phlashlite, posted October 9, 2012:

Greetings, I went to the "Start Here" page and read the instructions. I cannot run the required tools (as yet - until/unless instructed to do so) because I can only boot into Safe Mode. Please see my other thread "What have we here, if anything?" where I received help in cleaning up my system, to be aware of what transpired just before.

Here's where I'm at now: The PC will not finish its boot into Windows. Here is a timing sequence after Power On:

01:00 - Welcome screen appears.
01:30 - Wallpaper appears.
04:30 - Desktop icons fully load; Quick Launch icons load; Clock appears in Task Tray.
---- - Some additional sporadic disk activity (you can hear the disk being accessed).
06:30 - No additional disk activity. Boot will not complete.
59:00 - Screen static, still no boot completion; manual power off.

After the 4:30 mark I have control of the mouse pointer. When pointing at the bottom bar, it becomes an hourglass. I can single-click a desktop icon and it will be highlighted. I can select different icons in this way. Double-clicking of any icon has no result other than to subsequently prevent single-clicking on any other icon to select/highlight it. This remains blocked until power off.

I can boot into Safe Mode with Networking and that's how I'm making this post. The last thing I have tried is cleaning and compacting the registry. I was hopeful, but it didn't help. I've also been tinkering with the Startup config, also to no avail. Thanks for your time.
Kevin Zoll, posted October 9, 2012:

From Safe Mode with Networking

Download ComboFix from one of these locations: Link 1 / Link 2. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop.

* IMPORTANT !!! Save ComboFix to your Desktop

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help.
- Double click on Combo-Fix & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

- Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware.
- When finished, ComboFix will produce a log.

Note:
1. Do not mouseclick ComboFix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
- ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
phlashlite, posted October 9, 2012:

OK, getting a bit frustrated. Trying to run ComboFix and getting this msg: antivirus: ESET NOD32 Antivirus 5.0 - The above real time scanner(s) are still active but ComboFix shall continue to run. Kindly note that this is at your own risk.

I went into msconfig and unchecked the ESET entry there and restarted the machine and reran ComboFix, but it didn't help. Ran Services.msc from Run dialog box. Located ESET service but was presented only with the option to Start the process, as indicators were that it was not running. I can't get into the full configuration for NOD32 because I'm in Safe Mode. Do you have a clue as to what exactly ComboFix is seeing so I can turn it off? I think I'm going to need help tracking this down.
Kevin Zoll, posted October 9, 2012:

MsConfig is not a startup manager. You should not be disabling anything with MsConfig, nor should you be using MsConfig to enter Safe Mode. On the second ComboFix alert about ESET, just exit the warning box and let ComboFix run.
phlashlite, posted October 9, 2012:

Instructions followed. ComboFix log attached. I would like to go back into services and put back ESET to Automatic as I had changed it to Manual while trying to figure out how to turn the service off. Won't do that just yet, but I did want to alert you to the situation, just in case it mattered. Thanks a bunch.
Kevin Zoll, posted October 10, 2012:

You can set the ESET service back to automatic.

Read carefully and follow these steps.

- Download TDSSKiller and save it to your Desktop.
- Double-click on TDSSKiller.exe to run the application.
- Click Change parameters.
- Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click on the Start Scan button to begin the scan and wait for it to finish. NOTE: Do not use the computer during the scan! During the scan it will look similar to the image below:
- When it finishes, you will either see a report that no threats were found like below: If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up which you can just close since the report file is already saved.
- If any infection or suspected items are found, you will see a window similar to below: If you have files that are shown to fail signature check, do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
- If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
- If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects. Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
- Click Continue to apply selected actions.
- A reboot may be required to complete disinfection. A window like the below will appear: Reboot immediately if TDSSKiller states that one is needed.
- Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
- Attach this log to your next reply.
phlashlite, posted October 10, 2012:

Ok, done. Here is the result. I also changed back the Services entry for ESET. Thank you.
Kevin Zoll, posted October 10, 2012:

Disconnect the Ethernet cable from the system, boot to Normal Mode. Still hang?
phlashlite, posted October 10, 2012:

No.... How did you do that? .... .... and what's next?
Kevin Zoll, posted October 11, 2012:

"No.... How did you do that? ...."

Educated guess....

Reconnect the Ethernet cable to the system.

- Download Windows Repair by Tweaking.com to your desktop. Use the direct download link for the Portable version of Windows Repair by Tweaking.com.
- Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
- Now open this folder and double-click Repair_Windows.exe.
- Click the Start Repairs tab on the far right.
- Click the Start button (bottom right). Note: When asked if you would like to create a restore point, it is recommended, just in case something does not go as planned.
- Click Unselect All.
- Put a checkmark in the following items:
  Reset Registry Permissions
  Reset File Permissions
  Repair Windows Firewall
  Repair Internet Explorer
  Remove Policies Set By Infections
  Repair Winsock & DNS Cache
  Repair Proxy Settings
  Repair Windows Updates
  Repair Volume Shadow Copy Service
  Set Windows Services To Default Startup
  Note: Leave everything else unchecked.
- Put a checkmark in Restart System When Finished.
- Now click the Start button (bottom right).

