
Registered · 86 Posts · Discussion Starter · #1
Hey guys

I'm new to the forum, and I joined so I could get some advice.

Ok, here's the situation... not yesterday but the day before, I turned on my computer in the morning and it just wouldn't load. I don't know why... I would get the boot screen, the Windows XP screen, I'd enter my password, and BAM, it'd freeze...

Luckily for me I have a 2nd partition on which I had Steam games installed (because of some conflicts with the default video settings on a full XP install), so it was a custom XP install that my bro made with BartPE. Anyways, I got on there, scanned my main partition (C:) for viruses and adware, and even ran a 45-min long chkdsk from the cmd prompt. I found a virus or 2, and as soon as I deleted the virus my computer loaded... ONCE... then it wouldn't load again.

And right now I'm using the 2nd partition to send this request for some HELP! The virus scan returned results saying that a few archives were infected and that they can't be un-compressed and deleted, so that may be the problem... but why is it that one night it works, and the very next morning a few hours later XP just stops working?

ANY help is appreciated. Oh yea, I forgot to mention, like a dumba$$ I have my files PRIVATE (I think) so I can't access any files on the other partition... I don't think they are private though, but when I click Properties it just shows "SIZE = 0 bytes" even for a folder that has 2 gigs worth of music in it... so I think the virus is somehow restricting file access? Is there some way to bypass this so I can back up my stuff? I have BartPE to use as a last (very slow) resort to manually back up all my files.

Would I be able to make a windows recovery disk and try using that to startup the C: partition?

Again, any help appreciated, and I hope to resolve this without having to clean-install windows all over again...(How hectic!)

Thanks.

Killa
 

TSF Team Emeritus, Microsoft Visiting Expert · 3,263 Posts
Hi l337killa07

. . . and Welcome to the Tech Support Forums!

It would be a good idea to make sure the rascals are completely gone as a first step, and then proceed to help get your system files healthy again. Take a look at some of the tools and procedures in the 5-Step Security Checklist - whether you decide to post a HiJackThis log or not --- http://www.techsupportforum.com/sec...lease-read-before-posting-hijackthis-log.html . Include a rootkit scan (or two) along with your virus scans --- http://www.pcsupportadvisor.com/rootkits.htm . The symptoms you describe match up pretty well with damage to system files due to malware (though other possibilities exist).

[Part of the removal procedure might be to temporarily disable System Restore - which will delete all your current restore points - but will kill any infections hiding in restore points (I'd guess it's a good chance that the virus-infected files were in a restore point in the "System Information" folder)]

Once the system scans clean consistently, see if you can boot into the now-clean partition, and try a run of the Windows File Protection program (like an XP version of the System File Checker). From the Start/Run box, type "sfc /scannow" (without the quotes). The program may prompt for your Windows CD, or need to be pointed to the location of the Windows installation files (.cabs) on your hard drive. The program runs in the background, only coming to the foreground if it requires your reply. You can check on the details of its work in Event Viewer, as it will leave an entry there both when it starts and when it is finished [Start/Control Panel/Performance and Maintenance/Administrative Tools/Event Viewer]. Right-click an item in a log and select "Properties" to see the details of the event.

If you can't boot into normal mode, you can try Safe Mode for the SFC run - but you'll need the .cab files on the hard drive if Safe Mode can't reach your CD drive.

Another tactic to try on the damaged partition is to use the "Last Known Good" Configuration choice from the Boot Menu (to access the Boot Menu, start tapping the F8 key as the computer is powering on).

To see the files on the damaged partition, try gaining ownership of them --- http://support.microsoft.com/default.aspx?scid=kb;en-us;308421

Best of luck
. . . Gary
 

Registered · 86 Posts · Discussion Starter · #3
Hey Gary thanks for the response.

Honestly speaking, ya kinda lost me there....I mean I'm not computer illiterate but the post kinda confused me

I can tell you what steps I've taken so far....

I've used an online virus scan, used Ad-Aware, I still need to use a regular antivirus... I've also done Scandisk from Windows and chkdsk from DOS. I've tried to boot the computer many many times in Safe Mode, Last Known Good, everything. Those were actually the first things I did, but nothing worked.

The sad thing is that I have about 10 gigs worth of important information that I really don't have the means to back up at this point... I don't have an external source big enough... I can use my brother's USB external drive but I gotta convince him first...

Oh, and trying to "gain ownership" of my files through that Microsoft article didn't work; I don't have that 'Security' tab when I click the properties of any file.

Anyways, thanks again for the reply, but if there are any other things I can do, Please let me know. In the meantime, I'm going to install a virus scanner, and start scanning and backing up my files folder-by-folder.

Thanks,
Killa
 

Registered · 104 Posts
You can use BartPE to reset file permissions. When you go to do a virus scan, chances are it will not scan the protected files. My personal recommendation is to use either Trend Micro or Norton Anti-Virus. Trend Micro has a free online virus scan at http://www.trendmicro.com/hc_intro/default.asp . After the virus scan removes the virus again, boot up to the normal partition and turn off System Restore to clear out the restore points. I know that many viruses (due to them being programs or scripts) tend to be backed up in the restore files.
 

TSF Team Emeritus, Microsoft Visiting Expert · 3,263 Posts
Hi again

Skater's recommendation of using a Bart's PE CD is a handy one: I recommend it also = it's a very flexible tool. The funny part is that you mentioned that your brother did a customized Bart PE install for the 2nd partition that is currently the only one working.

When you tried the Microsoft procedure to gain ownership, were you logged in as Administrator? If not, try that (it doesn't work unless you have Administrator rights = the Administrator is the co-owner of all files on a Windows XP machine, private or not). Use the Administrator user account visible in Safe Mode, if you can reach Safe Mode.

Don't forget to scan for rootkits as well as viruses. From the tools in the article I linked you to in my 1st reply, I'd recommend using both BlackLight and Rootkit Revealer. BlackLight's trial term ends in a few weeks (unless the F-Secure folks extend its trial period again), so you might want to run that first. The article in the link explains how rootkits can completely hide malware from your antivirus tools.

If you continue to have trouble gaining access to the large files on the troubled partition, as a last resort you can point PC File Inspector at that partition, and it should be able to recover the files for you --- http://www.pcinspector.de/file_recovery/uk/welcome.htm

Best of luck
. . . Gary

[... and: do you need more information on how to run the "sfc /scannow" command from the Start/Run box? That procedure can restore system files that have been damaged by infections. I recommend that you try a run.]
 

Registered · 86 Posts · Discussion Starter · #6 · (Edited)
Hey Skater thanks for the reply.

I have tried to use Trend Micro, but on that particular day my internet was spazzing out so it wasn't completely run. I'll run it again tonight.

As far as using BartPE, how can you reset file permissions using it? I'm not aware of that function of that program.

Hey, thanks again for the reply. In regards to what I said about BartPE, I had misworded it. He used a program called nLite to make a custom Windows install (aka get rid of all the extra proprietary crap that M$ adds with regular Windows). I mistakenly said he used BartPE.

As far as the procedure regarding ownership, yes, I am logged in as an Admin on this computer (it being my computer and all) and I am on the safe partition, so how effective it would be for me to try and access those protected files, I'm not sure. It's similar to trying to do something in your neighbor's yard when you're on the other side of the fence...

And regarding rootkits, yes, I read that very informative article. Turns out my sister's computer is infected (due to an error on my half) and McAfee (amazingly) was able to detect a rootkit on her computer! I will run all the software that I can as soon as I have a chance, but with my busy schedule it isn't as feasible.

With that being said, I'm gonna wipe out some of this work for school, run multiple virus tests, and update you guys on the results.

Thanks for the help once again,
Killa

*EDIT* Ok, well I re-read through the file ownership article, and I've run into two problems. The partition which I'm currently on is running a full version of Windows XP Home, and when I try to gain ownership of a folder even on this partition, I don't see the "Security" tab. I clicked to the other mentioned article, "How to disable simplified file sharing," but unfortunately that doesn't apply to Windows Home Edition. So as of right now, were that Security tab to appear when I click the properties of the folder, I would be able to try that method. I'm going to do some Googling and see what I can find...
 

Registered · 86 Posts · Discussion Starter · #7 · (Edited)
Hey guys,

Ok, sorry to double post, but it won't allow me to edit my post twice. Right now I'm logged into SAFE MODE and I can see the Security tab for the folders. I don't want to make any false moves and end up locking myself out, so can someone give some step-by-steps? Or point to a website which has more specific directions?

I am also confused about one of the users listed in the list... There is myself, which is OWNER, and this one, S-1-5-21-789336058-842925246-17085337768-1004, which I'm thinking is the virus. It has full permission to every single thing, even more so than the Owner, and I don't trust that this is a legitimate thing. Should I risk deleting it? Or keeping it? At this point in time, I don't want to risk anything without advice first, so I'm gonna go and run some of the virus and spyware scans, and let you guys know what's going on. I will post if I have more news or discover something.

Thanks,
Killa

*EDIT* Ok guys, good news. I took ownership of ALL my files in my user directory (C:\Documents and Settings\username\) and it worked. I can access all my files again! I tried to log onto the other partition and am still having no luck. Luckily, this current partition is about 10 gigs, so what I'm going to do is transfer all my critical files to this partition and use a few CD-RWs to burn some backups, as well as using my other hard drive (which I have for backup purposes; it's only 4 gigs). What I would LIKE to do is somehow partition the unused space in my other partition (which is about another 10 gigs) and use that as backup too, but I'm not sure if you can partition part of a hard drive which is currently being used.

Anyways, one of the major problems is out of the way, so if any advice can be given on these minor details, I'd appreciate it.

Thanks,
Killa
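The raw S-1-5-21-... entry in the Security tab is a security identifier (SID) that this Windows installation could not resolve to an account name. As an added example (not code from the thread, and not a Microsoft tool), the Python below decodes a SID string into its parts and classifies it: the prefix S-1-5-21-X-Y-Z identifies one Windows installation, and the last number (the RID) identifies an account inside it, with RIDs from 1000 upwards belonging to accounts created after setup. The local machine SID passed in for comparison is a constructed placeholder. The SID string copied from the post is used only to exercise the range check, because its third sub-authority, as transcribed, does not fit in the 32 bits a sub-authority has.

```python
"""Decode Windows SID strings such as the one seen in a folder's Security tab.

Added example for this thread (not from the forum posts or any Microsoft
tool). It shows what an S-1-5-21-... entry encodes so an unfamiliar account
in an ACL can be identified before any permission is changed.
"""
import re

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# A few well-known SIDs, as Windows itself resolves them
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# RIDs that every installation reserves inside its own S-1-5-21 prefix
RESERVED_RIDS = {500: "Administrator", 501: "Guest"}


def parse_sid(sid):
    """Split a SID string into revision, identifier authority and sub-authorities.

    Raises ValueError if the string is not structurally valid: revision must
    be 1, the authority must fit in 48 bits, each sub-authority in 32 bits,
    and there may be at most 15 sub-authorities.
    """
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    revision = int(m.group(1))
    authority = int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if authority >= 1 << 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    if len(subs) > 15:
        raise ValueError("more than 15 sub-authorities")
    for s in subs:
        if s >= 1 << 32:
            raise ValueError(f"sub-authority {s} does not fit in 32 bits")
    return {"revision": revision, "authority": authority, "sub_authorities": subs}


def is_well_formed(sid):
    """True if the string is a structurally valid SID."""
    try:
        parse_sid(sid)
        return True
    except ValueError:
        return False


def describe_sid(sid, local_machine_sid=None):
    """Return a human-readable classification of a SID.

    local_machine_sid, if given, is this installation's own S-1-5-21-X-Y-Z
    prefix. An account SID with a different prefix was created by another
    Windows installation (for example the one on the other partition) and
    cannot be resolved to a name here, which is why it shows as raw digits.
    """
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = parse_sid(sid)
    subs = parts["sub_authorities"]
    if parts["authority"] != 5 or len(subs) != 5 or subs[0] != 21:
        return "SID outside the per-installation account space"
    machine = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
    rid = subs[4]
    if rid in RESERVED_RIDS:
        kind = f"built-in {RESERVED_RIDS[rid]} account"
    elif rid >= 1000:
        kind = f"ordinary user/group account (RID {rid})"
    else:
        kind = f"reserved RID {rid}"
    if local_machine_sid is None:
        return f"{kind} of installation {machine}"
    if machine == local_machine_sid:
        return f"{kind} of this installation"
    return f"{kind} of a different installation ({machine}); unresolvable here"


if __name__ == "__main__":
    LOCAL = "S-1-5-21-1000-2000-3000"  # constructed placeholder machine SID
    for s in ("S-1-5-32-544",
              "S-1-5-21-1000-2000-3000-1004",
              "S-1-5-21-4000-5000-6000-1004",
              "S-1-5-21-789336058-842925246-17085337768-1004"):  # as typed in the post
        print(s, "->", describe_sid(s, LOCAL) if is_well_formed(s) else "malformed SID")
```

On a dual-boot machine, an entry whose prefix differs from the local machine SID is normally an account from the other installation; comparing the prefix to the local one (visible, for instance, in the SIDs of your own accounts) is the check to make before removing an ACE.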
 

Registered · 86 Posts · Discussion Starter · #10
Ok guys I'm having even MORE problems now!

At around 8 tonight (12/14/06) I had turned off my comp so I could get some hw done. Right now I'm running in Safe Mode. That's because when I turned my comp on just a few mins ago it kept rebooting at the Windows password screen! I tried Last Known Good and it still rebooted. Only Safe Mode works. And I can't install Norton in Safe Mode, so this very second I'm about to download AntiVir and maybe AVG, and install one or the other, and get rid of this virus that has dominated my computer!

I'll post again after everything is clean, wiped out, and reinstalled. If I post sooner, it's because I'm having ANOTHER problem!

Killa
 

TSF Team Emeritus, Microsoft Visiting Expert · 3,263 Posts
Hi again

Make sure to completely uninstall any currently installed antivirus before installing another. I like to recommend avast! for moderately powerful Windows XP computers (I recommend AVG for computers with less "horsepower"). Whatever antivirus tool you choose, make sure to download the most current virus definitions beforehand (I believe both avast! and AVG allow direct downloads of their most recent definition files). This way, you can install the antivirus and be able to update it immediately without having to connect to the Internet to do so (you'd be vulnerable during that window of time).

Run your scans on as "thorough" or "High" a setting as the scanner allows - most have advanced user settings that allow scanning within hidden files, within compressed files, and will scan all partitions, plus the BIOS and files currently in system memory.

Regarding the constant rebooting -
Yes, it could be a virus, but it could also be a "Stop error" that you aren't seeing because you have the Windows-XP-default-setting of "automatically restart" on encountering a fatal system error. To check on the error: when booted in Safe Mode, go to Control Panel/Performance and Maintenance/Administrative Tools/Event Viewer - and look for errors that coincide with the restarts.

You can also change the "automatically restart" setting. Go to your Start Menu, and right-click on "My Computer", then select "Properties"/"Advanced"/"Startup and Recovery"/"Settings"/"System Failure"... and remove the checkmark from the box in front of "automatically restart".

Keep us posted if any more surprises pop up.
. . . Gary

_____________
[P.S. - Skater - many programs install OK in Safe Mode: in fact, some gaming software houses (like Riverdeep) recommend installing some of their more intricate titles in Safe Mode, to avoid conflicts with background processes. In Windows 95/98/98se/Me the CD-ROM was usually unavailable, without altering Safe Mode to include the optical drive's drivers]
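Gary's Event Viewer check can be done systematically once the System log is exported as text. The Python below is an added example, not from the thread or from Microsoft: it reads an XP-style tab-separated export, splits it into boot sessions at each event 6005 ("The Event log service was started"), and for each boot reports whether the previous shutdown was logged as unexpected (event 6008 from source EventLog) and whether a Stop error was recorded for it (event 1001 from source Save Dump, whose description carries the bugcheck code). The log lines are constructed to look like such an export and are not from the poster's machine; the computer name in them is a placeholder.

```python
"""Correlate unexpected-shutdown events with recorded bugchecks in an
Event Viewer text export (added example, not from the forum thread).

The sample export below is constructed: Type, Date, Time, Source, Category,
Event, User, Computer and Description separated by tabs, as XP writes them.
"""
import re

SAMPLE_EXPORT = """\
Information\t12/14/2006\t8:41:02 PM\tEventLog\tNone\t6005\tN/A\tEXAMPLE-PC\tThe Event log service was started.
Error\t12/14/2006\t8:41:05 PM\tEventLog\tNone\t6008\tN/A\tEXAMPLE-PC\tThe previous system shutdown at 8:39:51 PM on 12/14/2006 was unexpected.
Error\t12/14/2006\t8:41:07 PM\tSave Dump\tNone\t1001\tN/A\tEXAMPLE-PC\tThe computer has rebooted from a bugcheck.  The bugcheck was: 0x0000007e (0xc0000005, 0xf7a3b5c1, 0xf78d6a70, 0xf78d676c). A dump was saved in: C:\\WINDOWS\\Minidump\\Mini121406-01.dmp.
Information\t12/14/2006\t8:43:30 PM\tEventLog\tNone\t6005\tN/A\tEXAMPLE-PC\tThe Event log service was started.
Error\t12/14/2006\t8:43:33 PM\tEventLog\tNone\t6008\tN/A\tEXAMPLE-PC\tThe previous system shutdown at 8:42:10 PM on 12/14/2006 was unexpected.
"""

BUGCHECK_RE = re.compile(r"bugcheck was:\s*(0x[0-9A-Fa-f]{8})")


def parse_export(text):
    """Turn the tab-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t", 8)
        if len(fields) != 9:
            continue  # header, blank or truncated line
        etype, date, time, source, _cat, event_id, _user, _computer, desc = fields
        events.append({"type": etype, "date": date, "time": time,
                       "source": source, "id": int(event_id), "desc": desc})
    return events


def boot_sessions(events):
    """Group events by boot; event 6005 from EventLog opens a new session.

    6008 and Save Dump 1001 are both written during the boot *after* the
    shutdown they describe, so they land in the same session either way round.
    """
    sessions = []
    for ev in events:
        if ev["source"] == "EventLog" and ev["id"] == 6005:
            sessions.append({"started": f'{ev["date"]} {ev["time"]}',
                             "previous_unexpected": False, "bugcheck": None})
            continue
        if not sessions:
            continue  # events before the first 6005 belong to no session
        cur = sessions[-1]
        if ev["source"] == "EventLog" and ev["id"] == 6008:
            cur["previous_unexpected"] = True
        elif ev["source"] == "Save Dump" and ev["id"] == 1001:
            m = BUGCHECK_RE.search(ev["desc"])
            cur["bugcheck"] = m.group(1) if m else "unknown"
    return sessions


def diagnose(sessions):
    """One line per unexpected restart, saying whether a Stop error was logged."""
    findings = []
    for s in sessions:
        if not s["previous_unexpected"]:
            continue
        if s["bugcheck"]:
            findings.append(f'{s["started"]}: previous boot ended in Stop error '
                            f'{s["bugcheck"]} (automatic restart hid the blue screen)')
        else:
            findings.append(f'{s["started"]}: previous boot ended unexpectedly with '
                            f'no crash dump recorded; not a logged Stop error, so check '
                            f'startup items and finish the malware scans')
    return findings


if __name__ == "__main__":
    for line in diagnose(boot_sessions(parse_export(SAMPLE_EXPORT))):
        print(line)
```

The "automatically restart" checkbox Gary describes is stored as the AutoReboot DWORD under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl; this script only reads an exported log and touches neither the registry nor the live event log.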
 