Cannot access laptop in safe mode.

Guest
Archived from groups: microsoft.public.windowsxp.newusers (More info?)

I'm having trouble getting into my son's Toshiba laptop. He came home
from Uni with his PC riddled with Trojans and worms and not able to log
on to the machine, it went through the motions, then announced it was
saving settings and then logged off. I managed to get into it in safe
mode but after the admin login the desktop remained empty. I started
task manager and fired up explorer and his desktop appeared and I then
ran his AV which found infections in explore.exe,
iexplore.exe, rundll.32.exe and userinit.exe.
The AV software (AVG 7 Pro) "healed" said infections, but on a restart
the same problems were there, only now I cannot log in safe mode, either
with Dos prompt or network support, no matter what flavour I choose it
comes up with the Welcome screen, which tries to log me in but then goes
into its "logging off and saving settings" routine.
I have also tried to boot from the CD and run the recovery console but
this then asks for an admin password and as far as I know, none has been
set (the PC was bought "up and running" from a supplier).
How can I get into this PC, so as he can get his work off it? It isn't
fitted with a floppy drive and it is no use using a USB drive as the
drivers would not be loaded even if I could get into it. It's obvious
that there is still a serious infection on this machine and probably the
only thing to do would be a reformat and reinstallation, but that would
lose him a lot of work. Backups? We're talking student here :cool:
Any help with this gratefully received.
Mike H
 
Guest

This takes about 15 minutes as compared to 15 hours of troubleshooting
trojans, worms and viruses

Boot on a floppy or into safe mode with command prompt
delete the c:\program files
reboot on the XP CD and reinstall XP into a NEW directory like: C:\WinXP
Reboot and delete the old: C:\Windows

It takes about 15 minutes as compared to 15 hours of troubleshooting
trojans, worms and viruses

"Mike Hyndman" <mike@tmphyndman.demon.co.uk> wrote in message
news:defcv0l7rrtta7r4gi9sq5pk0d7qco6a9r@4ax.com...
> I'm having trouble getting into my son's Toshiba laptop. He came home
> from Uni with his PC riddled with Trojans and worms and not able to log
> on to the machine, it went through the motions, then announced it was
> saving settings and then logged off. I managed to get into it in safe
> mode but after the admin login the desktop remained empty. I started
> task manager and fired up explorer and his desktop appeared and I then
> ran his AV which found infections in explore.exe,
> iexplore.exe,rundll.32.exe and userinit.exe.
> The AV software (AVG 7 Pro) "healed" said infections, but on a restart
> the same problems were there, only now I cannot log in safe mode, either
> with Dos prompt or network support, no matter what flavour I choose it
> comes up with the Welcome screen, which tries to log me in but then goes
> into its "logging off and saving settings" routine
> I have also tried to boot from the CD and run the recovery console but
> this then asks for an admin password and as far as I know, none has been
> set ( the PC was bought "up and running" from a supplier).
> How can I get into this PC, so as he can get his work off it? It isn't
> fitted with a floppy drive and it is no use using a USB drive as the
> drivers would not be loaded even if I could get into it. It's obvious
> that there is still a serious infection on this machine and probably the
> only thing to do would be a reformat and reinstallation, but that would
> lose him a lot of work. Backups? We're talking student here :cool:
> Any help with this gratefully received.
> Mike H
 
Guest

On Tue, 25 Jan 2005 08:01:27 -0600, <Lsu Edu @ msn.com> wrote:

>This takes about 15 minutes as compared to 15 hours of troubleshooting
>trojans, worms and viruses
>
>Boot on a floppy or into safe mode with command prompt
>delete the c:\program files
>reboot on the XP CD and reinstall XP into a NEW directory like: C:\WinXP
>Reboot and delete the old: C:\Windows
>
>It takes about 15 minutes as compared to 15 hours of troubleshooting
>trojans, worms and viruses

Many thanks for your reply, but as I said earlier, as soon as I log in
in safe mode it immediately saves settings and logs out again. This
happens no matter what flavour of safe mode I use, command prompt,
networking etc. I am thinking of making a Win98 "boot CD" (no floppy
drive on this PC) and seeing if this will let me access the hard for the
purpose of file extraction but where to is the problem.
Again, many thanks
Mike H
 

Byte


The problem is in Restore. Anti-virus applications do not scan Restore Points.
When you reboot, all the viruses are right back in your system files. You
must deactivate Restore first before shutting down.
Delete all Restore points and reboot. You should set your BIOS to boot from the
CD-ROM, in that you do not have a floppy drive. If the entire system is that
infected, you may need to do a complete clean install of XP.

