Up All Nite - this has been a tough one!

Hello Gentleman,

Wow ... what a battle going on with my system.

About 4 weeks ago, I was hit with a fake ANTI-Virus screen [ave I believe],
and thought I had taken steps to properly remove it ... but things got slowly worst.

I have scanned & rescanned numerous times ... finding 2 or 3 registry keys
that where flagged and removed. Still the computer was not right.

I have NO pop-ups ... and there have been NO error messages ... but I still
ran a SFC /scannow ... nothing semed to change.

I do get ONE error message when I start up:

INVALID BOOT.INI

but then Windows will proceed to load [whether in SAFE mode or Normal] mode.

Coming back to MajorGeeks [had to use your services years ago on another computer], I tried to get all the prepatory log files ... although I did have problems with lock-ups. In fact ... that is what's been happening with this computer.

As a next major step, I went on to run COMBOFIX.
It tried to install the 'Recovery Console', but reported an error [probably due to the Boot.ini issue] ... but then went on to scan. It found a rootkit ... then re-booted itself ... and then continued with the scan ... posting a log file in C:\ .

Which is what bring me here .... I need YOU !!!!!

Concurrently ... another issue has been going on.

My harddrive LED has been writing ALOT ... and I now have 2 instances of something called 'HELPASSISTANT' in my doc folder. I tried to turn these off and delete ... but they return. This is not normal for this computer. And these folders are HUGE ... some 40k+ files nearly 1-2 gigs.

At this point ... I wanted to post what logs I have and await guidance before proceeding ahead. [as I know just enough about computers to be dangerous]

Thank-you ... and await your reply.

Sincerely,

RJHollins

 

Hello chaslang,

First ... thank-you for handling my case

OK ... I ran the 'HelpAsst_mebroot_fix' file that you posted ...

It DID detect an mbr infection.
Ran it according to your instructions.
After shutdown ... then restarted ... waited 5+min and then
CommandPrompt 'helpasst -mbrt'

That command executed in about 1 second ... and posted a log [which I
have attached.

I understand this is early ... but just to notify of what I see ...

The computer is responding much faster ... but ...

When I first boot ... the INVALID BOOT.INI still shows before WINDOWS
launches.

Also ... all IE associations seem to be changed as they do not have the
IE icon reference ... and ALL 'bookmarks' have changed icons and do NOT
respond in IE.

Anyway ... just wanted to mention this observation.

OK ... so I will now attempt to run the instructions in the last half of your
post "READ & RUN ME FIRST" and try to get new logs.

I'll check emails via my iPhone during this

Again ... thank-you for your guidance !!!!

Sincerely,

RJHollins

 

Hi chaslang,

hmm ... something I should have noticed/remembered ... sorry

Looking at the HelpAsst log file ... and then I went to the Documents &
Settings folder on C:\ and noticed that the folder called:

'HelpAssistant.RJHQ9450-kill this' is still there ... and I think I know why ...

I had thought I disabled this in the 'My Computer' ... MANAGE ... USER group
section ... and thought I could just delete the 'HelpAssistant.RJHQ9450' folder. When I couldn't, I found that I could RE-NAME it ... so I did:

to 'HelpAssistant.RJHQ9450-kill this'

I thought after a Re-Boot ... the folder might be released so I could delete it ... no can do.

I forgot to name it back to its original name 'HelpAssistant.RJHQ9450' before
running the HelpAsst_mebroot_fix.exe' file.

I would think we want this one deleted too ... before I try to run any other
cleaning programs.

Big apologies for messing us up like that ...

I will wait to hear from you BEFORE I do anything else.

Thank-you for your understanding !!!

Sincerely,

RJHollins

 

hmmm ... no way to edit previous post ?!?

Another 'item' ....

When COMBOFIX was first ran ... the 'Repair Console' did NOT install.

Just wanted to keep you informed of the current status.

Apologies for the multiple posting ...

RJHollins

 

Hi chaslang,

Here are the attached log files from my recent scans.

There was an issue with SUPERAntiSpyware ... I had to download the 'portable' version in order to run it.
It completed the scan, found 11 .dll files suspected ... it then deleted them,
then RE-BOOT. When I re-ran SUPER [in order to get the log files, as instructed, the Stat/log section was blank. :|
I looked for a log in SUPER's folder ... not there ... nor in the C:\ root.

So I've included all the logs that I now have.

Awaiting your further instructions ... and again, THANK-YOU

Sincerely,

RJHollins

 

Hi chaslang,

To the questions you asked:

1. I use Avast. The SpywareDoctor was a trial I installed.
2. SUPERAntiSpyPro is also something I use.
3. I've NOW un-installed SpywareDoctor.

