I have a Dell laptop running XP SP2. It belongs to a friend and came to me running so slowly that it took several minutes to just bring up the START window. It wouldn’t connect to the internet either.
I started it up in SAFE MODE and ran updated versions of ADAWARE and then SPYBot S&D. Both scanners removed tons of junk rated critical or malicious. Both said there were some files that were in use and couldn’t be removed until a restart was done.
After another restart or two, I started receiving a pop-up message during the startup process saying “DCOM server process launcher service terminated unexpectedly” with a 60 second timer counting down the seconds to a shutdown. When the time was up, the system shutdown and during the startup, even in SAFE MODE, it would begin again with that same pop-up message.
I researched this message and found on some forum that this pop-up is caused by a virus called Trojan.Patcher.B and that MS had a removal tool for this hard-to-remove virus called MS malicious software removal tool. The forum also gave a temporary workaround whereby I had to quickly change the system clock by rolling it back a few hours. It worked and I usually only had a few seconds left to do this. After resetting the clock and adding more time to the counter before the shutdown occurred, I installed and ran the removal tool I got from MS. This tool found the following virus:
It said this file was in use and it couldn’t be removed until it restarted. So I did that.
By the way, the workaround of resetting the clock only resets the counter for that session; after a restart, it’s back to its 60 second countdown to shutdown. The problem now is that the shutdown popup starts counting down a lot sooner than it originally did and Windows doesn’t have a chance to finish starting up before the timer is up. Hence, I don’t know how to stop it if I can’t get to the desktop anymore. So, now I want to run AVAST and I can’t do anything.
Is there anything I can do from DOS?
I don’t have an XP startup disk and there isn’t a floppy. I’m not as familiar with XP as I was with 98 or 2000 and I’m at a loss right now as to how to get back into the system.
Any help will be appreciated. My friend has a ton of pictures that she can’t lose.
avast should be able to deal with MyDoom, but Windows in its infinite wisdom protects files in use (even malware) or in system folders, so it is likely that avast! can’t delete or move files in use. So schedule boot-time scan in avast’s menu if you have XP, win2k or NT, otherwise boot into safe mode and run an avast scan. This should ensure that the file isn’t in use and avast should be able to deal with it.
If you have XP or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, Menu, ‘Schedule boot-time scan…’
If you can get into windows for any time you could try and use a command line to schedule a scan on the next boot, Windows, Start, Run and type, C:\Program Files\ALWIL Software\Avast4\sched.exe /A:*
This does a scan outside of windows so MyDoom shouldn’t be active.
Since I couldn’t get into the system under SAFE Mode (virus shutdown the system during startup), I tried “last known good configuration”. I was finally able to get back in and roll the clock back to stall the worm’s shutdown counter.
Now, I have a few more questions:
Can I install and run AVAST without being in SAFE mode? If so, should I do anything in particular besides closing all apps?
Right now, I only have the administrator user. Should I create another user with restricted access and logon as a guest? If so, how do I give AVAST the ID-Password for the administrator as suggested in the HTML doc you referred to earlier?
Will copying off pictures and documents to my flashdrive infect it, too? How about moving those items onto my other PC for a backup? I’m not copying any .exe files or applications, just docs & pics, but I’m worried about infecting my desktop.
1 & 1st 2. If you mean from a normal Windows boot: Yes. Install as a user with admin rights and enter the registration key with the same account; avast will then be available for other users. Limited users can’t do program updates.
If you mean outside of Windows: No.
2nd 2. avast is a resident scanner and should scan files created on your flash drive (depending on the standard shield settings it scans created/modified files). Or the reverse: files transferred/copied from your flash drive would be scanned. However, the best thing would be to run a scan of your flash drive before transferring files, using the explorer context menu: right click on the flash drive and select scan.
If you need to buy some time to get the program installed, do this very quickly after the computer boots, but don’t issue the command until the countdown starts:
Click Start > Run
Type shutdown -a in the empty field and click OK (note the space between shutdown and -a).
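The same abort can be issued repeatedly so that the desktop has time to finish loading and the boot-time scan can be scheduled without racing the countdown. This is an added example, not a command from the thread; it assumes Windows XP with shutdown.exe in the system directory and is saved as a hypothetical abort-shutdown.cmd:

```batch
@echo off
rem Added example (not from the thread): keep cancelling the pending shutdown
rem so the desktop can finish loading and the avast boot-time scan can be set up.
rem Assumes Windows XP, where shutdown.exe lives in %SystemRoot%\system32.
rem Run it from Start > Run once logged on; press Ctrl+C to stop the loop
rem after the scan has been scheduled and the countdown no longer appears.
:loop
rem shutdown -a returns an error when no shutdown is pending, so hide that noise.
shutdown -a >nul 2>&1
rem XP has no "timeout" command; pinging localhost twice is the usual 1-second delay.
ping -n 2 127.0.0.1 >nul
goto loop
```

This only cancels the shutdown each time it is triggered; it does not remove whatever keeps triggering it, so it is a stopgap until the scans and the KB823980 update in the later replies have been applied.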
I think I’m finally getting somewhere !!! The shutdown command suggested above worked to get that pop up off (thanks mauserme). I first installed and ran the AVAST virus cleaner program shown in the link you gave me in your first reply, it didn’t find anything. Then, I realized you were talking about a different program, AVAST 4. So, I downloaded and installed it. During installation it asked if I wanted a boot scan done at restart, I said yes. After restarting, it performed the boot scan and reported the following:
This file…
c:\winnt\system32\micro1\a3.exe is infected with win32:Small-AHY [trj]
It now is giving me the following options (Delete, del all, move, move all, etc.).
Which one do I pick ?
Will the laptop be clean after this ?
Isn’t it the option move to Chest? It is the safest.
If a virus is replicant (coming and coming again), you should:
Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3).
Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).
I’m having such a hard time removing the worm/trojan/virus whatever it is that’s bringing up that shutdown popup. I have installed and run the AVAST4 boot scan 2 times already. The first time it found around 12 trojans and other adware. The second time it found 2. Both times I selected to move all the infected file to the chest. Both times when it finally built the desktop, the popup reappeared again. Also, it somehow damaged AVAST. This is the message I received:
ashAvast - error basIntLibrary - initialization of basic library faile ! Check INI file or install program again, please - Ok.
I uninstalled and re-installed and rebooted with the scan turned on. It scanned a 3rd time, went into the desktop and the blasted shutdown popup was back!!! What else can I do? This virus won’t go away!!!
After installation and reboot open the program and click Security > Tasks > Scan for Known Applications. Close the program when prompted and start it back up again. You may be notified that various programs are now trying to access the internet. Carefully review these (using Google if necessary) and block any that you can identify as malicious. Post the names and locations of anything suspicious. If you’re in a network you should also click Define A New Trusted Network at some point, though you don’t want this computer networked to others right now.
EDIT - Forgot to put this step in:
Make sure you have Windows Update KB823980 installed. There are 2 versions available for XP.
Next, open Add/Remove Programs in the Control Panel, highlight avast! Antivirus and click the Change/Remove button. A window will appear giving you the option to repair avast!. Highlight that option, make sure you’re connected to the internet, and “Next” your way through the process.
Now run the AVG Antispyware and SuperAntiSpyware scans suggested by Tech. Make sure to quarantine whenever possible, and save and post the logs in your next response.
After these scans download Deckard’s System Scanner (DSS) to your Desktop.
- Close all applications and windows.
- Double-click on DSS.exe to run it, and follow the prompts.
- The scan may take a minute. When the scan is complete, a text file will open - Main.txt
Extra Note: When running DSS, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags DSS as suspicious. Please allow the Deckard’s System Scanner to run and don’t let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus.)
Post the main.txt from the C:\Deckard\System Scanner folder into your next reply too.
These logs may be long and will not fit in a single post. Feel free to break them into pieces and use multiple posts in order to give us all the information.