No Internet access, probably a root file?

Hi! Your forum self-clean guide has helped me more than once (Thanks for that!), however this time it is not.

PC is my Cousin's. WinXP 32bit.
Basically it will not connect to the internet at all. I installed a PCI network card just to make sure it wasn't a bad motherboard chip, and it still will not connect. The green lights are on the network router as they should be.

His home page is still google.com. He ran malwarebytes and avast, and spybot and they all came up clean. He then uninstalled avast and ran hijackthis. he then brought it over and I went through the clean-thread.

I didnt save the super-spyware or malwarebytes logs because they both said it was clean and tbh I didn't expect to need to post them based on past experience, but I have the other 3 attached. Also, the versions I used could not be updated because of no internet connection.

His PC could not run the windows recovery console as it wasn't installed, and I didn't know if I needed to try and download it on another pc and transfer it in the middle of the programs operation, and then rerun it, especially since the guide says not to rerun it.

Anyway, see if you can help, one program said his calc.exe file is corrupt.

 

The Combofix I downloaded a couple times, and it kept saying out of date. It must get stuck in the registry the first time it runs and wont overwrite? I'll have to uninstall it or something I guess.

So nothing in them is useable right now?

I'll repost logs after I rerun it all.
Thanks.

 

Alright, I redownloaded all the files and reran them.

I couldn't get the Super anti-spyware program to run, it crashes, so I have no log for it.

Again, I have no internet connection, and one of the programs (I forget which one) said it's files were 111 days out of date. (this is the version you had me download)

Thanks for the help.

 

I couldn't update the programs without access to the internet, so I didn't. :confused

I ran the program and attached the log.

 

Hello jerkbucket,

• mbam-rules.exe
• SASDEFINITIONS.exe

You can download (from a working computer) and run these (on the infected computer) to update the definitions (on the infected computer).

 

I assume you want me to rerun those programs with the new definitions, and post new logs?

 

Yes, if you can please do while chaslang gets back to you.

 

Unfortunately, the PC in question has become extremely slow after running the aswMBR program. It has been stuck at the windowsXP screen for ten minutes, reboot and it does the same thing.

Trying to boot into safemode, it gets stuck at MUP.SYS

 

Yes, I have the XP disk.

Is it saveable? or should I just wipe it and start over? I think we got all his files, but you know how people can rathole something away in a folder and decide they need it as soon as you format the drive....

I'm up for the challenge if you are! tell me how to use the XP disk to boot into the system!

P.S. I wasn't blaming the slow boot on the MBR thing, just that happened to be the last time I touched it, and it was too slow to use afterwards. I know it is jacked up, that's why I'm here

 

Well, I read the thread and it says it only works for SP3 disks. Mine is not SP3, and I don't get the option of hitting "R" to recover it.
I guess we are out of luck?

 

Sorry about that, you are correct.

At step 5, part one, where it says "type the following...."

md tmp

I get "access denied"

 

additional info for prior post:

Oh, btw, I didn't get the option to enter a password for admin (in recovery), but I know there wouldn't have been one on this machine, so I am assuming it either skipped it and didn't ask for it, or the drive is not allowing write access due to the rootkit junk.

 

This is exactly what it says.

Code:

C:\>dir tmp
 Directory of C:\tmp

An error occurred during directory enumeration.

C:\>

C:\>dir
 Directory of C:\

An error occurred during directory enumeration.

C:\>

I booted using the windowsXP CD. I can't boot without it.

 

Step 5 does not tell me to change to the /windows folder, it just says generically:

Code:

At the Recovery Console command prompt, type the following lines, pressing ENTER after you type each line:
md tmp
copy c:\windows\system32\config\system c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default c:\windows\tmp\default.bak

delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default

copy c:\windows\repair\system c:\windows\system32\config\system
copy c:\windows\repair\software c:\windows\system32\config\software
copy c:\windows\repair\sam c:\windows\system32\config\sam
copy c:\windows\repair\security c:\windows\system32\config\security
copy c:\windows\repair\default c:\windows\system32\config\default

Well, I did exactly what it said, and it doesn't work. I can't even change directory to /windows, it says 'the path or file specified is not valid', which I am guessing it can't get to the windows folder, and that is why it is stuck at the C:\ prompt.
Now that we have established this fact, what's next to try?

 

Yep, I get the same blue setup screen. But when the next one shows the command prompt, mine does NOT go to C:\windows, it goes to C:\ and none of the standard dos commands except HELP work. You can question my ability all you want, but I am telling you the truth about the C:\ prompt. I've been using PC's since 286's needed a math-coprocesser to run CAD applications, and I made custom bootable floppys to get specific games to run on 486's. I apologize if I sound offended, I just want to know what to do since the recovery doesn't work. If you don't know, then I will format the drive and start over from scratch. If there are other avenues to try, then I let's give them a go.

 

I get no choice what to work on, no password, no anything. Once I hit "R" at the blue welcome screen, it does its thing and lands me at the C:\ prompt with no commands regarding folders or files useable. Reinstall it is.

 

I'm somewhat surprised about this, since it started out as a routine virus. Is this becoming more prevalent? Should I warn friends about backing their stuff up more than normal? (dumb question, I know)

I've never seen spyware so bad that it causes a reformat before. Especially since it was working ok (without internet) for a good week or more before it got unusable.

 

I thank you for your efforts, it would have been nice to save it but sh!t happens.