Hi Patrick - Try this: When it starts to shutdown, go to Start|Run and
enter shutdown -a to stop the reboot.
Go to Start/Run and type in: services.msc. Scroll down to Remote Procedure
Call (RPC)/Recovery/First Failure/Restart the Service (instead of Restart
the Computer which it probably is now).
#########IMPORTANT#########
Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible. Reboot and test if the malware is fixed
after using each tool.
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
Clean Boot - General Win2k/XP procedure, but see below for links for other
OS's (This for Win2k w/msconfig - you can obtain msconfig for Win2k here:
http://www.3feetunder.com/files/win2K_msconfig_setup.exe ):
1. StartRun enter msconfig.
2. On the General tab, click Selective Startup, and then clear the 'Process
System.ini File', 'Process Win.ini File', and 'Load Startup Items' check
boxes. Leave the 'boot.ini' boxes however they are currently set.
3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button. If you use a third party firewall
then re-check (enable) it. For example, if you use Zone Alarm, re-check the
True Vector Internet Monitor service (and you may also want to re-check
(enable) the zlclient on the Startup tab.) Equivalent services exist for
other third party firewalls. An alternative to this for XP users is to
enable at this time the XP native firewall (Internet Connection Firewall -
ICF). Be sure to turn it back off when you re-enable your non-MS services
and Startup tab programs and restore your normal msconfig configuration
after cleaning your machine.
4. Click OK and then reboot.
For additional information about how to clean boot your operating system,
click the following article numbers to view the articles in the Microsoft
Knowledge Base:
310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########
Sometimes the tools below will find files which they are unable to delete
because they are in use. A program called Copylock, here,
http://noeld.com/programs.asp?cat=misc#CopyLock can aid in the process of
"replacing, moving, renaming or deleting one or many files which are
currently in use (e.g. system files like comctl32.dll, or virus/trojan
files.)" Another is Killbox, here:
http://www.downloads.subratam.org/KillBox.zip
A third which is a bit different but often useful is Delete Invalid File,
here:
http://www.purgeie.com/delinv.htm which handles invalid/UNC
file/folder name deleting, rather than the in use problem
Download and run Stinger.exe, here:
http://download.nai.com/products/mcafee-avert/stinger.exe or from the link
on this page:
http://vil.nai.com/vil/stinger/ ME/XP users be sure to read:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Download sysclean.com , from Trend Micro, here:
http://www.trendmicro.com/download/dcs.asp along with the latest pattern
file, here:
http://www.trendmicro.com/download/pattern.asp Be sure to read
the "How-to" info here:
http://www.trendmicro.com/ftp/products/tsc/readme.txt (You might also want
to get Art's updater, SYS-UP.Zip, here for future updating of these:
http://home.epix.net/~artnpeg/). The updater files plus a short tutorial on
using them and SysClean are also available in one package here:
http://www.ik-cs.com/Programs/virtools/SYSCLEAN UTILITY.exe (If you
download and use the updater from the beginning, it will automatically
handle downloading the other files.) Place them in a dedicated folder after
appropriate unzipping.
Show hidden and system files (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
If you're using WindowsME or WindowsXP, SysClean (and the other cleaning
tools below) may find infections within Restore Points which it will be
unable to clean. You may choose to disable Restore if you're on XP or ME
(directions here:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm) which will
eliminate ALL previous Restore Points, or alternatively, you can wait until
cleaning is completed and then use the procedure within the *********'s
below to delete all older, possibly infected Restore Points and save a new,
clean one. This approach is in the sprit of "keep what you've got" so that
you can recover to an at least operating albeit infected system if you
inadvertently delete something vital, and is the approach I recommend that
you take.
Then boot to Safe mode or a Clean Boot as above (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
Read tscreadme.txt carefully, then do a complete scan of your system
and clean or delete anything it finds. Reboot and re-run SysClean and
continue this procedure until you get a clean scan or nothing further can be
cleaned/removed. Now reboot to normal mode and re-run the scan again.
This scan may take a long time, as Sysclean is VERY extensive and thorough.
For example, one user reported that Sysclean found 69 hits that an
immediately prior Norton AV v. 11.0.2.4 run had missed.
Download and run the free or trial version of A2 Personal, here:
http://www.emsisoft.com/en/ Run from a Clean Boot or Safe Mode with Show
Hidden Files enabled as above.
--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP
In
