Browser redirect/Pop-ups?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by 012965, Apr 13, 2010.

  1. 012965

    012965 Private E-2

    I think I possibly have the new TDL3 Rootkit? Anyways I have occasional, rare pop-ups and browser redirects. (I use FF)
    Any solutions?
    Thank you
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please double-click the RootRepeal.exe previously downloaded.

    * Select File then Scan
    * On the Select Drives form select drive C by "ticking" the box for drive C and click OK
    * When the scan is complete - highlight each of the following file(s) (one at a time if more than one is listed) by left clicking it. Then use right mouse click and select the Wipe File option only for each file.
    C:\WINDOWS\system32\drivers\tsk3.tmp
    * After Wiping all files, immediately reboot your pc!



    Please run this: GMER - running with a random name and attach the log from GMER.

    Now please download SystemLook from one of the links below and save it to your Desktop.

    Download Mirror #1


    Download Mirror #2

    • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administrator)
    • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
    • Copy and paste the content of the following codebox into the main textfield under "File":

    Code:
    :filefind
    atapi.sys
    netbt.sys
    • Please confirm everything is copied and pasted as I have provided above
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can close this notepad window as the log will already be saved as SystemLook.txt on your Desktop ( if you downloaded and ran SystemLook to your Desktop as requested ).
    • Please attach this log in your next reply.

    Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task.
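The :filefind directive above makes SystemLook walk the disk for every file with the listed names and report each copy. The following is an added Python example, not SystemLook and not code from the thread or from MajorGeeks, that performs the same search over a constructed sample tree and additionally flags names whose copies do not share a hash. The tree layout (a drivers directory plus a tool backup directory) is constructed for the demo; as the thread itself later notes, a second copy is often a legitimate backup left by a cleaning tool, so a differing hash is a lead for the analyst, not a verdict.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large drivers do not load into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def filefind(root, names):
    """Walk root and return every file whose name matches one of names (case-insensitive),
    with its path, size in bytes and SHA-256, sorted by path."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                p = os.path.join(dirpath, fn)
                hits.append({
                    "name": fn.lower(),
                    "path": p,
                    "size": os.path.getsize(p),
                    "sha256": sha256_of(p),
                })
    return sorted(hits, key=lambda h: h["path"])


def copies_that_differ(hits):
    """Names found in more than one place whose copies do not all share the same hash."""
    by_name = defaultdict(set)
    for h in hits:
        by_name[h["name"]].add(h["sha256"])
    return sorted(n for n, hashes in by_name.items() if len(hashes) > 1)


def build_sample_tree():
    """Constructed sample layout (assumption, not a real system): a drivers directory holding
    atapi.sys and netbt.sys, and a backup directory holding a second atapi.sys whose content differs."""
    root = tempfile.mkdtemp(prefix="filefind_demo_")
    drivers = os.path.join(root, "WINDOWS", "system32", "drivers")
    backup = os.path.join(root, "ToolBackup")
    os.makedirs(drivers)
    os.makedirs(backup)
    with open(os.path.join(drivers, "atapi.sys"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 100 + b"ATAPI-A")   # 109 bytes
    with open(os.path.join(drivers, "netbt.sys"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 50 + b"NETBT")      # 57 bytes
    with open(os.path.join(backup, "atapi.sys"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 100 + b"ATAPI-B")   # same size as the live copy, different bytes
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = filefind(root, ["atapi.sys", "netbt.sys"])
    for h in hits:
        print(f"{h['path']}  {h['size']} bytes  sha256={h['sha256'][:16]}...")
    print("names with differing copies:", copies_that_differ(hits))
```

Run it as a script to see the three hits and the one name with differing copies; on a real machine you would point `filefind` at the system drive root and list the driver names the expert asked for. Note that the two atapi.sys copies have the same size, which is why the report carries a hash and not just a byte count.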
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    FYI for TimW. This is just a backup file of atapi.sys created by TDSSkiller. Someone must have previously run this on the PC before coming here to follow instructions.
     
  4. 012965

    012965 Private E-2

    I couldn't wipe the file. When I right-clicked it to wipe the file, it said the file wasn't found. So I went right into GMER and SystemLook.
    My computer got worse. I can't access my sound settings, so my sounds don't work... it works quite slow so I am currently in safe mode.

    Also, if I e-mail and attach html files or pictures, will the receiver receive the virus also?
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    OK.... I need you to do SystemLook one more time.


    • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select run as administrator)
    • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
    • Copy and paste the content of the following codebox into the main textfield under "File":
    • Please confirm everything is copied and pasted as I have provided above
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can close this notepad window as the log will already be saved as SystemLook.txt on your Desktop ( if you downloaded and ran SystemLook to your Desktop as requested ).
    • Please attach this log in your next reply.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  6. 012965

    012965 Private E-2

    Okay, here they are.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in the C:\i386 folder on your harddisk and see if there is a file with a name like below (yes the underscore is correct)

    ohci1394.sy_

    or anything similar.
     
  8. 012965

    012965 Private E-2

    Yes, I have the file ohci1394.sy_
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay follow the below instructions.

    Click Start, Run, and copy and paste the below into the Run box and click OK.

    expand c:\i386\ohci1394.sy_ c:\ohci1394.sys

    You may notice a brief black command prompt window appear and disappear. Check to see if you now have a c:\ohci1394.sys file and right click on it and select Properties. Tell me the size of the file in bytes.
     
  10. 012965

    012965 Private E-2

    61,696 bytes

    65,536 bytes on disk?

    Thank you for replying
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Good! That is the correct size for your Windows XP SP3.


    Now we also need to create a batch file to run from the Windows Recovery Console ( henceforth just called the RC ) that you installed when you first ran ComboFix. This will make steps easier for you when we do get to using the RC.
    • Open notepad
    • Copy the contents of the Code Box below into the notepad window.
    • Click File -> Save As...
    • In the File name: field, type C:\grfix.txt, then click Save.
    • Close notepad
    Code:
    ren c:\windows\system32\drivers\ohci1394.sys ohci1394.old
    copy c:\ohci1394.sys c:\windows\system32\drivers\ohci1394.sys
    Now double check the C:\grfix.txt file by double clicking on it and make absolutely sure that it looks exactly like I gave above noting to maintain spacing which is why my instructions stated to copy ( typing could lead to mistakes ;) ). If it looks okay, just let me know that you have this grfix.txt file created properly.
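The two posts above expand a known-clean copy of ohci1394.sys from C:\i386, check its size, and prepare a two-line Recovery Console batch that renames the live driver and copies the clean one into place. The following is an added Python example, not the thread's or MajorGeeks' code, showing the check a practitioner would want before running that batch: compare the driver in use against the clean copy by size and by SHA-256, and only recommend the swap when the clean copy has the expected size and the two files actually differ. The sample pair it builds is constructed (two 1000-byte files that differ in one byte), chosen to show why a matching size alone proves nothing; the Windows paths and the 61,696-byte expectation come from the thread, the function names are this example's own.

```python
import hashlib
import ntpath
import os
import tempfile

# Paths as used in the thread: the driver Windows loads, and the clean copy expanded from C:\i386.
SUSPECT_PATH = r"c:\windows\system32\drivers\ohci1394.sys"
CLEAN_PATH = r"c:\ohci1394.sys"
EXPECTED_CLEAN_SIZE = 61696   # size the thread states for ohci1394.sys on Windows XP SP3


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def compare_driver(suspect, clean, expected_size=None):
    """Report sizes and hashes of the live driver and the clean copy and decide whether to replace.
    replace is True only when the clean copy has the expected size (if one is given) and the
    two files differ in content; identical hashes mean the live driver is already clean."""
    report = {
        "suspect_size": os.path.getsize(suspect),
        "clean_size": os.path.getsize(clean),
        "suspect_sha256": sha256_file(suspect),
        "clean_sha256": sha256_file(clean),
    }
    report["size_matches"] = report["suspect_size"] == report["clean_size"]
    report["hash_matches"] = report["suspect_sha256"] == report["clean_sha256"]
    report["clean_size_as_expected"] = expected_size is None or report["clean_size"] == expected_size
    report["replace"] = report["clean_size_as_expected"] and not report["hash_matches"]
    return report


def recovery_console_batch(suspect, clean):
    """Build the two Recovery Console commands from the thread for the given paths:
    rename the live driver to .old, then copy the clean file over its original name."""
    _drv_dir, drv_name = ntpath.split(suspect)          # ntpath so Windows paths split on any host
    old_name = ntpath.splitext(drv_name)[0] + ".old"
    return f"ren {suspect} {old_name}\ncopy {clean} {suspect}\n"


def build_sample_pair():
    """Constructed sample (assumption, not real driver content): a clean file and a copy of the
    same size with one byte changed, the way an in-place patched driver keeps its byte count."""
    d = tempfile.mkdtemp(prefix="drvcheck_demo_")
    clean = os.path.join(d, "ohci1394.clean.sys")
    suspect = os.path.join(d, "ohci1394.sys")
    body = bytearray(b"MZ" + b"\x00" * 998)              # 1000 bytes
    with open(clean, "wb") as f:
        f.write(body)
    body[500] ^= 0xFF                                    # flip one byte; size is unchanged
    with open(suspect, "wb") as f:
        f.write(body)
    return suspect, clean


if __name__ == "__main__":
    suspect, clean = build_sample_pair()
    r = compare_driver(suspect, clean, expected_size=1000)
    print(f"size matches: {r['size_matches']}, hash matches: {r['hash_matches']}, replace: {r['replace']}")
    print(recovery_console_batch(SUSPECT_PATH, CLEAN_PATH), end="")
```

On the constructed pair the sizes match but the hashes do not, so the report says replace; the batch text printed last is exactly the two lines the thread puts in C:\grfix.txt. The size check on the clean copy is kept separate from the hash comparison on purpose: the expert uses size to confirm the expanded file is the right build for the OS, and the hash to decide whether the live driver actually needs replacing.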
     
  12. 012965

    012965 Private E-2

    Okay, I made it :)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now we will boot into the Windows XP Recovery Console. You should print these to have on hand while offline. Also read thru all of them now to be sure you understand before starting them.
    • Restart your computer.
    • Shortly after restart and way before Windows loads, you will be prompted to choose which Operating System to start. Pay attention it flashes fast and you will only have about 1 or 2 seconds to hit a key!
    • Use the up and down arrow key to select Microsoft Windows Recovery Console that was installed with Combofix and hit enter after selecting.
    • Later you will be asked to enter which Windows installation to log onto. Type 1 and press 'Enter'.
    • At the C:\Windows prompt, type the following bolded entries, and press 'Enter' (note the spaces):
    batch C:\grfix.txt

    Type in Exit and press enter and your computer shall reboot. Reboot back into Normal Mode and run Combofix once more.


    Now also run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the new c:\combofix.txt log
    • C:\MGlogs.zip
     
  14. 012965

    012965 Private E-2

    When I pressed enter on the Windows Recovery Console, it said NTLDR was not found? And it was to be restarted?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have your Windows XP boot CD that you can use to boot to the Recovery Console?
     
  16. 012965

    012965 Private E-2

    Sorry, I do not... :/
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you are going to have to create a CD that you can boot from. There are some special CDs that are frequently used some of which also have scan capabilities. I suggest that you work on making the below OTLPE CD and let us know when you have it built and when you have actually been able to boot from it.



    Creating OTL-PE Environment
    1. Please print out these instructions for reference.
    2. Be aware that the OTLPE.iso file is a large download.

    Step 1

    • Download ISOBurner this will allow you to burn REATOGO-X-PE ISO to a cd and make it bootable.
    • Double-click IsoBurner-Setup.exe to install the program.
    Step 2

    • Download >OTLPE.iso< and save it to your Desktop.
    • NOTE: This file is 292Mb in size so it may take some time to download.
    • Once downloaded, double-click the OTLPE.iso file and ISOBurner will open.
    • Burn the .iso file to a CD. Additional instructions on doing this can be found in the below link:
    Step 3

    • Insert the CD into the drive of the problem computer and reboot.
      • Note: If you do not know how to set your computer to boot from CD follow the steps >here<
    • The computer should now display a REATOGO-X-PE desktop (be patient - this takes a long time to load)
    • Double-click on the OTLPE icon.
    • When asked "Do you wish to load the remote registry", select Yes
    • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    Step 4

    • In OTL, please change the following settings:
    • Change Drivers to Non-Microsoft
    • Press Run Scan to start the scan.
    • When finished, the file will be saved at C:\OTL.txt
    • Copy this file to a USB memory stick if you do not have a working internet connection on this computer at this time. If you do have a working connection, then just come here and attach it. The OTL PE environment gives you the ability to connect and surf.
    Once we have this log we will know that you have been successful at making the CD and that you are able to boot from it. Then we should be able to explain how to copy the file we want to replace.
     
  18. 012965

    012965 Private E-2

    I purchased a Windows XP CD, and I am just resorting to reformatting my computer. I appreciate your support, thank you.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Should not be necessary if you have the CD, but it's your choice on what approach you prefer to take. But a new install involves more than you may think. Especially to get back to a level of where your system is at. You have to consider all of the below:
    • you have to backup all your own data, settings, configurations etc and first you have to know what/where all of these are. And you have to have the medium (burnable media, second hard drive, tape drive [yuck] )
    • then you must make sure you have the necessary disks to reinstall not just your OS but all other software you use especially protection before going online
    • then delete your partitions, recreate partitions, format, reinstall the OS
    • now reinstall all your software especially protection
    • get online (requires some setup and config that novices have problems with)
    • download updates for OS
    • download updates for protection software
    • download updates for all other software
    • tweak all software back the way you like it. Including Desktop settings, icons etc.
    • create all the folders that you use for everything in your normal routines
    • re-load from your backups to get data back, to get settings, Favorites, etc. back
    • now over the next two weeks you will realize that you forgot to backup some stuff and also you will keep finding something else that you need to reinstall.
     