Accessing Motherboard BIOS
http://michaelstevenstech.com/bios_manufacturer.htm

Clean Installation XP
http://www3.telus.net/dandemar/cleanxp.htm

"Mike Hyndman" wrote:

> On Tue, 25 Jan 2005 08:01:27 -0600, <Lsu Edu @ msn.com> wrote:
>
> >This takes about 15 minutes as compared to 15 hours of troubleshooting
> >trojans, worms and viruses
> >
> >Boot on a floppy or into safe mode with command prompt
> >delete the c:\program files
> >reboot on the XP CD and reinstall XP into a NEW directory like: C:\WinXP
> >Reboot and delete the old: C:\Windows
> >
> >It takes about 15 minutes as compared to 15 hours of troubleshooting
> >trojans, worms and viruses
>
> Many thanks for your reply, but as I said earlier, as soon as I log in
> in safe mode it immediately saves settings and logs out again. This
> happens no matter what flavour of safe mode I use, command prompt,
> networking etc. I am thinking of making a Win98 "boot CD" (no floppy
> drive on this PC) and seeing if this will let me access the hard for the
> purpose of file extraction but where to is the problem.
> Again, many thanks
> Mike H
>
 
Guest

Hi, Mike.

Your choices, in order:

1. Get a Windows expert to clean all the malware off the computer. This
could take days, judging from reports I've seen from some MVPs, who make
their livings from doing this for clients.

2. Do it yourself - but only if you have plenty of time and a pretty good
understanding of Windows. Start by running Ad-Aware SE Personal and
Spybot - Search and Destroy, and all the other malware cleanup programs that
are mentioned several times a day in these newsgroups.

3. Boot from the WinXP CD-ROM and do a Repair Install as described by
Microsoft in this KB article:
How to perform an in-place upgrade (reinstallation) of Windows XP
http://support.microsoft.com/default.aspx?scid=KB;en-us;q315341

Or see MVP Michael Stevens' version of the same instructions:
How to Perform a Windows XP Repair Install
http://michaelstevenstech.com/XPrepairinstall.htm

This will reinstall WinXP itself, but will leave your installed applications
and data. Unfortunately, this means that much of the malware might survive,
too. But you should be able at least to boot into WinXP and backup all the
irreplaceable data.

4. Boot from the WinXP CD-ROM and do a clean install, including a reformat
of the HD. This will get rid of the bad stuff, but it will also get rid of
the good stuff, so you will have to reinstall all applications that you want
to keep. Even if you decide to do this, you might want to try the in-place
upgrade first so that you can backup his "lot of work". Don't bother to
backup WinXP, because you'll be reinstalling that from the CD. Don't bother
to backup applications, because you'll be reinstalling those from their CDs
or other original media so that their install processes can write the proper
entries into your new Registry; just having their files on the HD is not
enough to enable them to run. You'll want to download drivers, etc., from
the Internet again so that you'll have the current versions.

After any of these, be sure that you've installed SP2 and any later updates,
plus a good 2-way firewall and a good antivirus.

And for gosh sakes, especially if he is a student, teach him how - and how
important it is - to practice "safe hex"! In fact, the best approach might
be #2 - and make HIM do it! ;<}

RC
--
R. C. White, CPA
San Marcos, TX
rc@corridor.net
Microsoft Windows MVP

"Mike Hyndman" <mike@tmphyndman.demon.co.uk> wrote in message
news:defcv0l7rrtta7r4gi9sq5pk0d7qco6a9r@4ax.com...
> I'm having trouble getting into my son's Toshiba laptop. He came home
> from Uni with his PC riddled with Trojans and worms and not able to log
> on to the machine, it went through the motions, then announced it was
> saving settings and then logged off. I managed to get into it in safe
> mode but after the admin login the desktop remained empty. I started
> task manager and fired up explorer and his desktop appeared and I then
> ran his AV which found infections in explore.exe,
> iexplore.exe,rundll.32.exe and userinit.exe.
> The AV software (AVG 7 Pro) "healed" said infections, but on a restart
> the same problems were there, only now I cannot log in safe mode, either
> with Dos prompt or network support, no matter what flavour I choose it
> comes up with the Welcome screen, which tries to log me in but then goes
> into its "logging off and saving settings" routine
> I have also tried to boot from the CD and run the recovery console but
> this then asks for an admin password and as far as I know, none has been
> set ( the PC was bought "up and running" from a supplier).
> How can I get into this PC, so as he can get his work off it? It isn't
> fitted with a floppy drive and it is no use using a USB drive as the
> drivers would not be loaded even if I could get into it. It's obvious
> that there is still a serious infection on this machine and probably the
> only thing to do would be a reformat and reinstallation, but that would
> lose him a lot of work. Backups? We're talking student here :cool:
> Any help with this gratefully received.
> Mike H
 