This will take some time to complete.

Still having problems with Normal Mode?
phlashlite, posted October 11, 2012:

Downloaded Windows Repair by Tweaking.com Portable Version from the Bleepingcomputer site to my Desktop and extracted there as instructed. Cannot execute Repair_Windows.exe because when I try to run it, I get the following dialog box: "Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item." I am the only user on this PC and have Administrator rights, so I don't know why I'm not being allowed to run this program. I re-downloaded and re-extracted the file just in case, with the same result. Also downloaded .zip file from Major Geeks and followed the instructions with the same result.
phlashlite, posted October 11, 2012:

Found the problem. Firewall. Will run and report back.
phlashlite, posted October 11, 2012:

Ran the utility. Mistakenly left my Antivirus running when I kicked it off. Didn't notice until a couple of tasks had completed already. I then deactivated it.

I did have problems getting back into Normal mode after rebooting. Tried disconnecting the Ethernet cable again and rebooted twice, no luck. So, I plugged the cable back in and tried it again - Funny but that worked, and it's been booting into Normal Windows since.

Occasional file system issue where the system hangs for almost a minute before returning control and taking the requested action. I was able to open an Explorer window, but when I tried to access a file, it froze in the manner just described. Control did eventually return.

Currently trying to figure out why my NOD32 icon isn't appearing in the Task Tray and I can't select "egui" in the msconfig Startup tab. I select it, but when I close the window it gets automatically deselected, for some strange reason.
phlashlite, posted October 11, 2012:

Not going to apply these changes unless/until instructed, but want to pass along information about updates the PC is requesting.
Kevin Zoll, posted October 12, 2012:

Yes, apply those updates. Now try running ComboFix.
phlashlite, posted October 12, 2012:

Got a crash message on running ComboFix although it continued to run, completed, and generated a log. I'm posting the log but I think I will have to try running it again.
Kevin Zoll, posted October 12, 2012:

We need to use ComboFix to remove some stuff.

Make sure that the copy of ComboFix that you downloaded earlier is on your Desktop but Do not run it! If it is not on your Desktop, the below will not work.

- Download and Save CFscript.txt, attached below, to your Desktop.
- At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
- You should have both the ComboFix and CFScript.txt icons on your Desktop. Now use your mouse to drag CFScript.txt on top of ComboFix.
- Follow the prompts.
- When it finishes, a log will be produced named c:\combofix.txt
- Attach the new log generated by ComboFix to your next reply.

Note: DO NOT mouseclick ComboFix's window while it is running. That may cause it to stall.
phlashlite, posted October 13, 2012:

I hope this ran OK. I was called away from the machine. When I came back it had rebooted. Here is the log.
Kevin Zoll, posted October 13, 2012:

ComboFix didn't run completely. Run ComboFix and attach the new ComboFix log to your next reply.
phlashlite, posted October 13, 2012:

Ok, done. Here is the new log.
Kevin Zoll, posted October 13, 2012:

Much better, your ComboFix log looks fine. How are things running?
phlashlite, posted October 14, 2012:

Things are running very smoothly now. I was going to mention that I'm booting normally now ever since you did that ninja move with the Ethernet cable. Haven't had any hangs yet on the file system. Browsers are smooth and quick. Internet connection seems more stable - I had been having problems, but not experiencing those symptoms as yet.

Case closed and a very large "Thank You"? I'm still going to move slowly forward with turning back on certain items in the config Startup. Going to make sure nothing is a problem before moving ahead.
Kevin Zoll, posted October 14, 2012:

It is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

- Download OTC to your desktop and run it.
- A list of tool components used in the cleanup of malware will be downloaded.
- If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
- Click Yes to begin the cleanup process and remove these components, including this application.
- You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

Delete the following from your Desktop (If they exist):
- CFscript.txt
- TDSSKiller.exe
- Anything else I had you use

Delete the following files: (If they exist)
- C:\ComboFix.txt

Delete the following folders: (If they exist)
- C:\ComboFix
- C:\Qoobox
- C:\TDSSKiller_Quarantine

Empty the Recycle Bin.

Download to your Desktop:
- CCleaner Portable

UnZip CCleaner Portable to a folder on your Desktop named CCleaner.

Run CCleaner
- Open the CCleaner Folder on your Desktop and double click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit).
- The following should be selected by default, if not, please select:
- Click and choose Uncheck
- Then go back to and click to run it.
- Exit CCleaner.

