07-17-2009, 12:42 AM   #21 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,492
OS: 2000 Pro; XP Pro; XP Home

Re: Google Search Result Redirects

Was there an error message regarding Recovery Console? Did you see the first image in my second post? Is Recovery Console already installed on this machine? Do you have a Windows XP installation disk?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

07-17-2009, 12:54 AM   #22 (permalink)
rem524
I helped the forums.
Join Date: Jul 2009
Posts: 29
OS: Windows XP SP3

Re: Google Search Result Redirects

I did not see the dialog saying that the Recovery Console needed to be installed and there were no error messages about the Recovery Console.

I don't know for sure that the Recovery Console is installed but I thought it may be and therefore wasn't surprised when CF did not try to install it. I am looking for an XP installation disk.

Is there a way to check if the Recovery Console is installed?

07-17-2009, 12:57 AM   #23 (permalink)
tetonbob

Re: Google Search Result Redirects

Well, if it is, you'd usually see two boot options at startup, one for the Windows installation, and one for Recovery console. If you didn't receive any error message, or see the image, then it's likely installed.

We can check with this tool, hopefully you can run it.

Please download BootCheck.exe to your desktop.
  • Double click BootCheck.exe to run the check
  • When complete, a Notepad window will open with some text in it
  • Save the Notepad file to your desktop as BootCheck.txt
  • Copy the contents of BootCheck.txt and post it in your next reply

07-17-2009, 01:05 AM   #24 (permalink)
rem524

Re: Google Search Result Redirects

Having trouble getting BootCheck.exe to download. Firefox is just hanging and leaving me with a 0 byte file on my Desktop. Working on another way to get it on that PC.

07-17-2009, 01:08 AM   #25 (permalink)
tetonbob

Re: Google Search Result Redirects

This might work well enough also

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
type "C:\boot.ini">C:\look.txt
Start notepad C:\Look.txt
del peek.bat

Save this as peek.bat. Choose to "Save type as - All Files".
It should look like this:
Double click on peek.bat & allow it to run. A notepad file will open. Post the contents of that file in your next reply, and close the file.

07-17-2009, 01:14 AM   #26 (permalink)
rem524

Re: Google Search Result Redirects

Here's the contents of that file:

[boot loader]
timeout=0
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


Having fun yet?

07-17-2009, 01:17 AM   #27 (permalink)
tetonbob

Re: Google Search Result Redirects

LOL, these are usually a bit more smooth.

Ok, we have a Recovery Console entry in the boot.ini, so I'm taking that as we do.

Reboot the machine, and try to run DDS once again, and post the logs. If you can't, use this tool in its place.
  • Download RSIT by random/random and save it to your desktop.
  • Double click RSIT.exe to start the tool and click Continue at the disclaimer.
  • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of log.txt here.
  • Please attach info.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\rsit\info.txt
  3. Click Upload.



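Added example, not part of the original thread: a Python check of the boot.ini text posted in reply #26, testing for a Recovery Console entry the way reply #27 reads it and reporting whether the two-option boot menu mentioned in reply #23 would be displayed. The function names and result keys are chosen here for illustration.

```python
import re

# boot.ini text copied from reply #26 of this thread.
SAMPLE_BOOT_INI = r'''[boot loader]
timeout=0
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
'''


def parse_boot_ini(text):
    """Return ([boot loader] settings dict, [operating systems] entry list)."""
    settings, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or INI-style comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        # Split on the first "=" only: switches such as /noexecute=optin contain "=".
        left, sep, right = line.partition("=")
        if not sep:
            continue
        if section == "boot loader":
            settings[left.strip().lower()] = right.strip()
        elif section == "operating systems":
            m = re.match(r'"([^"]*)"\s*(.*)$', right.strip())
            label, tail = (m.group(1), m.group(2)) if m else (right.strip(), "")
            entries.append({"path": left.strip(), "label": label,
                            "switches": [s.lower() for s in tail.split()]})
    return settings, entries


def recovery_console_status(text):
    """Summarise what boot.ini says about the Recovery Console and the boot menu."""
    settings, entries = parse_boot_ini(text)
    rc = [e for e in entries if "/cmdcons" in e["switches"]
          or e["path"].lower().endswith(r"\cmdcons\bootsect.dat")]
    try:
        timeout = int(settings.get("timeout", ""))
    except ValueError:
        timeout = None
    return {
        "recovery_console_entry": bool(rc),
        "labels": [e["label"] for e in rc],
        "timeout": timeout,
        # timeout=0 boots the default entry at once, so no menu is displayed
        "menu_shown": len(entries) > 1 and timeout not in (0, None),
    }
```

The entry only shows that the loader is configured for the Recovery Console; the C:\CMDCONS folder it points to still has to exist on disk.
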

07-17-2009, 01:33 AM   #28 (permalink)
rem524

Re: Google Search Result Redirects

The fun never ends. I did the re-boot and it came up fine. I am still having problems downloading a file to my Desktop. Firefox just hangs and I never see the download window come up.

I downloaded RSIT.exe on another PC and copied the file up to an FTP site that I can access. When I tried to download it onto the infected PC, even FTP was not working. In the FTP command, I get an error message saying "Can't open data connection.".

Any thoughts?

07-17-2009, 01:35 AM   #29 (permalink)
tetonbob

Re: Google Search Result Redirects

Use a USB stick to transfer the file from one machine to the other. Or use IE instead of Firefox.

I have to sign off now. I'll look in later.

07-17-2009, 09:15 AM   #30 (permalink)
tetonbob

Re: Google Search Result Redirects

Any progress?

07-17-2009, 01:40 PM   #31 (permalink)
rem524

Re: Google Search Result Redirects

Hi,

First of all, thank you for all of your help. It is greatly appreciated. You've already spent a lot of time on this cleanup.

I'm not with the PC now but will be in a couple of hours.

I was not able to download RSIT.exe through either Firefox or IE. The attempt to save the file to my Desktop would just hang and leave me with a 0-byte file. I also could not access the file from a USB stick on the system.

When trying to access the USB stick, I found that I could not open My Computer or My Documents in the Windows Explorer. I could navigate the C: drive if I typed C:\ in the address field. When trying to open My Computer, the Explorer window shows the "busy" icon as if it is loading but never shows the contents.

I attempted one more system boot after we manually rebooted last night. I saw that Avast was re-activating on reboot. I again deactivated the active scans and booted. When I tried to shut down, the system did not shut down cleanly. It cleared the Desktop icons but hung for 10 minutes with the background image on screen. It would not respond to any actions so I powered it down to reboot. Upon reboot, Avast had re-activated again.

One difference in Avast since the CF hang after the CF reboot is that only 4 of the 6 scanning processes are showing as active. 2 of them show that they are waiting for another process (don't remember the specific message). Previously, all 6 showed as active.

If I screwed things up with the unsanctioned reboot, say the word and I'll just have to re-install the OS from the recovery partition.

-Bob

07-17-2009, 03:39 PM   #32 (permalink)
tetonbob

Re: Google Search Result Redirects

Well, let's try to run ComboFix once more on the machine before we go to a reinstall. This time, also disable Avast's self protection module, accessible from the system tray icon, program settings > troubleshooting.


07-17-2009, 03:47 PM   #33 (permalink)
rem524

Re: Google Search Result Redirects

Should I select all of the checked boxes shown in that graphic or just the self-defense module?

And while I'm at it, will I need to re-boot to get these changes in place?

07-17-2009, 03:58 PM   #34 (permalink)
tetonbob

Re: Google Search Result Redirects

Just the self-defense mode will do. I can't recall if you'll need to reboot for that action, I'm sure Avast will tell you.

Disabling self-defense mode allows you to end process on ashServ.exe should it be running.

07-17-2009, 04:05 PM   #35 (permalink)
rem524

Re: Google Search Result Redirects

Okay - no reboot needed.

ashDisp.exe, ashServ.exe, aswUpdSv.exe and avast.setup are currently running.

07-17-2009, 04:11 PM   #36 (permalink)
tetonbob

Re: Google Search Result Redirects

I think I'd end process on any of those I could before running ComboFix. It might behoove us to run it with the following switch, from the Run box.

"%userprofile%\desktop\Combo-Fix.exe" /killall

This assumes Combo-Fix is on your desktop.

07-17-2009, 04:19 PM   #37 (permalink)
rem524

Re: Google Search Result Redirects

So, I tried stopping ashServ.exe first. As soon as it was killed, it was like a gate opened up. A few new System Tray icons appeared and AIM started up. It also then recognized that a USB stick was in a USB port and said it connected (although I still can't seem to reach it). I also can now open My Computer successfully.

The other issue is that ashServ.exe re-started as soon as it was stopped. Should I stop other Avast processes to try to find the parent?

07-17-2009, 04:21 PM   #38 (permalink)
tetonbob

Re: Google Search Result Redirects

As long as you've disabled On Access Protection, and also disabled Self-Defense mode, we should be good to run CF.

07-17-2009, 04:39 PM   #39 (permalink)
rem524

Re: Google Search Result Redirects

One last thing - after Avast re-started, a dialog from Avast opened saying two new suspicious files were found:
c:\WINDOWS\system32\Drivers\gmwnydiwyxv.sys (type: rootkit: hidden file)
c:\WINDOWS\system32\drivers\gmwnydiwyxv.sys (type: hidden services)

Looks like CF will have something to fix. Just to confirm the steps:
1) Disable On Access Protection
2) Make sure Avast Self Defense is disabled
3) Run Combo-Fix from a command window with the /killall option

Sound right?

07-17-2009, 06:01 PM   #40 (permalink)
tetonbob

Re: Google Search Result Redirects

Yes, that's right.