Safe mode (and variations) and Last known good config not working


Jock McSquiggle

Dell C521 running XP Pro (SP3) got hit by fake anti-vir malware (XP defender
2010 I believe). Followed all advice from forums but could not rid the PC
of this and attempted a repair install. Now I cannot get into any of the Safe
Mode options and Last Known Good Config just sends me round in a loop i.e. I
get back to the selection screen again. I am now concerned this may be h/w
related but I would welcome any suggestions. Thanks in advance.
 
http://www.xp-vista.com/spyware-removal/remove-total-pc-defender-2010
Go to "how to remove.....manually"
 
I do not see how visiting a WWW page with instructions on how to
remove what Jock believes to be XP Defender 2010 will help if the
computer will not boot.

Depending on the sequence of events in troubleshooting there could be
many things wrong - especially after an attempted Repair Install. If
there have been other efforts (the all advice from other forums), they
can prevent booting too - we do not know what "all advice from other
forums" means.

The computer must be booted on something to attempt repairs.

Remember we cannot see your computer.

Please describe what "sends me around in a loop" means to you.

Pick one Safe Mode option and describe what happens when you select
it.

Describe what happens when you try to boot normally.

If you observed an

Do you have a genuine bootable XP installation CD that matches the
Service Pack of the afflicted system? This is not the same as any
System or Recovery type CDs that may have come with your system.

If you are not sure what you have, I would suggest you create a
bootable XP Recovery Console CD. Then you have a known environment -
the XP Recovery Console and from there you start troubleshooting.

I would start here:

You can create a bootable XP Recovery Console CD when no XP media is
available:

http://www.bleepingcomputer.com/forums/topic276527.html

For each of your hard disks, you should then run:

chkdsk /r

For example, from the Recovery Console prompt, enter:

chkdsk c: /r
 
Not certain, but I think /r only works from the Recovery
Console, right? If you decide to do it from a Command Prompt
use /f instead if the /r won't work.

HTH,

Twayne
 
Thanks for posting back, and my apologies for the vagueness of the original
post. Perhaps I can elaborate further?

The PC is my brother-in-law's who is not computer literate (he wouldn't mind
me saying this btw..) His PC was struck by a fake a/v alert virus and it is
similar to "XP Shield". I say similar, because the problem I have is that it
is not always evident what virus has struck, or if more than one has struck.
I also could not find an exact match on the name (XP Defender Pro 2010) in
the list maintained by Symantec at the following link
http://www.symantec.com/security_response/threatexplorer/azlisting.jsp?azid=X

However I satisfied myself that it was one of those listed by Bleeping
Computers at the following link
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010

Their description of the behaviour of this virus matched exactly what was
happening on the infected PC. Additionally I could not use Task Manager which
was disabled, and also I could not boot into Safe Mode or run Malwarebytes.

At this stage I decided to attempt a repair install which appeared to go
99.9% okay except that towards the very end it 'hung' on the Windows XP
splash screen with the message 'please wait' So I did. And waited and
waited, and nothing appeared to be happening. At this stage I took the only
option that I thought was open to me and I pressed the power button to turn
the PC off. When I rebooted I was immediately met with the screen that says
there has been a problem and lists the options open to me namely Safe mode,
with n/working and with command prompt and Last Known Good config. Selecting
any of these sends me round in a loop. I.e. the system reboots and gives me
the same message and the options open to me. But none of them work i.e. I
can't boot into Safe Mode or other options.

The disc I was using for the 'Repair' install was one shipped with the PC
and is called "Re-installation CD Microsoft WindowsXP Professional Service
Pack 2"

I also used the Dell diagnostics for the problem "PC won't boot the OS" and
all checks that were done passed okay, so I am at a bit of a loss as to what is
happening here. The PC's data was backed up to D: drive prior to doing the
'repair' install and if needs be I can do a clean install, but was hoping I
wouldn't have to.
 
Heh-heh...

I am still standing by my original advice - make a bootable Recovery
Console CD.

It sounds like the CD you have is not a genuine bootable XP
installation CD - it is some kind of manufacturer installation/
reinstallation CD which, if you use it, may get your system running
(maybe not) and would set your system to an as shipped from the
factory configuration (this may not be your desire).

If you have to do a clean install, I would not use the manufacturer CD
anyway because it is going to be dated. If you decide you must
do a clean install, it would be worth it now and worth it later to
just make a copy of a genuine bootable XP installation CD (Home or
Pro) and slipstream SP3 into it and make yourself a real XP
installation CD that is at least sort of up to date (that is another
fun project for another day perhaps). First, fix what you have.

Not being able to run Task Manager or MBAM is a very common symptom of
a malware infection and it is generally a simple process to outsmart
the malware so you can run those things. First, you need to boot on
something so you have some maneuvering room.

Understand that malware will afflict your system in ways that will
prevent you from removing it. The malware knows about things like TM,
regedit, explorer, a command prompt and very especially it knows about
MBAM and it knows that those are the tools that you will use to find
and remove it.

It does not want you to find and remove it - it wants you to think you
need to reinstall XP. It will not let you run those things, the
afflicted user will eventually give up and reinstall (or Repair), but
you can outsmart it. It is almost laughable, but it's working pretty
good, huh? The malware is really laughing at you (and sometimes me).
You're doing fine so far so don't misunderstand my bluntness, but you
gotta think like malware.

Did your troubleshooting methods involve using msconfig in any way?
Malware knows about that too. Why? Because it knows you can/will/
might use msconfig to help you get your system going when it is
infected, so the malware will break that part too.

If you boot RC, you can at least run chkdsk /r - and you really need
to run chkdsk /r if you had to resort to the power button. It does
not make sense to start trying other things until the integrity of
your file system has been verified and chkdsk /r can probably fix that
for you. Maybe it is fine, maybe not but if you boot RC and run
chkdsk /r, you will not be wondering about it.

When that is done, then you can continue troubleshooting...
 
It's quite possible the malware was never completely removed. More
comments inline.

Jock said:
Thanks for posting back, and my apologies for the vagueness of the
original post. Perhaps I can elaborate further?

The PC is my brother-in-law's who is not computer literate (he
wouldn't mind me saying this btw..) His PC was struck by a fake a/v
alert virus and it is similar to "XP Shield". I say similar, because
the problem I have is that it is not always evident what virus has
struck, or if more than one has struck. I also could not find an
exact match on the name (XP Defender Pro 2010) in the list maintained
by Symantec at the following link
http://www.symantec.com/security_response/threatexplorer/azlisting.jsp?azid=X

However I satisfied myself that it was one of those listed by Bleeping
Computers at the following link
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010

Their description of the behaviour of this virus matched exactly what
was happening on the infected PC. Additionally I could not use Task
Manager which was disabled, and also I could not boot into Safe Mode
or run Malwarebytes.

At this stage I decided to attempt a repair install which appeared to
go 99.9% okay except that towards the very end it 'hung' on the Windows
XP splash screen with the message 'please wait'

If the malware is still there, a Repair Install won't work.

(The CD you described contains Recovery Console, which ordinarily can be
a useful tool. However, if a Repair Install won't work, the system is
very likely compromised to the point that a Clean Install is warranted.)

Since you have the correct XP installation CD, I would make sure all the
data is backed up and perform the Clean Install. It's guaranteed to work
and will probably take less time in this particular situation.

Before you perform the Clean Install, make sure you have the following:

1. All the data securely backed up

2. All the installation files, CDs, etc. for all the programs

3. SP3

4. Drivers specific to that model




So I did. And waited
 
Again, thanks for posting back and here is an update to my original post. I
managed to get round the 'Safe Mode looping' scenario, by using the Recovery
Console from the disc I mentioned and followed the instructions at the
following link.
http://www.geekstogo.com/forum/Cannot-complete-WindowsXP-repair-install-Safe-Mode-t92558.html

This at last allowed me to boot into Safe Mode and I managed to complete my
repair install. (this still hung at the Windows XP splash screen but from
what I have read on other forums this may be a video driver problem but I
still have to check this out).

I then ran MBAM which reported a whole host of threats, 24 in total, which I
quarantined and deleted. Or so I thought. On re-running MBAM it still
reported on 4 registry keys and although choosing to quarantine and delete
them, on rebooting to remove them, and re-scanning, they are still there!!

I have not tried to remove these via regedit, but do you think that would
work? With regards to creating a Recovery Console disc, if I can use the one
from my original shipped disc, is that not the same program? Also as part of
the Dell diagnostics, I used their troubleshooting menus to check out memory
and the hard drives, and all passed okay. Does CHKDSK do something different
from Dell's diagnostics? I appreciate you taking the time to post back.
 
That's good.

If we had used the RC CD (you might have made one) and run chkdsk /r
and still not booting, I would have then suggested using RC to just
delete the likely afflicted boot.ini file (XP does not need one to
start), then boot, then repair/recreate the boot.ini. If some malware
detects you are trying to remove it by adjusting your boot.ini, it will
fix your system so it will never boot again in any mode. Sound
familiar? That is why I asked about did you use msconfig in your
troubleshooting. The solution: boot RC, chkdsk /r, delete/rename the
suspicious boot.ini, reboot without one, continue... That is what
your article does essentially - create a new boot.ini (still need RC
to do it though). I am quite hung up on fixing these silly problems
starting with RC, aren't I.

MBAM is good, but no scanning software knows everything so I would do
this too:

Perform some scans for malicious software, then fix any remaining
issues:

Download, install, update and do a full scan with these free malware
detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware (SAS): http://www.superantispyware.com/

They can be uninstalled later if desired.

MBAM and SAS should run clean eventually. Do not run MBAM in Safe
Mode if it is ever suggested - and it will be (read their
documentation).

If you still have some leftovers it would be prudent to get a second
opinion before just editing the registry to delete them - sometimes
you have to and sometimes the messages from MBAM are a little
misleading - it says registry something or another, but that may not
be the best way to fix it when you know how to interpret what the report
really is trying to tell you. You have to interpret the messages and
report sometimes.

If you have leftovers, post up your MBAM report of just the items of
interest and we can help you decide what to do.

I still don't know what CDs you have. Manufacturer CDs are fairly good
coasters. I would rather make my own emergency CDs so I know what I
have with certainty. When you get done, install RC as a boot option
on your system and you will not have so much trouble if you get in a
jam again some other day.

I thought of some other things malware will do to convince you to do a
Repair Install or total reinstall - it will fix System Restore so it
doesn't work and it knows you are likely to use Google or Bing to
research your problem so it will fix your browser so it either doesn't
work at all or fix it so if you try to go to google.com, you will end
up where it wants you to go instead. That way, you can't research it,
figure out how to remove it and "think" or be told you must reinstall.

It is all just a trick. I have never done a Repair Install (except to
practice) or a total Reinstall for anything - ever. The malware will
not win over here.
 
I did as you suggested and ran chkdsk /r but from the recovery Console as
supplied on the disk I mentioned in my previous post. (I cannot create a RC
CD just now as you suggested as I do not keep handy any blank CD's as I do
not download/burn music/movies, and all my backup is done to an external
500GB hard drive. This PC is also at my home so I do not have an internet
connection currently). Chkdsk took a while to run and had me worried as I was
watching its overall progress and at one stage it went from 71% complete back
to 50% complete, but it then continued on and finished with statistics being
displayed. I exited RC and rebooted.

I then signed back on and searched for a boot.ini file but it could not find
one on my c: drive. Should there be? Also at no stage have I used msconfig in
my troubleshooting. I also have SuperAntiSpyware loaded and have run that and
quarantined what it found. Additionally I have SpyBot installed and have also
run/deleted what it found. Coming back to MBAM I have run this again and
again but despite trying to delete what it has found, some of them seem to be
persistent and cannot be removed. I can post details of these entries back to
you if you wish.

This PC is still infected because I tried using the inbuilt Help and Support
but it is not loading. I am now at the stage where I think a clean install is
required to rid this PC of these persistent objects/entries, unless there is
anything I have missed or have done incorrectly.

PS I have previously done a re-install of XP Home on my brother's PC so I am
not too worried if I have to do one on this PC, but it would be nice if I
didn't have to!!
 
Chkdsk does sometimes seem to run backwards - my advice is to be
patient and it is impossible to tell how long it will take, how big is
your drive, how much used, free, what kind of problems, etc. It can
be frustrating but if it is not totally stuck, I would just leave it.

The boot.ini is a hidden system file, so if you are using Explorer
navigate to c:\ and click Tools, Folder Options, View and enable Show
hidden files... and uncheck Hide extensions for known file types. You
will see a few more curious things and your c:\boot.ini if you have
one.

You also have to tell Windows Search to look at these hidden system
files or it will not find them. If Search doesn't find it, it doesn't
mean something is broken - maybe it is not set up to search for these
kinds of files.

You do not need a boot.ini file to boot a general purpose XP box - XP
will complain but still boot, so the answer is there should be, but
there doesn't have to be.

Malware will sometimes afflict your system in such a way that it will
not boot, or if you add certain options using msconfig, you will not
boot either. It is still trying to trick you into reinstalling. Of
course you would want to have a good boot.ini file just to not see the
complaint!

It is just a text file and here is an example of a basic one from C:\:

[boot loader]
timeout=5
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn


When you say Inbuilt Help and Support, do you mean when you click
Start, Help and Support it does not work or gives you an error? What
is the error?

Help and Support is also a popular target for malware, but not too
hard to fix.

The scanning programs MBAM and SAS do a good job, but they can't tell
if something has been turned off or disabled on purpose or by malware,
so instead of just changing the settings that might not make sense to
it, they leave them alone. Depending on the severity of the findings,
sometimes they will at least show the suspicious item to you and let
you decide what to do.

If malware really wanted to be malicious, it would really do some
damage - like delete your My Documents folder or something like that.
Instead, it just tries to annoy you. The only time folks seem to lose
things is when they think there is no other option and then they give
up and choose to reinstall XP - but the malware didn't delete their
stuff....

I would be very interested in seeing your MBAM logs. Sometimes things
are not problems, but noteworthy and MBAM is just calling it to your
attention.
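
An added example, not part of the posts in this thread: a small Python check of a boot.ini's internal consistency, meant to be run against a copy of the file. It verifies that default= names an entry under [operating systems] and reports any /safeboot switch (the one msconfig's BOOT.INI tab writes, which forces Safe Mode on every boot); the function names and the DAMAGED sample are constructed for illustration, and only multi() paths are validated.

```python
import re

# multi() ARC path, the form used in the boot.ini shown in the post above.
ARC_RE = re.compile(r"^multi\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\((\d+)\)\\.+$", re.I)

# The basic file from the post above.
BASIC = r"""[boot loader]
timeout=5
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
"""

# Constructed for this example: default= points at a partition that has no
# entry, and the only entry carries a /safeboot switch.
DAMAGED = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /safeboot:minimal
"""


def parse_boot_ini(text):
    """Return (settings, entries) for [boot loader] and [operating systems]."""
    settings, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line
        if section == "boot loader":
            settings[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            # value looks like: "Menu label" /switch1 /switch2
            m = re.match(r'^"([^"]*)"\s*(.*)$', value.strip())
            label = m.group(1) if m else value.strip()
            switches = m.group(2).lower().split() if m else []
            entries.append({"path": key.strip(), "label": label, "switches": switches})
    return settings, entries


def check_boot_ini(text):
    """List the problems found; an empty list means the file is consistent."""
    findings = []
    settings, entries = parse_boot_ini(text)
    if not entries:
        findings.append("no [operating systems] entries")
    default = settings.get("default")
    if default is None:
        findings.append("no default= in [boot loader]")
    elif default.lower() not in [e["path"].lower() for e in entries]:
        findings.append("default= does not match any entry: " + default)
    for e in entries:
        if not ARC_RE.match(e["path"]):
            findings.append("path not in multi() form (not validated): " + e["path"])
        for s in e["switches"]:
            if s.startswith("/safeboot"):
                findings.append("forced Safe Mode switch %s on %s" % (s, e["label"]))
    return findings


def default_partition(text):
    """Partition number the default= line boots from, or None."""
    settings, _ = parse_boot_ini(text)
    m = ARC_RE.match(settings.get("default", ""))
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for name, sample in (("BASIC", BASIC), ("DAMAGED", DAMAGED)):
        print(name, "partition", default_partition(sample), check_boot_ini(sample))
```
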
 
Pasted below is the log from my last MBAM scan and I hope this may help you.
I searched as you suggested for boot*.* using the 'search for hidden files
and folders' option. It did find various files including boot.ini.CAB but not
one actually called just boot.ini. The contents of this file are as follows

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


Help and Support is accessed thru the Start Menu but is not accessible which
makes me believe the PC is still infected. Chkdsk appears to have run and
fixed some disc errors successfully.

The log from MBAM (it says these have been deleted but re-scanning shows
they are still there)

+++++++++++++++

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

06/04/2010 08:18:50
mbam-log-2010-04-06 (08-18-50).txt

Scan type: Quick scan
Objects scanned: 135354
Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\John Etherson\Local Settings\Temp\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\John Etherson\ctfmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.

end

++++++++++++++++

--
O++++++++++++&++++++++++++O

