Solved Virus as administrator (can not do ANYTHING with computer)

[Resolved] Virus as administrator (can not do ANYTHING with computer)

Hello all,

I am a mac techie that finally sold his last mac (after fifteen years of nothing but Mac) and got an IBM thinkpad T43. I macked it (skins all legal) and loved it and then forgot I wasn't on a mac and a coupe d' etat has now occured.

I'm pretty sure it's antivirus 2008 and before you get ****** for me posting the same thing that everyone else has posted, let me say this... I have NO WAY of getting in this **** machine.

This was the chronological order:

1. An automatic download suddenly appeared in firefox (I never clicked anything)
2. Three new desktop icons, all anti-virus related
3. Star bar went from Leopard skin to classic windows
4. Preferences disabled
5. Taskbar disabled
6. Virus warning pop ups (ignored all 482 of them)
7. Downloaded spyware doctor (Found 22 high risk files)
8. Clicked to purchase "the doctor" computer crashed.
9. Tried again, computer crashed.
10. Scanned with Avira, deleted files. Restarted.
11. Leopard skin for the start bar returned... computer crashed.
and finally...
12. Safe mode with networking jams, safe mode jams, "guest" option gone, will not even load to any desktop of any kind and right now (in the 8th hour of trying everything I humanly can...) I am staring at a black screen that says "safe mode" in all four corners with an hourglass... it has been dropping sand for the last two hours.

I would give you my logs but I have no way of downloading anything. My USB drives won't work, etc...

Now... if this matters... there are only two files that are important to me... if I could somehow get those off of the computer I don't mind blowing the thing out. One is a Final Draft document (screenwriting) and the other is a photo (the only copy I own now, sadly)

Of course... I'd rather not have to rebuild everything, but dammit... if I have to, I have to.

Thanks, in advance, for your responses.

 

Do not delete these files (shlwapi.dll, wininet.dll) yet, you will lose the use of Internet Explorer and access to the internet, not that really seems to matter now.
This infection does not get started up at the usual startups, but is buried much deeper.
I would recommend taking your harddrive out of the machine and connect to a working machine, then copy the files off of it that you want to keep.
Or wait for one of the qualified virus removal folks here.

 

I do not have an original boot disc. It is a certified legal copy of XP pro (service pack 3) but I do not have a boot disc.

I knew I should have stuck with mac

UPDATE: I managed to boot into IBM's "access IBM" mode where it finally read my USB stick and I saved my files. I would still prefer not to wipe out my system, however, if it comes to it at least my valuable information is now safely copied. I would still love other advice though.

 

http://www.windowsbbs.com/malware-virus-removal/announcements.html
http://www.windowsbbs.com/malware-virus-removal/67767-useful-information.html

 

I wish I could download the recommend programs on the computer. That would be a blessing if I could.

 

I'm checking something out that may get you going again. In the meantime, are you able to burn a cd? Is the operating system your working from a Windows operating system (I don't know if it really matters though )?

 

Yes. Windows XP service pack 3. I went into my "thinkvantage" system to wipe out the harddrive and now it says "Product Recovery could not find file X:\Utils\Convert.cmd

In other words... it won't let me do jack diddily

 

Download and install the ISO Recorder. Use the XP SP2 version (after selecting the XP SP2 link, click the red text labled Here is the current 32 bit build).


Download and install the Microsoft Diagnostics and Recovery Toolset, choosing the Typical installation during setup

Insert a blank cd into your cd/dvd burner. Browse to C:\Program Files\Microsoft Diagnostics and Recovery Toolset and right click erd50.iso, then select Copy image to CD. Follow the instructions in the following link to finish creating the bootable cd.

http://isorecorder.alexfeinman.com/HowTo.htm

Once finished, restart the PC with the cd in the drive and boot to the cd.
At the prompt, select your Windows installation as the operating system to connect to.
When ERD Commander finishes loading, click Start>System Tools>System Restore.
Select a restore point prior to the infection and click Next.
When it completes, click Start>Log off and eject the cd immediately upon restart.

