Recovering from malware overload

Hi all,

Recently two of my acquaintances have requested urgent help because they both neglected to update their anti-viruses and firewalls with the result that neither now has a working computer. Being a Compaq and an HP, neither of them has a Windows CD, and both of them have all their data in one partition, so that using the provided restoration tools will risk destroying all their data, photographs, etc.. I am unable to save any of their data to CD or DVD because the machine stops responding too quickly.

Both are displaying the same symptoms - very slow booting, freezing completely after about two minutes, and unable to go on line.
Something is blocking all attempts at virus scanning, I have tried Spybot, HJT, Ad-Aware, and the Sasser removal tool from my USB key, all without success. Neither will even boot into Safe mode. This evening I will try the Blaster and Slammer removal tools.

I am beginning to think that the only thing to do now is to use the "Back to factory settings" restore provided by Compaq and HP, does anybody have any other suggestion that I could try?

Roger

Forgot to say - both are on XP Home and I am unable to check their update status.

 

When you say that neither will boot into safe mode, have you tried to force safe boot, from MSCONFIG?

From the Start menu's Run dialog, enter the command MSConfig. Click on the BOOT.INI tab and check the /SAFEBOOT box. Now when you boot, Windows will go into Safe mode. Naturally, when you no longer need Safe mode, you'll repeat the process and uncheck that box. One caveat: Don't experiment with the other settings on this tab. You could wind up unable to get back into MSConfig to undo your changes.

This may allow you to run some scans, provided that the machines continue to run.

You may also try this, offline scanner, which I beleive fits on a floppy:

Create a folder on your desktop called Sysclean.
Go to http://www.trendmicro.com/download/dcs.asp and download sysclean package to the folder you made.
Go to http://www.trendmicro.com/download/pattern.asp and download the Official Pattern Release for windows to your desktop.
This file will be called lptXXX.zip (XXX represents the version number)
Unzip lptXXX.zip and you'll get the file lpt$vpn.XXX.
Move the lpt$vpn.XXX to that Sysclean-folder you created on your desktop.

Turn off your antivirus which is installed on your system because it can interfere with the Sysclean-scan.

Open the sysclean-folder and doubleclick sysclean.com.
Check: Automatically clean or delete detected files.
Click scan.
When the scan is finished, open your sysclean-folder and copy and paste the contents of sysclean.log in your next reply.

 

Hi Pete,

I had thought of it but I was reluctant:
I tried to access the files using Knoppix and an XP Live disc, but neither would let me move the files, I don't know why. In the end I put the contaminated HD in my Linux machine as slave, and good old SuSE 10 let me move the files and photos to two DVD's.
The HP restoration disk restored XP OK afterwards, and the important files were still accessible, so I needn't have bothered. Live and learn, but well done HP!

Roger