Guest

Dear Byte
Many thanks for your reply

>The problem is in Restore. Anti-virus applications do not scan Restore Points.
>When you reboot all the virus are right back into your system files. You
>must deactivate Restore first before shutting down.
>Delete all Restore points and reboot. You should set your BIOS to boot on the
>CD-Rom in that you do not have floppy drive. If the entire system is that
>infected, you may need to do a complete clean install of XP.
This is what I ended up doing, but to a different directory. This allowed
me to get in quickly and remove his work; I then did a reformat and
reinstalled from the Tosh set up discs.
He has promised not to let it happen again, yeah, right!

Again, many thanks.
Mike H
 
Guest

Regardez RC


>Hi, Mike.
>
>Your choices, in order:
>
>1. Get a Windows expert to clean all the malware off the computer. This
>could take days, judging from reports I've seen from some MVPs, who make
>their livings from doing this for clients.
Not an option due to a state of penury (father of a student).
>
>2. Do it yourself - but only if you have plenty of time and a pretty good
>understanding of Windows. Start by running Ad-Aware SE Personal and
>Spybot - Search and Destroy, and all the other malware cleanup programs that
>are mentioned several times a day in these newsgroups.
Can't log into it, it logs off immediately after logging in.
>3. Boot from the WinXP CD-ROM and do a Repair Install as described by
>Microsoft in this KB article:
>How to perform an in-place upgrade (reinstallation) of Windows XP
>http://support.microsoft.com/default.aspx?scid=KB;en-us;q315341
Tried that but I was asked for an Admin password and as far as I know
none was set; the PC was bought up and running from a "superstore". It
let me have three guesses at the PW and then sulked and wouldn't talk to
me any more.
>
>Or see MVP Michael Stevens' version of the same instructions:
>How to Perform a Windows XP Repair Install
>http://michaelstevenstech.com/XPrepairinstall.htm
>
>This will reinstall WinXP itself, but will leave your installed applications
>and data. Unfortunately, this means that much of the malware might survive,
>too. But you should be able at least to boot into WinXP and backup all the
>irreplaceable data.
This is what I ended up doing, but I had to "borrow" (since returned) a
dedicated XP disc as the Tosh only ships with mirror discs.

>After any of these, be sure that you've installed SP2 and any later updates,
>plus a good 2-way firewall and a good antivirus.
He had SP2 installed and thought he had a decent AV but I think he has
been frequenting some dodgy music sharing sites and downloaded something
he hadn't bargained for. He also spends a lot of time on the well known
virus propagation utility known as MSN.
>And for gosh sakes, especially if he is a student, teach him how - and how
>important it is - to practice "safe hex"! In fact, the best approach might
>be #2 - and make HIM do it! ;<}
Safe hex, eh? I like that :cool:
He promises to be good in future ;-)
Again many thanks
Mike H
 
Guest

On Tue, 25 Jan 2005 12:55:52 +0000, Mike Hyndman
<mike@tmphyndman.demon.co.uk> wrote:

Sorry to all for not getting back sooner, but after several attempts to
get into the PC (logs off immediately after logging off in all manners
of safe and normal modes) I borrowed an XP disc (the Tosh PC only ships
with "mirror" discs which completely "wipe" the hard drive before
restoring the PC to its original condition).
I installed (TEMPORARILY) the op system to a "Windoze" directory and was
then able to log in as normal, remove all his work, docs, music!! etc.,
to CD which I then scanned on another PC for infections, then
reformatted the laptop and reinstalled the Toshiba disks, leaving him
with it in the condition it was when it left the shop.
Thanks to all
Mike H