
Solved: Trojan deleted files, can't run chkdsk

Discussion in 'Malware and Virus Removal Archive' started by jbutah, 2011/06/29.

  1. 2011/06/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Do this on the computer you are posting from:
    Copy the text in the codebox below:


    Code:
    :OTL
    SRV - File not found [Auto] -- -- (Seagate Sync Service)
    SRV - File not found [Auto] -- -- (RoxWatch)
    SRV - File not found [Auto] -- -- (RoxUpnpServer)
    SRV - File not found [On_Demand] -- -- (RoxUPnPRenderer)
    SRV - File not found [On_Demand] -- -- (RoxMediaDB)
    SRV - File not found [Auto] -- -- (RoxLiveShare)
    O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - File not found
    O2 - BHO: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - File not found
    O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - File not found
    O3 - HKLM\..\Toolbar: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - File not found
    O3 - HKU\Guest_ON_C\..\Toolbar\WebBrowser: (uTorrentBar Toolbar) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - File not found
    O3 - HKU\John_ON_C\..\Toolbar\WebBrowser: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - File not found
    O3 - HKU\John_ON_C\..\Toolbar\WebBrowser: (uTorrentBar Toolbar) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - File not found
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [DivXUpdate] File not found
    O4 - HKLM..\Run: [RoxioDragToDisc] File not found
    O4 - HKLM..\Run: [RoxWatchTray] File not found
    O4 - HKLM..\Run: [StxTrayMenu] File not found
    O4 - Startup: C:\Documents and Settings\John\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = File not found
    [2011/06/05 13:21:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\PriceGong
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\John\My Documents\non-circ.jpeg:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\John\My Documents\non-circ jb ken.jpeg:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\John\My Documents\non circ jb ken.jpg:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\John\My Documents\My Videos:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\John\My Documents\JBAgreement.tif:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\John\My Documents\JBAgreement(2).tif:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\John\My Documents\GSS IC agreement2.jpg:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\John\My Documents\GSS IC agreement.jpg:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Documents and Settings\Guest\My Documents\Downloads:Roxio EMC Stream
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:7631EA83
    @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:E7833B2E
    
    :Services
    
    :Reg
    
    :Files
    C:\WINDOWS\Driver Cache\i386\sp3.cab:hal.dll /E
    C:\WINDOWS\system32\hal.dll|c:\hal.dll /replace
    
    :Commands
    [purity]
    
    Open Notepad and paste it.
    Save the document as Fix.txt onto a USB flash drive.


    On the infected computer, do the following...

    Run OTLPE

    • Insert USB stick and find the file Fix.txt. Drag the file Fix.txt and drop it under the Custom Scans/Fixes box at the bottom.
      • (The content of Fix.txt should appear in the box)
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post the log produced (you'll need to transfer it with USB stick)
    • Attempt to reboot normally into Windows.
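    The fix above is built by hand from OTL scan lines: every "File not found" service, BHO, toolbar and Run entry is an orphaned autostart pointing at something already deleted, and the alternate data streams are listed for removal. The script below is an added example (not part of the thread, and not OTL's own code) that parses lines in that shape, separates orphaned entries from healthy ones, flags the ADS entries that deserve a closer look, and lays out the :OTL/:Services/:Reg/:Files/[purity] sections in the order the fix uses. The regular expressions are this example's approximation of OTL's log format; the "ExampleSvc" and "ctfmon.exe" lines in the sample are constructed to stand in for healthy entries, and the ADS suspicion rule (hex-only stream name, or a stream on a Temp directory) is a heuristic of this example, not an OTL rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

ORPHAN_MARK = "File not found"

# Line shapes as they appear in the OTL scan lines quoted in the fix
# (these patterns are this example's approximation of OTL's output, not OTL's own spec).
SRV_RE = re.compile(r"^SRV - .*\((?P<name>[^()]+)\)\s*$")
O2_RE = re.compile(r"^O2 - BHO: \((?P<name>.*?)\) - (?P<clsid>\{[0-9A-Fa-f-]{36}\})")
O3_RE = re.compile(r"^O3 - (?P<hive>.+?): \((?P<name>.*?)\) - (?P<clsid>\{[0-9A-Fa-f-]{36}\})")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<path>.+?) = (?P<target>.*)$")
FOLDER_RE = re.compile(r"^\[(?P<stamp>[^\]]+)\] -- (?P<path>.+)$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<host>.+):(?P<stream>[^:\\]+)$")
# A stream named only by hex digits says nothing about who wrote it (compare "Roxio EMC Stream").
HEX_STREAM_RE = re.compile(r"^[0-9A-Fa-f]{6,}$")


@dataclass
class Entry:
    kind: str                 # service, bho, toolbar, run, startup, folder, file, ads, other
    name: str
    raw: str
    orphaned: bool = False    # registry/startup entry whose target OTL could not find
    suspicious: bool = False  # ADS heuristic only: hex-named stream or stream on a Temp directory
    note: str = ""


def parse_otl_line(line: str) -> Optional[Entry]:
    line = line.strip()
    if not line or line.startswith(":") or line == "[purity]":
        return None  # section headers and the closing command are not findings
    orphaned = ORPHAN_MARK in line
    if line.startswith("SRV - "):
        m = SRV_RE.match(line)
        return Entry("service", m["name"] if m else line, line, orphaned)
    m = O2_RE.match(line)
    if m:
        return Entry("bho", f'{m["name"]} {m["clsid"]}', line, orphaned)
    m = O3_RE.match(line)
    if m:
        return Entry("toolbar", f'{m["name"]} @ {m["hive"]}', line, orphaned)
    m = O4_RUN_RE.match(line)
    if m:
        return Entry("run", f'{m["hive"]}\\Run [{m["name"]}]', line, orphaned)
    m = O4_STARTUP_RE.match(line)
    if m:
        return Entry("startup", m["path"], line, orphaned)
    m = ADS_RE.match(line)
    if m:
        host, stream = m["host"], m["stream"]
        hex_named = bool(HEX_STREAM_RE.match(stream))
        in_temp = host.rstrip("\\").lower().endswith("\\temp")
        notes = [n for n, hit in (("hex-named stream", hex_named), ("on a Temp directory", in_temp)) if hit]
        return Entry("ads", f"{host}:{stream}", line, False, hex_named or in_temp, ", ".join(notes))
    m = FOLDER_RE.match(line)
    if m:
        attrs = m["stamp"].split("|")[2]  # the ---D / ---- attribute field of the timestamp block
        return Entry("folder" if "D" in attrs else "file", m["path"], line, orphaned, note="review manually")
    return Entry("other", line, line, orphaned)


def parse_otl_log(text: str) -> List[Entry]:
    return [e for e in map(parse_otl_line, text.splitlines()) if e is not None]


def triage(entries: List[Entry]) -> Dict[str, int]:
    """Counts an analyst wants before deciding what goes into a fix."""
    return {
        "total": len(entries),
        "orphaned": sum(e.orphaned for e in entries),
        "ads": sum(e.kind == "ads" for e in entries),
        "suspicious_ads": sum(e.kind == "ads" and e.suspicious for e in entries),
        "review_folders": sum(e.kind == "folder" for e in entries),
    }


def build_fix_script(entries: List[Entry], files: Sequence[str] = ()) -> str:
    """Lay out a fix in the section order used in the thread: orphaned autostart entries and
    all ADS lines under :OTL, optional :Files operations (e.g. the hal.dll /replace line), then [purity].
    Folders are deliberately left out; they need a human decision."""
    selected = [e.raw for e in entries if e.orphaned or e.kind == "ads"]
    parts = [":OTL", *selected, "", ":Services", "", ":Reg", "", ":Files", *files, "", ":Commands", "[purity]"]
    return "\n".join(parts) + "\n"


# Constructed sample: the orphaned/ADS/folder lines are the ones from the fix above;
# the ExampleSvc and ctfmon.exe lines are made up here to stand in for healthy entries.
SAMPLE_SCAN = r"""
SRV - File not found [Auto] -- -- (Seagate Sync Service)
SRV - [2011/01/10 09:00:00 | 000,064,000 | ---- | M] (Example Vendor) [Auto | Running] -- C:\WINDOWS\system32\examplesvc.exe -- (ExampleSvc)
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - File not found
O3 - HKU\John_ON_C\..\Toolbar\WebBrowser: (uTorrentBar Toolbar) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - File not found
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [DivXUpdate] File not found
O4 - HKLM..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\John\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = File not found
[2011/06/05 13:21:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\John\Application Data\PriceGong
@Alternate Data Stream - 76 bytes -> C:\Documents and Settings\John\My Documents\non-circ.jpeg:Roxio EMC Stream
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:7631EA83
"""

if __name__ == "__main__":
    found = parse_otl_log(SAMPLE_SCAN)
    for e in found:
        flag = "ORPHAN" if e.orphaned else ("SUSPECT" if e.suspicious else "ok")
        print(f"{flag:7} {e.kind:8} {e.name} {e.note}")
    print(triage(found))
    print(build_fix_script(found, [r"C:\WINDOWS\system32\hal.dll|c:\hal.dll /replace"]))
```

    The point of the split is that "File not found" is what makes an entry safe to remove: the registry key is a leftover, not a running component. The ADS flag only ranks the streams; a "Roxio EMC Stream" on a document is a known application artefact, while an eight-hex-character stream hanging off a Temp directory is the kind of thing worth clearing and noting.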
     
  2. 2011/06/30
    jbutah

    jbutah Inactive Thread Starter

    Joined:
    2011/06/15
    Messages:
    51
    Likes Received:
    0
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Seagate Sync Service deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RoxWatch deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RoxUpnpServer deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RoxUPnPRenderer deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RoxMediaDB deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RoxLiveShare deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{30F9B915-B755-4826-820B-08FBA6BD249D} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\ not found.
    Registry value HKEY_USERS\Guest_ON_C\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}\ not found.
    Registry value HKEY_USERS\John_ON_C\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{30F9B915-B755-4826-820B-08FBA6BD249D} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}\ not found.
    Registry value HKEY_USERS\John_ON_C\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\DivXUpdate deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\RoxioDragToDisc deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\RoxWatchTray deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\StxTrayMenu deleted successfully.
    C:\Documents and Settings\John\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk moved successfully.
    C:\Documents and Settings\John\Application Data\PriceGong\Data folder moved successfully.
    C:\Documents and Settings\John\Application Data\PriceGong folder moved successfully.
    ADS C:\Documents and Settings\John\My Documents\non-circ.jpeg:Roxio EMC Stream deleted successfully.
    ADS C:\Documents and Settings\John\My Documents\non-circ jb ken.jpeg:Roxio EMC Stream deleted successfully.
    ADS C:\Documents and Settings\John\My Documents\non circ jb ken.jpg:Roxio EMC Stream deleted successfully.
    ADS C:\Documents and Settings\John\My Documents\My Videos:Roxio EMC Stream deleted successfully.
    ADS C:\Documents and Settings\John\My Documents\JBAgreement.tif:Roxio EMC Stream deleted successfully.
    ADS C:\Documents and Settings\John\My Documents\JBAgreement(2).tif:Roxio EMC Stream deleted successfully.
    ADS C:\Documents and Settings\John\My Documents\GSS IC agreement2.jpg:Roxio EMC Stream deleted successfully.
    ADS C:\Documents and Settings\John\My Documents\GSS IC agreement.jpg:Roxio EMC Stream deleted successfully.
    ADS C:\Documents and Settings\Guest\My Documents\Downloads:Roxio EMC Stream deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\Temp:7631EA83 deleted successfully.
    ADS C:\Documents and Settings\All Users\Application Data\Temp:E7833B2E deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    hal.dll extracted to C:\
    File C:\WINDOWS\system32\hal.dll successfully replaced with c:\hal.dll
    ========== COMMANDS ==========

    OTLPE by OldTimer - Version 3.1.46.0 log created on 06302011_214608
     


  4. 2011/06/30
    jbutah

    jbutah Inactive Thread Starter

    Joined:
    2011/06/15
    Messages:
    51
    Likes Received:
    0
    Got the reboot blue screen flash again... loading CD again.
     
  5. 2011/06/30
    jbutah

    jbutah Inactive Thread Starter

    Joined:
    2011/06/15
    Messages:
    51
    Likes Received:
    0
    my boot.ini
     
  6. 2011/06/30
    jbutah

    jbutah Inactive Thread Starter

    Joined:
    2011/06/15
    Messages:
    51
    Likes Received:
    0
    boot.ini does not look like any others I have seen all day today... I was going to try and make a copy but had a hard time getting it to the USB...
     
  7. 2011/06/30
    jbutah

    jbutah Inactive Thread Starter

    Joined:
    2011/06/15
    Messages:
    51
    Likes Received:
    0
    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    multi(0)disk(0)rdisk(0)partition(3)\WINDOWS= "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
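    What makes a boot.ini usable is that the default= line under [boot loader] names an ARC path that also appears as a key under [operating systems], and that each entry's ARC path and quoted label are well formed. The following is an added example (not from the thread) that parses a boot.ini, resolves each entry's partition number and switches, and reports whether the default points at a listed installation; the file jbutah posted is used as the sample input, and the second sample is a constructed broken variant whose default names a partition no entry describes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ARC path as NTLDR expects it: adapter(n)disk(n)rdisk(n)partition(n) followed by the system directory.
ARC_RE = re.compile(
    r"^(?P<arc>(?:multi|scsi|signature)\([0-9A-Fa-f]+\)disk\(\d+\)rdisk\(\d+\)partition\((?P<part>\d+)\))"
    r"(?P<dir>\\.*)$"
)
# Value side of an [operating systems] line: quoted menu label, then optional switches.
OS_VALUE_RE = re.compile(r'^"(?P<label>[^"]*)"\s*(?P<switches>.*)$')


@dataclass
class BootEntry:
    arc_path: str
    partition: int
    directory: str
    label: str
    switches: List[str]


def parse_boot_ini(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Split boot.ini into sections, keeping key order (a plain INI walk; no configparser,
    because the keys contain parentheses and backslashes and must keep their case)."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {line!r}")
        key, _, value = line.partition("=")  # first '=' only: switches may contain '='
        sections[current].append((key.strip(), value.strip()))
    return sections


def parse_os_entry(key: str, value: str) -> BootEntry:
    m = ARC_RE.match(key)
    if not m:
        raise ValueError(f"not an ARC path: {key!r}")
    v = OS_VALUE_RE.match(value)
    if not v:
        raise ValueError(f"menu entry is not a quoted label: {value!r}")
    return BootEntry(key, int(m["part"]), m["dir"], v["label"], v["switches"].split())


def check_boot_ini(text: str) -> dict:
    """Return the parsed entries plus a list of problems NTLDR would trip over."""
    sections = parse_boot_ini(text)
    loader = dict(sections.get("boot loader", []))
    entries = [parse_os_entry(k, v) for k, v in sections.get("operating systems", [])]
    problems = []
    default = loader.get("default")
    if not entries:
        problems.append("no entries under [operating systems]")
    if default is None:
        problems.append("no default= line under [boot loader]")
    elif default not in {e.arc_path for e in entries}:
        problems.append(f"default {default!r} matches no [operating systems] entry")
    timeout = loader.get("timeout")
    if timeout is not None and not timeout.lstrip("-").isdigit():
        problems.append(f"timeout is not a number: {timeout!r}")
    return {"default": default, "entries": entries, "problems": problems}


# The boot.ini posted in the thread, used here as the sample input.
THREAD_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS= "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
"""

# Constructed counter-example: the default names partition(2), which no entry describes.
BROKEN_BOOT_INI = THREAD_BOOT_INI.replace(
    "default=multi(0)disk(0)rdisk(0)partition(1)", "default=multi(0)disk(0)rdisk(0)partition(2)"
)

if __name__ == "__main__":
    for name, sample in (("thread", THREAD_BOOT_INI), ("broken", BROKEN_BOOT_INI)):
        result = check_boot_ini(sample)
        print(f"[{name}] default -> {result['default']}")
        for e in result["entries"]:
            print(f"  partition {e.partition} {e.directory}: {e.label!r} switches={e.switches}")
        print("  problems:", result["problems"] or "none")
```

    Run against the posted file this reports no problems: the default resolves to the partition(1) entry labelled "Microsoft Windows XP Professional", with a second entry on partition(3) for the older Home installation. That is the structural check behind broni's later remark that, if Pro was the working system, the file is correct; a parse that passes here says nothing about whether the files on that partition are intact, which is what chkdsk and the hal.dll replacement are for.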
     
  8. 2011/06/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    How did you access boot.ini file?

    Which XP version do you use, Pro, or Home?

    Did you see what it says?
     
  9. 2011/06/30
    jbutah

    jbutah Inactive Thread Starter

    Joined:
    2011/06/15
    Messages:
    51
    Likes Received:
    0
    It's XP Pro, and I went to the system folder from the XPE CD and searched for boot.ini; I copied it to the thumb drive. This comp had XP Home when it was new, but I paid to have the hard drive reformatted and they put XP Pro on it... I see both OSes listed, but Pro was working.
     
  10. 2011/06/30
    jbutah

    jbutah Inactive Thread Starter

    Joined:
    2011/06/15
    Messages:
    51
    Likes Received:
    0
    I also accessed some files and got them off the hard drive; that OTL CD worked great.
     
  11. 2011/06/30
    jbutah

    jbutah Inactive Thread Starter

    Joined:
    2011/06/15
    Messages:
    51
    Likes Received:
    0
    I am running the Reatogo XPE CD with Windows now so I can do a lot, just not sure what to do...
     
  12. 2011/06/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    If "Pro" was working, then boot.ini file is correct.

    See, if you can boot to recovery console and run chkdsk from there.
     
  13. 2011/06/30
    jbutah

    jbutah Inactive Thread Starter

    Joined:
    2011/06/15
    Messages:
    51
    Likes Received:
    0
    I meant Pro was working a week ago, not recently... no safe mode, no restore, no DOS prompt... so reloading the XPE CD again...
     
  14. 2011/06/30
    jbutah

    jbutah Inactive Thread Starter

    Joined:
    2011/06/15
    Messages:
    51
    Likes Received:
    0
    Can I run chkdsk from the CD?
     
  15. 2011/06/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No, you can't.

    If you have Windows CD...(if you don't have Windows CD, scroll down)

    1. Insert your Windows XP CD into your CD-ROM drive and ensure that the drive is capable of booting from CD.
    2. Once you have booted from CD, do NOT select the option that states: Press F2 to initiate the Automated System Recovery (ASR) tool.
    You’re going to proceed until you see the following screen, at which point you will press the “R” key to enter the recovery console:

    (screenshot of the Windows Setup screen, not reproduced)

    3. After you have selected the appropriate option from step two, you will be prompted to select a valid Windows installation (typically number 1).
    Select the installation number, and hit Enter.
    If there is an administrator password for the administrator account, enter it and hit Enter (if asked for the password, and you don't know it, you're out of luck).
    You will be greeted with this screen, which indicates a recovery console at the ready:

    (screenshot of the Recovery Console prompt, not reproduced)

    If you don't have Windows CD...
    Download Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso
    Download, and install free Imgburn: http://www.imgburn.com/index.php?act=download
    Using Imgburn, burn rc.iso to a CD.
    Boot to the CD...let it finish loading.
    When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

    Then, at command prompt type this:
    chkdsk /f /r
    Press Enter.
     
  16. 2011/06/30
    jbutah

    jbutah Inactive Thread Starter

    Joined:
    2011/06/15
    Messages:
    51
    Likes Received:
    0
    It says the parameter is not valid... it said XP Home and this was XP Pro... and I put a space after chkdsk /f /r, right?
     
  17. 2011/06/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yes...

    Run hard drive diagnostics: http://www.tacktech.com/display.cfm?ttid=287 (or http://www.bleepingcomputer.com/forums/index.php?showtopic=28744&hl=hard+drive+diagnostic)
    Make sure you select the tool that is appropriate for the brand of your hard drive.
    Depending on the program, it'll create a bootable floppy or a bootable CD.
    If downloaded file is of .iso type, use ImgBurn: http://www.imgburn.com/ to burn .iso file to a CD (select "Write image file to disc" option), to make the CD bootable.
    For Toshiba hard drives, see here: http://sdd.toshiba.com/main.aspx?Pa...rivesUSandCanada/SoftwareUtilities#diagnostic

    Note: If you do not know how to set your computer to boot from CD, follow the steps HERE.
     
  18. 2011/06/30
    jbutah

    jbutah Inactive Thread Starter

    Joined:
    2011/06/15
    Messages:
    51
    Likes Received:
    0
    OK, thanks so much for your help... sounds like this will take the rest of tonight... I'll keep going and let you know...
     
  19. 2011/06/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'll be around.

    If that checks out, restart to recovery console again and run these two commands, pressing Enter after each one:

    fixmbr

    fixboot

    Type exit, press Enter and try to restart normally again.
     
  20. 2011/06/30
    jbutah

    jbutah Inactive Thread Starter

    Joined:
    2011/06/15
    Messages:
    51
    Likes Received:
    0
    So far the first 2 will not run... just keeps rebooting...
     
  21. 2011/06/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    What first 2?
     
