Solokan

Malware


Hi,


Are you able to log in from Safe Mode or by using the "Last Known Good Configuration" option (press F8 before the Windows startup screen to access the menu)?


Ok. Do you have your XP OS installation disc around?


Ok. What I need you to do is to boot the system using the Recovery Console.


Insert XP installation media (CD) and restart the computer. If prompted, select any options required to boot from the CD.

When the text-based part of Setup begins, follow the prompts; choose the repair or recover option by pressing R. When prompted, type the Administrator password. That should take you to the system prompt.


Let's see if the userinit.exe file is present. Type the following commands and note the results down at the marked points:

cd C:\Windows\System32 (press enter)

dir userinit.exe (press enter)

<--note the results down-->


cd C:\Windows\System32\dllcache (press enter)

dir userinit.exe (press enter)

<--note the results down-->

exit (press enter to exit recovery console)


Let me know the results of both queries.


Can't get the cd to run.


I press f12 to go to the boot menu and my 3 choices are:


1: Normal

2: Hard-Disk Drive C

3: IDE CD-ROM Device


I chose to use the CD-ROM and it says "strike F1 to retry boot, F2 for setup utility". I hit F1 and the same message comes up over and over. Any suggestions?


Hi,


What BIOS version does your system have (and what model is your computer)? Did you try to change the boot order in the setup utility? Did it ask you to save the changes? If the changes are not saved then the boot order won't be correct. Have the CD-ROM device set as the first boot device and the hard drive as the second.


Got the cd to work and I have a problem.


When I press R and it moves to the next screen it says:


Which windows installation would you like to log onto?


Don't exactly understand that but that's not the problem. I can't type more than one character.



Made it past the admin password part. Now attempting to do what you said lol.


No matching files found in either.



Hi,


Ok. Please enter the following commands in the Recovery Console (replace D: with your CD drive letter):

expand D:\i386\userinit.ex_ C:\windows\system32

exit


See if you're able to boot now.


Alright, I had turned off my computer so I just booted it back up. Can you list what I need to type in step by step, from just pressing R and logging on as the admin?


Hi,


In the console, type the two commands I bolded in my previous post (replace the D: drive letter with your CD-ROM drive letter if it's different).


Separately? Or on the same line? And the _, is it supposed to be there, or should it be an e to finish the .exe?


I tried putting it in as written and it gave me an error message saying the system cannot find the file or directory specified.



Hi,


Those were two commands meant to be entered separately; enter the exit command only after the file has expanded successfully. The underscore (_) is there on purpose too.


So, it sounds like D: is not the drive letter for your CD drive then. What happens if you type D: (and Enter) at the system prompt? If it gives an error, please try E: next, and the next letter if you still get an error. When successful, the prompt should show a blinking cursor with D:\> (or some other drive letter different from C) in front of it.


Hi,


Is your cd-rom drive under letter D?


Please try these commands in the Recovery Console:

D: [ENTER]

CD I386 [ENTER]

EXPAND USERINIT.EX_ C:\WINDOWS\SYSTEM32 [ENTER]


Can't find the directory or file specified.


After which command do you get that error? Does it come after CD I386? Is D: your CD-ROM drive?


It came after the last command. I'm guessing since it let me get that far it's my CD drive. But I'll try E and F and so on and so forth if need be, because I have 2 CD drives.


What files does it list if you enter the following command in the D:\i386 folder:

dir userinit*


One way to make sure it's the correct drive is to take the media out of the drive and then try the dir command in the D:\i386 folder. If it lists files instead of showing an error, then D is not your CD-ROM drive.

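The whole procedure the helper walks through above (check System32 and dllcache for userinit.exe, find which drive letter actually holds the XP CD's \i386 folder, then expand userinit.ex_ into System32) as one cmd.exe script. This is an added example, not something posted in the thread. The XP Recovery Console cannot run batch files, so this assumes cmd.exe from a second Windows installation, a WinPE/BartPE boot CD, or the repaired system itself, with the damaged XP volume reachable under the drive letter given as the first argument (default C:). The dllcache-first step and the D: through Z: search are the additions; the thread's own steps used D: directly.

```batch
@echo off
rem userinit-check.cmd -- added example, not from the original thread.
rem Usage:  userinit-check.cmd [drive-letter-of-XP-volume]   e.g.  userinit-check.cmd C:
rem Assumes cmd.exe (not the Recovery Console) with expand.exe and find.exe available.
setlocal

set "WINDRIVE=%~1"
if "%WINDRIVE%"=="" set "WINDRIVE=C:"
set "SYS32=%WINDRIVE%\Windows\System32"
set "DLLCACHE=%SYS32%\dllcache"

rem Step 1: the two "dir userinit.exe" checks from the thread.
echo [1] %SYS32%\userinit.exe
if exist "%SYS32%\userinit.exe" (
    dir "%SYS32%\userinit.exe" | find "userinit.exe"
) else (
    echo     MISSING
)

echo [2] %DLLCACHE%\userinit.exe
if exist "%DLLCACHE%\userinit.exe" (
    dir "%DLLCACHE%\userinit.exe" | find "userinit.exe"
) else (
    echo     MISSING
)

rem Nothing to repair if System32 already has the file.
if exist "%SYS32%\userinit.exe" goto :done

rem Step 3a: prefer the Windows File Protection copy in dllcache (no CD needed).
if exist "%DLLCACHE%\userinit.exe" (
    echo [3] Restoring from dllcache
    copy /y "%DLLCACHE%\userinit.exe" "%SYS32%\" && goto :done
)

rem Step 3b: locate the install media. Instead of guessing D: as in the thread,
rem look on every drive letter for \i386\userinit.ex_ (the compressed file).
set "CDDRIVE="
for %%D in (D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
    if not defined CDDRIVE if exist "%%D:\i386\userinit.ex_" set "CDDRIVE=%%D:"
)
if not defined CDDRIVE (
    echo [3] No drive has \i386\userinit.ex_ -- insert the XP CD and re-run
    exit /b 1
)

rem Same command the thread uses: expand the .ex_ into System32 as userinit.exe.
echo [3] Expanding %CDDRIVE%\i386\userinit.ex_ into %SYS32%
expand "%CDDRIVE%\i386\userinit.ex_" "%SYS32%\userinit.exe"
if errorlevel 1 (
    echo     expand failed
    exit /b 1
)

:done
echo [4] Result:
dir "%SYS32%\userinit.exe" | find "userinit.exe"
endlocal
```

Two caveats a practitioner would want. First, only a copy you trust (dllcache or the install media) belongs in System32; the thread's result of "no matching files" in both locations is exactly the case where the CD is the only safe source. Second, if the CD is older than the service pack installed on the machine, the expanded file is the older RTM version; that is enough to break the login/logout loop, but the system should be brought back to its service pack level afterwards, and the malware scans the helper asks for next still need to be run, since restoring the file does not remove whatever deleted it.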

So, you're out of the login-logout loop now? Good, let's get some logs to get a picture of your system's current status.


Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double-click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Download GMER here by clicking the "download exe" button and then saving it to your desktop:

  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab and then Scan.
  • Don't check the "Show All" box while scanning is in progress!
  • When the scan is ready, click Copy. This copies the log to the clipboard.
  • Post the log in your reply.
