Malware Removal help requested, please

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by joanier, Oct 30, 2007.

  1. joanier

    joanier Private E-2

    I have completed all of the steps in your malware removal guide. I, also, followed the Special SpywareQuake & SpyFalcon Removal Procedure. I believe it’s that (type?) which got me.

    At least one of the symptoms of its presence (an icon in my taskbar) is gone.

    Attached are 3 of 6 files generated from the list. The other 3 files to follow immediately.

    Thank you SO much
    Joanie
     

    Attached Files:

  2. joanier

    joanier Private E-2

    Here are the other three files.

    Thank you!!!
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use add/remove programs to uninstall:
    J2SE Runtime Environment 5.0 Update 1
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking fix, exit HJT.

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.


    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Attach new logs for:
    ShowNew
    GetRunkeys
    HJT
    Avenger
     
  4. joanier

    joanier Private E-2

    Things are looking better already!
    Here are 3 of the 4 new logs. Last one to follow shortly.
     

    Attached Files:

  5. joanier

    joanier Private E-2

    Log 4 of 4, attached. Thank you!!!! :)
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We still have one that doesn't want to go bye-bye:

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:
    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Attach new logs for:
    GetRunkeys
    Avenger
     
  7. joanier

    joanier Private E-2

    Hey TimW.

    I am finally back to finish up this project. Had to focus on my work!

    The details are a bit fuzzy now, but, the gist of it is that, in between my last post and yours, CounterSpy had run and found some things which were removed. When I did the first step of your instructions, something didn't work.

    So, I went back to your previous instructions, and followed those steps, again. When I ran HJT, the two lines were gone from the first run, so, I skipped the rest of that step. New logs for the other three are attached.

    Would you be so kind as to review these 3 new logs, and tell me what's next?

    Also, whenever I reboot, 2 Application popups appear. I will attach a doc showing those in a post following this one.

    Thank you SO much.

    Joanie
     

    Attached Files:

  8. joanier

    joanier Private E-2

    Here's the file re: the 2 pop ups.

    Thanks again. I am so grateful! :wave
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Insert the XP OS cd in the drive
    Reboot
    Choose the "Boot from the CD" option
    Select "R" from the blue screen (this leaves you at a DOS prompt)
    Enter "CHKDSK /R" -- no quotes, and note the space between K and / -- then press Enter
    Wait until completed
    Shutdown PC
    Start PC as usual.

    Tell me if you are still having problems. :)
     
  10. joanier

    joanier Private E-2

    Here's what happened. I followed the instructions, but after selecting the "R" from the blue screen, instead of a DOS prompt, I got the following text from the recovery console:

    ------------------------------

    Microsoft Windows XP (TM) Recovery Console.

    The Recovery Console provides system repair and recovery functionality.

    Type EXIT to quit the recovery console and restart the computer.


    1: D:/WINDOWS

    Which Windows installation would you like to log onto
    (To cancel, press Enter)?

    ------------------------------

    The cursor is sitting after the question mark and will only allow one character to be entered, presumably "1"; (no way to type "exit")

    I am also wondering why it appears that WINDOWS is on the D drive when I know it's on the C drive, and am hesitant to do anything outside of your instructions.

    Thank you,

    Joanie
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ok...let's go a different route ....do it again, but instead of going into the recovery console ...choose install ...then F8 to the agreement ...then it will find your previous install and you can choose R for repair ....you won't lose any data or programs.
     
  12. joanier

    joanier Private E-2

    Please look at the attached jpg of the screen that follows after hitting F8 to the agreement. As you can see, R for repair was not an option. I stopped there. Will watch for your reply.

    By the way, CounterSpy ran this AM, and found stuff I thought I'd had removed the other day. Today, I chose to remove all but one, which was ignored. Today's CS scan history is attached.

    A couple of side thoughts:

    There are 5 items quarantined in CounterSpy. Would it be best to remove those, before my trial ends in about a week?

    My boyfriend, Carl, has been giving me a little guidance, and is curious why it appears that the system is on drive D and data is on C. Carl thinks it is/should be the other way around.

    And, the app pop-ups, mentioned in my post of Sat, 11/3, 14:14(file: error msgs.doc), still need to be addressed.

    Thanks, TimW!!

    Joanie :)
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Something has happened ....go to start / control panel / admin tools / computer management / disc management and tell me what is there .....oh ...you have a second partition ....hit the c partition and then install ....if it comes up then with the repair ...good...otherwise stop it!

    Counterspy has removed a few more things....good ...don't worry about the quarantine log for now.

    Next go to start / run /type msconfig and look under boot.ini ...tell me what is there.
     
  14. joanier

    joanier Private E-2

    Hi Tim, Carl here (Joanie's boyfriend)...been watching over Joanie's shoulder through all this. Although things are pretty bad right now, I sincerely thank you for your help.

    Right now, we are in a world of hurt. Can't even access BIOS by starting the machine while tapping F8. When we try to start, we get the error message "NTLDR missing." Will probably copy that from the WIN XP Pro disc to both the C: and D: drives after writing these notes to you.

    Before, we got as far as the Set up page, then as she mentioned, it gets kind of weird in that the D: drive is listed as the partition1 system drive and the C: drive is listed as the partition1 data drive. The opposite should be true. Windows is on C.

    Earlier, from the Setup window, (see attached image ending in 001), we tried to set up Windows on both D: then C: and Setup did not see anything installed to repair, and only offered us fun things like formatting. (see attached image ending with 003)

    Before things went totally haywire, I made it into Disc Manager and saw two partitions: C: System, and D: Data - as it should be. I'd also mention that her machine is a RAID? system (if that's what it's called) where Device Manager shows two hard drives (mirrored?) with the same name, in case one fails. I hope they are not both mirror/trashed.

    Side thought: I had to get under the hood to rename my drives on my computer once; I think it was after my restarting with (or without) my photo image card reader...somehow Windows changed the drive letters/names. (She has had a card reader attached recently and may have restarted with or without it)...just trying to offer any clues with the GREAT hope that we can get back to normal without losing all the data.

    Back to what we've done. Once inside the Recovery Console, with 1: D:\WINDOWS as the only option, we got in there and ran "chkdsk /r" even though it was D:. Since it just occurred to me and I am able to get to the C: prompt from the recovery console with DOS commands, I am now running "chkdsk /r" on C:

    We notice that the percentage complete progress advanced to 75% complete then jumps back to 50% and marches slowly forward. We'll await its full completion while we pray.

    We hope you can find your way back here soon. We check here frequently.

    Thank you again

    Joanie (and Carl)
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That can often be the problem when you get a NTLDR missing error ...it is trying to load windows from the card reader ...she should remove any usb devices and card readers.

    You were right to change the drive letter in the DOS prompt (CD: C) to run chkdsk on that partition.

    Let me know what happens.
     
  16. joanier

    joanier Private E-2

    Still hurting....Joanie can no longer tele-commute:(

    --most of this disaster was with starting without the card reader, so I've tried it with the reader, with and without the card, and without the reader...no luck...

    --I changed the drive letter at the DOS prompt to "C:" using the command "C:" at the prompt. I'm very glad I didn't hurt anything by running "checkdsk /r" on both the D and C drives. I wish it helped more. It didn't.



    When I look at the white DOS letters on the black background and run the "dir" command, all the Windows stuff is on "D" including "ntldr" and "ntdetect." This drive, or partition is supposed to be labeled "C."

    I did not add these two files to C, or refresh them at their current location on what DOS thinks is D, because I do not know if having these two files in two different locations will harm anything (confuse the startup) or not, and I'm not sure how to remove them.




    I did finally awaken to the fact that tapping F2 (not F8) while starting the machine is how to get to the BIOS settings ... which I reviewed and made only one minor change (something that enabled BIOS to make some checks of something before starting which, when enabled, makes starting a little slower). I was REALLY hoping there would be something in the BIOS settings to direct the computer to look in the "D" drive for windows, or something to change the drive/partition's letter/label.




    Is there a way, a DOS command, to start windows from the DOS prompt?

    If I run "fixboot" from the Recovery Console, will data be lost?

    Shall I copy the "ntldr" onto C or D or both?

    Is there a way to rename the drive/partition from DOS? Do I even want to do this?




    I've attached three relevant? images.

    I really hope you have some good answers and ideas...I have faith and trust in you...and hope you are back soon.:cry

    Thanx,

    Carl
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No ...you won't lose data .....

    • Boot from your XP Setup CD and enter the Recovery Console
    • Run "Attrib -H -R -S" on the C:\Boot.ini file
    • Delete the C:\Boot.ini file
    • Run "Bootcfg /Rebuild" - without quotes.
    • Run Fixboot
     
  18. joanier

    joanier Private E-2

    Will do and I'll be back ASAP with results.
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Fingers are crossed!! :)
     
  20. joanier

    joanier Private E-2

    I'm at the "D" prompt and found the boot.ini file and am trying desperately to run the attrib changes...and am doing trial and error (and Google searches) to figure out the exact command, like, where the spaces go (or not)... trying to get it done before you're gone...getting "parameter is not valid" message.

    trying these:

    attrib -h -r -s d:boot.ini
    attrib -h -r -s d: boot.ini

    next I'll try attrib -h -r -s d:\boot.ini

    GOT IT! --had to run each attribute change alone...

    Moving onward....running "bootcfg /rebuild" now



    Carl
     
    Last edited: Nov 5, 2007
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Been a while since I did this ...think it is:
    d:boot.ini --- enter
    attrib -h -r -s ---enter
    But I think you want to do that on the C drive..
    Can also try it this way:
    type "Bootcfg /Rebuild" (without the quotes) and hit enter. Windows will then scan the hard drive, looking for valid Windows installs and startup information. The exact verbiage will depend on your setup, but after a few moments you'll see a prompt that says something like:
    Total Identified Windows Installs: 1
    [1] C:\Windows
    Add Installation To Boot List?
    Assuming the information you see is correct, enter "Y" for yes, and Bootcfg will start the process of rebuilding the boot list to include the indicated Windows installation. Along the way, it will repair most "Missing or corrupt HAL.DLL," "Invalid Boot.Ini," "Windows could not start...," and similar errors.
    After a moment, you'll be asked to "Enter Load Identifier." This is the name of the operating system that will appear in boot menus. For consistency with the standard nomenclature used by Microsoft, enter "Microsoft Windows XP Professional" or "Microsoft Windows XP Home Edition" without the quotes and hit enter.
    Next you'll be asked to "Enter OS Load Options." For normal installations, enter "/Fastdetect" (without the quotes) and hit enter.



    exit out and reboot.
     
  22. joanier

    joanier Private E-2

    running "bootcfg /rebuild" and it's asking me "add installation to boot list? yes / no / all" - sheesh...I guess "yes"

    I entered "y" and "enter" ---now it says "enter load identifier" -what's that? -I'm stuck :(

    OK - I see your reply...(about load identifier) --thanx

    Please note that your examples are using the drive letter "C" and I am doing all this on "D" since that's where the machine seems to think the files are

    thanx for your promptness, too
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    And yet one more method:
     
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    C is the drive you are missing the files on ...after you do D ...do C.
     
  25. joanier

    joanier Private E-2

    Nuts. I exited out and rebooted. Same message now: "ntldr missing - ctrl-alt-del to restart" Nutz. Will read your last post now.

    WAIT - I did not run Fixboot yet! I only ran "bootcfg /rebuild"

    Current plan:
    get back to Recovery Console
    get to "D" prompt
    run "fixboot"

    Will do C if this fails.

    (*thinking* there was a step where it searched for Windows installations to run "bootcfg" on and the ONLY one was on "D" - I wonder if I can even get it to do this on C?)
     
  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do it again, but on the C drive.....
     
  27. joanier

    joanier Private E-2

    should I run fixboot on D first, or not?
     
  28. joanier

    joanier Private E-2

    did not run "fixboot" on D yet.

    went to C prompt
    changed attributes (-h -s -r) on boot.ini on C
    DEL boot.ini on C
    ran, from C, "bootcfg /rebuild"

    Message: Total identified Windows installs: 1
    [1]D:\WINDOWS
    Add installation to boot list? yes / no / all

    Since you mentioned do it again on C...I am assuming that by "it" you mean to take the steps above, and to run "bootcfg" and "fixboot" on C...thing is, how do I do it on C when I am left only with D as a "add installation to boot list" choice?

    Stuck
     
  29. joanier

    joanier Private E-2

    (see attached image)

    said "y" to the only choice to add to the boot list...on D
    started fixboot which advised me

    The target partition is D:
    Are you sure you want to write a new bootsector to the partition D:?


    and so it sits until I hear from you...

    thanks,

    carl
     

    Attached Files:

  30. joanier

    joanier Private E-2

    Hi Tim,

    Glad you're back. As I sit here wondering what to do, I read your instructions from the post that starts "And yet one more method" and have a couple of questions.

    2. Choose to install onto the already formatted partition with the unbootable Windows, but opt to leave the existing filesystem and any other OSes alone. Choosing this will require you to create another folder for Windows to avoid writing over the existing installation (that it somehow sees now but not when the Repair "Scanning for previous installations of Windows" is run, argh!) I usually call the new folder "WINXP."


    RE: "...the existing installation (that it somehow sees now but not when the Repair "Scanning for previous..."
    ---No screens have seen Windows on C. I have only ever said C because I know it's supposed to be and was on C. All the screens I've seen show Windows on D. Examining the files present on C and D leads me to believe the labels are switched.


    RE: "Already formatted partition with the unbootable Windows..."
    ---the setup screen will show me two existing partition choices. (see attached image) The first is "D: Partition 1 <System>", and the second is "C: Partition 1 <Data>". So, there are two formatted partitions, but which is the unbootable Windows drive that you are directing me to? My confusion is because I know that Windows is on C, (or WAS on C and the drive might be renamed or relabeled), but this screen as well as all? other screens we've been through (such as within the Recovery Console) only sees a Windows installation on D. So, which is the correct choice? The unbootable that I know ~was~ on C, or the unbootable that ~appears~ to be on D?

    5. Edit the BOOT.INI on the hard drive from the original installation of Windows.

    ---Edit? I'm lost. Open boot.ini in notepad and change something? Move the file? I'm not sure what you mean by edit.


    ---looking forward to the "congratulations" part.
     

    Attached Files:

  31. joanier

    joanier Private E-2

    Tim - Major update forthcoming...along the lines of congrats!

    Carl
     
  32. joanier

    joanier Private E-2

    Whew!

    Here's what I did:

    Went back to run fixboot but backed out because I didn't know how to answer the question about writing a new partition.

    Decided to try this:

    COPY E:\i386\NTLDR C:
    COPY E:\i386\NTDETECT.COM C:

    After the two files were successfully copied to C:, I entered "exit" and went for a restart.

    It was a nice sight to see...very nice.



    On startup, I am now offered a choice between ~TWO~ XP Pros to start. Since I was busy trying to grab a quick photo, it started with the first one highlighted (Image attached) and it got me in.

    I restarted and it still worked. I tried the second choice and it works as well. I find myself just wanting to sit here and repeating the successful restarting routine......nice....

    I did a add/remove for the stupid Sprint internet activity trouble shooting software that was installed some time ago and was causing one of the pop-up error messages and now all that is gone.

    There is still a reference to WildTangent, a pop-up error message that I have not yet looked into. (second image attached)

    After this much time, and with Joanie now at least able to tele-commute, I need a break!

    Although I'd like to, I am hesitant to run "CCleaner / Issues" for a registry clean-up because I'm not sure how it will handle these two instances (if that's what I should call them) of XP Pro offered during start-up.

    I looked at Disc Manager and at Windows Explorer, and see that the C: drive/partition is showing as the System drive, and the D: drive has the photos and music and the other things we call "data" for storage and to keep the C: drive less cluttered.


    Thank you for your continued support...

    Now, where were we? Malware?

    Carl (n Joanie)
     

    Attached Files:

  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Congrats!!!

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Then:
    Go to start / run / (type) msconfig / then go to the boot.ini tab and tell me what is there.
    Then go to the startup tab and tell me what is there.

    When you have that information ....go back to start / run / and type
    sfc /scannow ----> note the space after the sfc and the /scannow.
    You will be prompted to use your xp cd. Run it twice.
     
  34. joanier

    joanier Private E-2

    OK, will do...probably later or tomorrow.

    And, just for clarity, we WILL "fix" the following with HJT with nothing else open, (no other browsers or running programs), right?

    I will probably do a restart, then run HJT, then fix that one entry, below...(sorry to be repetitive - just want to get it right.)

    Entry to fix with HJT:

    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

    ...then we will do everything else you mentioned ending with two sfc scans...

    Will repost when that's all done.

    Thanx,

    Carl (n Joanie)
     
  35. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes to the HJT entry ...remove it and then do the Reg patch....

    When you go to msconfig ....you will see two entries for the boot.ini (which is what you see when you boot up) ....if in fact you can use either to boot and both "installs" give you the same thing ---- all your programs and documents ...then you can remove (delete) the last boot.ini in msconfig.
    But let me know before you do just to be sure.

    :)
     
  36. joanier

    joanier Private E-2

    Hi Tim,

    Sorry for the delay. Am trying to complete this now before the Counter Spy trial runs out in 2 days (if that even matters; it's just been handling cookies.)

    I did the HJT fix and ran the reg patch (thanx).

    Next I got into msconfig but am unable to find any "boot.ini" tab or any boot.ini reference anywhere in there. In case you may have been thinking SYSTEM.INI or WIN.INI I have attached screen shots of what is listed there. [I checked another computer running XP Home, and sure enough, there is a boot.ini tab which is not present on her XP Pro machine we've been working on - Carl]

    Even if I could find the 'boot.ini' in 'msconfig', I'm not sure how to actually remove/delete anything...I don't see a remove or delete button and I believe that the only options in there are selecting or deselecting with a checkmark...I guess I'll cross that bridge when we get to it?...

    Also, since you said to run sfc /scannow after I "have that information," and I don't know if I have that information or not, I have not yet run sfc...and will on your command.

    Note: when we restart, we do still get the white letters on the black background showing what appears to be two instances of WINDOWS, both of which ~seem~ to work just fine...though I have not tested them both in a few days.

    Standing by and thanx again for your expert review.

    Carl & Joanie
     

    Attached Files:

    Last edited: Nov 10, 2007
  37. joanier

    joanier Private E-2

    PS - I was poking around her computer to discover where her boot.ini file is and found a few. I accessed their contents with notepad and took a screen shot of my search results - both attached.

    I suspect that the one on D: is the active one.

    I wish I knew why I can not see "boot.ini" with Windows Explorer as Explorer is set to show hidden and to display contents of system folders. Any clue? Maybe it doesn't matter...

    I hope that whatever solution includes consideration that she's got a mirror?RAID? system as well as any other important personalizations...

    TIA

    Carl
     

    Attached Files:

  38. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go to start / run / type "boot.ini" ...without quotes ...what happens?
    Right click my computer / properties / advanced / startup and recovery ...what displays in the dialog window? It should say: "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    In msconfig on the general tab ...do you have the button clicked for use original boot ini under selective startup?



    Start the Recovery Console with the Windows XP CD-ROM, and then click Recovery Console.
    type : bootcfg /rebuild This command scans the hard disks of the computer for Windows NT 4.0, Windows 2000, or Windows XP installations, and then displays the results. You can add the detected Windows installations.

    You may receive a message that is similar to the following message: Total Identified Windows Installs: 2

    [1] C:\Windows
    Add installation to boot list? (Yes/No/All):
    Enter Load Identifier: (Custom description for an operating system loading from the Boot menu)
    Enter Operating System Load Options: (that is: /fastdetect)

    [2] D:\Windows
    Add installation to boot list? (Yes/No/All):
    Enter Load Identifier: (Custom description for an operating system loading from the Boot menu)
    Enter Operating System Load Options: (that is: /fastdetect)

    And finally:



    Open notepad ...paste in this text:


    Save as ----> boot.ini into the C:\
    Right-click it and mark as read only.




     
  39. joanier

    joanier Private E-2

    When we go to Start / run and type “boot.ini”, an error box opens which says:

    Windows cannot find ‘boot.ini’. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click search.

    When we right click my computer / properties / advanced / startup and recovery ...what displays in the dialog window is this:

    In the bottom section under Startup and Recovery it says:
    System startup, system failure, and debugging information.


    When we go further and click the Settings button, we see

    System Startup
    Default Operating System
    “Microsoft Windows XP Professional” /Fastdetect
    Selecting the dropdown arrow shows a second instance with identical wording (note that the /fastdetect /NoExecute=OptIn part does not appear in either case). ALSO note that there ARE quotation marks surrounding the operating system description within this dropdown menu.

    Checked: time to display list of operating systems: 20 seconds
    Checked: time to display recovery options when needed: 30 seconds

    System Failure
    Checked: Write an event to the system log
    Checked: Send an administrative alert
    Checked: Automatically restart

    Write Debugging Information
    Small memory dump (64KB)
    Small dump directory: %SystemRoot%\Minidump

    Clicking on the “Edit” button under System Startup opens notepad and displays:

    [boot loader]
    timeout=20
    default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /Fastdetect
    multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /Fastdetect

    (I'd be tempted to delete the second instance here but certainly will not without your direction)


    RE: In msconfig on the general tab ... button - use original boot ini under selective startup…

    First, no, I do not have Selective startup checked, but instead have been starting with the “normal startup” radio button selected.

    Second, if I ~do~ select the “selective startup” radio button, there is no option for “use original boot.ini”…perhaps it is just as missing as the “boot.ini” tab.
    There are only 4 options checkable:
    Process SYSTEM.INI
    Process WIN.INI
    Load System Services
    Load Startup



    Although you might expect to see two instances of XP Pro ([1] C:\Windows, and [2] D:\Windows), and although I have not yet done the bootcfg /rebuild, I suspect that as before, ONLY ONE instance will be found ( on D: ), and it will show this way:

    [1] D:\Windows
    Add installation to boot list? (Yes/No/All):
    Enter Load Identifier: (we’d enter “Microsoft Windows XP Professional” {without the quotes})
    Enter Operating System Load Options: (we’d type: /fastdetect)




    Even if I am in fear of disabling her system, Shall I now go back into the Recovery Console to do the “bootcfg /rebuild” routine? And, if so, once there, shall I say “Yes” even if it only offers me “[1] D:\Windows” and nothing on C?

    Shall I make the new “boot.ini” file that you mentioned and post it onto C:\ ? (Remember I did find one on D: and have located something that looks like a backup … it lacks the “/NoExecute=OptIn” part)


    Thank you more,

    Carl (n Joanie)
     
  40. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I would do that first and then see if you have the boot.ini tab in msconfig.

    You can do that .....but I would like to see it appear in msconfig first.
     
  41. joanier

    joanier Private E-2

    I made the new boot.ini, saved it to C:, marked it read only and restarted.

    Opened msconfig...there IS now a boot.ini tab with all the trimmings.

    Did the right-click My Computer / properties / advanced -settings button and see that under System startup, there are still two choices in the drop-down menu.

    I clicked the "edit" button and saw this:

    [boot loader]
    timeout=20
    default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /Fastdetect
    multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /Fastdetect


    I notice that a) there are two entries and that b) "/NoExecute=OptIn" is not at the end of either one of them (not sure if it's supposed to be)

    Makes me suspect that it's starting from the boot.ini that's still on the D: partition since that file also lacks the /NoExecute switch.

    You must know that I am hesitant to do ANYthing without double checking with you for your kind review, and if I don't have a plan to get back where I was.

    So...what's next? ...... (and in what order)

    A) Delete the second "multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /Fastdetect" ? (while in the System Startup / edit ???) --see if it starts?

    B) remove the boot.ini from D: ? --see if it starts?

    C) run "bootcfg /rebuild" ? --see if it starts?

    At your command, Awesome Mr Tim....

    Carl
     
  42. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You should see the
    in the boot.ini tab in msconfig .....delete the last entry.

    Here is the guide: Removing the boot entry
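
The duplicate-entry question from the last few posts, as an added example that is not part of the original thread: a small Python audit of the boot.ini text Carl posted. It decodes the ARC path, counts repeated [operating systems] lines, checks that default= points at a listed entry, and notes which entries lack the /NoExecute switch the thread mentions. The function names and report keys are made up for this example, and the second sample file is constructed.

```python
import re
from collections import Counter

# boot.ini text as posted in the thread: two identical [operating systems] lines.
THREAD_BOOT_INI = r'''[boot loader]
timeout=20
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /Fastdetect
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /Fastdetect
'''

# Constructed sample: a single entry carrying the /NoExecute=OptIn switch.
SINGLE_ENTRY_BOOT_INI = r'''[boot loader]
timeout=20
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /Fastdetect /NoExecute=OptIn
'''

ARC_RE = re.compile(
    r'^(multi|scsi)\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)(\\.*)?$',
    re.IGNORECASE,
)
ENTRY_VALUE_RE = re.compile(r'^\s*"([^"]*)"\s*(.*)$')


def parse_arc(path):
    """Split an ARC path into numbered parts; returns None for non-ARC targets."""
    m = ARC_RE.match(path.strip())
    if not m:
        return None
    return {
        "controller": m.group(1).lower(),
        "adapter": int(m.group(2)),
        "disk": int(m.group(3)),
        "rdisk": int(m.group(4)),       # physical disk ordinal, counted from 0
        "partition": int(m.group(5)),   # partition number, counted from 1
        "directory": m.group(6) or "",
    }


def parse_boot_ini(text):
    """Return (boot_loader_settings, os_entries) from boot.ini text."""
    section, loader, entries = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")   # split at the FIRST '=' only
        if not sep:
            continue
        if section == "boot loader":
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            m = ENTRY_VALUE_RE.match(value)
            label = m.group(1) if m else value.strip()
            switches = m.group(2).split() if m else []
            entries.append({"path": key.strip(), "label": label, "switches": switches})
    return loader, entries


def audit(text):
    """Summarise the conditions the thread runs into."""
    loader, entries = parse_boot_ini(text)
    counts = Counter(e["path"].lower() for e in entries)
    default = loader.get("default", "")
    return {
        # ARC paths that appear more than once (each shows up as a boot-menu line)
        "duplicates": {p: n for p, n in counts.items() if n > 1},
        # default= should name one of the listed entries
        "default_listed": default.lower() in counts,
        "default_arc": parse_arc(default),
        # indexes of entries with no /NoExecute switch at all
        "without_noexecute": [
            i for i, e in enumerate(entries)
            if not any(s.lower().startswith("/noexecute") for s in e["switches"])
        ],
    }


if __name__ == "__main__":
    for name, text in (("thread", THREAD_BOOT_INI), ("single", SINGLE_ENTRY_BOOT_INI)):
        print(name, audit(text))
```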
     