4. Spybot 1.4 is now UN-installed ... I guess I should go to the latest version.

5. 'Accept button for HiJackThis' ... I thought I did.

For this last scan with MGTools I DEFINITELY did accept ... however, I received an error message ... something wrong there :|

You asked about RunMe.exe ... [i know, that is a very suspecious name] but it is a Program Launcher Toolbar that floats offscreen. The website is: www.ksoft.nm.ru it is a free utility [hope nothing is wrong about it cause it is quite handy.
------------

As per your instructions, I pasted the script to CFscript.txt ... following step by step the drag/drop to Combofix. The log file is attached.

Then ... ran MGTools ... accepted HiJackThis ... which posted an error [hope that is included in the logs].

OK

How things are working?

Well ... definite improvement ... but a few issues.

1. Still the 'INVALID Boot.ini' message when I start up ... yet Windows still launches.

2. The massive 'HelpAssistant.RJHQ9450-kill this' is still there. This is the folder that I had renamed [added the '-kill this'] all before contacting you at MajorGeeks.

3. In IE, it seems all my bookmarks are inactive, and all website shortcuts on the desktop have also lost their 'association'.


These are the few issues I've noticed ... but I must relay that the computer has not crashed or lockedup like before.
I was able to run SUPERAntiSpy [the portable version] and it reported a clean scan [still can't find a saved log for that ... but a complete full scan came up clean got to be happy bout that !!

Anyway ... let me get these logs up to you, and look forward to your next instructions.

Sincerely, and THANK-YOU !

RJHollins
[Up All Nite Mastering Studios]

 

"If Registry Mechanic came with it ( and I assume it did ) you should uninstall it too."

Reg Mechanic was a separate install. It's an older version. I only used it from time to time ... but since changing wincfg to 'normal startup', it is loading at boot-up. I'd prefer it not to autoload ... not sure how to do that ... that is unless there is some issue with this app that you recomend removing it ?



" You already had 1.6.2 installed. I only asked you to uninstall the 1.4 version but you uninstalled both and will have to reinstall the current version later. "

Thanks for the link ... 1.6.2 now installed.



"That's because your boot.ini file appears to be missing based on your logs."

I see the BOOT.INI file is in the root C:\ directory, but I think it is 'blank'. Can I replace this file? or edit it ? As you probably know, WINDOWS is installed in the 'standard' location on my 1st primary drive [followed by 5 more harddrives and a SATA CD/DVD burner.


"My last fix was supposed to delete this folder, but it does not look like it deleted. Can you delete it manually?"

I was able to 're-name' the folder to its original name [removing the "-kill this" that I added] ... once I did that, I was able to delete the folder & content. BTW, that was one massive folder :|


" Your file association for HTML files may have been broken. Go here and download and run the fix for HTM/HTML files."


OK ... grabbed the .reg file from this site, dbl-clicked & added it to the registry. Even after a re-boot, still bookmarks are not working


" Why can't you run a scan with the Pro version you have installed."

The PRO version was locking up when checking for updates ... I will try a re-install.


OK ... wanted to get this info back to you ... awaiting further instructions!

Thank-you

RJHollins

 

Did not help Added to the register ... even re-booted .. no change.

The 'bookmarks' in IE 'Favorites' do not work ... clicking on them does nothing.
In the 'Favorites' sidebar menu, all of the icons have a 'generic' look ... like they are not assigned to any app.

On the desktop I have a 'Internet shortcut' web link ... and again, they do nothing and also have the same 'generic' icon. When I right click for 'Properties', I only get 1 tab that says 'General' ... there is no 'Scortcut' tab in the Properties window.

I tried to 'paste' one of the shortcut in this message ... but it won't. It was a link from Major Geeks on the 'Cleaning procedure for WinXP'.

----
As to the BOOT.INI rebuild ... I need to read the link you provided. Since the 'Recovery Console' never installed after we ran [I believe] the ComboFix app a couple of times ... I'm guessing I'll need to turn to my XP install disk if there is no other way ... a tech friend has 'loaned' me his HIREN BOOT Utilities v10.5 disk that has a slew of apps on it ... might a solution be available from it ? just wondering.

Once again ... Thank-you chaslange! Hope you're able to make sense of my descriptions and that we can get these final pieces put together ... then I'd like to inquire about making donations.

Sincerely,
RJHollins

 

Hi chaslang,

Lastest logs attached.

Regarding IE Favorites. When I click on a favorite [bookmark] link, I now get a 'OPEN WITH' menu.
First I tried linking it to Internet Explorer. It ask to 'OPEN' or 'SAVE'. Selecting open did nothing.

