” 2007-08-22 13:44:54.2 - NTFS x86
C:\WINDOWS\system32\chkdsk.exe not present

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Ben\Desktop.\internet explorer.lnk

((((((((((((((((((((((((( Files Created from 2007-07-22 to 2007-08-22 )))))))))))))))))))))))))))))))

2007-08-21 17:18 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2007-08-21 17:18 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2007-08-21 17:18 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2007-08-21 17:18 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2007-08-21 17:17 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2007-08-21 17:17 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2007-08-21 17:17 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2007-08-21 17:17 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2007-08-21 17:17 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2007-08-21 17:17 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2007-08-21 17:17 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2007-08-21 17:17 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2007-08-21 17:16 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-08-21 17:16 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2007-08-21 17:16 701,386 --a--c--- C:\WINDOWS\system32\dllcache\wdhaalba.sys
2007-08-21 17:16 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2007-08-21 17:16 35,871 --a--c--- C:\WINDOWS\system32\dllcache\wbfirdma.sys
2007-08-21 17:16 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2007-08-21 17:16 33,599 --a--c--- C:\WINDOWS\system32\dllcache\watv04nt.sys
2007-08-21 17:16 31,744 --a--c--- C:\WINDOWS\system32\dllcache\wceusbsh.sys
2007-08-21 17:16 29,311 --a--c--- C:\WINDOWS\system32\dllcache\watv01nt.sys
2007-08-21 17:16 23,615 --a--c--- C:\WINDOWS\system32\dllcache\wch7xxnt.sys
2007-08-21 17:16 19,551 --a--c--- C:\WINDOWS\system32\dllcache\watv02nt.sys
2007-08-21 17:16 19,016 --a--c--- C:\WINDOWS\system32\dllcache\w926nd.sys
2007-08-21 17:16 16,925 --a--c--- C:\WINDOWS\system32\dllcache\w940nd.sys
2007-08-21 17:16 12,415 --a--c--- C:\WINDOWS\system32\dllcache\wadv01nt.sys
2007-08-21 17:16 12,127 --a--c--- C:\WINDOWS\system32\dllcache\wadv02nt.sys
2007-08-21 17:16 11,775 --a--c--- C:\WINDOWS\system32\dllcache\wadv05nt.sys
2007-08-21 17:15 765,884 --a--c--- C:\WINDOWS\system32\dllcache\usrti.sys
2007-08-21 17:15 7,556 --a--c--- C:\WINDOWS\system32\dllcache\usroslba.sys
2007-08-21 17:15 687,999 --a--c--- C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2007-08-21 17:15 64,605 --a--c--- C:\WINDOWS\system32\dllcache\vvoice.sys
2007-08-21 17:15 604,253 --a--c--- C:\WINDOWS\system32\dllcache\vmodem.sys
2007-08-21 17:15 5,376 --a--c--- C:\WINDOWS\system32\dllcache\viaide.sys
2007-08-21 17:15 397,502 --a--c--- C:\WINDOWS\system32\dllcache\vpctcom.sys
2007-08-21 17:15 249,402 --a--c--- C:\WINDOWS\system32\dllcache\vinwm.sys
2007-08-21 17:15 24,576 --a--c--- C:\WINDOWS\system32\dllcache\viairda.sys
2007-08-21 17:15 19,528 --a--c--- C:\WINDOWS\system32\dllcache\w840nd.sys
2007-08-21 17:15 113,762 --a--c--- C:\WINDOWS\system32\dllcache\usrpda.sys
2007-08-21 17:14 94,720 --a--c--- C:\WINDOWS\system32\dllcache\umaxud32.dll
2007-08-21 17:14 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2007-08-21 17:14 794,399 --a--c--- C:\WINDOWS\system32\dllcache\usr1806v.sys
2007-08-21 17:14 793,598 --a--c--- C:\WINDOWS\system32\dllcache\usr1806.sys
2007-08-21 17:14 69,632 --a--c--- C:\WINDOWS\system32\dllcache\umaxu12.dll
2007-08-21 17:14 50,688 --a--c--- C:\WINDOWS\system32\dllcache\umaxscan.dll
2007-08-21 17:14 50,176 --a--c--- C:\WINDOWS\system32\dllcache\umaxp60.dll
2007-08-21 17:14 47,616 --a--c--- C:\WINDOWS\system32\dllcache\umaxcam.dll
2007-08-21 17:14 32,384 --a--c--- C:\WINDOWS\system32\dllcache\usb101et.sys
2007-08-21 17:14 28,160 --a--c--- C:\WINDOWS\system32\dllcache\umaxu40.dll
2007-08-21 17:14 26,624 --a--c--- C:\WINDOWS\system32\dllcache\umaxu22.dll
2007-08-21 17:14 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys
2007-08-21 17:14 224,802 --a--c--- C:\WINDOWS\system32\dllcache\usr1807a.sys
2007-08-21 17:14 22,912 --a--c--- C:\WINDOWS\system32\dllcache\umaxpcls.sys
2007-08-21 17:14 20,480 --a--c--- C:\WINDOWS\system32\dllcache\usbuhci.sys