My other computer has been taken over by the XP anti virus malware. I cannot run any programs. I tried downloading rkill to my flash drive and then running it on the infected computer but it only makes the virus start its scan of the computer again. I tried running malwarebytes from my flash drive, it also will not work. I cannot even open a browser. Please help!


Hello and welcome!

Note: If using Firefox right-click on any download links and choose Save As

Please download OTH to your desktop

Please download OTL to your desktop

Double click the OTH file to run it and click Kill All Processes; your desktop will go blank.

Then select Start OTL. OTL will now run.

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Click the Internet Explorer button, and post these logs in your Virus Removal topic.


The virus on that computer prevents me from accessing the internet, so per your instructions I downloaded those programs to my flash drive on my good pc and then put them on the infected one's desktop. I got it to start scanning and everything seemed to be working, but stepped away for a second and when I came back the virus had started its "scan" of the computer again. It is listed as jpt.exe in my task manager so I clicked end process tree on it to get it to stop. The OTL said scan complete but there are no logs that I can see anywhere. The desktop is still blank other than the task manager, the OTH and the OTL. I am awaiting further instructions, thanks.


That computer has Windows XP, might be SP2, not exactly positive since I can't look at its stats right now. I found a disk in my closet that possibly goes to that computer; is there a way to match up any of the codes on the back of the disc sleeve to the infected computer? I know it's not for my computer because I have Win 7 on this one... it is labeled "Operating System Reinstallation CD Windows XP Professional Service Pack 2".


Hi, please try the following:

Let's try to boot your computer using a Boot CD.

Please print this guide for future reference!

You will need a blank CD, your Windows XP install disc, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. Please tell me what error messages you got and/or what steps you got hung up on.

1. Download the PE Builder to your desktop

http://www.nu2.nu/download.php?sFile=pebuilder3110a.exe

  • Double-Click on the PE Builder that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.

2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive

  • Double-Click on PE Builder.exe located on your desktop.
  • Click NO to Search for Windows Installation Files.
  • Make the following selections from the Main Screen that pops up:
    • Builder
      • Source: (path to Windows installation files)
        • Enter the path to the drive where your XP CD is located.
        • You can click on the "..." button on the right to navigate to the path as well.
      • Custom: (include files and folders from this directory)
        • No information is necessary, leave blank.
      • Output:
        • Keep the default.
    • Media output
      • Choose Create ISO image.
      • Do not choose Burn to CD/DVD.
  • Download the RunScanner plugin and save it to your desktop:

    http://www.paraglidernc.com/Files/RunScanner10025.cab

    Please note: You will be prompted for the folder it shall be saved in. By default it appears as runscanner10025. It should be modified to just runscanner <--- Important!!!

  • Press the Plugin button on the PE Builder interface.
  • Press the Add button and navigate to the location of the RunScanner plugin to install it.
  • Please note: If you are using a Windows XP disc with SP2, then highlight "RpcSS needs to launch DComLaunch" and then press Enable.
  • When you're done press Close and the PE Builder interface will re-appear.

3. Click on the "Build" button

  • You will see the Windows EULA message. Click on I Agree.
  • You will now see the Build Screen. Let it run its course.
  • When the Build is finished you can click Close, then Exit.

4. Burn your ISO file to CD

==========

Next........

From your clean computer..

Please download OTLPE.zip and save it to a flash drive.

http://oldtimer.geekstogo.com/OTLPE.zip

http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the PE Builder ISO CD That You Have Created

  • Insert the CD into one of your CD/DVD drives.
  • Restart your computer.
  • The computer should choose to boot from the CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support? Click on No.
  • After it loads press the Go button in the lower left and do this....
    • Go
    • System
    • Display
    • Screen Resolution
    • 1024x768
  • Next choose....
    • Go
    • Programs
    • A43 File Management Utility

==========

In A43 File Management you should see your flash drive.

Navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.cmd.

  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK.
  • OTLPE should now start. Change the following settings:
    • Change Services, Drivers, Standard and Extra Registry to Use Safelist.
    • Uncheck LOP and Purity check.
  • Please note: Stay with your computer during the course of the scan. If "Entry Point Errors" are encountered simply press "OK" and allow the program to continue. <-- Important!!
  • Push the Run Scan button.
  • A report will open named "OTL.txt" and another will be minimized to the system tray named "Extra.txt". Save both logs to your flash drive. Copy and paste them in your next reply.


Am I correct in that you want me to download and create this disc with the Windows XP disc on my good computer? Because I cannot access the internet on the bad one because of the virus. And if so, inserting the Windows XP disc into my machine that has Win 7 won't cause a problem?


Yes, you are right. :)

The worst thing that can happen when popping in the XP disk in your win7 computer is that the XP setup interface will come up, which you can close easily by clicking the X. It is not possible to actually start XP setup from within Windows 7, so no worries there.


Ok, while creating the build file it said ISO image not made, 2 errors and 11 warnings. The first error said: "Error: loadKey() failed:"

The second error says: "Error: closeHive() failed: RegUnLoadKey (key="PEBuilder.exe-C:/PEBUILDER3110A/BARTPE/I386/SYSTEM32/CONFIG/petmphive") returned error 0: Access is denied"

I am leaving it all open and awaiting further instructions


Ok, did as instructed; it completed the scan and the virus did not pop up. However, it did not open Notepad with the logs, and since the desktop is still blank the only way I can search for a file is through the Task Manager. I went to browse C: and I don't see the files listed just under C:. Are they in a certain folder, like Program Files or something?


Please try the following scan and then redownload and rerun unhide.exe

COMBOFIX

---------------

Please download ComboFix from one of these locations:

  • Bleepingcomputer
  • ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message saying that it was installed successfully. Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Ok, after putting ComboFix on the infected PC's desktop I double clicked on it to run it and a window is popping up asking me what I want to open the program with. Also, AVG is not in the system tray, I think because the virus is preventing it from loading; however, in the Task Manager there are several things running that start with avg, not sure which will end them all. Awaiting instructions.


Please rename combofix.exe to combofix.com (right click on the download link and select "save link/target as...").

Also, you'll most likely have to uninstall AVG. You can do that by running AVGRemover (also, if you have trouble running it, rename it to AVGremover.com).

You can run all these tools directly from a flashdrive. No need to put them on the desktop first.

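The "what do you want to open this program with" prompt for an .exe and the advice above to rename tools to .com both point at one mechanism: the .exe file association (the default value of HKEY_CLASSES_ROOT\.exe and of exefile\shell\open\command) has been rewritten so that every program launch goes through the malware, while .com files still run through the untouched comfile association. The script below is an added example, not a tool from this thread or from the helpers; it parses a .reg export of those keys and flags any default value that differs from the stock XP/Win7 settings, folding HKLM\SOFTWARE\Classes and HKCU\Software\Classes keys onto HKEY_CLASSES_ROOT so a per-user hijack is caught too. The export text embedded in it is constructed for the example, and the hijacking path in it (fakeav.exe) is a placeholder, not a file from the thread.

```python
"""Triage helper: detect a hijacked .exe/.com file association in a .reg export.

Added example; not part of the thread. A fake-AV that pops an "Open with"
dialog for every .exe has usually rewritten exefile\shell\open\command (stock
value: "%1" %*) or the HKCR\.exe default (stock value: exefile). Renaming a
tool to .com sidesteps that because .com launches go through comfile instead.
"""

# Stock values on Windows XP and Windows 7 for the keys a launcher hijack edits.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\.com": "comfile",
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
}

# HKCR is a merged view of these two trees; a per-user Classes key wins over
# the machine-wide one, so both must be checked against the same expectations.
ROOT_ALIASES = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\",
    "HKEY_CURRENT_USER\\Software\\Classes\\",
)

# Constructed sample in regedit/reg.exe export format (NOT a real export).
# The machine-wide keys are clean; the per-user exefile command is hijacked by
# a placeholder path, which is exactly what produces the "Open with" prompt.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.com]
@="comfile"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\fakeav.exe\" -a \"%1\" %*"
'''


def normalize_key(key):
    """Map HKLM/HKCU Software\\Classes paths onto their HKEY_CLASSES_ROOT view."""
    for root in ROOT_ALIASES:
        if key.lower().startswith(root.lower()):
            return "HKEY_CLASSES_ROOT\\" + key[len(root):]
    return key


def unescape_reg_string(s):
    """Undo .reg string escaping: backslash escapes the next character (\\\\ and \\")."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_defaults(text):
    """Return {key as written: default (@) string value} for each key in a .reg export."""
    defaults = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith('@="') and line.endswith('"'):
            defaults[current] = unescape_reg_string(line[3:-1])
    return defaults


def find_hijacks(text):
    """Return {key: actual value} for every watched key whose default is not stock."""
    expected = {k.lower(): v for k, v in EXPECTED.items()}
    bad = {}
    for key, value in parse_reg_defaults(text).items():
        want = expected.get(normalize_key(key).lower())
        if want is not None and value != want:
            bad[key] = value
    return bad


def read_reg_export(path):
    """regedit and reg.exe write UTF-16LE with a BOM; fall back to UTF-8 otherwise."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    import sys
    text = read_reg_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    hits = find_hijacks(text)
    if not hits:
        print("exe/com associations look stock")
    for key, value in hits.items():
        print("HIJACKED %s\n    actual: %s" % (key, value))
```

On a machine that can still run commands, the input comes from `reg export HKCR\exefile exefile.reg` and the same for HKCR\.exe, HKCR\.com and HKCR\comfile, plus the logged-on user's HKCU\Software\Classes; from a PE boot, load the offline SOFTWARE and NTUSER.DAT hives and export Software\Classes from each. When doing the rename the helper describes, have known file extensions visible or use a command prompt (`ren combofix.exe combofix.com`), otherwise Explorer silently produces combofix.com.exe, which is still an .exe and still goes through the hijacked association.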

Ok, had to go into IE on my computer to use Save Target As because I use Firefox and it automatically downloads; I can't click on Save As. After right clicking Save Target As I retyped the name and saved to my flash drive. When I tried to run the AVG remover that I renamed avgremover.com, the window still popped up asking me what I want to open AVGremover.com.exe with. If it's renamed, should it have the .com and .exe, or did I do something wrong?

This topic is now closed to further replies.