fake critical error warning windows xp :-9


  • This topic is locked
148 replies to this topic

#16 wilma1313

wilma1313

    Silver Member

  • Authentic Member
  • 386 posts

Posted 16 June 2011 - 07:21 PM

Hi

It worked :woot:

Here is the ComboFix log. I will post back and let you know how things are running in a day or probably sooner; that will give husband time to use it and let me know. Thanks so much for the help.

ComboFix 11-06-15.02 - Owner 06/16/2011 19:38:36.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1648 [GMT -5:00]
Running from: c:\documents and settings\Owner.Miguel\Desktop\jgh.exe
Command switches used :: c:\documents and settings\Owner.Miguel\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner.Miguel\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-05-17 to 2011-06-17 )))))))))))))))))))))))))))))))
.
.
2011-06-16 22:28 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-15 02:14 . 2011-06-15 02:14 0 ---ha-w- c:\documents and settings\Owner.Miguel\Local Settings\Application Data\BIT7.tmp
2011-06-14 01:12 . 2011-06-14 01:12 -------- d-----w- C:\_OTL
2011-06-11 22:29 . 2011-06-11 22:29 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-11 13:26 . 2011-06-11 13:26 -------- d-----w- c:\program files\iPod
2011-06-04 21:28 . 2011-06-04 21:28 -------- d--h--w- c:\documents and settings\Owner.Miguel\Local Settings\Application Data\Garmin
2011-06-04 21:22 . 2011-06-04 21:28 -------- d--h--w- c:\documents and settings\Owner.Miguel\Application Data\GARMIN
2011-06-04 21:19 . 2011-06-04 21:19 -------- d-----w- c:\program files\Garmin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-02 15:31 . 2006-06-17 09:38 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2006-06-17 09:23 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2006-06-17 09:23 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2006-06-17 09:23 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2006-06-17 09:23 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2006-06-17 09:23 385024 ------w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2006-06-17 09:23 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-14 19:01 . 2010-11-18 00:13 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-14 19:01 . 2010-11-18 00:12 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-14 19:01 . 2010-11-18 00:12 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-04-14 19:01 . 2010-11-18 00:12 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-04-14 19:01 . 2010-11-18 00:12 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-14 19:01 . 2010-11-18 00:12 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-14 19:01 . 2010-11-18 00:12 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-14 19:01 . 2010-11-18 00:12 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-04-14 19:01 . 2010-11-18 00:12 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-14 19:01 . 2010-11-18 00:12 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-14 19:01 . 2010-11-18 00:12 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-06 21:20 . 2011-04-06 21:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20 . 2011-04-06 21:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK370]
@="{bff4e73d-267c-bcf4-4da5-d1acf704e06f}"
[HKEY_CLASSES_ROOT\CLSID\{bff4e73d-267c-bcf4-4da5-d1acf704e06f}]
2010-10-20 06:40 3491128 ----a-w- c:\program files\McAfee Online Backup\MOBK370shell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3702]
@="{79f9dbf4-54df-187d-6044-a5a7749063fc}"
[HKEY_CLASSES_ROOT\CLSID\{79f9dbf4-54df-187d-6044-a5a7749063fc}]
2010-10-20 06:40 3491128 ----a-w- c:\program files\McAfee Online Backup\MOBK370shell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3703]
@="{967bbfb6-5c39-7f69-f270-ff9bb7956f30}"
[HKEY_CLASSES_ROOT\CLSID\{967bbfb6-5c39-7f69-f270-ff9bb7956f30}]
2010-10-20 06:40 3491128 ----a-w- c:\program files\McAfee Online Backup\MOBK370shell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"gStart"="c:\garmin\gStart.exe" [2008-08-13 1891416]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 413696]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-11-12 1236992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-04-05 1195408]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
McAfee Online Backup Status.lnk - c:\program files\McAfee Online Backup\MOBK370stat.exe [2010-10-20 3653432]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\ses2_client_bin_2_8_13g\\seswiz.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
S1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/17/2010 7:12 PM 84200]
S1 MOBK370Filter;MOBK370Filter;c:\windows\system32\drivers\MOBK370.sys [3/7/2011 7:19 PM 54776]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/24/2010 10:22 PM 136176]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/10/2008 8:41 PM 206096]
S2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [11/17/2010 7:12 PM 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [11/17/2010 7:12 PM 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [11/17/2010 7:13 PM 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [11/17/2010 7:12 PM 141792]
S2 MOBK370backup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBK370backup.exe [10/20/2010 1:40 AM 216888]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [11/17/2010 7:12 PM 56064]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/24/2010 10:22 PM 136176]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [11/17/2010 7:12 PM 314088]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [11/17/2010 7:12 PM 88736]
S3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [11/17/2010 7:12 PM 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/17/2010 7:12 PM 84488]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 17:34]
.
2011-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-25 03:21]
.
2011-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-25 03:21]
.
2006-11-08 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = ibahn:80
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Gateway Game Console - c:\program files\WildTangent\Apps\Gateway Game Console\Uninstall.exe
AddRemove-KB913433 - c:\windows\system32\MacroMed\Flash\genuinst.exe
AddRemove-McAfee Uninstall Utility - c:\progra~1\McAfee.com\Shared\mcappins.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-16 20:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(256)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(896)
c:\windows\system32\WININET.dll
c:\program files\McAfee Online Backup\MOBK370shell.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2011-06-16 20:11:25 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-17 01:11
.
Pre-Run: 107,666,509,824 bytes free
Post-Run: 108,491,137,024 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 9005E54E529AC07BFDB81CEA806C7F39

#17 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 17 June 2011 - 06:39 AM

Hi wilma1313,

Are all the missing programs now visible?

Next, Double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • please note the fix starts with the :
:Services

:Files
C:\Documents and Settings\All Users\Application Data\~17162020
C:\Documents and Settings\All Users\Application Data\nmqkFApeDId.exe
C:\Documents and Settings\Owner.Miguel\Start Menu\Programs\Windows XP Restore

:Commands
[createrestorepoint]

Then click the Run Fix button at the top
  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.
  • Reboot your computer
Please post the OTL fix log.

Download and save to your desktop Malwarebytes Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Please post back with
  • OTL fix log
  • MBAM log
How's the computer?

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#18 wilma1313

Posted 17 June 2011 - 06:58 PM

I think everything is normal as far as his stuff is back. He gets constant redirects and it does not matter which search engine he uses, although I think google will never take him anywhere he wants to go now. I can't do the next steps tonight. My next opportunity will be tomorrow afternoon or evening, but I will get on it then. thanks :thumbup:

#19 oldman960

Posted 18 June 2011 - 01:06 AM

Hi wilma13,

He gets constant redirects and it does not matter which search engine he uses, although I think google will never take him anywhere he wants to go now

We will need to look deeper.

Which browser is he using? or does it happen with all browsers?


Please run the OTL fix but hold off on the MBAM scan for now.

Next

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next

Go HERE to get a randomly named copy of GMER. Scroll down to the Download section and click Download EXE. Save it to your desktop.

Before scanning with GMER, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click on the file you downloaded. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


If GMER will not run in normal windows, please run it in Safe Mode


Please post back with the
  • OTL fix log
  • GMER log
Thanks

#20 wilma1313

Posted 18 June 2011 - 09:18 PM

Hi, I do not think OTL did what it was supposed to; it seemed only to create a restore point. I checked a couple of times to make sure I copied and pasted everything in the command. I will post that log. Defogger went well till the end. It never told me to reboot though. I didn't get an error message, but it did create a log. I will post that and the OTL log. GMER ran a good 2 hr and then shut the computer down. No log of any kind. It was very difficult to get the computer running again. Everything seems very slow now. Not the internet, but the actual computer. I've been trying to get up and running to post this for a good hour. Dying to get to bed!! Anyway, here are two very short logs. I do not believe I was very productive.

He uses multiple browsers. All are redirecting most of the time; Google redirects every time, can't use that one at all. It's a lot of scour.com redirects. Sometimes it's mevio. Sometimes it's just really weird random pages.

Have a good night. I'm guessing I have to try to run GMER in safe mode tomorrow when I pick this up again??

========== SERVICES/DRIVERS ==========
========== FILES ==========
File\Folder C:\Documents and Settings\All Users\Application Data\~17162020 not found.
File\Folder C:\Documents and Settings\All Users\Application Data\nmqkFApeDId.exe not found.
File\Folder C:\Documents and Settings\Owner.Miguel\Start Menu\Programs\Windows XP Restore not found.
========== COMMANDS ==========
Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.24.0 log created on 06182011_182827

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 18:43 on 18/06/2011 (Owner)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

#21 oldman960

Posted 18 June 2011 - 09:51 PM

Hi wilma1313, That's fine, OTL shows us the files are not present so that part of the infection is gone. The Defogger result would indicate that there are no CD emulator programs to interfere with the scan results. Try GMER in Safe Mode. Thanks

#22 wilma1313

Posted 19 June 2011 - 08:38 AM

Hi, GMER shuts down the computer even faster in safe mode. Went less than a half hour. What next?

#23 oldman960

Posted 19 June 2011 - 01:21 PM

Hi wilma1313,

Let's give this a try.

Reboot your computer. When it restarts you should see a screen with startup choices. Please choose Microsoft Windows Recovery Console

1. You should now see a list of installations and the prompt "Which Windows Installation would you like to log on to?"
2. Select the appropriate number for the Windows installation that you want to repair. If you only have one, press 1.
3. When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

You should now have a C:\windows> prompt

type the following commands hitting enter after each one:

cd system32\drivers
ren volsnap.sys volsnap.old
copy C:\WINDOWS\ServicePackFiles\i386\volsnap.sys


*Note*
First line
  • there is a space after cd
  • a new command prompt, C:\windows\system32\drivers should appear
Second line
  • there is a space after ren and one after .sys
  • cursor should move down one line
Third line
  • there is a space after copy
  • you should receive a message "1 file(s) copied"
If all went as expected type exit and hit enter. Your computer will now restart in Windows.

If you did not see the expected actions or receive any messages, please Stop there and let me know what happened.

How's the computer?

#24 wilma1313

Posted 19 June 2011 - 06:46 PM

Ok I will do this tomorrow, probably evening. To get to this screen.... It takes more than a reboot right? do you get there by pressing F8 like for safe mode? Also I assume I only have one windows to repair, but how do I know for sure? thanks.

#25 oldman960

Posted 19 June 2011 - 10:06 PM

Hi wilma1313,

To get to this screen.... It takes more than a reboot right? do you get there by pressing F8 like for safe mode?

No, just reboot. A screen should be presented to you that looks like (yours will say Media Center) Posted Image

Also I assume I only have one windows to repair, but how do I know for sure?

Yes according to the boot.ini you only have one.

#26 wilma1313

Posted 20 June 2011 - 06:28 AM

I do not get that screen on reboot. I get the regular desktop with all his regular stuff?

#27 oldman960

Posted 20 June 2011 - 06:37 AM

Hi wilma1313, It's quick. It will only be displayed for 2 seconds.

#28 wilma1313

Posted 20 June 2011 - 06:57 PM

Hi, To get to the C:\Windows prompt I had to hit 2 rather than 1. 1 took me to D:miniNT. First line was fine. Second line was fine. Third line asked me if I wanted to overwrite volsnap.sys. Yes/no and something else I now can't remember were the options. I stopped because that was not addressed in your directions. It wouldn't let me just exit so I turned off the computer, which I hate doing. The computer is really slowing down. It takes 20 minutes or longer just to get it up and running now and everything takes forever. Let me know what to try tomorrow. Thanks and goodnight. :smack:

#29 oldman960

Posted 20 June 2011 - 07:40 PM

Hi wilma1313,

To get to the C:\Windows prompt I had to hit 2 rather than 1.

What was choice 1? I believe MININT is part of Windows PE.

Third line asked me if I wanted to overwrite volsnap.sys. yes/no and something else I now can't remember were the options.

That's strange. If the second line was successful then you shouldn't have been asked if you wanted to overwrite the file as the file would no longer exist with the .sys extension.

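The rename-then-copy sequence from post #23, with the check post #29 reasons about (after the rename, the name volsnap.sys must be free, so a copy should never hit an existing file), as an added example that is not part of the original thread. It is Python meant to be run against an offline or mounted copy of the Windows directory; the function names and the constructed sample tree are assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


class UnexpectedState(Exception):
    """The disk does not look the way the previous step should have left it."""


def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def set_aside(drivers: Path, name: str = "volsnap.sys", backup: str = "volsnap.old") -> str:
    r"""Equivalent of 'ren volsnap.sys volsnap.old': keep the old file, free the name."""
    active, kept = drivers / name, drivers / backup
    if not active.is_file():
        raise UnexpectedState(f"{active} is missing before the rename")
    if kept.exists():
        raise UnexpectedState(f"{kept} already exists from an earlier attempt")
    digest = sha256(active)  # record what was there before touching it
    active.rename(kept)
    if active.exists():
        raise UnexpectedState(f"{active} is still present after the rename")
    return digest


def restore_clean(drivers: Path, clean: Path, name: str = "volsnap.sys") -> str:
    r"""Equivalent of 'copy C:\WINDOWS\ServicePackFiles\i386\volsnap.sys', never overwriting."""
    target = drivers / name
    if target.exists():
        # This is the overwrite prompt from the thread: stop instead of answering it.
        raise UnexpectedState(f"{target} exists again; stop and investigate")
    shutil.copyfile(clean, target)
    digest = sha256(target)
    if digest != sha256(clean):
        raise UnexpectedState("copied driver does not match the clean source")
    return digest


def replace_driver(drivers: Path, clean: Path) -> dict:
    """Run both steps and report whether the old driver differed from the clean copy."""
    old = set_aside(drivers)
    new = restore_clean(drivers, clean)
    return {"old_sha256": old, "new_sha256": new, "old_differs": old != new}


def demo() -> dict:
    # Constructed sample tree standing in for system32\drivers and ServicePackFiles\i386.
    root = Path(tempfile.mkdtemp())
    drivers, spf = root / "drivers", root / "i386"
    drivers.mkdir()
    spf.mkdir()
    (drivers / "volsnap.sys").write_bytes(b"constructed: modified driver bytes")
    (spf / "volsnap.sys").write_bytes(b"constructed: clean driver bytes")
    return replace_driver(drivers, spf / "volsnap.sys")


if __name__ == "__main__":
    print(demo())
```

A differing `old_sha256` only shows that the two files are not byte-identical; the renamed `volsnap.old` is kept so it can be examined afterwards.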

#30 wilma1313

Posted 21 June 2011 - 05:31 PM

Hi, Hmmm, I had replied to this much earlier and somehow it did not post. Anyhow.

#1 was D:MiniNT
#2 was C:\Windows

The first step I got the new command prompt I was supposed to.
The second line I got the cursor down 1 line.
The third line I got the overwrite option .... don't know why, but line 1 and 2 both did as they were supposed to do.

Computer is horribly slow and it takes long long time to load Windows and open programs.
