Helping a friend with a virus, but ... it's XP SP1 !!!

sonoferu

A friend runs a computer in the office of a small church organization, not a very busy machine; it even has just a dialup connection! But she checks the organization's emails there, and unfortunately got a virus from an email pretending to be from UPS. It said they had tried to deliver but could not, so you should print this form and bring it to the UPS office to get your package.

Well, that loaded in the virus, and now she's stuck. It's one I have seen before; it pops up from the systray saying there is a virus attack and do you want to activate your antivirus protection.

Oh, yeah - there IS no antivirus on this machine. Sigh ...

So I am working on it. I brought it home with me, and my first idea worked: I hoped that if I logged off her account and logged in as Administrator, the popups would stop. YAY! That worked. So my plan was [past tense - was ... ] to then get AVG Free 2011 installed and let it run and clean things up. That's what I did about a year ago for another friend with a similar virus.

BUT .... BUTTTT!!! This one is XP Pro 2002, SP1. And now I discover that AVG won't run on anything less than XP SP2. And you can't get SP2 any more, at least from Microsoft. And when I tried for SP3, it said there was a problem and it could not.

Probably because I am in Safe Mode. The thing is, if I am not in Safe Mode, there is no Administrator login that I can find, just her "Susan" login.

So ...

* Are there any other free antivirus apps I can try? I have used AVG for years, threw out Norton long ago. Norton's free version really isn't free; I have to give my card and they will bill me after 30 days, etc. etc. Hassle, hassle.

* Is there anywhere I could find XP SP2? That I could trust?

* Is there some way to find the Administrator login icon when not in Safe Mode? That's a real puzzler.

Any help much appreciated.
 

sonoferu

Of course, any other tips about this virus would help. Among the clues:

Any program I tried to open when logged in as Susan got a popup saying that program was corrupted and could not run. I wanted to open Task Manager to see what was running. Dismissed it right away. And the same with cmd.exe, regedit, etc. This thing hides in the registry, right? And it restores any files you can find and delete, so it refreshes itself.

Right now there is a file that can't be deleted - permission denied:

C:\Doc~\Susan\Local Settings\Temp\marrwa\kxfiiouxsik.exe
 

lxskllr

AVG isn't that great. I suggest Avira, but I don't know if it supports SP1. Boot to a Linux liveCD and install Linux... whoops, I mean get rid of the files you want to get rid of :^P

Once you get it cleaned up, fully update it, then image the drive.
 

sonoferu

Also, I am wondering why, when I am in as Administrator, I can't get to that file that I can't delete when in as Susan. The Local Settings dir is not showing for Administrator. How come?
 

sonoferu

Well, at least I have a bit of my thinking cap on. I just don't do much with user accounts. I went into the Administrator acct, in Safe Mode, and created a new acct for myself, with admin rights. In there I saw where it says Administrator only shows in Safe Mode, or if there are no other user accts to display at the welcome page.

I tried for Avira, and it too won't run on XP SP1, so I am trying Avast, which at least lets me install.
 

stahlhart

Use MalwareBytes instead.

Take the HD out, slave it into a good system that has fully updated MalwareBytes installed, scan the drive with it. Won't clear out everything, but should clear out enough that when you put the drive back into the original system, the virus won't boot up (you removed the registry keys it needed to boot with the first scan). Now install MB here, and run a full scan -- this should enable you to locate and remove the rest of the virus.
 
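The slaved-drive step above is a file-system sweep of another machine's profiles. As an added example (not from this thread, and not Malwarebytes' code), here is a small Python script that walks every `Documents and Settings\<user>\Local Settings\Temp` on a mounted XP drive and lists anything that is executable, either by extension or by its `MZ` header, which is how a renamed DLL like the `iibh.j` mentioned later in the thread would show up. The sample drive it builds is constructed in a temporary directory so the script runs offline; on a real system you would pass the slaved disk's mount point (say `E:\`) instead.

```python
"""Offline sweep of a slaved Windows XP drive for executables dropped in
per-user Temp folders (the spot where the thread's kxfiiouxsik.exe lived).
Added example, not from the thread or from Malwarebytes: the profile layout
(Documents and Settings\\<user>\\Local Settings\\Temp) is XP's, and the sample
drive is constructed in a temporary directory so the script runs stand-alone.
Point it at the mount point of the slaved disk (e.g. E:\\) on a real system."""
import os
import tempfile

# Extensions Windows will run directly from a double-click or an autorun entry.
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".pif"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable or DLL


def profile_temp_dirs(drive_root):
    """Yield (user, temp_dir) for every profile that has a Local Settings\\Temp."""
    base = os.path.join(drive_root, "Documents and Settings")
    if not os.path.isdir(base):
        return
    for user in sorted(os.listdir(base)):
        temp = os.path.join(base, user, "Local Settings", "Temp")
        if os.path.isdir(temp):
            yield user, temp


def is_pe(path):
    """True if the file starts with the MZ header, whatever its extension."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == PE_MAGIC
    except OSError:
        return False


def suspicious_temp_files(drive_root):
    """Return sorted (user, path relative to Temp, reason) for files to look at.

    A renamed DLL (like the thread's iibh.j) has no telltale extension, so the
    MZ check is what catches it; scratch files without a PE header are skipped.
    """
    hits = []
    for user, temp in profile_temp_dirs(drive_root):
        for dirpath, _dirs, files in os.walk(temp):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, temp).replace(os.sep, "/")
                ext = os.path.splitext(name)[1].lower()
                if ext in EXEC_EXT:
                    hits.append((user, rel, "executable extension in Temp"))
                elif is_pe(full):
                    hits.append((user, rel, "PE header under a non-executable name"))
    return sorted(hits)


def build_sample_drive():
    """Constructed sample drive: one dropped .exe, one PE hiding under an odd
    name, one harmless scratch file, and an untouched Administrator profile.
    The file names echo the thread; the contents are dummy bytes."""
    root = tempfile.mkdtemp(prefix="xpdrive_")

    def put(parts, data):
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    susan = ["Documents and Settings", "Susan", "Local Settings", "Temp"]
    put(susan + ["marrwa", "kxfiiouxsik.exe"], PE_MAGIC + b"\x00" * 62)
    put(susan + ["iibh.j"], PE_MAGIC + b"\x00" * 62)
    put(susan + ["~DF1A2B.tmp"], b"ordinary scratch data")
    put(["Documents and Settings", "Administrator", "Local Settings", "Temp",
         "notes.txt"], b"nothing to see")
    return root


if __name__ == "__main__":
    for user, rel, reason in suspicious_temp_files(build_sample_drive()):
        print(f"{user}: {rel} ({reason})")
```

Run it from the clean host with the infected disk mounted read-only if you can; listing is all it does, and the decision to delete still belongs to the scanner or to you.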

Steltek

> Well, at least I have a bit of my thinking cap on. I just don't do much with user accounts. I went into the Administrator acct, in Safe Mode, and created a new acct for myself, with admin rights. In there I saw where it says Administrator only shows in Safe Mode, or if there are no other user accts to display at the welcome page.
>
> I tried for Avira, and it too won't run on XP SP1, so I am trying Avast, which at least lets me install.

You've got PM.
 

sonoferu

Well, Avast installed but it keeps stopping. The service won't finish starting; it says it has nothing to do ....

So trying Malwarebytes now .... it installed and updated itself and is cranking away now.
 

Chiefcrowe

Are you going to fully update the machine and all software after removing the virus?

I also think you should scan it with an AV boot CD such as the one from Avira, and then scan it with several other programs just in case (and in Safe Mode if you have to).
 

sonoferu

OK, MB ran overnight and found the bad guy:

C:\Doc~\Susan\Local Settings\Temp\marrwa\kxfiiouxsik.exe

and removed him. And now I can boot into the Susan acct with none of the old problems.

BUT ... BUTTTT!!!

The new problem is that something is screwed up in that acct. Everything I click on, every shortcut icon, says it cannot find 'C:\***\***.exe', make sure I typed it correctly.

????

I went into my own new acct, the one I fixed it from, and that is OK.

????
 

sonoferu

I wondered if it was because I deleted all the files in

C:\Doc~\Susan\Local Settings\Temp\

That was the first thing I did. Why would any temp files matter?

But now I restored them all, and the message changed. Now when I click to start something I get:

C:\***\***.exe
The specified path does not exist. Check the path and try again.

So whatever the OS uses to find paths is damaged?
 

sonoferu

Now I find that if I click the menu to "Run As" and run as Administrator, I can start things.

???

I'm not dumb, I'm just ignorant. These are things I never mess with.
 

sonoferu

And when I go into my own acct I get a popup saying:

Error loading C:\Doc~\Susan\Local Settings\Temp\iibh.j
Specified module cannot be found

So there is maybe a rundll problem? But what would be in her Local Settings\Temp for that?
 

ViRGE

Is there any reason you aren't just blowing away the whole OS and starting anew? With modern malware, it's basically impossible to tell if you've actually removed it if the malware's author wants to put in the effort to be sneaky.

It seems like you're creating a lot of work for yourself by trying to repair the OS rather than putting it out of its misery.

Edit: This should fix your EXE problem (but don't hold me to that). As for the DLL, check MSConfig. The malware probably created a startup item to load a DLL in that location
 
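The "check MSConfig for a startup item" pointer above, and the two symptoms it answers (an "Error loading ...\Temp\iibh.j" popup at logon, and every shortcut in one account failing with "cannot find C:\...\...exe" while Run As Administrator still works), can be checked without MSConfig from an export of the affected hives. The following Python script is an added example, not from this thread: it parses the text that `reg export` writes and flags (a) Run/RunOnce entries that launch anything out of a Temp folder or through rundll32, and (b) an `exefile\shell\open\command` that is no longer the stock `"%1" %*`. The association check is my assumption about what the missing link in ViRGE's post was pointing at; a per-user hijack of that key under `HKCU\Software\Classes` is consistent with the thread's symptoms but not confirmed by it. The sample export is constructed, and the Temp paths in it only echo the ones posted above.

```python
"""Audit a .reg export (the text written by `reg export <key> <file>`) for the two
persistence tricks behind the symptoms in this thread: autorun entries that
launch something from a user's Temp folder, and a hijacked .exe file
association (HKCR or HKCU\\Software\\Classes\\exefile\\shell\\open\\command).
Added example, not from the thread: the sample export below is constructed,
and the Temp paths only echo the ones posted above for illustration."""
import re

AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
EXEFILE_SUFFIX = "\\exefile\\shell\\open\\command"
# Stock XP value. Anything else routes every .exe launch through a wrapper,
# and once that wrapper is deleted Windows reports it "cannot find" the program.
EXEFILE_DEFAULT = '"%1" %*'
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key: {value_name: data}} for the REG_SZ values of an export.

    Only string values are parsed; hex:/dword: data is skipped, which is fine
    for Run keys and shell\\open\\command, which are always strings.
    The default value ("@" in the file) is stored under the empty name.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name_part, _, data_part = line.partition("=")
        name = "" if name_part == "@" else _unescape(name_part.strip('"'))
        if len(data_part) >= 2 and data_part[0] == '"' and data_part[-1] == '"':
            keys[current][name] = _unescape(data_part[1:-1])
    return keys


def audit(keys):
    """Return (key, value_name, reason) for every entry worth removing or fixing."""
    findings = []
    for key, values in keys.items():
        lk = key.lower()
        if lk.endswith(AUTORUN_SUFFIXES):
            for name, cmd in values.items():
                if TEMP_PATH.search(cmd):
                    findings.append((key, name, "autorun launches from a Temp folder"))
                elif cmd.lstrip().lower().startswith("rundll32"):
                    findings.append((key, name, "autorun via rundll32; confirm the module exists"))
        elif lk.endswith(EXEFILE_SUFFIX):
            if values.get("", "") != EXEFILE_DEFAULT:
                findings.append((key, "(Default)", "exefile handler is not %s" % EXEFILE_DEFAULT))
    return findings


# Constructed sample export: a per-user Run key with one legitimate entry and two
# planted ones, a hijacked per-user exefile handler, and the untouched machine-wide one.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"marrwa"="C:\\Documents and Settings\\Susan\\Local Settings\\Temp\\marrwa\\kxfiiouxsik.exe"
"iibh"="rundll32.exe \"C:\\Documents and Settings\\Susan\\Local Settings\\Temp\\iibh.j\",Run"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\Susan\\Local Settings\\Temp\\marrwa\\kxfiiouxsik.exe\" /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, name, reason in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{key}\n    {name}: {reason}")
```

A real export from `reg export` is UTF-16 with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text to `parse_reg_export`. On a slaved drive the per-user hive is `NTUSER.DAT` in the profile folder; load it with `reg load HKU\Susan <path>\NTUSER.DAT` on the clean host and export from there. The rundll32 finding is deliberately only a prompt to look: the "Specified module cannot be found" popup in the thread is exactly what a leftover rundll32 entry produces after its DLL has been removed.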

Emulex

Virus? Start over, man. Install the O/S all over. Only way to be clean for sure.

Get a new drive or external and copy his stuff over, like docs/etc. Then nuke the drive.

Only way to go.
 

Matt1970

> Use MalwareBytes instead.
>
> Take the HD out, slave it into a good system that has fully updated MalwareBytes installed, scan the drive with it. Won't clear out everything, but should clear out enough that when you put the drive back into the original system, the virus won't boot up (you removed the registry keys it needed to boot with the first scan). Now install MB here, and run a full scan -- this should enable you to locate and remove the rest of the virus.

Yes, use Malwarebytes. Try booting in safe mode and running it.
 

VirtualLarry

For future reference, to access the "hidden" Administrator account, at the welcome screen that normally displays the account names, hit CTRL+ALT+DEL, twice. This will pop up a login dialog that will prompt you for username and password. Type in Administrator, and leave the password empty. That should get you in.
 

jjmIII

> Virus? Start over, man. Install the O/S all over. Only way to be clean for sure.
>
> Get a new drive or external and copy his stuff over, like docs/etc. Then nuke the drive.
>
> Only way to go.

...and in the end, it's faster too. Trying to scan and pick out viruses takes too long compared to a clean install. The machine will run like new again.
 

vailr

Copy the entire contents to an external USB drive.
Create (or otherwise obtain) a slipstreamed XP SP3 install disc, using whatever XP version disc and MS serial number that came with the machine. Then do a fresh install with that new XP SP3 disc.
 

VirtualLarry

> Copy the entire contents to an external USB drive.
> Create (or otherwise obtain) a slipstreamed XP SP3 install disc, using whatever XP version disc and MS serial number that came with the machine. Then do a fresh install with that new XP SP3 disc.

This!!! Best advice yet!

(Or perhaps move them to Windows 7?)
 

sonoferu

I bet all those ideas really might give the best outcome, but they are a bit over my head, I'm afraid. This isn't my computer; I just brought it home because I have cable internet here and the office where the machine lives only has dialup, and I couldn't work on it and at the same time go hunting the internet for information. I don't know what some of the terminology you guys suggested even means, and I doubt Susan has the original install disk around anyway. I know enough to do what I have done, and I know enough to come to Anandtech if I get stuck. SUCH a big help I have gotten here over the years.

So it all adds up to going on with what I was trying to do. I did get Malwarebytes to remove the offender [apparently], and someone at work suggested going back to an earlier Restore Point, which I did, and now it can start programs without the error saying Windows doesn't know the path.

Right now I am doing the update to SP3, and I will then turn it back over to Susan, who swears she will never open an email attachment again. I will even leave Internet Explorer at version 6. :)

The machine doesn't hardly get used at all; just once or twice a week someone checks emails, and some subscription lists for the organization's mailing list get updated, things like that.
 

ViRGE

> So it all adds up to going on with what I was trying to do. I did get Malwarebytes to remove the offender [apparently], and someone at work suggested going back to an earlier Restore Point, which I did, and now it can start programs without the error saying Windows doesn't know the path.

Keep in mind there's a good chance you restored the malware with the restore point.