Al iniciar win xp sale un gestor de arranque (SOLUCIONADO)

[cristianjoan]

Hola amigos escribo por que creo que esta es mi ultima opcion
al iniciar mi sistema windows xp sp2 me sale algo parecido a un gestor de arranque, mejor dicho como si iniciara con las opciones de inicio avanzado de win xp, solo que las opciones dicen lo siguiente:
AUN usas windows . . ?
Linux . . . busca un reto
el sistema funciona y arranca windows utilizando cualquiera de las dos opciones y aunque aparentemente no hace nada mas no confio mucho en ello, ademas es molesto.
Agradezco inmesamente toda la colaboracion que me puedan brindar.

P.D. ya pase el spyboot, el avast, el panda online, el delpsguard, y el ccleaner.
cuando corria el avast aparecio un hechicero de caricatura al lado derecho de la pantalla que con una inscripcion decia cuidado ahi viene el antivirus! (o algo asi) y sale por el borde de la pantalla.

De nuevo muchisimas gracias

[msc hotline sat]

Sí, está controlado por McAfee desde el mes pasado como W32/BOOTMERLIN:

http://vil.mcafeesecurity.com/vil/content/v_141514.htm

La madre del cordero es un CSRSS.EXE que se crea en C:\windows\system , ojo, no en system32, que hay el CSRSS.EXE del sistema !

Envianos muestra de este fichero y desarrollaremos una utilidad para su eliminacion

recuerda: viewtopic.php?f=2&t=45334

y nos has de enviar c:\windows\system\csrss.exe

Como comentario, se propaga a traves de memorias USB, lo cual se está poniendo de moda, e infecta los PC por solo insertar en ellos una memoria USB infectada con este virus.

saludos

ms, 21-03-2007

nota: descripcion de McAfee:

McAfee > Theat Center > Virus Detail Page
Navigation
Content
Extra Content
Footer
Navigation
Utility Navigation
Search Contact Us About McAfee Threat Center Global Sites
Australia Brasil China Deutschland Espana France Hong Kong Italia Japan Korea Latin America Singapore Taiwan United Kingdom United States Segment Navigation
Home & Home Office Small & Medium Business Enterprise Partners
Section Navigation
.

Content
W32/BootMerlinType Virus SubType Win32 Discovery Date 02/19/2007 Length Varies Minimum DAT 4966 (02/19/2007) Updated DAT 4966 (02/19/2007) Minimum Engine 4.4.00 Description Added 02/20/2007 Description Modified 02/22/2007 6:06 AM (PT) Type
Type of threat.
SubType
Additional type information.
Discovery Date
Date that AVERT discovered this threat.
Length
File size, in bytes, of the threat.
Minimum DAT
McAfee DAT files contain detection and repair information for threats. The Minimum DAT field specifies the lowest/oldest DAT version that is capable of detecting the first incarnation of a threat, and the release date. The highest/newest DAT version should always be used for the most complete protection and are available on the Anti-Virus Updates page.

Each description displays the minimum, fully tested, DAT version that includes regular detection for a particular threat. These fully tested DATs are released on a daily basis. If necessary, they are also released when a Medium, Medium On Watch, or High risk threat is discovered. An EXTRA.DAT will also be posted for these more prevalent threats, if necessary.

For each description listed, detection is always available. In the event that the DAT version specified is not yet available, an EXTRA.DAT file may be downloaded via the McAfee AVERT Extra.dat Request Page. Alternatively, minimally tested HOURLY BETA DAT files are available for downloading.
Updated DAT
McAfee DAT files are constantly being updated to enhance detection capabilities. The Updated DAT field specifies the released DAT version that contains the most up to date detection.
Minimum Engine
The scan engine uses the DAT files to detect threats. The Minimum Engine field specifies the lowest/oldest engine version that is capable of detecting this threat. The highest/newest engine version should always be used for the most complete protection and are available on the Anti-Virus Updates page.
Description Added
Date/time this description was published using Pacific Time.
Description Modified
Date/time this description was last modified using Pacific Time.
Risk Assessment
Corporate User Low
Home User Low Tab Navigation
Overview Characteristics Symptoms Method of Infection Removal Variants All Information Overview
This detection covers a virus written in MS VisualBasic that modifies the C:\Boot.ini file to display a message at boot time.





Characteristics

This detection covers a worm written in MS VisualBasic that modifies the C:\Boot.ini file to display a Spanish message at boot time.



