UPS Virus problem...

Hi all. One of my buddies, expecting a package, opened the ups virus.

Ug.

So he brought it to me.

When he brought it to me, booting go thru the bios phase, and then when it tried to start windows, it would tell me that ntoskrnl.exe was missing or corrupt.

He is running xp sp3 on a machine with 2 HDDs set in a Raid1. Which makes this harder. I slipstreamed the raid driver into a new windows install disk, and I can get into the recovery window and run dos on the computer. Sometimes it lets me log into D and sometimes into C.

I have run chkdsk /r a ton. Runs for hours. Doesn't get me back in.

I have copied the ntoskrnl from C:\windows\i386 onto the c:\windows\system32 and now am getting a bit further.

When I try to boot the machine I get to the screen where I can select safe mode or last known good or normal etc.

But no matter which I select, it starts to load and reboots.

Is there a disk I can make that will get me into windows? Thoughts or ideas?

Ug.

Chkdsk is running right now. After it is done, I am thinking of doing a bit of digging for Buritos.exe and seeing if I can find and delete some copies, but I am kinda at a loss without being able to even get into windows to try to run some AV in safe mode.

Any suggestions are welcome!

Slider

 

You might try running bootcfg, fixboot, and fixmbr from the Recovery disc.

If you know what files this malware typically uses, you can use a bootable disc like Hiren's with miniXP to manually remove the bad files....and then probably run the recovery disc commands again.

Otherwise, you need to do at least a Repair / install in Place (IIRC) with Microsoft XP CD.

Ooops, TimW's the boss around here - do what he suggests...

 

Sorry about being in the wrong place. I took a guess.....

I will make the Kaspersky disk and see what I can do and post the results.

Thanks for the help!!!

Slider

 

So I loaded and ran Kaspersky Recovery Disk. It didn't find anything. (darnit!)

Rebooted. Same result.

I rebooted with my windows cd into the recovery mode, and ran a couple of searches for Katrina and Buritos in the C:\Windows and C:\Windows\System32 folders. Nothing.

Any ideas for a next step?

Should I re-start this thread in malware?

Thanks

Slider

 

Dr Web CureIT Live CD is very good at removing infections. You may want to try it if you cannot do a repair install. Just burn the iso and boot from the CD.

 

Thanks for the ideas. I am running a repair install right now and will post the results when it finishes... (fingers crossed...)

 

Ok. So I ran the reinstall. Went thru the usual install screens, entered the key etc. The reinstall process rebooted the machine. Got to a black screen with a windows logo on it and below that it says 'please wait'. Um, been waiting bout 10 minutes. I don't remember it taking that long. I am concerned it might be hung there, but I have never done a reinstall like this. Also, the mouse is still responding, so it isn't totally frozen.

Thoughts?

 

Well over 20min with the same screen. Mouse still responds but this doesn't look good.

Absent specific advice to reboot, I am gonna leave it going for now. It is almost time to go home, so worst case, I will leave it overnight.

Any other suggestions are appreciated.

Slider

 

A quick thought. Would Windows run chkdsk during a reinstall? Chkdsk /r was taking about 3 to 4 hours to run when I was in the recovery screen, aka dos. The mouse icon is the dreaded hourglass as well...

 

Ok, so came in today and computer was still saying please wait. So I hard-booted it.

Windows loaded and I got in.

Started updating Malwarebytes, SpyBot, SuperAntiSpyware, and MSE. Um, MSE couldn't update. Like it was being blocked. I downloaded the manual update for it. I also downloaded AVG Free and installed and updated it.

The whole time, I am watching my network card Status. The sent packets kept climbing. It wasn't going up like the national debt or anything, but I wasn't sending anything. It was going up at half the rate of the received packets. Don't know if that is normal for a program download or not.

Plan now is to re-boot into safe mode and run all of the above in safe mode, and see what I find. I think I am going to go download CCLEANER too...

Or am I better off running thru the std malware protocol that ya'll suggest?

Thanks

Slider

 

Will do.

Interesting side note.

Downloaded the ccleaner exe on my computer, put the file on a zip, and moved it to the desktop of the possibly infected computer. It wouldn't install. It would get to the install screen where it will pimp the google taskbar, and that would never fully display. Clicking BACK or INSTALL crashed it. (feeling a bit paranoid..)

Thanks again.

Slider

 

Further adventures...

I think I have seen a pattern to my mess. I think a lot of the troubles have been because this system has a raid1.

When I hop in with my slipstreamed Win xp install disk and head to recovery console, it would let me choose 1 windows installation, drive D.

c:
would move me to c, but it couldn't read the drive to do a dir command. It tried, but ran into a problem.

Running chkdsk /r on the D: drive didn't seem to do much.

If I tried to do a repair install of windows in this condition, it would see a copy of windows in C and in D. So it was seeing the two drives, not a raid1.

BUT if I switched to the c: drive and ran chkdsk /r, the next time I hopped into the recovery console I would be allowed to log into the windows on C:, and it couldn't see D at all. No disk in D.

So then I restarted and went to the install part of the disk, and it only saw 1 install of windows, and gave me the option to repair the install.

Seems that I am fighting with the system seeing two disks or one.

Also, for what it is worth, after running chkdsk /r on the C drive from the C drive windows console, I got a bit further in a std boot. Took me to the screen where windows didn't close normally last time (no kidding???) and lets me select to start windows normally or safe etc. But no matter what option I select, it gets thru the first couple of drivers and reboots. DARN!

So the repair install is running right now. Hopefully that will get me in far enough to start running the programs so I can post the logs.
(fingers crossed)

Hope someone else finds this interesting or helpful. Any thoughts are welcome!

If this doesn't work soon, we are gonna just format the drives and start from scratch. This is getting old...