Author Topic: Avast stopped working, virus?  (Read 93402 times)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Avast stopped working, virus?
« Reply #90 on: August 17, 2007, 03:30:18 AM »
@ BJS

I looked at the documentation again and it looks as follows

ntfsboot.txt is the documentation

ntfsboot.exe is for making a bootable floppy (maybe accounts for the a:\ drive)

ntfsboot.iso is a boot disc

ntfswcdd.iso is also a boot disc; if you want to add files you would use this one. It has cd drivers so you can copy files to your hd. The files have to be added to the iso file itself, not just to the disc.

So you can make a bootdisc using either file.

I see the instruction for adding files to ntfswcdd.iso using Ultraiso, but none for nero. The file, in this case, ntoskrnl.exe, should show up as being on R:\. So if you know how to add files in nero this is the file to burn.

If you are still willing to continue, and your files are still usable, I suggest the following

Open nero and burn ntfsboot.iso. We know either windows security or a critter is preventing access to the driver cache folder, but you could at least run checkdisk  chkdsk(space)c:   if mauserme thinks it worthwhile. There are some switches that can be used to fix, report, etc.

If you can figure out how to add a file to an .iso with nero, then ntfswcdd.iso would be the way to go.

I think the reason the author says xcopy may work better is that it is capable of copying a 0 byte file where copy is unable to do so. The author states that the iso file doesn't change size when files are added to it.

There is a free trial version of ultraiso available, the only limitation I see for it is file size. Can't seem to find what the size is.

As to why the second disk didn't work, I'd say if you put all the files on the cd, ntoskrnl may be trying to run.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Avast stopped working, virus?
« Reply #91 on: August 17, 2007, 03:43:59 AM »
It looks like you are going the over install route. That's okay, it's probably the best choice. What we were doing may or may not have worked. Once I get my xp machine going, I intend to try what you were doing. It's mostly curiosity to see if one can do quick patch jobs, just to get going again.

Anyway, for what it's worth, the above post is my take on what the files are.

mauserme

  • Guest
Re: Avast stopped working, virus?
« Reply #92 on: August 17, 2007, 04:46:20 AM »
It looks like you are going the over install route. That's okay, it's probably the best choice.
I think it's going to come to this in the end, so we might as well make it the plan now.

@Tech™ - Since when did you get trademarked?  ;D

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast stopped working, virus?
« Reply #93 on: August 17, 2007, 03:42:20 PM »
@Tech™ - Since when did you get trademarked?  ;D
I hate imitations ;D
The best things in life are free.

BJS

  • Guest
Re: Avast stopped working, virus?
« Reply #94 on: August 17, 2007, 08:59:37 PM »
Quote
Once I get my xp machine going, I intend to try what you were doing. It's mostly curiosity to see if one can do quick patch jobs, just to get going again.


Oldman, I could send you the files for the bootdisk if you want to try it out...

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Avast stopped working, virus?
« Reply #95 on: August 18, 2007, 06:45:22 AM »
Thanks, I'd appreciate that. I'd like to try it out and see just how much you can do from dos. There might be something there for people caught like you. I'm in the same boat, xp, but the disk (used) looks like it was used for a coaster or a frisbee.

Can you just email them please? I'll pm my address. Thanks again and let us know when you get the disk.

Badr

  • Guest
Re: Avast stopped working, virus?
« Reply #96 on: August 18, 2007, 03:39:09 PM »
I found this thread through a Google search whilst dealing with a terribly infected PC with this rootkit you are dealing with here. First of all, thanks all of you for the log files in this thread. They really helped me figure out what was going on. I was called out to fix a computer that crashed while booting (just like the system discussed here) and kept on rebooting automatically in safe boot (regardless of the do-not-automatically-reboot option being on or off).

I found all these bogus drivers like srosa.dll/sys and other files, just in the log files. I use this Utility CD by a guy called ASM51 as an emergency boot cd (the Utility CD can be found on the forums of sharevirus.com or generally on the edonkey network). With that I managed to remove those files and registry entries belonging to the rootkit. But all to no avail, the system kept on crashing.

Until it hit me, ntoskrnl.exe wasn't deleted in this case. I could find it in windows\system32 but when I went to check the dates on the file, I saw it was created/modified on August the 14th, the day the PC got infected. Bull's eye.

Luckily there were other copies of ntoskrnl.exe on the harddrive, because of service pack updates and corresponding backups done earlier. Using the Utility CD interface, I copied one of those ntoskrnl.exe to the windows\system32 folder after renaming the infected file et voila, the system started up like normal! Hope it may be of some help to others with similar problems!
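
The check described in the post above (find the ntoskrnl.exe whose timestamp matches the infection day, then look for older copies to restore from), as an added Python example that is not part of any post in this thread. It assumes the affected volume is mounted read-only from a clean boot environment; the folder layout, file contents and every date except August 14 are constructed sample data.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta

def inventory_copies(root, name="ntoskrnl.exe"):
    """List every copy of `name` under `root` with size, mtime and SHA-256."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() != name:  # Windows names are case-insensitive
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            st = os.stat(path)
            records.append({"path": path, "size": st.st_size, "sha256": digest,
                            "mtime": datetime.fromtimestamp(st.st_mtime)})
    return records

def triage(records, infection_day, window_days=1):
    """Return (suspect, older): copies modified near the infection day, and
    copies last modified before it, newest first, as restore candidates."""
    lo = infection_day - timedelta(days=window_days)
    hi = infection_day + timedelta(days=window_days + 1)
    suspect = [r for r in records if lo <= r["mtime"] < hi]
    older = sorted((r for r in records if r["mtime"] < lo),
                   key=lambda r: r["mtime"], reverse=True)
    return suspect, older

def run_demo():
    """Build a constructed sample tree (not real kernel files) and triage it."""
    sample = {  # relative path: (constructed content, constructed mtime)
        "WINDOWS/system32/ntoskrnl.exe": (b"modified", datetime(2007, 8, 14, 9, 30)),
        "WINDOWS/ServicePackFiles/i386/ntoskrnl.exe": (b"sp-copy", datetime(2004, 8, 4, 12)),
        "WINDOWS/backup/NTOSKRNL.EXE": (b"older-copy", datetime(2001, 8, 23, 12)),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (data, when) in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
            os.utime(path, (when.timestamp(), when.timestamp()))
        return triage(inventory_copies(root), datetime(2007, 8, 14))

if __name__ == "__main__":
    for label, group in zip(("SUSPECT", "older"), run_demo()):
        for r in group:
            print(label, r["mtime"], r["sha256"][:16], r["path"])
```

File timestamps can be changed by whatever modified the file, so a date match is a lead rather than proof; comparing the SHA-256 against a copy from trusted installation media is the stronger check.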

mauserme

  • Guest
Re: Avast stopped working, virus?
« Reply #97 on: August 18, 2007, 03:43:34 PM »
Thank you Badr, and welcome to the forum.

Can you post direct links?

Badr

  • Guest
Re: Avast stopped working, virus?
« Reply #98 on: August 18, 2007, 04:39:09 PM »
Thanks!

If you're referring to the Utility CD, I can post links, just don't know if it's allowed:
ed2k://|file|UTILITY%20CD%208cm%20(asm51)%20v11.30%20ISO.zip|163954088|961803D3205658917520F36D635EF9F1|/

I've been using it since the earlier versions, it always comes in handy. I do believe however the same can be accomplished with BartPE, WinPE or similar boot-off-the-CD solutions. The Utility CD uses Winternals ERD Commander 2005, which is no longer sold as such since being taken over by Microsoft.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast stopped working, virus?
« Reply #99 on: August 18, 2007, 05:17:42 PM »
Code:
ed2k://|file|UTILITY%20CD%208cm%20(asm51)%20v11.30%20ISO.zip|163954088|961803D3205658917520F36D635EF9F1|/

If this edonkey link is infected or of a pirated file, better not posting it here...
The best things in life are free.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Avast stopped working, virus?
« Reply #100 on: August 18, 2007, 07:38:05 PM »
Well that does look promising, though the permissions may still be an issue in BJS's case.

There should be two files in cab folders in the i386 folder. One in spx.cab (x=service pack installed) and one other.  These were the ones we were trying to get to but alas the access denied error.

Which file did you use?

I checked on an xp machine and found the following:

The two files are different in size, the one in the spx.cab was about 2300b and the other about 1900b. I think the smaller was the original ntkrnl.exe installed and the larger a reflection of the service pack installed.

BJS did say he downloaded a copy of ntoskrnl.exe. This would probably be an xp no service pack version and would be the same that would be extracted from an xp disk.

I think using Ultraiso to add that file to ntfswcdd.iso and burning just that iso to a cd may produce similar results as Badr had.

If BJS sends me the files, I'll try it. Or if he's willing to give it one more try....

BJS

  • Guest
Re: Avast stopped working, virus?
« Reply #101 on: August 19, 2007, 08:50:33 PM »
OK, I found someone nearby that has a XP disc with an oem number.
I have never overinstalled XP.  We have ALL of our family pictures on my wife's PC and my wife is worried that the overinstall will erase all of them.  When I put the XP disc in the tray, will it automatically install? Or will it give me some options? How can I make sure we keep all our documents and programs?
I don't want to try anything yet before I am informed about the process.

Thanks

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast stopped working, virus?
« Reply #102 on: August 19, 2007, 10:13:14 PM »
When I put the XP disc in the tray, will it automatically install?
Choose repair or update options. Do not format your disk and you won't lose anything (just windows updates that you can download again later).

How can I make sure we keep all our documents and programs?
Do NOT format the disk and your files will remain there.
The best things in life are free.

BJS

  • Guest
Re: Avast stopped working, virus?
« Reply #103 on: August 19, 2007, 11:53:50 PM »
Hello, I chose the repair option and after scanning some files, it took me to a dos command prompt.
It said "which windows installation would you like to log onto? (to cancel press enter)"

The option for repair was "r" but when we entered that in the DOS screen it said invalid.

When we pressed enter it just tried to boot but nothing was fixed.

What would I enter at the prompt? ???

BJS

  • Guest
Re: Avast stopped working, virus?
« Reply #104 on: August 20, 2007, 12:13:32 AM »
Below is from another forum (in RED).  He had the same question as me. I guess I was choosing "repair" too early.
Now I am at the screen in which I have 3 choices. Here they are.

1: To set up XP press enter

2: To create a partition in unpartitioned space, press C

3: To delete selected partition press D

> I've never had a problem running "Repair" with XP installation disk on my
> old computer but on my month old Dell I'm running into a problem... On my
> old computer I would just type "R" and it would go into the repair mode..
> Now with my month old Dell 8400with XP Home SP2 included I run the repair
> as I previously did I press "R" I get a:
>
> "Microsoft Recovery Console "Type Exit to quit Recovery Console.
> 1:C:\Windows
> Which Windows installation would you like to log onto
> (To cancel, Press ENTER)"
> I found typing 1 and enter brings me to:
> "Type Admin. Password"
> I have no password set so I just hit enter and I get:
> "C:\Windows>"
>
> Below is the procedure I usually used to repair on my old computer..
> ------------------------------------------------------------------------------------------------
> "Boot with the Windows XP CD and at the Setup Screen press the Enter Key
>
> You will be taken to the Windows XP Licensing Agreement. After reading the
> agreement press F8 to proceed
>
>
>
> The next screen gives you the option to do a fresh (clean) install or to
> "Repair the selected Windows XP installation." Press "R"
>
> Windows XP will copy the necessary files to your Hard Drive to begin the
> installation and will then reboot. You will see the message that informs
> you to "Press any key to boot the CD". Do not press any keys this time
> just wait a few seconds and the Windows Startup Screen will be displayed.
> Following this you will be greeted by the Windows XP Setup Screens.
>
>


You're selecting "Recovery Console - Repair" too early in the process. Be
patient and continue to press "enter/proceed" as if you planned to perform a
clean install.

You eventually reach a 4th or 5th menu which allows you the true "repair"
option w/o the recovery console.

I suspect this is what you're seeing.

hth


Stew


 
 
PaulT
2005-05-19, 4:46 pm

SLewis you're on the money,,,, my bad.. thank you....