Then I tried linking to 'Shell Doc Object and Control Library'. This DID open a new IE page to the bookmark link. So that does seem to be the one to use, but I need your confirmation on that.
The same scenario holds true for IE links saved on the desktop.


As to the BOOT.INI file. When I open to view it with Notepad, it shows no characters or numbers. Definately nothing as the text you recently posted.

I do have another [old] computer with XP Pro installed. I emailed a copy of its' boot.ini file over to this computer [just in case]. The old computer boot file looks very similar to what you have posted.

Old computer boot.ini looks like this:

[boot loader]
timeout=10
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


At this point, I'm not touching the boot file till I hear back from you after these log files, and observations on 'bookmark' favs. My concern is that the boot file may be 'locked' by Windows or something. I did read somewhere that the 'property' of this file has special settings. Again, I'll wait.

Thank-you again!
RJHollins

 

hi chaslang,

ok, I ran the fixme.reg file as instructed.
Message returned back that it was succesful adding to registry.

After re-boot, still not working. This is both for bookmard favorites and web shortcuts saved to desktop. All related icons still have the generic look as a box with 3 small colored dots [red, blue, green].

With the boot.ini I ran the CMD command and entered each command with a return in the dos box. No error message or anything. When I re-booted I still get the same INVALID Boot.ini message, and then Windows load up.

I opened boot.ini within Notepad to have a look, still shows as a blank page.

Still need your help please.

Will wait to hear from you. THANK-You !

Sincerely,
RJHollins

 

Hello chaslang,

I don't see a way to edit my previous post.

Anyway, just noticed another IE issue that I wanted to bring to your attention.

When I try to 'Send a Link' email, the webpage that I'm on will just close down. I use Outlook Express by default.

Maybe this helps point to where the problem is ?

thank-you
RJHollins

 

Hi chaslang,

OK !! We have success with the IE shortcut/bookmark repair !

I've done only a preliminary check, but favorites & desktop shortcuts seem to be working.

Wanted to get some 'happy' news back to you. Thanks for sticking with me on this.

Alright, now to the Boot.ini stuff.

I still have to get the RecoveryConsole installed [since it failed during Combofix runs]. I've printed the #12 message weblink you provided in regards to this.

I may need a day or two to get to this, in order to prepare everything.

Needless to say, me messin' with the BOOT file makes me somewhat nervous, as I have no back-up system on this computer.

What would you recommend to provide some sort of 'safety net'. Is a 'System Restore Point' good enough ??? Would I be able to recover [even in SAFE MODE] should this not work as hoped ? The computer does boot to Windows now. [just a little hand wringing] :|

If you ask, 'Why No Backup!", well the issue has been that every app I've tried to read up on seemed to have some kind of issues that others would bash. I do have a storage internal harddrive with a 500g partition that I could make available, and possibly use a floppy or CD to initiate a boot from should a catastrophe need be averted.

Any insights or suggestions would be much appreciated. Especially before attempting the boot fix.

Thank-you again!

Sincerely,
RJHollins
[Up All Nite Studios]

 

Hello chaslang,

Yes I do have my original XP install disk.

My specific question to 'system restore point' had to do with a safety net before repair of Boot.ini . I fully understand that this is no substitute for a complete back-up. Having been a recording engineer for the past 30 years, I fully appreciate the redundant back-up procedure.

With my other computer, I use Acronis True Image for back-ups. HOWEVER, I have yet to ever perform a full restore from a back-up, nor any real need to access any of those files.

This 'new' computer [the one under repair] is just now getting installed with all my necessary programs. This quad-core has 5 harddrives. The ONLY drive I would like 'backed-up' would be the main C:\ drive. This is a 300gig partition that is currently filled with 100gigs of OPSystem and certain data files. All other drives are storage related. All audio projects I manually back-up to gold Ti-Yudan DVD's. Our studio is looking at a possible 'RAID' solution for back-ups due to the sheer quantity of data. [All our work uses 32-bit float, and 44.1k, 88.2k or 96k sampling rates].

For the moment, I wonder what is the best/most reliable backup app. Since I've not had to ever restore a computer, and having read user comments that this or that back-up failed, leaves me doubting or false sense of 'security'. I had hoped that MGeeks might have had a consensus or recommendation.

If I just copied my C drive to another drive, would that be best? If my current C drive died, would I be able to use this back-up?

I'd prefer to use an app that would do incremental back-ups, and should catastrophe happen, that I'd be able to force a boot to this back-up data.

In your opinion, is 'Acronis True Image Home' a good choice?

Thank-you for your insights.

Sincerely,
RJHollins