
DELL PC Overrun

Status
Not open for further replies.

mlack

IS-IT--Management
Oct 8, 2001
44
US
I am fixing a DELL P4 that has been overrun by spyware, trojans, etc. It boots up with "Dangerous low system resources" and "SAS" errors. From talking to the client, I can only guess that, without patching it, it is being bombarded with all kinds of stuff. It will not even let me boot into safe mode. I did get in once and tried a "clean boot", but the system continues to "lock up". Any ideas on booting this thing in DOS, or does a spyware DOS boot disk exist? How 'bout a Stinger boot disk? This is the worst I've seen, and I have been doing this a while. I would like to get it up and running to get a good read on what all is in there, as I'm sure it wouldn't be pretty. Any ideas, guys and gals?
 
boot to safe mode, get the data and then blow it away
 
Thx IFRS for the reply. It locks up in safe mode. I also cannot run any programs because of the virtual memory thing. I cannot browse folders, as the hard drive is "hidden". Properties of the hard drive = "0" KB and "0" used. The owner told me yesterday that they were receiving a lot of "run dll" errors and the browser was going to "about:blank" all the time. I know it's a hijacker and a trojan horse, but I can't seem to get in to do anything. Hmmm... anyone have any ideas? Any dll's or exe's I can delete from DOS to get this thing up and workable to fix? Just looking for ideas. My 1st thought is to take the hard drive out and throw it in my PC, see it as another drive, then scan with Ad-Aware, Spybot, antivirus and HijackThis.
 
My 1st thought is to take the hard drive out and throw it in my PC, see it as another drive, then scan with Ad-Aware, Spybot, antivirus and HijackThis.

If you can't get to safe mode, this and reformatting might be your only solutions.

James P. Cottingham
There's no place like 127.0.0.1.
 
mlack

If you slave the hard drive and run HijackThis, it will report on your setup. It is not possible (to my knowledge) to get it to scan the registry on the second hard drive, which is unfortunate in this instance, because it only uses the active setup.

Having said that, running a good virus and spyware scanner over it is a very good idea. Once you have done that and cleaned it up (and backed up the data, just in case), reinstate it in the original machine and try again.
Wiping and reinstalling I only do as a very last resort, but in this case I can think of another option that is available to you if the machine runs NT, 2K or XP:
Boot from the operating system CD and install a second copy of the OS in, for example,
C:\WINNT2

and then boot into the WINNT2 setup and clean the system from there. Reboot into the first setup and try again. Clean up, patch, and see how it goes.

John
 
I'm not sure if you know, but there are Linux distributions that will run an OS from a CD and allow you to access Windows partitions. It might take a little research and toying around to be able to access the hard drive, but it can possibly be done. Do a search on Google for Knoppix or even SUSE Linux. They have distributions that run directly from a CD-ROM, meaning the OS is never installed to the hard drive! It runs off a bootable CD-ROM. You pop in the CD, a GUI Linux OS will start, and you should be able to access any hard drives that the OS detects (including your Windows partition). Note: I'm not sure if you can access NTFS partitions, although I'm sure there is something out there that will allow it. If it is vital that the data be recovered, this is a possible solution, although I have to warn you that this will take some time and research. Once your data is recovered, blast that computer and reinstall your software. Presto, good as new!

Acquisitive_One
MCSA, A+

Acquisitive - 1. Characterized by a strong desire to gain and possess. 2. Tending to acquire and retain ideas or information :)
 
Thx all! I do not have a lot of time invested in this one yet, and wanted to keep it that way! :)

Funny thing is that I made emergency boot disks with the Norton AV 2004 product and they didn't work. I tried to boot to DOS, but the C: drive is not available.

The Linux boot thing is a great idea but might be too time consuming for the amount of time I have on this one (but what isn't with computers:)

Wish there was another boot disk option or AV boot disk solution to use, but not sure if it would see the drive anyway. THANKS!

 
mlack

Try the Ultimate Boot CD - it contains the DOS version of F-Prot and NTFS read/write software. It certainly won't pick everything up, but it may clear some of the infections up.

John
 
This may work:

-Slave the drive in your PC.
-Fire up regedit (regedt32 for Win2k)
-Select HKLM
-Load a hive
-Browse to the 'bad' drive %SystemDir%\config\software
-This will get you to the HKLM of the bad drive and you can start hacking unwanted stuff out of the run key.
-Make sure you unload the hive to save the changes when you are done.

As I said - This MAY work - never used it like this but I do use it to modify RIS image registry settings.

Q-
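The offline hive technique Q- describes above (and the HijackThis limitation John mentions, that it only reads the live machine's registry) can be scripted rather than clicked through in regedit. The following is an added example, not code from the thread or from any of the tools named in it. It assumes the infected disk is slaved into a clean machine as D:, that it is an XP-style install whose SOFTWARE hive lives at D:\WINDOWS\system32\config\software (an NT4/2000 box would use WINNT), and that the temporary key name, the value-name blocklist and the "XP default" strings are this example's own choices. It uses reg.exe (shipped with XP and later) to load and unload the hive, and the PowerShell registry provider to read and delete values in between.

```powershell
# Added example (not from the thread): inspect and clean the Run/RunOnce keys
# and the Winlogon Userinit/Shell values in a slaved drive's SOFTWARE hive.
# Assumptions: infected disk is D:, XP layout, run from an elevated PowerShell
# prompt on the clean machine. Save as Clean-OfflineRun.ps1.

param(
    [string]$BadDrive  = 'D:',
    [string]$MountName = 'BadSoftware',   # temporary subkey created under HKLM
    [string[]]$Remove  = @(),             # value names to delete from Run/RunOnce
    [switch]$Commit                       # without -Commit, only reports
)

$hiveFile = Join-Path $BadDrive 'WINDOWS\system32\config\software'
if (-not (Test-Path $hiveFile)) { throw "Hive not found at $hiveFile" }

# Back up the hive file first: 'reg unload' writes the edited hive back to disk.
Copy-Item -Path $hiveFile -Destination "$hiveFile.bak" -Force

# Mount the offline hive as HKLM\<MountName>. Fails if not elevated or if
# another process (e.g. regedit) already has the file open.
& reg.exe load "HKLM\$MountName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed: run as Administrator and close regedit' }

try {
    $base = "HKLM:\$MountName\Microsoft\Windows\CurrentVersion"
    foreach ($name in 'Run', 'RunOnce') {
        $key = Join-Path $base $name
        if (-not (Test-Path $key)) { continue }
        Write-Host "== $key"
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata the provider adds.
            if ($p.Name -like 'PS*') { continue }
            Write-Host ("  {0,-30} {1}" -f $p.Name, $p.Value)
            if ($Remove -contains $p.Name) {
                if ($Commit) {
                    Remove-ItemProperty -Path $key -Name $p.Name
                    Write-Host '    -> removed'
                } else {
                    Write-Host '    -> would remove (re-run with -Commit)'
                }
            }
        }
    }

    # Winlogon values hijackers commonly rewrite. The defaults shown are the
    # XP values assumed by this example; a "failed to initialize userinit.exe"
    # error at logon is one reason to compare them.
    $winlogon = "HKLM:\$MountName\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $wl = Get-ItemProperty -Path $winlogon
    Write-Host '== Winlogon'
    Write-Host ("  Userinit = {0}   (XP default: C:\WINDOWS\system32\userinit.exe,)" -f $wl.Userinit)
    Write-Host ("  Shell    = {0}   (XP default: Explorer.exe)" -f $wl.Shell)
}
finally {
    # Drop cached handles so the unload (which flushes changes to disk) succeeds.
    [gc]::Collect()
    & reg.exe unload "HKLM\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning 'reg unload failed; close open handles and run: reg unload HKLM\' + $MountName }
}
```

Run it once without -Commit to list what autostarts from the slaved drive, then again with, for example, `.\Clean-OfflineRun.ps1 -Remove 'SuspiciousLoader' -Commit` to delete the named values. Per-user startup entries (HKCU\...\Run) live in each profile's NTUSER.DAT rather than in the SOFTWARE hive, so repeat the load/unload cycle against D:\Documents and Settings\<user>\NTUSER.DAT to cover those. Restoring the .bak copy over the hive file undoes everything if the machine fails to boot afterwards.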
 
Great ideas guys and/or gals. I will try them all and post back here some time today. Downloading UB-CD.

Hey QTIN...RIS Image?
 
mlack,

RIS is Remote Installation Service.

RIS is a method of easily installing operating systems on lots of computers via your network. Needs Win2000/2003 server with AD, DNS and DHCP running, clients need PXE enabled network adapters (or you need to use a boot floppy/CD manually).

John
 
Yeah... if I need to add new drivers to a RIS Image I load the 'software' registry file as a hive on my desktop machine from the image stored on the server.

You can trick Windows into searching more than one place automatically for drivers by changing the CurrentVersion\DevicePath key (how sysprep works). I'm sure this is an unsupported way of changing a RIS image but I'm lazy and it works. :)

More info on RIS in case you don't know what it is:


We don't prestage clients since we are lazy.

Since we started using RIS we cut our number of images down from 100+ to about 8.
 
Just an update:

Loaded the drive as a slave in another PC, ran AV, Ad-Aware and SB S&D. Seemed to have found over 170 trojans and 250+ spyware. Cleaned it best I could. Re-installed the drive in the regular PC... same result. Getting "adjusting Virtual Mamory" errors (oops, I mean memory... heehee), "App error failed to initialize userinit.exe" errors, etc. If I could just get in and disable the "restore" utility and run Task Manager I might be alright. Unable to boot to the Ultimate Boot CD (must have downloaded the wrong version?). Locks up on safe mode boot.
 
At this point, I suspect that so many exe's, dll's and the registry have been corrupted that it might be best to do a format and reinstall.

Still, if you have the time, it might be interesting to try a recovery just to see what happens. You could then post here with the steps you used. Might be a good FAQ.


James P. Cottingham
There's no place like 127.0.0.1.
 
I am in safe mode but have no taskbar or desktop. I can get into Task Manager, which has a run utility I can use. Does anyone know how I can disable the System Restore utility from a DOS command? Or better yet, the .exe that runs the "My Computer" utility, so I can disable it there? Looking to disable the restore utility before running fix-it apps (for the 3rd time).

p.s. Happy B-Day to me!
 
Thanks 2ffat for the reply.

Latest news: I was able to run "Explorer.exe" from Task Manager, which returned the desktop. From there I was able to get to the Restore utility and disable it.

Hopefully the end is near or there is now a light at the end of the tunnel. I'll be back with the results and possibly a step by step on a final resolution.
 