Infection has deleted SafeBoot



Quincy
2008-01-24, 19:14
An infection has deleted SafeBoot from Registry. HKEY-LOCAL-MACHINE\SYSTEM\CurrentControlSet\Control\

Running Spybot or Hijack This returns the message - not a Win32 application.

When I try to run CA AntiVirus I get as far as its control panel but it will not run a scan.

I can run XoftSpySE and it detects Bagle IX Worm and Downloader Bagle GI Trojan, it lets me delete them but they come straight back again.

I am running XP Pro. I have an old System Backup archive on a separate drive along with a floppy boot as a last resort.

Any help will be most gratefully received!

Blade81
2008-01-27, 21:52
Hi

You've most likely got Bagle there.

Download and install TrendMicro HijackThis (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe)
* Once installed, open HijackThis by clicking Start > Programs > HijackThis and click the button labeled "Do a system scan only".
* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete, the scan button will now read "Save log". Click this button to save the log file to your PC. Once you select where you would like to save the file, it will open in your system's default text editor. Typically this application is Notepad. Post the log here.


Download GMER (http://www.gmer.net/gmer.zip) and save it to your desktop:
* Extract it to your desktop and double-click GMER.exe.
* Click the rootkit tab and then Scan.
* Don't check the "Show All" box while scanning is in progress!
* When scanning is finished, click Copy. This copies the log to the clipboard.
* Post the log in your reply (post it as an attachment if it doesn't fit in your post).

Blade81
2008-02-01, 19:26
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.