 

Noah,

Thank you for the information. Sadly I can't get the CD to work. I did the ISO off of another computer but I can't get the **** thing to boot on my T43. I did however finally manage to get Spybot onto the T43. It scanned my entire system and found 84 viruses. It claimed it deleted them all, I noticed an immediate change (for the better) in my system, including being able to access my task manager but, unfortunately, all of my programs are still hidden, I still can't boot into safe mode. It won't let me on the internet and continues to crash.

I tried to wipe the harddrive out (now that the viruses are gone) and it said that that same file (I listed above) is still not available. I guess the virus deleted it.

UPDATE: Realized that the other computer I am working from is Windows Vista. It won't let me downlad the ISO for XP SP2.

 

NEW UPDATE: My internet finally started working on my T43. I managed to download the ISO recorder for XP SP2 and then I tried to download the Windows pack but Firefox would crash so I used Wyzo. It downloaded it. But your next step is to go into C:/Program files and right click a file... well I can't access my C: This is a bad day. haha. Oh... the T43 just crashed when I tried to find "run" in order to access C:

 

Whoa!! I was under the impression this machine would not boot, hence my previous instructions. Scratch those.

Get that machine up and running again.

• Click here
• If it launches a file download dialog for download_file.exe from noahdfear.net, click Save and save it to your usb drive, then transfer it to the desktop of the infected machine.
• Double click the file and download_file.vbs should appear on the desktop, and shortly there-after a renamed copy of ComboFix.exe should appear .
• Please note that the vbs file is recognized by some security programs as a Trojan-Downloader.JS and may try to block it. I assure you, the file is safe.
• If successful, shut down all open windows and programs, double click the renamed ComboFix and follow the prompts.
• It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

 

Ok. Here is a problem. It is now, after about being up for two minutes, will go to a blue screen saying it has to force shut down or else damage will be done and then it reboots and this has happened about five times in a row now. Ugh... I will download that file to my USB stick right now

 

Please open the side of the case and verify that the fans are working, and that there isn't an excessive amount of dust buildup. Try leaving the machine off for 15 - 30 minutes before attempting anything else.

 

Ok. I will look up how to do that (sorry for my PC stupidity) and try the logs. I won't post again without those logs. Thanks for all your help thus far.

 

There's no need for apologies. We're all here learning.

 

Noah,

Ok. I turned it off for awhile, allowing it to cool down. I dusted the fans (at least to the best of my ability) and it still crashed. I failed to mention just before it crashes this happens:

A warning window pops up saying: failed to execute C:\WINDOWS\system32\orxwcopw.dll

I click "ok" (or not, it doesn't matter) and then it either crashes to the aforementioned blue screen or it opens up command and it says "Welcome to Darwin" then displays a file name but I never get the chance to write it down because it always crashes before I can (usually about five of these windows pop up before the fifth one finally says "welcome to, etc." and then the crash.

 

Will probably need the bootable cd then.
For Vista you need to download the ISO Recorder v3.
Please try to create the cd as described previously. Frankly, I don't know if the Diagnostics and Recovery Toolset will install on Vista, but it's worth a shot. You only need the one file required to create the cd.

 

Ok. I got combofix to work. It has just said there is something wrong with my roots and has to reboot. Combofix has rebooted the system. It seems that twenty times in a row it crashes my system and then the 21st time (or so) it decides it will work and the internet becomes lightning fast and everything works fine (except Firefox... which can't read my internet or respond to anything after the home page tries to load) again Wyzo saved me. Got your file on the desktop, etc... Again thank you thank you thank you

 

ComboFix probably detected a rootkit and required a reboot to remove it. It should begin running again upon logon.

BTW, just tried to install the Recovery Toolset on Vista ....... no go.
ISO Recorder v3 works though.

 

Oh it was rebooting to get rid of it? Crud... when my computer rebooted my Avira antivirus kept showing me a bunch of "viruses" to delete but I ignored them because I thought those were the files you were referring to to ignore. My gut told me to let Avira delete it... ugh.