Virus blocking fix on XP....

Dennis

Trying to salvage my nephew's business pc. His daughter used it when
hers went down and got it loaded with viruses. One is Spyware Guard
among several I believe. A new user named "minada" was added. I can
not run scandisk or regedit or delete some files. I can not install
a fix, I get a message "The system Administrator has set policies to
prevent this installation". I get this message even in Safe Mode. I
tried renaming the file and it still won't allow it. The user I'm
logged in under has administrative permission. I was able to delete
the new user added.

I got it so it will boot up using Hard Drive Regenerator. It fixed a
bad segment on the hard drive which must have contained the boot info.

McAfee has been scanning since Thursday evening and it's still scanning
C:\documents and settings and has quarantined 6,331 files so far.

It is a Dell Dimension 8400 pc with XP Professional Service pack 3.
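The three symptoms in the post above (a local account nobody created, regedit refusing to run, and Windows Installer reporting that "policies" block the install) can all be checked from a command prompt before deciding between a cleanup and a rebuild. The batch script below is an added example written for this thread; it is not code from any poster or from any of the tools mentioned. It assumes the regedit block comes from the DisableRegistryTools policy value and the installer block from the DisableMSI value or a Software Restriction Policy rule, which are the usual places rogue software of that era set them, but not the only ones. It only reads; it changes nothing.

```batch
@echo off
rem Added example for this thread, not code from any poster or product:
rem a read-only audit of the symptoms described above on Windows XP.
rem Run it from a command prompt as a member of the local Administrators group.

echo === 1. Local accounts. Any name you did not create, like the "minada" ===
echo ===    account mentioned in the thread, is a finding. ===
net user
echo.
echo === 2. Members of the local Administrators group ===
net localgroup Administrators
echo.
echo === 3. State of the built-in Administrator account ===
rem XP hides this account on the welcome screen, but it still exists.
net user Administrator | findstr /i "active"
echo.
echo === 4. Policy values that disable regedit (value 1 = disabled) ===
rem Assumption: DisableRegistryTools is what is blocking regedit here.
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools 2>nul || echo not set for the current user
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools 2>nul || echo not set machine-wide
echo.
echo === 5. Windows Installer policy (DisableMSI 2 = all installs blocked) ===
rem Assumption: this is the policy behind the "set policies to prevent
rem this installation" message quoted in the thread.
reg query "HKLM\Software\Policies\Microsoft\Windows\Installer" /v DisableMSI 2>nul || echo DisableMSI not set machine-wide
reg query "HKCU\Software\Policies\Microsoft\Windows\Installer" /v DisableMSI 2>nul || echo DisableMSI not set for the current user
echo.
echo === 6. Software Restriction Policy rules, which can also block installs ===
reg query "HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /s 2>nul || echo no SRP rules present
```

Save it as audit.cmd and run it once normally and once in Safe Mode; the output is the list of what a rogue changed, which is worth keeping even if the machine is then rebuilt, because it tells you what to look for if the same thing comes back. Policy values set for a user live under HKCU, so log on as each affected account when running section 4 and 5.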
 
Alias

Dennis said:
Trying to salvage my nephew's business pc. His daughter used it when
hers went down and got it loaded with viruses. One is Spyware Guard
among several I believe. A new user named "minada" was added. I can
not run scandisk or regedit or delete some files. I can not install
a fix, I get a message "The system Administrator has set policies to
prevent this installation". I get this message even in Safe Mode. I
tried renaming the file and it still won't allow it. The user I'm
logged in under has administrative permission. I was able to delete
the new user added.

I got it so it will boot up using Hard Drive Regenerator. It fixed a
bad segment on the hard drive which must have contained the boot info.

McAfee has been scanning since Thursday evening and it's still scanning
C:\documents and settings and has quarantined 6,331 files so far.

It is a Dell Dimension 8400 pc with XP Professional Service pack 3.

Probably quicker - and for sure, surer - to reinstall XP. I trust a back
up is already in place.

Alias
 
PA Bear [MS MVP]

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

2. Run this online scan (in safe mode w/networking, if need be):
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run additional checks for hijackware, including posting your hijackthis
log to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjunction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://aumha.net/viewforum.php?f=30, or another appropriate forum for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
 
Pegasus \(MVP\)

Dennis said:
Trying to salvage my nephew's business pc. His daughter used it when hers
went down and got it loaded with viruses. One is Spyware Guard
among several I believe. A new user named "minada" was added. I can
not run scandisk or regedit or delete some files. I can not install
a fix, I get a message "The system Administrator has set policies to
prevent this installation". I get this message even in Safe Mode. I
tried renaming the file and it still won't allow it. The user I'm
logged in under has administrative permission. I was able to delete
the new user added.

I got it so it will boot up using Hard Drive Regenerator. It fixed a
bad segment on the hard drive which must have contained the boot info.

McAfee has been scanning since Thursday evening and it's still scanning
C:\documents and settings and has quarantined 6,331 files so far.

It is a Dell Dimension 8400 pc with XP Professional Service pack 3.

With more than 6,000 infected files, a rebuild is the only safe course of
action for you. I would do this:
1. Connect the disk as a slave disk to some other PC.
2. Back up all data files.
3. Back up all EMail files.
4. Check that the backups are complete and readable.
5. Check that you can open the backed up mail files.
6. Return the disk to your nephew's machine.
7. Perform a new Windows installation. Allow the disk to be repartitioned
and reformatted.
8. Install all applications.
9. Restore all data files.
When finished, discuss with your nephew his decision of letting his daughter
use his business PC. You should also find out what virus scanner he uses, if
it was up-to-date and how it was possible that the machine got so badly
infected.
 
Dennis

Thanks a bunch. I appreciate some suggestions to try. Even if
Windows has to be reinstalled, I think it would be better to get
the virus(es) off the machine first so the new installation is
safe. He admits he's been lax on anti-virus updates and scans
and backups. So that everyone knows, all this happened the day
Limewire was installed to download one song needed as part of a
Christmas gift. I believe he has learned his lessons...
I will let you know the outcome...
 
Dennis

Yes, I know. I would zero out then format the drive before any
reinstall.

Is there a need for a user named Administrator if both other users
have full administrative privileges? I'm not sure that wasn't added
by a virus or changed by the virus.
 
Jim

Dennis said:
Yes, I know. I would zero out then format the drive before any
reinstall.

Is there a need for a user named Administrator if both other users
have full administrative privileges? I'm not sure that wasn't added
by a virus or changed by the virus.
The administrator account was added when you installed XP. It cannot be
deleted. You should leave the account alone.
Jim
 
Dennis

I have two computers with XP professional on them and neither one
has a user account named Administrator.
 
Alias

Dennis said:
I have two computers with XP professional on them and neither one
has a user account named Administrator.

Reboot and hit F8 and go into Safe Mode and see what users you get to
choose from. You should have a password for the Administrator accounts
but you probably don't.

Reformatting and reinstalling XP, btw, will not only get rid of all the
viruses but everything else that's currently on the hard drive.

Alias
 
Kayman

Trying to salvage my nephew's business pc. His daughter used it when
hers went down and got it loaded with viruses. One is Spyware Guard
among several I believe. A new user named "minada" was added. I can
not run scandisk or regedit or delete some files. I can not install
a fix, I get a message "The system Administrator has set policies to
prevent this installation". I get this message even in Safe Mode. I
tried renaming the file and it still won't allow it. The user I'm
logged in under has administrative permission. I was able to delete
the new user added.

I got it so it will boot up using Hard Drive Regenerator. It fixed a
bad segment on the hard drive which must have contained the boot info.

McAfee has been scanning since Thursday evening and it's still scanning
C:\documents and settings and has quarantined 6,331 files so far.

It is a Dell Dimension 8400 pc with XP Professional Service pack 3.

My best suggestion to you is to flatten and rebuild.

How To Clean Install
http://michaelstevenstech.com/cleanxpinstall.html
http://www.elephantboycomputers.com/page2.html#Reinstalling_Windows - What
you will need on-hand

Good luck :)
 
niteowl

Dennis said:
I have two computers with XP professional on them and neither one
has a user account named Administrator.

it doesn't show up until you access it the first time...

at the signon screen, do a Ctrl/Alt/Del twice to access the administrator
account.
 
Jim

Dennis said:
I have two computers with XP professional on them and neither one
has a user account named Administrator.
Yes, you do. XP hides the account from the login screen when you have other
accounts available for use (not certain if there must be at least two others
or whether only one would suffice). The administrator account is present in
the administrative tools section of the control panel.
Jim
 
Dennis

PA said:
1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

2. Run this online scan (in safe mode w/networking, if need be):
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run additional checks for hijackware, including posting your
hijackthis log to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use
(in conjunction with some other utilities). HijackThis will NOT fix
anything on its own, but it will help you to both identify and remove
any hijackware/spyware with assistance from an expert. **Post your log
to http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://aumha.net/viewforum.php?f=30, or another appropriate forum for
review by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

Here is what happened:

Hard Drive Regenerator made the drive accessible.
Smitfraud fix made it possible to install programs.
SuperAntiVirus found 128 Viruses, Downloaders, and Malware files.
Ten were Trojan Horses with four in memory. Ran again it found
28 more.
Malwarebytes found 40 more files.
After a reboot, scandisk said the drive was dirty and ran three
scans which repaired an error.
SuperAntivirus found 22 more malware files.
There are still two files under each user containing 2.93 gig of
junk files that I'm having trouble deleting.

I told him to get what he wanted off it and wipe the hard drive clean.
 
PA Bear [MS MVP]

Dennis said:
Here is what happened:

Hard Drive Regenerator made the drive accessible.
Smitfraud fix made it possible to install programs.
SuperAntiVirus found 128 Viruses, Downloaders, and Malware files.
Ten were Trojan Horses with four in memory. Ran again it found
28 more.
Malwarebytes found 40 more files.
After a reboot, scandisk said the drive was dirty and ran three
scans which repaired an error.
SuperAntivirus found 22 more malware files.
There are still two files under each user containing 2.93 gig of
junk files that I'm having trouble deleting.

I told him to get what he wanted off it and wipe the hard drive clean.

You're one wise uncle, Dennis! <eg>
 
Gardier

Jim said:
The administrator account was added when you installed XP. It cannot be
deleted. You should leave the account alone. Jim

Well you can delete it but it will just be recreated. I tried this and
what happens is, the account is deleted and then when windows next
restarts and it's recreated as a default blank version without passwords.
This actually does work in breaking some viruses' hold. Of course you
still have the complication of actually deleting all the files, but it
can be done this way.

A foolproof way to remove all traces of the virus is to boot up from a
Linux live CD such as Mandriva 2009 which reads and writes NTFS file
systems.

Then use the live CD to copy your data to a network destination. Mandriva
comes with SMB enabled and this allows you to use the Live system to copy
the data, while being certain it can't be corrupted by the virus.

If you want to be paranoidly certain the virus is gone, you could boot
into Dban and wipe the whole disk, but be aware this will remove all
data, even hidden and factory partitions.

http://www.mandriva.com/
http://www.dban.org/
 
Gardier

Well you can delete it but it will just be recreated. I tried this and
what happens is, the account is deleted and then when windows next
restarts and it's recreated as a default blank version without
passwords. This actually does work in breaking some viruses' hold. Of
course you still have the complication of actually deleting all the
files, but it can be done this way.

Almost forgot before you can do this you need to type this in a cmd box

net user Administrator *

Then when you restart you can delete the Administrator account as if it
was an ordinary Admin account.
 
Dennis

PA said:
You're one wise uncle, Dennis! <eg>

I figured if I threw enough stuff at it something would hit... lol
Being one who can't afford paying someone to fix things makes one
more determined to come out ahead...
 
