Author Topic: One Nasty Virus/Trojan - Kills all virus scanners  (Read 132917 times)

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #45 on: November 01, 2009, 01:29:48 AM »
To All

You have bombarded me with all these instructions..

How about putting some order to things for me..
What should I do first and so on.

Remember.. I cannot get out of repair to boot the computer.
and I do want to get WindowsXP running again.


Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #46 on: November 01, 2009, 01:33:21 AM »
I understand your bewilderment.
Essexboy is the trained malware eliminator; I'd be inclined to follow his instructions, if you can.
(You may have noticed I stopped posting to the thread once he started to. He knows about these things. ;))
Windows 10,Windows Firewall,Firefox w/Adblock.

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #47 on: November 01, 2009, 01:33:51 AM »
OK .. I do use F12 to get to the boot menu

I don't have a "Connect" icon on my desktop

Will this mess up my connection for Windows?

If I could get this to run.. will that give you what you need to know what
to do to get rid of the viruses and trojans?

Then there remains getting the computer to boot up WindowsXP



Naturally. You don't have a "connect" icon on your desktop because you haven't booted from the Puppy CD yet.  ;D

This will not harm Windows XP in any way unless the viruses already have. Here's how the LiveCD works: it boots up into a working, virus-free Linux operating system entirely from the CD, making no changes to the hard drive in the process. You are ABLE to change the hard drive as needed, so you can scan it for viruses and fix problems found.

Once you boot from the CD, you'll actually be able to access the web still with the "browse" button on the desktop to give us updates and such as to your status on the repair process. I'd like it if you booted from the CD, got connected to the internet ("connect") then used "Browse" to let me know you did, and what icons you see at the bottom of your screen (sda1, sda2, sda3, etc.) I'll help you with the specifics of XFProt, too.

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #48 on: November 01, 2009, 01:39:58 AM »
To All

You have bombarded me with all these instructions..

How about putting some order to things for me..
What should I do first and so on.

Remember.. I cannot get out of repair to boot the computer.
and I do want to get WindowsXP running again.



What's-his-face may be trained, but I do this for a living. I'm taking some time on a Saturday night to help you out of the goodness of my heart. If you want me to go away, that's fine, but I'm not going to be told off by a third party.

The difference between my approach and that of Essexboy is that Essexboy is attempting to repair this from within the Windows framework. Because of the way Windows works, and the way tough viruses work, this is not always possible, and in this case it's clearly very difficult. My approach takes a fix-it-offline approach, which allows all files to be inspected with none of them in use, and repairs can be made much more easily that way.

If you want my help, I'll be happy to walk you through the whole thing step-by-step. I'll fire up a dummy computer with the same stuff you've got and help you specifically through. It's not really difficult, just different.........but this virus has opened your eyes to a whole new world of "different" already, hasn't it?  :o

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #49 on: November 01, 2009, 01:54:07 AM »
To All

You have bombarded me with all these instructions..

How about putting some order to things for me..
What should I do first and so on.

Remember.. I cannot get out of repair to boot the computer.
and I do want to get WindowsXP running again.



When you say you cannot get out of repair to boot the computer, I presume you mean that you booted into a repair from the recovery CD? If not, which repair are you in?

It sounds as though my approach will likely be the only one that will work, as it can eliminate the viruses without the need to boot into Windows.

If possible, here's what I'd like to see you do:

1. Download the .ISO file that I linked, as well as BurnatOnce, on a different, clean computer. Install BurnatOnce and use it to burn the .iso file to a (must be completely blank) CD.

2. Put the newly-burned CD in the CD drive on the problem computer and then turn it off. Don't worry about the repair in progress.

3. Turn the problem computer back on, and use F12 to get the boot menu. Instruct it to boot from CD. Puppy will ask a few basic questions (what kind of mouse, keyboard layout, video) and the defaults should get you to a happy glacier background with a "connect" button!

4. Use the connect button to establish a connection to the internet ("Internet by Network....." option, then "eth0" button, then "auto DHCP" should get you on). You don't need to save the configuration.

5. Close the network wizard, click the "browse" button, come back here and let me know you've gotten that far.

Fair enough? That will have you in an internet-connected Linux environment that I can use to get this virus off your computer.

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #50 on: November 01, 2009, 02:09:25 AM »
Well, it appears that everyone else has gone to bed or something. I need to soon as well.

Lynn, if you really want to get this fixed without a reformat, I'm quite certain that I can help you do that. Just let me know if you want my help. As you can see from my last post, I can be very specific and detailed, and guide you the whole way through. Just let me know how I can serve you. I know it's tough to be at the mercy of malicious software and the sometimes overly-technical instructions of strangers.

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #51 on: November 01, 2009, 02:23:53 AM »
I have been trying to get the sick computer to boot from the CD..
so far no luck

I must be doing something wrong...

I got the ISO file from the link..

I did not use the burnatonce because my computer seemed to do it ok

but if I have to use that burner then I will..

I don't know if I can find another empty CD .. I don't use CDs
I use DVDs

I am going to try turning off the sick computer as you said and just turn it on and see what happens. When I go into the boot menu it asks
1. Onboard or USB FLoppy Drive
2  Sata Drive (not present)
3 Onboard or USB CD-ROM Drive
and so on

I tried 1 and 3 with no luck.. will give it another try.

Appreciate the help... I am just very very tired.. I have been at it for
nearly 36 hours now..

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #52 on: November 01, 2009, 02:29:52 AM »
No luck
When I try to boot to the CD ROM drive it says boot device not available.

Does that mean there is something wrong with my CD drives now?
When Dell starts up it does show the 2 CD DVD drives as being there..


edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #53 on: November 01, 2009, 02:39:27 AM »
36 hours???!!! :o Wow, you're very dedicated! Wow........!

Option 3 is what you need. The problem is likely that you simply burned the file to the CD as a file, not as an image. The file you downloaded is a CD image which contains many files and a boot image in one image file.

If you burned it properly, it should show about 7 files present on the CD, not one. If it only shows one, you burned it as a file, not an image, and I suspect that this is in fact what happened.

You can't simply drag the file onto the CD layout in Roxio (familiar enough with it to know that); there should be a menu item which says something to the effect of "burn CD from image" or "burn .iso to CD" or something like that.

Otherwise, there's always BurnatOnce.......all it does is burn image files, so you can't get it wrong, which is why I suggested it.

My example box is ready to help you with the next steps once you get it booted from CD!
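
The burned-as-file versus burned-as-image distinction from the post above can also be checked directly on the disc. This is an added example, not part of the original posts: it reads the ISO 9660 volume descriptors and looks for the El Torito boot record that a bootable CD carries in sector 17. The function names and the `/dev/sr0` device path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): tell a disc that was burned as an
# image from one that only has the .iso stored on it as a single file.

# read_bytes FILE OFFSET COUNT: print COUNT bytes starting at byte OFFSET.
# NUL bytes are dropped so the result is safe to hold in a shell variable.
read_bytes() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# has_iso9660 FILE: ISO 9660 keeps its first volume descriptor in sector 16
# (2048-byte sectors); bytes 1-5 of that sector are the magic "CD001".
has_iso9660() {
    [ "$(read_bytes "$1" $((16 * 2048 + 1)) 5)" = "CD001" ]
}

# has_el_torito FILE: a bootable CD has an El Torito boot record in sector 17,
# marked by "CD001" followed by "EL TORITO SPECIFICATION" at byte 7.
has_el_torito() {
    [ "$(read_bytes "$1" $((17 * 2048 + 1)) 5)" = "CD001" ] &&
    [ "$(read_bytes "$1" $((17 * 2048 + 7)) 23)" = "EL TORITO SPECIFICATION" ]
}

# classify_disc FILE_OR_DEVICE: print one word describing what was found.
#   bootable     ISO 9660 with a boot record (burned as an image)
#   data-only    ISO 9660 without one (e.g. the .iso copied on as a file)
#   not-iso9660  no ISO 9660 descriptor at all
classify_disc() {
    if ! has_iso9660 "$1"; then
        echo "not-iso9660"
    elif has_el_torito "$1"; then
        echo "bootable"
    else
        echo "data-only"
    fi
}

# Usage (assumed device name): sh check_disc.sh /dev/sr0
# A downloaded .iso file can be passed instead of a device.
if [ "$#" -gt 0 ]; then
    classify_disc "$1"
fi
```

A result of `data-only` on the burned disc, together with `bootable` on the downloaded file, matches the "burned as a file" case described above.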

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #54 on: November 01, 2009, 02:43:06 AM »
If you need a blank CD, let's see how far I can frisbee.....better still, I'll burn it first.  ;D

Where are you, and what time is it? I hope you at least have taken a brief time-out from your 36-hour marathon to sleep.....?

EDIT: I'm going to take a shower. I'll be back in 15-20 minutes or so. Hopefully by then you'll be booted into Puppy.
« Last Edit: November 01, 2009, 02:47:53 AM by edifyguy »

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #55 on: November 01, 2009, 02:50:22 AM »
Ok ... redid the CD and it seems to be booting up ok
so far


And to answer your question about the repair setup

I was attempting to repair Windows XP with the original disk
The repair function .. not the recovery console

Anyway.. Puppy is up and running

OK I am up and running and connected to the internet

Icons at the bottom are:
fd0  sda1  sda2   sdb1   sdc1   sdd1   sde1   sr0   sr1


I have thought about switching to a linux OS many times.. just have not had
the time to re learn ... so I have stuck with windows even though it is a real pain
in the butt

If you are still there I am waiting next instruction..

If you are gone .. to bed or whatever.. I could sure use some sleep too!!

I will check back on and off

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #56 on: November 01, 2009, 03:04:56 AM »
I am in Florida .. still hot and sticky in November!!!
and it is now 10PM

I did get some sleep around 5am till 7:30

I am going to take a break and sit down for a while

and relax..


edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #57 on: November 01, 2009, 03:11:55 AM »
Ah, yay! Phase 1 complete! A non-crippled Operating System running on the computer and connected to the Internet.

OK, then, Phase 2.

From the Puppy Menu, (can't be the Start Menu, because that's a M$ trademark) under utilities, select XF-Prot virus scanner. It will give you a red warning about it not being installed, connect to the internet and hit ok or enter or whatever. Tell it to go, and it will download the installer for f-prot antivirus. Then press enter for default installation, and it will download the latest updates.

While it's doing that, click on the "sda2" hard drive icon at the bottom, and verify that it appears to contain folders named "windows," "Documents and Settings," etc., indicating that this is (as I suspect) the partition on which Windows is installed.

EDIT: Please log back into the forum with the "Browse" button in Puppy, as this will allow us to continue this discussion on the computer being repaired. This is not critical, but it'd be a good idea.
« Last Edit: November 01, 2009, 03:24:32 AM by edifyguy »

edifyguy

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #58 on: November 01, 2009, 03:53:19 AM »
It looks like you've either gone to bed (probably a good idea! 36 hours.......ouch) or logged off. Anyway, I'm on a Puppy computer and have XF-prot up and have reminded myself about its functionality (haven't had to use it in a bit).

Once you get it downloaded, find out which drive icon contains the infected Windows installation. I believe it will be sda2 in your case. In the process of verifying where Windows lives, you'll mount the drive so that Linux can access it. If it proves to be sda2 where Windows lives, type "/mnt/sda2" without the quotes in the box that says "Path to scan" on XFPROT 1.23. Leave the box below it unchecked or it won't scan most of it. I'd suggest you change the "Report file" location from "/root/.xfprot/xfprot.log" to "/mnt/sda2/xfprot.log" as this location will be easier to find later and will be permanent (on the hard drive.) Don't use quotes in any dialog box, I'm just using them to help clarify my instructions.

I suggest (for now) checking the box that says "report only" so that it doesn't actually change any files, then select the button that says "F1 scan" at the bottom. After that......give it time. It will sit there "scanning" for a while, possibly hours. I suggest you let it scan and go to bed. Once it's done, it'll show the beginning of the report in the scan window, and we'll go from there. Once it gets to that point, you should attach the report file to a post here so we can go over the results. I'll help you with that if you have difficulty once we get to that point.
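
The "which drive icon holds Windows" step from the two posts above, written as a script. This is an added example, not part of the original posts: it assumes the partitions are already mounted under a common directory such as `/mnt`, looks for the two folders named in the post, and refuses to guess when more than one partition matches. The function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pick the mounted partition that holds
# the Windows installation before pointing an offline scanner at it.

# has_entry DIR NAME: true if DIR has a direct child called NAME, compared
# case-insensitively (the folder may show up as WINDOWS or windows).
has_entry() {
    find "$1" -mindepth 1 -maxdepth 1 -iname "$2" 2>/dev/null | grep -q .
}

# is_windows_root DIR: checks for the two folders the post says to look for.
is_windows_root() {
    has_entry "$1" "windows" && has_entry "$1" "Documents and Settings"
}

# pick_scan_path BASE: examine each mount point directly under BASE
# (/mnt/sda1, /mnt/sda2, ...) and print every one that matches.
# Returns 0 for exactly one match, 1 for none, 2 if several match,
# in which case the scan path has to be chosen by hand.
pick_scan_path() {
    matches=0
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        if is_windows_root "$d"; then
            printf '%s\n' "$d"
            matches=$((matches + 1))
        fi
    done
    case "$matches" in
        0) return 1 ;;
        1) return 0 ;;
        *) return 2 ;;
    esac
}

# Usage (assumed mount base): sh pick_scan_path.sh /mnt
if [ "$#" -gt 0 ]; then
    pick_scan_path "$1"
fi
```

The printed path is the value for the scanner's "Path to scan" box, and the same directory is where the post suggests placing the report file.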

Lynn210

  • Guest
Re: One Nasty Virus/Trojan - Kills all virus scanners
« Reply #59 on: November 01, 2009, 03:57:23 AM »
I have a warning from XFPROT
it says you are running  xfprot as root Continue?

Yes or No?