62 replies to this topic

[MeNeedHelpz]

I run a Windows Xp Home Edition. My computer also has Norton Security Suit v.4.3.0.5. Recently my computer got a virus. Norton Anti-Virus detected a virus. When i clicked for more details, it said the virus was called suspicious.mystic and that it had quarantined a file called temp.tmp in the system32 folder as well as a file called explorer.exe. Now when i reboot my computer, there is no task bar, start menu, and desktop icons and i have to run everything from task manager. Norton also continually detects the virus and quarantines the file "temp.tmp" but when i go to the system32 folder, there never is a temp.tmp file. Also, norton comprehensive scan comes up with nothing. Also my internet connection sometimes abruptly teminates and occasionally when i click on one of the google search links, it redirects. Please help.

[MeNeedHelpz]

For some reason I can't copy paste the hijack this log on. Whenever i hit submit, it takes me to a "internet cannot display the webpage" page. Also it seems that im not able to upload the log as a text file.

[CatByte]

Hi It would appear as though Norton has quarantined your explorer.exe file do you have your installation disk handy, from where we can copy a good one? what Service Pack do you have installed?

[MeNeedHelpz]

Yes i have the installation disk. The installation disk is "Microsoft Windows XP Home Edition Including Service Pack 1a" Im not sure if it will work though. It seems that i have the same problem as hxxp://forums.whatthetech.com/index.php?showtopic=114548&st=0 except im running a different OS.

[MeNeedHelpz]

The following is from the hijackthis.exe log but i cant copy the whole thing: Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal

[CatByte]

Please do the following:

Insert your XP Installation disk

then you will need to do the following:

In task manager go to file > new > type cmd > OK

This will open the command prompt window.

Now type in the following red text exactly as seen at the command prompt. (if your cd drive is not D - change it to the appropriate letter)

expand D:\i386\explorer.ex_ C:\explorer.exe
expand D:\i386\winlogon.ex_ C:\winlogon.exe


(take note of the spaces, especially the space between .ex_ and C:\ - it needs to be there)

Please let me know that the command executed properly - you should see something like "expanded to {xxxxxx} bytes, {xx}% increase"

(if you did not get this message do not continue but report back with the error message)

If you received verification the files expanded successfully please do the following:



We need to boot into the recovery console - if you have the recovery console already installed then

Restart your computer

Before Windows loads, you will be prompted to choose which Operating System to start (be fast you only have a couple of seconds)

Use the up and down arrow key to select Microsoft Windows Recovery Console

You must now enter which Windows installation to log onto. (usually 1) Type 1 and press enter.

When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER

A command prompt will open:


If Recovery Console is not already installed, then you will need to access the Recovery Console from your Installation CD

• Insert the Windows XP cd in your computer.
• Restart your computer so you are booting off of the CD.
• When the Welcome to Setup screen appears, press the R button on your keyboard to start the Recovery Console.
• The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.
• It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.
• you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.

At the C:\Windows prompt, type the following bolded text, and press Enter:

ren C:\windows\explorer.exe explorer.bad
ren C:\windows\system32\winlogon.exe winlogon.bad
copy C:\explorer.exe C:\windows\explorer.exe
copy C:\winlogon.exe C:\windows\system32\winlogon.exe

take note of the spaces

make sure you get the message that the file(s) were copied successfully.


If you did not get a message that the files were copied successfully you will have to name explorer.bad & winlogon.bad back to .exe or the computer will not boot.


Note: Your explorer.exe may actually be missing from where it is supposed to be, in which case, you will not be able to rename the old one, but as long as the new one is copied to the correct location, you will be good.

Once you are done type exit to leave the recovery console and reboot.


Print out these instructions before you start > if you have any questions about this procedure, please ask.


Let me know if you can now boot to your desktop normally


If you can run the following diagnostic programs

Hi,

Please do the following:


Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

• Disable any script blocking protection
• Double click dds to run the tool.
• When done, two DDS.txt's will open.
• Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT


Download GMER Rootkit Scanner from here to your desktop. It will be a randomly named executable.

• Double click the exe file.
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  
  
  Click the image to enlarge it
  
• In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop, and attach it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

[MeNeedHelpz]

So I did the expand commands in the command prompt and they worked. However when I start te computer and press f12 for the boot menu, there is no recovery console

[MeNeedHelpz]

Nvm I got it to work. I'll update u on the status asap. Using my itouch to stay on the forum while I do what u said

[MeNeedHelpz]

Did the recovery thing and it copied both files successfully. However, now when I boot, after the windows loading screen, where the select user account screen should be, I get a black screen with the mouse cursor.

[CatByte]

what message did you receive in the recovery console when you copied the explorer.exe to c:\windows?

[MeNeedHelpz]

I got the message "1 file(s) copied." for both of them.

[MeNeedHelpz]

Also, when I boot up, after I get the black screen, about 10 seconds later, the computer "clicks" and the fan turns off, however the computer is still on. (the power button is still lit)

[CatByte]

take the XP CD out of the tray and reboot normally do not press any key to boot from CD will it boot now?

[MeNeedHelpz]

Still a black screen after the blue "windows is starting up" screen

[CatByte]

OK Put the XP CD back into the tray and reboot but do NOT press any key to boot from the CD - just have it in the tray...see if it boots, if not we will rename winlogon back as the issue now seems to be with that file, when you copied the file did you copy it to the c:\windows\system32 folder or just to c:\windows