Turn off System restore to flush all your restore points then turn system restore back on. See How To Enable and Disable System Restore.

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector, this will inspect your system for software that is out-of-date and in need of updating. Update any program/application detected as being out-dated.

Articles to read:
- How to Protect Your Computer From Malware
- How to keep you and your Windows PC happy
- Web, email, chat, password and kids safety
- 10 Sources of Malware Infections

That should take care of everything. Safe Surfing!
phlashlite, posted October 15, 2012:

- Ran OTC. Program ran and rebooted system
- Deleted tweaking.com_windows_repair from Desktop (was wondering if this was a utility I should keep)
- CFscript was eaten by ComboFix
- Tried to delete folder Qoobox from Desktop but access denied
- Downloaded CCleaner Portable from link provided. Window presented when run was slightly different from what you presented. My post-run screen cap of CCleaner is attached.
- About to run Windows Update and then Secunia Online Software Inspector. Will report back.

Note re: Windows Update - Once we are finished I'm going to back up my system before I try to move to SP3 via WU. I can't attempt that until I make a new backup.
phlashlite, posted October 15, 2012:

Before this gets closed, I want to mention that I am having a problem with setting my system so that NOD32 starts with the system. For some reason at the moment I have to put a shortcut in the Startup folder in Windows in order to have the program load at boot time. I may have to go to the ESET site to try to get help for this. I have looked thoroughly through the application settings but can't seem to find anything.
Kevin Zoll, posted October 15, 2012:

You will need to take ownership of the Qoobox folder.

Windows XP Home Edition: Boot to Safe Mode.

Windows XP Professional: Disable Simple File Sharing.
- Click Start, and then click My Computer.
- On the Tools menu, click Folder Options.
- Click the View tab.
- In the Advanced Settings section, click to clear the Use simple file sharing (Recommended) check box.
- Click OK.

To take ownership of a file or a folder

How to take ownership of a file

You must have ownership of a protected file in order to access it. If another user has restricted access and you are the computer administrator, you can access the file by taking ownership. To take ownership of a file, follow these steps:
- Right-click the file that you want to take ownership of, and then click Properties.
- Click the Security tab, and then click OK on the Security message (if one appears).
- Click Advanced, and then click the Owner tab.
- In the Name list, click Administrator, or click the Administrators group, and then click OK. The administrator or the administrators group now owns the file.

To change the permissions on the file that you now own, follow these steps:
- Click Add.
- In the Enter the object names to select (examples) list, type the user or group account that you want to have access to the file. For example, type Administrator.
- Click OK.
- In the Group or user names list, click the account that you want, and then select the check boxes of the permissions that you want to assign that user.
- When you are finished assigning permissions, click OK. You can now access the file.

How to take ownership of a folder

You must have ownership of a protected folder in order to access it. If another user has restricted access and you are the computer administrator, you can access the folder by taking ownership. To take ownership of a folder, follow these steps:
- Right-click the folder that you want to take ownership of, and then click Properties.
- Click the Security tab, and then click OK on the Security message (if one appears).
- Click Advanced, and then click the Owner tab.
- In the Name list, click your user name, or click Administrator if you are logged in as Administrator, or click the Administrators group. If you want to take ownership of the contents of the folder, select the Replace owner on subcontainers and objects check box.
- Click OK, and then click Yes when you receive the following message: "You do not have permission to read the contents of directory folder name. Do you want to replace the directory permissions with permissions granting you Full Control? All permissions will be replaced if you click Yes." Note: folder name is the name of the folder that you want to take ownership of.
- Click OK, and then reapply the permissions and security settings that you want for the folder and its contents.

You should now be able to delete the Qoobox folder.

The image I use in the CCleaner instructions is a partial image of the entire application window.

Yes, you should ask any NOD32 related question on the ESET support forums.
phlashlite, posted October 15, 2012:

OK, Qoobox is gone. Thanks. I'll be taking up my NOD32 Startup issue on their Support Forum. Everything else seems OK. As stated previously, once we're completely done with this (I guess we're pretty much there now), I'll be making a system backup and then trying (again) to move to SP3. Maybe I'll actually be able to boot into Windows after the upgrade this time, thanks to you. (hopeful...)

File system access is still good. Browsers running quickly and smoothly. System boot running smoothly and in good time - all normal. Not experiencing undue delays (lag) over network (especially when gaming). Thank you very much.
phlashlite, posted October 15, 2012:

Forgot to mention that I ran Secunia Online Software Inspector and only had to update the Adobe Flash Player (The detected version installed on your system is 11.4.402.265 (NPAPI), however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 11.4.402.287 (NPAPI).)
Kevin Zoll, posted October 16, 2012:

Thread Closed. Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.