Upon execution, it can also be displaying a Wizard animation "speaking" in the Spanish language.


W32/BootMerlin can make copies of itself bearing the MS Word icon, in the following location(s):

%Windir%\System\csrss.exe %Windir%\System32\dllcache\G-Vulcan-III.exe X:\Recuerda que te quiero.exe X:\LINEAS TELEFONICAS SIJIN VIEJA.exe X:\PODER SALDARRIAGA1.exe X:\SOLICITUD A MI GENERAL.exe X:\SEGURO BTA EQUIPOS.exe X:\CURSO CONSTITUCIONAL.copia.exe(Where X: are the drive letter(s) used on the infected machine; %Windir% is the Windows folder, e.g. C:\Windows. A legitimate copy of csrss.exe may reside in %Windir%\System32 which is a part of the Windows operating system)

It installs the following registry key(s) to start at Windows boot up:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ "WinSound" = "%Windir%\System\csrss.exe"The C:\Boot.ini should be restored manually to the original settings (see removal section).




Symptoms

Wizard animation advocating anti-Microsoft messages in Spanish C:\Boot.ini modified Anti-Windows or Anti-Microsoft messages displayed by Windows Boot Manager at boot up time. Presence of the file(s) mentioned. Presence of the registry key(s) mentioned.




Method of Infection

W32/BootMerlin is a worm that can make copies of itself over mounted network drives. It may infected other systems using the same network drives.




Removal

This virus can C:\boot.ini to display anti-MS Windows messages in Spanish. These messages can be removed using a text editor, for example:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="AUN Usas Windows..?"/fastdetect

edit it to become:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="{your original operating system name}" /fastdetect {your original boot up options where applicable}

Do not modify any other parts of the C:\boot.ini file. Also check under My Computer->Properties->Advanced->Startup and Recovery Settings that It is pointing to the default operating system that was originally configured for.


Variants
Variants
N/A

All Information
Overview -

This detection covers a virus written in MS VisualBasic that modifies the C:\Boot.ini file to display a message at boot time.






Characteristics
Characteristics -

This detection covers a worm written in MS VisualBasic that modifies the C:\Boot.ini file to display a Spanish message at boot time.



Upon execution, it can also be displaying a Wizard animation "speaking" in the Spanish language.



W32/BootMerlin can make copies of itself bearing the MS Word icon, in the following location(s):

%Windir%\System\csrss.exe %Windir%\System32\dllcache\G-Vulcan-III.exe X:\Recuerda que te quiero.exe X:\LINEAS TELEFONICAS SIJIN VIEJA.exe X:\PODER SALDARRIAGA1.exe X:\SOLICITUD A MI GENERAL.exe X:\SEGURO BTA EQUIPOS.exe X:\CURSO CONSTITUCIONAL.copia.exe(Where X: are the drive letter(s) used on the infected machine; %Windir% is the Windows folder, e.g. C:\Windows. A legitimate copy of csrss.exe may reside in %Windir%\System32 which is a part of the Windows operating system)

It installs the following registry key(s) to start at Windows boot up:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ "WinSound" = "%Windir%\System\csrss.exe"The C:\Boot.ini should be restored manually to the original settings (see removal section).




Symptoms
Symptoms -

Wizard animation advocating anti-Microsoft messages in Spanish C:\Boot.ini modified Anti-Windows or Anti-Microsoft messages displayed by Windows Boot Manager at boot up time. Presence of the file(s) mentioned. Presence of the registry key(s) mentioned.




Method of Infection
Method of Infection -

W32/BootMerlin is a worm that can make copies of itself over mounted network drives. It may infected other systems using the same network drives.

[cristianjoan]

Efectivamente este si era el problema lo solucione en primer lugar pasando el panda en linea el cual detecto el virus y lo elimino pero la entrada del boot.ini debi arreglarla manualmente, hasta el momento el equipo funciona correctamente y el problema fue solucionado.

Agradezco inmensamente su ayuda.

[msc hotline sat]

Pues es una pena que antes no nos enviara lo que le pediamos:

La madre del cordero es un CSRSS.EXE que se crea en C:\windows\system , ojo, no en system32, que hay el CSRSS.EXE del sistema !

Envíanos muestra de este fichero y desarrollaremos una utilidad para su eliminación

Hizo un flaco favor al foro al eliminarlo sin enviarnoslo !

Solucionado "su" problema, procedemos a cerrar el Tema

ms.