Can't run antivirus/malware to clean system

Dave

Hello

I'm working on a PC with terrible virus issues. When booted normally, the
Start bar and desktop icons flash on then off every ~60 seconds, and the
system will not allow interaction with apps like Windows Explorer. When I do
Ctrl-Alt-Del TaskMgr comes up and I can see lots of unfamiliar apps taking a
lot of CPU time. I can't launch apps from TaskMgr.

When booted in Safe Mode, the GUI doesn't work. When booted in Safe Mode
Command Line, I can interact with the system for 1-2 minutes, then it
displays a warning about low system resources and responds slowly, then 1-2
min later it blue screens.

The result is that I can't run any antivirus apps to clean it. At this
point I think I'll settle for using Recovery Console to copy off irreplaceable
files, format and reload.

Any other suggestions?

Thanks - Dave
 
Pegasus [MVP]

There is a misunderstanding here. The primary purpose of anti-virus programs
is to *prevent* an infection. Most have an ability to repair some of the
damage done by viruses but there is no guarantee here. Sometimes it works,
sometimes it doesn't. Here are a couple of options:
- Connect the disk as a slave disk (or in a USB disk case) to another WinXP
PC, then try to repair the damage there.
- Boot the machine with your WinXP CD, allow the disk to be formatted, then
reload Windows.

Note also:
- It is unlikely that you can repair the machine while in Recovery Console
mode.
- If you go for the format option, you will lose all personal files.
- If this was my machine then I would consider it compromised. I would
reload Windows.
 
PA Bear [MS MVP]

There is a very good chance that you are seeing the effects of a hijackware
infection!

NB: If you have no anti-virus application installed or the subscription has
expired and/or the machine's not been kept fully-patched at Windows Update,
don't waste your time with any of the below: Format & reinstall Windows. A
Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://www.dslreports.com/forum/cleanup, http://aumha.net/viewforum.php?f=30
or other appropriate forums.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
 
Dave

Pegasus,

Thanks for the quick response. The PC was running McAfee -- I don't know
what happened.

Do you know if Recovery Console will work with a USB drive? If it does, it
will save the time and risk of taking the drive out and trying to access it
from a different system. If Recovery Console doesn't support USB drives, is
there any other way to copy the files off the hard drive before
formatting/reloading?

Thanks again -- Dave
 
Patrick Keenan

Dave said:
> Hello
>
> I'm working on a PC with terrible virus issues. When booted normally, the
> Start bar and desktop icons flash on then off every ~60 seconds, and the
> system will not allow interaction with apps like Windows Explorer. When I
> do Ctrl-Alt-Del TaskMgr comes up and I can see lots of unfamiliar apps
> taking a lot of CPU time. I can't launch apps from TaskMgr.
>
> When booted in Safe Mode, the GUI doesn't work. When booted in Safe Mode
> Command Line, I can interact with the system for 1-2 minutes, then it
> displays a warning about low system resources and responds slowly, then
> 1-2 min later it blue screens.
>
> The result is that I can't run any antivirus apps to clean it. At this
> point I think I'll settle for using Recovery Console to copy off
> irreplaceable files, format and reload.

Yes. Don't bother with the recovery console, as in its default state it
won't give you access to user files.

Instead, remove the drive, attach it to another *protected* XP system with
enough space, and copy the files off. If you're going to wipe it, remove
the partition while it's connected this way, it will save you a step later.

You might also want to try scanning the drive from that other system, first
locating and clearing all of the Temp and Temporary Internet Files folders.
That alone may take you a very long way towards fixing it, though it's
likely that malware will have been copied to the windows\system32 folders
from their launchers in the TIF folders.

HTH
-pk
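
Added example (not part of Patrick Keenan's post): a read-only Python script for the check described above, listing files that carry an executable header inside the Temp and Temporary Internet Files folders of the attached drive before anything is cleared. It assumes the default English Windows XP folder names; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Default English Windows XP layout (assumption), relative to the volume root.
PROFILE_DIRS = ("Local Settings/Temp", "Local Settings/Temporary Internet Files")
SYSTEM_DIRS = ("WINDOWS/Temp",)


def temp_dirs(volume_root):
    """Return the Temp and TIF folders that exist on the attached volume."""
    root = Path(volume_root)
    found = [root / d for d in SYSTEM_DIRS if (root / d).is_dir()]
    profiles = root / "Documents and Settings"
    if profiles.is_dir():
        for profile in sorted(p for p in profiles.iterdir() if p.is_dir()):
            found += [profile / d for d in PROFILE_DIRS if (profile / d).is_dir()]
    return found


def has_mz_header(path):
    """True if the file starts with the DOS/PE 'MZ' magic, whatever its name."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def triage(volume_root):
    """List (relative path, size) of MZ-header files in temp folders; read-only."""
    root = Path(volume_root)
    hits = []
    for folder in temp_dirs(root):
        for dirpath, _dirs, files in os.walk(folder):
            for name in files:
                full = Path(dirpath) / name
                if full.is_file() and not full.is_symlink() and has_mz_header(full):
                    hits.append((full.relative_to(root).as_posix(), full.stat().st_size))
    return sorted(hits)


def build_sample_volume(base):
    """Constructed sample tree standing in for the attached drive."""
    root = Path(base)
    home = root / "Documents and Settings/user1"
    tif = home / "Local Settings/Temporary Internet Files/Content.IE5/AB12"
    for d in (tif, home / "Local Settings/Temp", home / "My Documents", root / "WINDOWS/Temp"):
        d.mkdir(parents=True)
    (tif / "banner[1].gif").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # executable header, image name
    (tif / "logo[1].gif").write_bytes(b"GIF89a" + b"\x00" * 10)        # ordinary image
    (home / "Local Settings/Temp/setup.log").write_bytes(b"constructed log line\n")
    (home / "My Documents/tool.exe").write_bytes(b"MZ" + b"\x00" * 30)  # outside temp folders: not listed
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for rel, size in triage(build_sample_volume(base)):
            print(f"{size:>8}  {rel}")
```

Point `triage()` at the drive letter or mount point of the attached disk; it only reads file headers and never runs or deletes anything.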
 
Dave

Robear,

Thanks for the response. I can't launch applications, including Windows
Explorer, when the PC is booted normally, in Safe Mode, or in Safe Mode
Command Line. If I can't launch apps, I don't think I can perform any of the
steps listed in your message. If that's true, I think I'm left with trying
to copy off irreplaceable files, formatting and reloading.

Pegasus offered that the drive could be mounted in a USB casing and read by
a different PC. I'm trying to save those steps by using Recovery Console to
copy the files on the hard drive to a USB drive --- then format and reload
the hard drive.

Do you know if Recovery Console can be made to work with a USB drive?

Thanks - Dave


 
Patrick Keenan

Dave said:
> Pegasus,
>
> Thanks for the quick response. The PC was running McAfee -- I don't know
> what happened.
>
> Do you know if Recovery Console will work with a USB drive?

In its default state, the RC allows access to only a few system file
locations, not to user folders or external drives.

> If it does, it will save the time and risk of taking the drive out and
> trying to access it from a different system.

This is actually a quick and low-risk approach as long as the other system
is properly protected with up-to-date antivirus software *and* if you don't
attempt to run files from the attached drive.

The RC is a command line utility, and even if you have already re-configured
the scope of the RC, you will spend a lot of time typing. It won't be a
fast process.

> If Recovery Console doesn't support USB drives, is there any other way to
> copy the files off the hard drive before formatting/reloading?

Yes, and it's attaching the drive to another, protected system. This is a
normal approach.

As well, it's common to use this external-attachment method to clear out the
main hiding places of malware without running the compromised Windows
install.

HTH
-pk
 
PA Bear [MS MVP]

Repost:
Robear,

Thanks for the response. I can't launch applications, including Windows
Explorer, when the PC is booted normally, in Safe Mode, or in Safe Mode
Command Line. If I can't launch apps, I don't think I can perform any of
the steps listed in your message. If that's true, I think I'm left with
trying to copy off irreplaceable files, formatting and reloading.

Pegasus offered that the drive could be mounted in a USB casing and read
by a different PC. I'm trying to save those steps by using Recovery Console
to copy the files on the hard drive to a USB drive --- then format and
reload the hard drive.

Do you know if Recovery Console can be made to work with a USB drive?

Thanks - Dave


 
Elmo

Try this download to a working machine. You burn the image to a blank
CD then boot the infected machine to it; it clears out the malware
without Windows running so the malware can't get control. This is
software from Avira.

http://forums.techarena.in/tips-tweaks/1157825.htm

Just download the .exe rather than the ISO.
 
Lem

If for some reason you don't want to remove the drive and attach it to
another system, you can always use a bootable "live" CD that will let
you access the files you want to save and copy them to some external media.

Two that come to mind are Bart's PE and Knoppix.
http://www.nu2.nu/pebuilder/
http://www.knopper.net/knoppix/index-en.html
http://www.knoppix.net/

I like Knoppix, but several posters in this newsgroup have suggested
that they find Bart's PE easier to use.

--
Lem -- MS-MVP

To the moon and back with 2K words of RAM and 36K words of ROM.
http://en.wikipedia.org/wiki/Apollo_Guidance_Computer
http://history.nasa.gov/afj/compessay.htm
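
Added example (not part of Lem's post): a Python script for the copy-off step discussed in this thread, run from a live CD or a second, protected system. It copies only files whose extension is on a data list and whose content does not start with an executable header, and records a SHA-256 manifest of what was copied; the extension list, function names and sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

DATA_EXTS = {".doc", ".xls", ".txt", ".jpg", ".pdf", ".pst"}  # assumed data types


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(path):
    """Return None if the file may be copied, else the reason it is skipped."""
    if path.suffix.lower() not in DATA_EXTS:
        return "extension not on data list"
    with open(path, "rb") as fh:
        if fh.read(2) == b"MZ":  # DOS/PE magic behind a data extension
            return "executable content"
    return None


def salvage(src_root, dest_root):
    """Copy data files from the attached drive; return (manifest, skipped)."""
    src, dest = Path(src_root), Path(dest_root)
    manifest, skipped = {}, []
    for dirpath, dirs, files in os.walk(src):  # does not follow directory links
        dirs.sort()
        for name in sorted(files):
            path = Path(dirpath) / name
            rel = path.relative_to(src).as_posix()
            try:
                reason = "not a regular file" if path.is_symlink() else classify(path)
                if reason is None:
                    target = dest / rel
                    target.parent.mkdir(parents=True, exist_ok=True)
                    shutil.copyfile(path, target)  # copies bytes only; nothing is executed
                    digest = sha256_of(target)
                    if digest == sha256_of(path):
                        manifest[rel] = digest
                    else:
                        reason = "hash mismatch after copy"
            except OSError as exc:
                reason = f"unreadable: {exc.strerror}"
            if reason:
                skipped.append((rel, reason))
    return manifest, skipped


def build_sample_profile(base):
    """Constructed sample standing in for a user's folder on the attached drive."""
    docs = Path(base) / "My Documents"
    (docs / "Taxes").mkdir(parents=True)
    (docs / "Taxes" / "2008.xls").write_bytes(b"\xd0\xcf\x11\xe0 constructed sheet")
    (docs / "notes.txt").write_bytes(b"constructed note\n")
    (docs / "holiday.jpg").write_bytes(b"MZ\x90\x00" + b"\x00" * 32)  # executable named .jpg
    (docs / "invoice.pdf.exe").write_bytes(b"MZ\x90\x00")
    return docs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as out:
        manifest, skipped = salvage(build_sample_profile(base), out)
        print(manifest, skipped)
```

The skipped list is the part to read before formatting the drive: anything irreplaceable that landed there needs a closer look rather than a blind copy.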
 
Kayman

Preferred practice is to 'flatten' and rebuild a computer that has been
exposed to malware.
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
http://technet.microsoft.com/en-au/library/cc512595.aspx

Clean Install Windows XP
http://www.elephantboycomputers.com/page2.html#Reinstalling_Windows - What
you will need on-hand
--and--
http://www.michaelstevenstech.com/cleanxpinstall.html
--or-- (even better because it's illustrated and more reader friendly)
How Do I Install WindowsXP
http://xphelpandsupport.mvps.org/how_do_i_install_windows_xp.htm

It is definitely advantageous to create an 'image' of the operating system
and create a data/file backup of the affected PC.
The image can then be restored to the impacted PC and the user's data/file is
subsequently restored to the operating system.

An experienced and properly prepared user can do that in substantially less
time than scanning with complex and sophisticated AV applications.

Alas, since many users are less prepared and/or lacking the experience,
scanning with AV apps is the only option, unless the user consults a
computer technician.
If you're one of the many less-experienced users, try to go through the
succeeding steps 1-4:

1. Clear the (IE) temporary Internet files and the history cache.
Click 'Start' and then click 'Run...' then type (or copy/paste)
"inetcpl.cpl" (w/out quotation marks) into the box, then click the 'OK'
button.
In Internet Properties panel 'General' tab, under 'Browsing history', click
'Delete...' button, in 'Delete Browsing History' panel, click the 'Delete
all...' button then place a checkmark into the box beside 'Also delete
files and settings stored by add-ons', Click 'Yes' and exit the Internet
Properties panel by clicking the 'OK' button.

2. Clean HDD
Click 'Start' and then click 'Run...' then type (or copy/paste) "cleanmgr"
(w/out quotation marks) into the box, then click the 'OK' button. Select
your drive (presumably WinXP (C:)) and click OK.
http://support.microsoft.com/kb/310312

3. Using a surrogate computer, download:
http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

3a. Insert the rescue disk into the infected computer and scan the system
for virus infections.

After successful execution:
4. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Please, do not post HJT logs to this newsgroup.
Fora where you can get expert advice for HiJack This! (HJT) logs.

http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.theeldergeek.com/forum/index.php?s=2e9ea4e19d3289dd877ab75a8220bff6&showforum=29

NOTE:
Registration is required in any of the above mentioned fora before posting
a HJT log and read the 'stickies' (instructions/guidelines) for the
respective HJT forum.

Additional references:
Malicious Software Removal Tool
http://www.microsoft.com/security/malwareremove/default.mspx
(Skip: Run an Online Scan of Your PC for Malicious Software).

How to optimize or reset Internet Explorer
http://support.microsoft.com/kb/936213
Applies to: Windows Internet Explorer in Windows Vista

How to use Reset Internet Explorer Settings (RIES)
http://support.microsoft.com/kb/923737
Read: "What you must know"
Applies to: Windows Internet Explorer for Windows XP and
Windows Internet Explorer 7 in Windows Vista

GMER - is an application that detects and removes rootkits.
http://www.gmer.net/index.php

For additional assistance in relation to GMER scan results consult either:
http://www.thespykiller.co.uk/index.php?board=3.0
--or--
http://antirootkit.com/forums/index.php?sid=9e746bb696ac0bb38781ffe4361c3a17

CCleaner - Free
Cleans temporary internet files, cookies, history, recent urls, application
MRUs, etc. ...(*Tune out the registry scanning/fixing option!*)
http://www.ccleaner.com/download/builds/downloading-slim

If Windows Defender is utilized go to Applications, under Utilities
uncheck "Windows Defender" (so it won't delete the history of WD).
If you wish, click 'Options' button then 'Settings' [check] 'Run CCleaner
when the computer starts'.
--or--
Setup CCleaner to Automatically Run Each Night in Vista or XP
http://www.howtogeek.com/howto/wind...-automatically-run-each-night-in-vista-or-xp/

Routinely practice Safe-Hex.
http://www.claymania.com/safe-hex.html

Good luck :)
 
