Need help removing a stubborn virus

Fardringle

Diamond Member
Oct 23, 2000
9,200
765
126
Since I know it will be suggested, and I would prefer to do it myself, let me start by saying that wiping the hard drive and reinstalling Windows on this computer isn't an option. I did manage to back up all of the important documents and files, but the installation disks for several applications that the user needs have been discarded so I can't reinstall them and he won't let me reimage the machine without them. :(


One of my "special" clients decided to click on the link in a Hallmark e-Card scam email that has been circulating, and when it popped up a message saying that a virus was detected on his computer and he needed to "Activate your anti-virus software to secure Windows", he clicked on the accept button, which then appears to have installed a very ugly virus on the computer.

When Windows starts, it boots up and presents the login prompt normally, but it does not load Explorer so the Desktop and Task Bar are never displayed. The only thing that is displayed is the same "Virus Detected" window that installed the virus initially and the window cannot be closed and only responds if you click on the link to install the virus again (I did not click the link, by the way.. ;)). This happens in normal and Safe mode.

Right-clicking the desktop does not do anything when the virus warning window is displayed. At this point, I can access the Task Manager but the virus program does not show up under the Processes list, and even Process Explorer doesn't show anything suspicious. I can run programs from within the Task Manager using the "New Task" menu option. However, attempts to manually start explorer.exe from there return a message that the file doesn't exist, even though it does exist in the correct location and I have even replaced it with a copy from another XP Pro machine. Renaming explorer.exe to something else will let it run from the New Task menu in Task Manager so it appears that the virus is actually blocking Explorer from starting up.

Using the Task Manager, I can load and run scans in the installed anti-virus and spyware software (eTrust Anti-virus and SuperAntiSpyware). I watched the scans and actually saw both of them detect the virus but the instant they did so, Windows crashed with a blue screen error "PAGE_FAULT_IN_NONPAGED_AREA". It does the same thing in normal and Safe mode. I've never seen this before but it almost seems as if the virus detects that it has been detected and crashes Windows so that it can't be removed. I did find some suspicious (random character) entries in the RUN keys in the registry so I deleted all of them.

I loaded up my Ultimate Boot CD and ran through scans using ALL of the included anti-virus and anti-spyware software and multiple copies of a trojan.dropper virus were found and removed as well as one item identified as a "generic root kit". After all removal tools reported that the system was clean, I booted back into Windows XP and immediately got the virus screen again and the random character registry entries had been replaced with new entries that were similar but with some different characters.

Booting with the UBCD again found new instances of the virus which I again removed but Windows still won't load properly.

I suspect that a root kit is hiding on the system but I ran a couple of root kit removal tools and they all say that the system is clean so I don't know how I can get rid of it and I would really appreciate some advice!
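A triage check for the random-character Run-key entries mentioned in this post, written as an added example that is not part of the original post: a small Python heuristic over constructed Run-key value names and targets, as read from an offline hive. The vowel-ratio threshold and the trusted-directory list are assumptions.

```python
import re

# Constructed sample of autorun entries, in the shape they would be read from
# the ...\CurrentVersion\Run keys of an offline hive (not real data).
SAMPLE_RUN_ENTRIES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "SunJavaUpdateSched": r"C:\Program Files\Java\jre6\bin\jusched.exe",
    "hsf7qp2kzt": r"C:\Documents and Settings\user\Local Settings\Temp\hsf7qp2kzt.exe",
    "x9v3m1qz": r"C:\WINDOWS\system32\x9v3m1qz.dll",
}

# Assumption: legitimate autoruns normally live under these directories.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")
VOWELS = set("aeiouy")


def looks_random(name):
    """Heuristic (assumption): machine-generated names rarely contain vowels."""
    stem = re.sub(r"\.[a-z0-9]{1,4}$", "", name.lower())  # drop .exe/.dll
    if len(stem) < 6:
        return False
    letters = [c for c in stem if c.isalpha()]
    digits = [c for c in stem if c.isdigit()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    return vowel_ratio < 0.15 or (len(digits) >= 2 and vowel_ratio < 0.3)


def outside_trusted_dirs(target):
    """True when the launched file is not under a trusted directory."""
    path = target.lower().strip('"')
    return not any(path.startswith(d) for d in TRUSTED_DIRS)


def suspicious_autoruns(entries):
    """Return {value_name: [reasons]} for Run entries worth a closer look."""
    findings = {}
    for name, target in entries.items():
        reasons = []
        if looks_random(name):
            reasons.append("random-looking value name")
        if outside_trusted_dirs(target):
            reasons.append("target outside trusted directories")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_autoruns(SAMPLE_RUN_ENTRIES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Flagged entries are candidates for inspection, not proof of infection; a regenerating entry after removal, as described in the post, points at a loader that is still running elsewhere.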

 

Fardringle

Diamond Member
Oct 23, 2000
9,200
765
126
Update: After fighting with the virus for much longer than I should have, I finally convinced the owner of the computer to let me re-image the computer. :p

I'd still be interested to know if anyone knows how to get rid of this particular virus for future reference... :)
 

HeXploiT

Diamond Member
Jun 11, 2004
4,359
1
76
Well, first off, it's likely something relatively new, so anything you have on disk is very possibly not going to detect the exact virus but only a signature, which means it may not catch system files that have been overwritten. In this situation I always just remove the drive and connect it to another system and run a scan with one of the major vendors (AVG or Avira usually).