XP Internet Security 2012 Help please

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by qcrail, Aug 18, 2011.

  1. thisisu

    thisisu Malware Consultant

    Whenever you attempt to boot your PC, do you have the option to go into the Recovery Console? We will most likely need to restore the registry to a working state if you aren't able to get into Safe Mode.

    http://www.bleepstatic.com/tutorials/rc/startup.gif

    Look at the above picture and tell me if you have this option available to you. If you allowed ComboFix to install the Recovery Console, you should.
    Note: By default, this screen only stays active for ~3 seconds.
     
  2. qcrail

    qcrail Private E-2

    That option is not available to me because ComboFix was never run with an active internet connection.
     
  3. qcrail

    qcrail Private E-2

    Safe mode
    safe mode with networking
    Safe mode with command Prompt

    Enable Boot Logging
    Enable VGA Mode
    Last Known Good Configuration (didn't work)
    Directory Services Restore Mode (windows domain controllers only)
    Debugging Mode
     
  4. qcrail

    qcrail Private E-2

    I could also try the hammer mode (take a hammer to the side of the tower,LOL)
     
  5. thisisu

    thisisu Malware Consultant

    We need to make use of the Windows XP Recovery Console

    If you do not have a Windows XP disk, download the following file: rc.iso

    Now download ImgBurn
    See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    Install ImgBurn on a working computer by double-clicking SetupImgBurn_2.5.5.0.exe
    Don't install the Ask toolbar that tries to install itself by default. (uncheck all of their boxes)

    • After Installation
    • Double-click rc.iso
    • Insert a blank CD-R
    • Press the Write button


    When finished, boot off this newly created CD on the PC with the registry problem.
    Since you have a Dell, you're going to want to press F12 at the Dell splash screen to go into its Boot Menu.
    Select the CD/DVD ROM device and be ready to press ANY key when you see:
    http://www.bleepstatic.com/tutorials/vista-repair-options/boot-from-cd-prompt.jpg
    You should start hearing the CD spinning up; wait until everything is loaded (~30-45 seconds).
    When you arrive at this screen:
    http://web.mit.edu/ist/products/winxp/advanced/repair01.gif

    Press R to go into the Recovery Console.

    When at this screen:
    http://support.microsoft.com/Library/Images/2399081.png

    • Type in the number of the Windows installation you want to repair (usually 1), then press ENTER.
    • Type in the Administrator password (leave blank if you are unsure what it is) and press ENTER.
    • At the command prompt type
    • cd erdnt
    • then press ENTER
    • Now type
    • dir
    • then press ENTER

    Tell me what is listed here in your next message
     
    Last edited: Aug 23, 2011
  6. qcrail

    qcrail Private E-2

    *onboard or USB CD-Rom Drive

    Put the disk in and Strike F1 key to continue, F2 to run the setup utility?
    Just want to make sure
     
  7. thisisu

    thisisu Malware Consultant

    Try Onboard first. Make sure you have the CD inside the tray.
     
  8. qcrail

    qcrail Private E-2

    That said
    Selected boot device not available-
    strike F1 to retry boot, F2 for setup utility

    Here is what my Boot Device Menu says

    Onboard SATA Hard Drive
    Onboard or USB CD-Rom Drive

    System setup
    hard drive diagnostics
    Boot to Utility Partition
     
  9. thisisu

    thisisu Malware Consultant

    Your logs indicate that you have 2 CD/DVD-Rom drives. Is this true? Can you try inserting the CD into the other drive (the one you haven't tried yet) and see if the same problem occurs. Try pressing F1 to Retry boot.

    Also, did you have any trouble creating the CD?
    Or are you using your own Win XP disc?
     
  10. qcrail

    qcrail Private E-2

    I got to the recovery console but when I type in cd erdnt it says that there is no floppy disk or cd in the drive even though there is a cd in the drive?
     
  11. qcrail

    qcrail Private E-2

    I found the disk. Here is where I am at:

    The volume in drive C has no label
    The volume serial number is 7c43-3f5a

    Directory of C:\WINDOWS\ERDNT

    08/22/11 01:25a d------- 0 .
    08/22/11 01:25a d------- 0 ..
    08/19/11 02:33a d------- 0 cache
    08/22/11 01:25a -a------ 110 CFrecovery.bat
    08/22/11 12:31p d------- 0 Hiv-backup

    5 file(s) 110 bytes
    123152371712 bytes free
     
  12. thisisu

    thisisu Malware Consultant

    From here, do the following:

    type: cd Hiv-backup
    press ENTER
    type: batch erdnt.con
    Press ENTER

    The ERUNT backups will begin copying.
    At the next prompt, type the following bolded text, and press ENTER:

    exit

    Windows will now begin loading.
    Success?
     
  13. qcrail

    qcrail Private E-2

    It did come up with an error on starting. I hit Start Windows Normally and the desktop is up and running. I do have that same error as before though:

    Error Loading C:\Docume~1\chrisz~1\applic~1\micros~1\protect\hfva.fx
     
  14. thisisu

    thisisu Malware Consultant

    That's good to hear. I have a feeling SAS did not want me to remove that registry value. Let's try the following to clean up any last traces and to test that theory :)

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    
    File::
    C:\Documents and Settings\Chris Zalatoris\Application Data\Microsoft\Protect\hfvh.fx
    C:\Documents and Settings\Chris Zalatoris\Application Data\Microsoft\Protect\s32.txt
    C:\Windows\ws386.ini
    C:\Windows\db32.txt
    C:\Windows\s32.txt
    C:\Windows\f32.txt
    
    Driver::
    Microsoft ASPI Manager
    
    Folder::
    C:\Documents and Settings\Chris Zalatoris\Application Data\Microsoft\Protect
    
    Registry::
    [-HKLM\SOFTWARE\Microsoft\Sft]
    [HKEY_USERS\S-1-5-21-3129692339-3349063710-2787916754-1007\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
    "LastKey"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
    "LastKey"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "bxmpp"=-
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    Tell me how the PC is running now?
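    As an added example (not part of thisisu's post and not ComboFix's own code): a small Python script that parses a CFScript of the shape used above into a list of planned actions, so the file can be reviewed before it is dragged onto ComboFix. The section names and the .reg-style registry syntax ([-key] deletes a key, "name"=- deletes a value) follow the script in the post; the sample script below is constructed, <user> is a placeholder profile name, and the folder-risk check is an addition here, not a ComboFix feature.

```python
"""Parse a ComboFix CFScript into a reviewable list of planned actions.

Added example, not ComboFix's own code. Section names and the .reg-style
registry syntax ([-key] deletes a key, "name"=- deletes a value) follow the
script in the post; SAMPLE_SCRIPT is constructed, <user> is a placeholder.
"""
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")      # e.g. "File::"
REG_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")          # "[key]" or "[-key]"
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')      # '"name"=-' or '"name"=data'
SYSTEM_ROOTS = ("windows", "program files", "documents and settings")

SAMPLE_SCRIPT = r"""
KillAll::

File::
C:\Documents and Settings\<user>\Application Data\Microsoft\Protect\hfvh.fx
C:\Windows\ws386.ini

Driver::
Microsoft ASPI Manager

Folder::
C:\Documents and Settings\<user>\Application Data\Microsoft\Protect

Registry::
[-HKLM\SOFTWARE\Microsoft\Sft]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bxmpp"=-
"""


def new_plan():
    return {"kill_all": False, "files": [], "folders": [], "drivers": [],
            "reg_keys_deleted": [], "reg_values_deleted": [], "reg_values_set": [],
            "warnings": []}


def folder_risk(path):
    # Flag Folder:: targets that would wipe a whole drive or a Windows root folder.
    p = path.rstrip("\\").lower()
    if re.fullmatch(r"[a-z]:", p):
        return "drive root"
    m = re.fullmatch(r"[a-z]:\\([^\\]+)", p)
    return "system root folder" if m and m.group(1) in SYSTEM_ROOTS else None


def parse_cfscript(text):
    plan, section, current_key = new_plan(), None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                                   # "Name::" starts a new section
            section, current_key = m.group(1), None
            plan["kill_all"] |= section == "KillAll"
            continue
        if section == "File":
            plan["files"].append(line)
        elif section == "Folder":
            risk = folder_risk(line)
            if risk:
                plan["warnings"].append(f"line {lineno}: Folder:: targets a {risk}: {line}")
            plan["folders"].append(line)
        elif section == "Driver":
            plan["drivers"].append(line)
        elif section == "Registry":
            km, vm = REG_KEY_RE.match(line), REG_VALUE_RE.match(line)
            if km:                              # [key] selects a key, [-key] deletes it
                current_key = km.group(2)
                if km.group(1) == "-":
                    plan["reg_keys_deleted"].append(current_key)
            elif vm and current_key:            # "name"=- deletes, "name"=data sets
                name, data = vm.groups()
                if data == "-":
                    plan["reg_values_deleted"].append((current_key, name))
                else:
                    plan["reg_values_set"].append((current_key, name, data))
            else:
                plan["warnings"].append(f"line {lineno}: unparsed Registry:: line: {line}")
        else:
            plan["warnings"].append(f"line {lineno}: '{line}' in section {section}:: is not handled here")
    return plan


if __name__ == "__main__":
    for key, value in parse_cfscript(SAMPLE_SCRIPT).items():
        print(key, value)
```

    Run it against the CFScript.txt you are about to use and read the warnings first: a Folder:: entry pointing at a drive root or at C:\Windows would be removed just as readily as the malware folder, and any section this script does not know is reported rather than silently skipped.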
     
  15. qcrail

    qcrail Private E-2

    When ComboFix was running it logged off and restarted. I now have no icons on the desktop; the screen saver is up.
     
  16. thisisu

    thisisu Malware Consultant

    ComboFix was supposed to boot your machine -- So this is normal

    You say the screensaver is active? What happens if you move your mouse? Does it come out of the screensaver?

    By chance did you set ComboFix to run and then stepped away from the computer for a while?
     
  17. qcrail

    qcrail Private E-2

    I did step away for a couple of mins. I explained it incorrectly: the shortcuts on the desktop are gone, i.e. SUPERAntiSpyware, Malwarebytes, IE. No taskbar, nothing but my background image is up. I shook the mouse and nothing.
     
  18. thisisu

    thisisu Malware Consultant

    Please download Unhide by Grinler to your desktop. (or into an explorer folder you can find later)
    Double-click unhide.exe to run it (Vista and Win7 right-click and select Run as Administrator)

    Can you see your desktop icons now?
     
  19. qcrail

    qcrail Private E-2

    It's freezing up then going blank before the F drive loads, so I cannot get the unhide.exe to load. If I turn off then turn back on, everything is fine for a few moments, then it freezes and shortcuts and icons disappear.
     
  20. thisisu

    thisisu Malware Consultant

    Do you have a Ut165 USB2FlashStorage USB Device plugged in? Is that your F: drive? If so, please remove it and reboot. Please be more specific on what is happening when you reboot.
     
  21. qcrail

    qcrail Private E-2

    Yes, the USB is the F drive. I have been able to run the unhide.exe; so far so good, it's only been a couple of mins. OK, it seems like it is back to normal. I waited 5 mins. and the desktop is still visible.
     
  22. thisisu

    thisisu Malware Consultant

    Glad to hear it. Please attach C:\ComboFix.txt

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.
     
  23. qcrail

    qcrail Private E-2

    OK, I don't have a log for ComboFix; it is not in the C:\ drive where it should be. I can run the C:\MGtools\GetLogs.bat but not sure if that will help. Should I try and run ComboFix again?
     
  24. thisisu

    thisisu Malware Consultant

    Do this.

    No!
     
  25. qcrail

    qcrail Private E-2

    ok here is C:\MGtools\GetLogs.bat
     

  26. thisisu

    thisisu Malware Consultant

    CF did delete the files specified. Your latest logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  27. qcrail

    qcrail Private E-2

    Just out of curiosity, when I plug back into the internet should I run ComboFix again just to get the Windows Recovery Console, or is it not important? Thanks for all your help over the past couple of days and weeks; I was on the verge of throwing the whole thing away. You made it simple enough for a computer novice to understand and were so patient with all of the complex problems that kept coming up. Thanks again, so grateful.

    On a side note scale of 1-10 how bad was this problem
     
  28. thisisu

    thisisu Malware Consultant

    I would prefer to have the Recovery Console on a CD that you have now. It is more effective against the latest types of infections.

    You're welcome. We did have quite a few ups and downs, LOL

    Well it was something I have not seen before so it's up there ;)

    Here are a couple of links I read along the way, maybe you will find them interesting too:
    http://home.mcafee.com/virusinfo/virusprofile.aspx?key=562394#none
    http://www.threatexpert.com/report.aspx?md5=476cefa4ca9ec2e9e9e39d7cf1060432
     
  29. qcrail

    qcrail Private E-2

    Hello again
    I'm getting a couple of errors; maybe you could direct me to the right place. I keep getting svchost errors and a Generic Host Process error, and finally I got the blue screen again about the physical memory dump. Would that be the hardware or software forum? Thanks again. It seems to boot up slower than normal also.
     
  30. thisisu

    thisisu Malware Consultant

    Hi, I would try the software forum for your BSOD.
     