
Unable to boot after Patched_c.Jee malware


  • This topic is locked
105 replies to this topic

#31 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 22 October 2010 - 02:37 PM

Hi Alantb,

Thanks. There is another location we can check

From the C:\Windows> prompt type the following and hit enter

    cd servicepackfiles\i386

note the space after cd

If the new command prompt changes to c:\windows\servicepackfiles\i386> please continue. If not let me know if you received an error.

Type the following and hit enter

    copy winlogon.exe C:\Windows\System32

note: there is a space after copy and a space after .exe

You should receive a message similar to 1 file(s) copied

If you receive any other message please let me know.

If the file copy went according to plan type exit and hit enter. If you have set your computer to boot from the hard drive as well as the CD, your computer should now attempt to load Windows. Let me know if the computer booted to Windows and we'll continue.

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.


#32 Alantb

Alantb

    Authentic Member

  • Authentic Member
  • 62 posts

Posted 23 October 2010 - 11:50 PM

Thanks Oldman; I've had email problems (not a bug, just line prob) - I'll get back when I've done this. I have a fungus exhibition to do today so it may be Monday. Cheers, Alan

#33 Alantb

Posted 24 October 2010 - 11:49 PM

Yes, well, that sort of worked. It seemed to boot up and even gave me the 'enter your password' page, accepted this and then stopped - at first displaying the desktop picture (only - no shortcuts) but then going into the screen-saver routine. In my case this is a small file of pictures. So something is working but not much. I've unplugged the internet cable because I saw the modem lights flicker and I wondered if the box had been taken over by something and was transmitting malware. Cheers, Alan

#34 oldman960

Posted 25 October 2010 - 12:03 AM

Hi Alantb,

Try booting to Safe Mode.

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

#35 Alantb

Posted 25 October 2010 - 12:54 AM

Hi Oldman; Yes - I should have thought of that myself - Safe mode boots and after signing on I get a black screen with 'safe mode' at the corners. I can open Task Manager which shows 14 processes are active, all execs; 3 of these are avgchsvx., 3 are sychost; the rest are: services, taskmgr, csrss, winlogon, lsass, smss, System, System Idle Process - this is 99% of the usage. No Users are listed, surely this is wrong, because I have signed on. The screen saver still runs. Any help?

#36 oldman960

Posted 25 October 2010 - 06:30 AM

Hi Alantb,

Open task manager, click file > New task (run)

Type explorer.exe and hit enter. Did the desktop appear?

Don't make any changes just let me know.

#37 Alantb

Posted 25 October 2010 - 07:33 AM

Nope, 'Windows can't find the file . .. ..' but the Browse function works and will list the Desktop. Avg seems to be active, now and then it gives the Task Manager screen a twitch and the Memory Usage alters.

Edited by Alantb, 25 October 2010 - 08:36 AM.


#38 oldman960

Posted 25 October 2010 - 10:27 PM

Hi Alantb,

Let's do this from either normal Windows or safe mode with networking as I think it may be quite a chore transferring files without explorer. I prefer you try it from normal Windows if possible.

Open Task Manager with ctrl,alt,del as you have been doing.
  • In Task Manager, click the Options button
  • check mark Always on Top
  • This will keep Taskmanager from disappearing when you click on anything else.
  • Using your left mouse button, click on the top blue portion of Task Manager and slide it down to the lower part of your screen so these instructions are visible.

In Task Manager
  • click file
  • click New Task(Run...)
  • type the following line into the open: field

    iexplore.exe

  • click ok
Internet explorer should launch. Return to this thread with the infected computer so you can complete the rest of the instructions.

It is important that you do not minimize your browser, taskmanager or the tool I'm going to have you download. If you do you will lose them and will need to start over.

Note: When you download this tool to the specified location, it will not be visible to you. We will launch it via the run command.

Please download SystemLook from one of the links below by
  • right clicking the link and clicking Save Target As
  • In the Save As window, using the dropdown menu set the Save In box to Local disk (C:)
  • make sure the filename is SystemLook.exe and the type is Application
  • click Save
Download Mirror #1
Download Mirror #2


Next
  • Holding down your left mouse button, highlight all the text in the codebox below.
  • Do not copy the word CODE; please note the script starts with the :
  • right click the highlighted text and choose copy

    :filefind
    explorer.ex*

In Task Manager
  • click file
  • click New Task(Run...)
  • type the following line into the open:


    C:\Systemlook.exe

  • click ok
SystemLook should appear on your screen.
  • Right click anywhere in the white field and choose paste.
  • the text you copied earlier should appear
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
Please post this log in your next reply.

If you lose the notepad before you can post the contents, you may retrieve it by copying and pasting this command in the Task Manager open box.
"%userprofile%\desktop\SystemLook.txt"

Please post the log.

Thanks

#39 Alantb

Posted 26 October 2010 - 12:07 AM

Sorry, Oldman. The PC will not connect to the internet. Iexplore worked but I get a message saying this service cannot run in Safe Mode, so I tried in Normal but that just started a lot more processes. Message under Networking in Task Manager - 'No Active Network Adapters Found' Cheers, Alan

#40 oldman960

Posted 26 October 2010 - 12:50 AM

Hi Alantb,

Ok do you have a usb storage device such as a flashdrive? We may be able to use a CD.

If you are going to use a flashdrive run this program on your clean computer with the usb device attached first.


Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.



Download SystemLook to your good computer and copy it to your USB device or CD.

Attach the usb device or insert the CD in your infected computer.

In Task Manager
  • click file
  • click New Task(Run...)
  • type the following line into the open: field

    cmd

  • click ok
A black command window will open.

Type the following and hit enter

    copy x:\SystemLook.exe "%USERPROFILE%\Desktop\SystemLook.exe"

Note: the letter X represents the drive your computer recognizes the USB device or CD as.

There is a space after copy and a space after .exe

The quote marks are required.

Next

In Task Manager
  • click file
  • click New Task(Run...)
  • type the following line into the open:


    "%USERPROFILE%\Desktop\SystemLook.exe"

  • click ok
SystemLook should appear on your screen.
  • in the white field type the following lines hitting enter after the first one

    :filefind
    explorer.ex*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
Please post this log in your next reply.

Note: the script starts with a :

If you lose the notepad before you can post the contents, you may retrieve it by typing this command in the Task Manager open box.
"%userprofile%\desktop\SystemLook.txt"

You should be able to save the log to the media you used to transfer SystemLook to the computer with by clicking file at the top of the notepad and clicking save as. Set the Save in field to the device and click save.

Thanks


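The file search requested in post #40, and the check one would want before copying a backup of winlogon.exe over the live file as in post #31, both come down to locating every copy of a system file and comparing their contents. The following Python sketch is an added illustration, not part of the thread and not SystemLook's code; the function names and the "differs from the most common copy" heuristic are assumptions made here.

```python
import fnmatch
import hashlib
import os
from collections import defaultdict


def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, pattern):
    """Walk root and return {digest: [(path, size), ...]} for matching names."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Case-insensitive match, as Windows file names are.
            if fnmatch.fnmatch(name.lower(), pattern.lower()):
                path = os.path.join(dirpath, name)
                try:
                    groups[file_digest(path)].append((path, os.path.getsize(path)))
                except OSError:
                    continue  # locked or unreadable file: skip, do not abort
    return dict(groups)


def odd_ones_out(groups):
    """Return paths whose content differs from the most common copy."""
    if len(groups) < 2:
        return []
    majority = max(groups, key=lambda d: len(groups[d]))
    return sorted(p for d, items in groups.items() if d != majority
                  for p, _size in items)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"
    found = find_copies(root, "explorer.ex*")
    for digest, items in found.items():
        for path, size in items:
            print(f"{digest[:16]}  {size:>9}  {path}")
    print("differs from majority:", odd_ones_out(found))
```

A differing hash is only a lead: compressed `.ex_` installation copies and backups from an older service pack legitimately differ, so the copy chosen for restoration should be checked against a known-good hash for that Windows build.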

#41 Alantb

Posted 26 October 2010 - 01:11 AM

Hi Oldman; Sounds like a good idea - I do have USB pendrives so I'll try it later, right now I'm taking a bunch of people round the woods looking at fungi. Does this Flash Disinfector clean all the drive or just check it out for malware? Because if it clears it out I may have to get a new one - also after we load on to the drive will the info on it be write-protected? All the best, Alan

#42 oldman960

Posted 26 October 2010 - 06:37 AM

Hi Alantb, You need to use Flash Disinfector on the clean computer and the flashdrive before attaching it to the infected computer. Flash Disinfector will not change any of the data on the drive. It will place a file at the root of all drives attached when the tool is run. This will help prevent the drive from becoming infected with an autorun infection. A blank flashdrive is the best to use. You can try using a CD first.

#43 Alantb

Posted 27 October 2010 - 07:37 AM

Hi oldman. Now the beast can't find the usb, so it won't copy the Systemlook exec. I've tried using the 'Vol [x:]' command and get a 'no such device' response to any of the possible drives, including C which we know exists and the pc is actually using in a fashion. Am I doing it wrong? Is there somewhere I can look using Regedit to see if the pc can't find the disks because something has removed them or the usb sockets from the Registry? So it goes.... Alan

#44 Alantb

Posted 27 October 2010 - 08:02 AM

Hi Oldman; I find that I can run programs which are already installed, even though the Start button and the tray are not displayed - by using the Browse function in Task Manager and pulling out the .exe file for the prog.. I haven't tried to get the Control Panel yet, which ought to help or at least give us some more information. Also, I now find that I can access the F drive for Systemlook. Where were we? Cheers, Alan

Edited by Alantb, 27 October 2010 - 08:09 AM.


#45 Alantb

Posted 27 October 2010 - 08:40 AM

Hi Again Oldman Herewith the text file, if I did it correctly:-

Attached Files

