Archive - Windows recovery mode admin password help!

The archive is a frozen moment from a previous version of this forum, with different rules and different bosses. These posts in no way reflect our current ideas, values or world views and have been censored in some places as inadmissible. Many were written in a different spirit of the times, ironically or not - as in the ironic Off-Topic subforum - and would not (be allowed to) be posted today. We still like to offer this archive as an information database and reference work. Read more about it here or start a conversation with others.

krawler

Legacy Member
Yo,

I recently got a rootkit virus. I struggled with it for a long time, but I found the solution.
Now the problem is that I need to get into recovery mode.
Boot from CD... check
Press R for recovery mode... check
And then I have to choose which Windows installation (D: is the backup); I enter C
and then it asks for the Administrator password.
There is only 1 account on this PC and it is mine, and I have a password set on my account. Is that the correct password?
I enter it and it says it is invalid... I change the keyboard layout to Belgian Dutch... still nothing... I try with capital letters, no effect.
I go back to Windows, change the password of my account and try again. Nada... doesn't work.

Does anyone have a solution?
Sorry for this crappy description... I didn't sleep last night! Damn you rootkit B...

Yo

vinteg

Legacy Member
Have you already tried pressing Enter without typing anything?

krawler

Legacy Member
vinteg said:
Have you already tried pressing Enter without typing anything?

Just did.
And that worked!
Wow... absurdly simple.
But thanks a lot!

Yo

Exit

Legacy Member
Administrator exists by default on every XP installation, but on the Home edition it is only usable (visible) in safe mode,
and for the Recovery Console you have to use that one.

Usually there is no password on it either, unless one was set during the Windows installation.

krawler

Legacy Member
Thanks for the feedback, both of you.
Now, I can't get the virus off...
so I'm thinking of a format.
Is it wise to move my important files (music, school, photos, etc.) to an external drive and then format?
Or too risky?
It's clear that the virus is mainly in my System32 folder.
I was fairly convinced it was Rustock B... but the fix for it doesn't work.
(By the way, it's the notorious Stop: 0x0000008e problem)

Edit: I've added the AntiVir report.

Avira AntiVir Personal
Report file date: vrijdag 28 november 2008 22:46

Scanning for 1038808 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: macin
Computer name: MACIN2

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: vrijdag 28 november 2008 22:46

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'UAService7.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'NinjaVideo Helper.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'mscorsvw.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'CCC.exe' - '1' Module(s) have been scanned
Scan process 'DLG.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'CTDetect.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'MOM.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'stsystra.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
39 processes with 39 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '58' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8RSTCDWX\mss32[1].exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49a36782.qua'!
C:\Documents and Settings\macin\Local Settings\Temp\TDSS79ef.tmp
[DETECTION] Is the TR/Patched.CL Trojan
[NOTE] The file was moved to '49836844.qua'!
C:\Documents and Settings\macin\My Documents\SFTPMSI.exe.part
[0] Archive type: NSIS
--> ProgramFilesDir/setup.exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\macin\My Documents\My Games\sysshock2.zip
[0] Archive type: ZIP
--> Sshock2.exe
[1] Archive type: ACE SFX (self extracting)
--> 00000409.016
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\WINDOWS\SoftwareDistribution\Download\0a120212db9f8797932f46def01672fc\BIT16.tmp
[0] Archive type: CAB (Microsoft)
--> _sfx_0002._p
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\WINDOWS\system32\ahbokwk.dll
[DETECTION] Is the TR/Fakealert.abz.6 Trojan
[NOTE] The file was moved to '49928577.qua'!
C:\WINDOWS\system32\svchost.exe:ext.exe
[DETECTION] Is the TR/Agent.wyi.1 Trojan
[NOTE] The file was moved to '499385d7.qua'!
C:\WINDOWS\system32\TDSShrxx.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.adb back-door program
[NOTE] The file was moved to '498385a8.qua'!
C:\WINDOWS\system32\TDSSoiqt.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.JW back-door program
[NOTE] The file was moved to '48f851e9.qua'!
C:\WINDOWS\system32\TDSSvkql.dll
[DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.acs back-door program
[NOTE] The file was moved to '498385aa.qua'!
C:\WINDOWS\system32\drivers\ati4msxx.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\TDSSpqlt.sys
[DETECTION] Contains recognition pattern of the RKIT/TDss.G.22 root kit
[NOTE] The file was moved to '4983864a.qua'!
C:\WINDOWS\Temp\BN2.tmp
[DETECTION] Is the TR/Proxy.GHY Trojan
[NOTE] The file was moved to '4962866d.qua'!
C:\WINDOWS\Temp\BN3.tmp
[DETECTION] Is the TR/Proxy.GHY Trojan
[NOTE] The file was moved to '4963866d.qua'!
C:\WINDOWS\Temp\BN38.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4818522e.qua'!
C:\WINDOWS\Temp\BN39.tmp
[DETECTION] Is the TR/Proxy.GHY Trojan
[NOTE] The file was moved to '4963866e.qua'!
C:\WINDOWS\Temp\BN4.tmp
[DETECTION] Is the TR/Proxy.GHY Trojan
[NOTE] The file was moved to '4964866e.qua'!
C:\WINDOWS\Temp\BN5.tmp
[DETECTION] Is the TR/Proxy.GHY Trojan
[NOTE] The file was moved to '4965866e.qua'!
C:\WINDOWS\Temp\BN6.tmp
[DETECTION] Is the TR/Proxy.GHY Trojan
[NOTE] The file was moved to '4966866f.qua'!
C:\WINDOWS\Temp\BN7.tmp
[DETECTION] Is the TR/Proxy.GHY Trojan
[NOTE] The file was moved to '4967866f.qua'!
C:\WINDOWS\Temp\BN8.tmp
[DETECTION] Is the TR/Proxy.GHY Trojan
[NOTE] The file was moved to '4968866f.qua'!
C:\WINDOWS\Temp\BN9.tmp
[DETECTION] Is the TR/Proxy.GHY Trojan
[NOTE] The file was moved to '49698670.qua'!
C:\WINDOWS\Temp\BNA.tmp
[DETECTION] Is the TR/Proxy.GHY Trojan
[NOTE] The file was moved to '49718670.qua'!
C:\WINDOWS\Temp\BNB.tmp
[DETECTION] Is the TR/Proxy.GHY Trojan
[NOTE] The file was moved to '49728671.qua'!
Begin scan in 'D:\' <RECOVERY>


End of the scan: zaterdag 29 november 2008 01:03
Used time: 2:17:09 Hour(s)

The scan has been done completely.

11300 Scanning directories
490515 Files were scanned
20 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
20 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
490492 Files not concerned
2581 Archives were scanned
6 Warnings
20 Notes

D--Amo

Legacy Member
Maybe it's best to post a log in the HiJackThis Logs section. They will definitely be able to help you further there.