
Windows XP virus problem, restarts continuously

Status
Not open for further replies.

mgigypsy

Technical User
Aug 29, 2005
11
US
I am trying to clear a client's computer of a virus storm. When he called, his Windows XP was restarting continuously. I was able to bring up the desktop by restoring from a previous registry; however, when I tried to initialize a Norton Anti-virus scan it crashed. When XP reboots there is a brief flash of a blue screen with something looking like, maybe, a command file. I am able to reboot in Safe mode. From there I have updated the virus definitions and run several scans. The computer was evidently infected with ex.exe. I removed all files and edited the registry to eliminate ex.exe commands. These were identified as something risk.downldr. I checked, also, for the close.exe file. Also reviewed (and deleted) a file called "cmd.exe" in the root directory. Somewhere along the line a separate administrators account was established using Administrator, client's name.000. Hope this is detailed enough - I am really stumped.
 
Use a virus scan (I prefer avast) and rename the scanner from .exe to .com before you copy it to the client's machine. In my experience with that type of virus, any and every .exe file (including the Norton) is infected by the virus.
The .com extension works because the virus attacks the .exe extensions.
That trick has not failed me.

Be warned... it's a lot easier to just save the client's data (cleaned of virus) and reload Windows. You are maybe looking at a whole computer where almost every .exe file is infected.
That creates a lot of corrupt files and a flaky running Windows.
 
Forgot... the separate admin account is because the virus (or the client) corrupted the profile and Windows cannot load it, so it creates a separate account. This is an automatic feature.
 
Boot with a bootable CD to get to a DOS prompt with CD-ROM support. Scan the PC with a commandline scanner (e.g. McAfee commandline scanner).

regards,

R.
 
Thanks for all the quick input! I did try to come up on a bootable disk - however I couldn't get to drive C:! A, B, no C - never happened to me before so I have no idea what was going on.

As far as starting over - this is our second go-round on this system. I replaced the hard drive about 6-8 weeks ago. We made sure nothing went back on the system that was not checked and things ran fine for a month or so. I had Norton on auto update and scheduled to run every Monday night. The client is on cable - not DSL or dial-up but I have never had this kind of trouble keeping a machine clear. He is ready to ditch the thing in the bay and get a laptop, but I am asking him to wait until we find out why he is such a target. He has spent quite a bit trying to protect his system, but it doesn't seem to do the trick - any suggestions?
 
You won't get to your drive C because it's probably formatted with NTFS file system. You need to follow what "firewolfrl" said.

Does the client have a firewall installed, or the XP firewall enabled? I doubt the client is being specifically targeted (though it's always possible); I would say it was just bad luck.

You need to reload Windows and make sure all security settings are in proper order.

Hope this helps,

Erik
 
Hi, I think you will also find that Norton has been infested. I have worked on computers with Norton and I find it easier to uninstall and wipe every trace of Norton from the computer.

A good antivirus you could install for the customer, and it's one I install on all my customers' computers, is avast. It is free and has a good backup forum-wise. You or the customer has to register it, but that is only to obtain a reg key so that he can carry on using it. It is updated every day, or, because I am always online and I have the Pro, it has been known to update twice a day.
THEN download Microsoft AntiSpyware, Lavasoft Ad-Aware SE, Trojan Hunter and XoftSpy.
If you run each one of these after installing them, if there are any bugs, etc. left, these will find them.


See my own website at backed up by all updates, and securities.
 
From my experience with the web surfing behavior of some of my clients... some of them go to sites they really should not go to, and they click yes to ActiveX sites that they should not be saying yes to, and with the email flood they get, they open every email... LOL (Smack my head... job security)

Sometimes it's worth it to do some web surfing training with the client.
Shopping pages are sometimes worse than any porn page.

Just so you know, if you do wipe the drive, format is not good enough.

You have to zero out the drive with the HD manufacturer's HD utility. As for a boot floppy, make sure the floppy is read only. With the type of virus you have, part of it sits in the boot sector, and it is network aware.

There are some real nasties out there.
 
Geez, why me. I'm going to try the Avast renamed to .com and see if that helps at all. I think I need to get him to call the second anything seems strange - not two or three days later after we have major cancer, multiplied with every restart. We have had the "where one should or should not go on the web" talk. This is on cable (as I may have mentioned). I haven't had this problem with DSL or dial-up, and the cable company just says - well, duh, we don't know. Does Avast have a firewall? Several of you seem to be recommending the product. Since I have been working with Norton forever, it seems, that's where I sent my clients - easy updates and fairly easy to understand settings (at least until recently). We'll see where we go from here. I do have the free download from Avast; I didn't notice they had a free version. He's pretty tired of spending money on programs that don't seem to protect him.
 
Hi, me again. Avast has a forum, so if you see him, tell him that if he gets trouble again and he goes to the forum, we will help him. Yes, I started using avast 3 years ago, and have had it free up until 4 weeks ago, when I decided to pay for it to help people who can't afford it. XP has its own firewall if SP2 is installed. Then put on Microsoft AntiSpyware; they also have a software malicious. All these are free, but you must know that Norton has to be completely removed.

Hope that helps you.

See my own website at backed up by all updates, and securities.
 
Well folks, Avast didn't find anything. I guess our only option is a low level format and start over. I have asked that he call the second something odd shows up so we can catch things before it goes ballistic. We have loaded Stopzilla; will that work for spyware, adware etc.? I will check into the Avast subscription requirements.
 