W2K infected, won't boot

Viruses and worms
1

Hi,

My sister’s W2K system got infected with a virus, worm or Trojan (for ease, I’m going to use “virus” from this point on). She used Avast v.?? and it detected a virus and deleted it (technically, I don’t know if it was deleted or moved to a safe folder, etc., probably whatever Avast defaults to). She said that after removal she was only able to stay connected to the web (DSL) for a few minutes and then had to reconnect.

She also told me that it (Windows?) was reporting that there were missing files. I presume these were drivers, vxd’s, dll’s, etc.?? when she tried to call-up new programs or functions. Anyway, she reinstalled W2K attempting to overwrite the corrupted files and, now, “It won’t do anything”.

I was planning on going over with a Win98 Start Up disk and seeing if I can get it to boot. Then run Avast and, at least, tell you what version it is, and/or running it to see if it can find any infected files. Good/Bad Plan?

Also, I don’t know what files, or exactly what, to look for. I figure I could start in an Avast log file look for the name of the virus and then do a web search on the name and look for a removal tool? But I’m thinking that won’t work anyway because of the FAT32/NTFS difference. Can I do it from a 98 Start disk? Should I back up the registry before doing anything? Can I do that from a 98 Start disk?

I’ve got and old laptop (PII 64RAM, W2K) I can use to take over there to read/post to the board. It doesn’t have a floppy drive, but it does have a CD-ROM. If I need to download a diagnostic program, cleaner, etc. I’ll have to drive home and copy it to a floppy and drive back. If it helps somehow: There is a Cat5-type (RJ-22?) port on the laptop and I have some Cat5 cable, but I’ve never used it and don’t know if it would be more of problem just trying to get the computers to talk to each other, than just driving home and copying the needed stuff to a floppy.

By the way, she didn’t write down the name of the virus, what missing files Windows was looking for, etc.

I’ve searched the net but I didn’t find anything specific enough to get me through this (an overwhelming amount of data on the subject, though). I did find a few that told me what to do in Win95/98, but not to do it in W2K, XP… I presume because you can’t get to a DOS prompt?

Anyway, I don’t really know where to go from here or if you need more information before you can diagnose the problem/effect a solution.

Thank you for your time!

Her system: P4, W2K (don’t know Service Pack status), 500MB-RAM, need anything else?

2

Welcome to the forum!

You could try here for a boot disk for ntfs

http://www.ntfs.com/boot-disk.htm

More info on w2k machine would be helpful.

Have a read here to before you go!

http://www.ntfs.com/missing-corrupted-system-files.htm

3

Thanks, inthewildteam! I’ll read up on those see what happens.

4

You’re welcome,

check back before you get amongst it, I’m sure others will have some other ideas for you.

5

You don’t need a bootdisk, the Win2k cd is bootable. Boot from it and see if you can track down the cause and solve it.

6

Cool…Thanks, Eddy!

I was able to get it to boot LATE last night. It looks like the graphics driver was corrupted, and I got errant errors seemingly unrelated to what the system was doing at the moment.

I’ll head back over there later today to see if I can determine the virus’s name either by running Avast again and/or checking its log file. Then do a name search (Here? Google? Symantec site? Norton site?) and find removal/repair instructions for that particular virus.

Does that sound like a decent plan or is there something more effective, efficient, etc.?

7

Okay, I ran Avast; it didn’t seem to ID the virus precisely: Win32:Trojan-gen {Other}

I did a few searches and, apparently, it was too generic because I got a list of different viri with the above parameters minus “{Other}”

I clicked “Move to Chest” and… “Virus Server Chest is not running. RPC communication failed.”

I then attempted to download the current virus database (x4) but it kept aborting. The current version: 0503-0, 1/18/05. So maybe that is up to date.

Avast reported:

File Name: C:\ProgramFiles\CommonFiles\WinTools\WToolsS.exe

Since it wouldn’t move it to the chest I just clicked Repair and it did its scan, etc. and reported another virus:

Virus Name: Win32:Exdl [Adw}
File Name: C:\Winnt\System32\exdl.exe

Clicked Move to Chest —> Virus Found:
exdl1.exe (that’s exdl and the number one)

Clicked Move to Chest —> Virus Found:
mqexdlm.srg

Clicked Move to Chest —> Result of last scan:
1: File succesfully repaired
2-4: File successfully moved to chest.

Question: Avast recommened moving to chest rather than repair, but it did repair it should I go ahead and try to repair the other 3?

And, I have no idea why those 3 were able to go to the chest and the 1st was not. I didn’t reboot, etc. It was during the same session.

I read a number of things about false virus reports. Might one or more of these be false? How do I check?

I thought I was dealing with one virus and repair routine but, now, I’m really not sure what the right thing do is from here.

Thanks, again!

Also, if it’s of any use, Windows reports an error:
winnt\drivers\intel\graphics\ialmnt5.sys

And, it keeps asking for MS Office 2000 Premium disk, which, of course, I don’t have with me. :slight_smile:

Update: I forgot mention that there are two DOS-like boxes that popped up: “Internal Error” on the Windows label, but the body of the message is unreadable.

W2K v5.00.2195, Don’t know how to check for service packs. Does the .2195 indicate the service pack? If not, please let me know where to find it and I’ll get it posted.

Avast v4.??, unless you need it beforehand I’ll wait until further instructions before I try to get off the the “Results of last scan” report/dialog screen, and back to a screen where I can access the about feature.

Is there anything else you need to diagnose it?

Also, I gotta go out and get something to eat, so I may not be back to check messages for a while, but I appreciate your reply in the meantime.

8

Wow… what a long story…

RPC error is most likely correct by this procedure:
Go to Control Panel > Add/Remove programs > avast! antivirus > Remove
Then choose Repair function in the pop up window (Repair).

Last VPS is 0504-0 1/25/05…
What do you mean by ‘aborting’? What is the error message?

Are you using Windows XP?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning
Select for scanning archives.
Boot.

Submit the file to Jotti and let us know the results, i.e., if it is or not a false positive.
If you are getting a virus warning that you believe is a false positive, then if you can zip and password protect (‘virus’, will do) the suspect file and send it to virus (at) avast.com.
Give a brief outline of the problem, the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see About avast: right click avast icon) will also help.

9
10

Ok, you got two problems here.
1] System is infected
2] Windows is corrupt. (video drivers and perhaps some other things also)

1] Delete wintools, it is malware.
Delete all other infected files.
(only a legitimate file that is infected with a true virus can be repaired)

2] Reinstall the video drivers, make sure you have the latest.

This may solve the problems.