svchost recycler bootex autorun? Some sort of virus!


  • This topic is locked
13 replies to this topic

#1 bubbshjs (Members, 7 posts)

Posted 26 September 2011 - 07:34 AM

We have an old laptop running Windows 2000 that is infected with something. I can't run everything suggested (more details below), so I'm going to do my best to explain the problem in the hopes that someone will be able to help please.

Laptop is running Windows 2000 and is probably not up-to-date on anything. It has one account only - administrator.

I wasn't doing anything particularly risky - I clicked on a link supposedly to amazon.co.uk through google shopping and a different website appeared. Then two black windows (command windows?) appeared with C:\WINNT\svchost.exe as the title (could have been scvhost.exe). I frantically tried to close everything but all hell had broken loose! I can't remember whether it was after I shut down and rebooted or as I was trying to shut down, but the laptop seemed to be doing a dump. When the laptop rebooted the two black windows appeared again and reappeared every time I closed them. After several reboot attempts it dawned on me that the laptop was still connected to the wireless network (no shared files fortunately) - once I took out the wireless card the black windows stopped appearing.

Most of Windows itself still seems to be working fine - explorer, word, search etc all seem to work. Nothing else does though (malware programs, acrobat reader etc). Run doesn't work and neither do a number of options from the control panel such as administrator tools. Task manager is displaying processes, but it doesn't appear to be possible to stop any processes (though it's just possible that's because they are all genuine system processes that should be running).

Pressing F8 during the boot process brings up the menu but on selecting safe mode results in a blue screen - inaccessible boot device. Rebooting now brings up an error message that the system log is full (can't see it because admin tools are blocked).

Obviously I can't download and run the suggested programs in the 'malware post' - sorry.

We have a boot disk and were planning on trying that, but we realised that my daughter hadn't backed up any of her files recently. So we stupidly put in a memory stick to take the files off (and fortunately were not so stupid as to put it in somewhere else!). The following were added to the memory stick: 4 shortcuts (Copy of shortcut to [1] to [4]), RECYCLER, BOOTEX and autorun, and these are constantly replaced if you attempt to remove them.

I hope that's enough information for someone to help. Please can anyone tell me what virus we have (or maybe more than one?), can I get rid of it and if so how, and how do I 'disinfect' the memory stick to save my daughter's stuff?

Thanks very much.

Edited by bubbshjs, 26 September 2011 - 07:35 AM.



#2 HelpBot (Bleepin' Binary Bot, Bots, 12,622 posts)

Posted 01 October 2011 - 07:35 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1. In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/420527 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2. If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 1972vet (Malware Response Team, 1,698 posts, Midwest U.S.A.)

Posted 03 October 2011 - 03:14 AM

Greetings bubbshjs and Welcome to the forums,

Microsoft Windows 2000-based systems are no longer supported after July 13, 2010. This date coincides with the end of the Extended Support phase for Windows 2000.

For more information about the Support Lifecycle policy, please visit the following Microsoft website:
http://support.microsoft.com/lifecycle

All that aside, anything we would suggest for that system isn't going to be much more than a hope and a prayer. What you might try is a free trial of the Sophos Computer Security scan. You will have to register with proper credentials and an email will be sent to you from Sophos with activation codes. Those codes will be a unique user name and password especially for your system alone. Follow the instructions in that email to perform the scan. Please post back your results. Thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#4 bubbshjs (Topic Starter)

Posted 03 October 2011 - 05:18 AM

Thanks very much for taking the time to reply. I was afraid the answer would be something like that!

I'm probably being a bit dense here, but are you suggesting that I put the wireless card back in and allow internet connections to download Sophos? I could download it to this pc, but I tried to copy SuperAntiSpyware on to the infected laptop that way and all I got for my trouble was another infected USB stick - SuperAntiSpyware wouldn't run.

Is there any way of recovering the USB sticks and the files that we copied onto one of them from the infected pc? I wasn't sure whether a pc running a good enough anti-malware program would be able to disinfect them.

Thanks again.

#5 1972vet (Malware Response Team)

Posted 03 October 2011 - 11:08 AM

As you recall, I did say:

...All that aside, anything we would suggest for that system isn't going to be much more than a hope and a prayer...

There are flash drive disinfecting applications out there, but I know of none that run on Windows 2000...not these days.



#6 bubbshjs (Topic Starter)

Posted 03 October 2011 - 04:40 PM

Thanks, I know it's a long shot, just not sure which to try - downloading it on another pc and copying it over, or trying to download direct to the infected laptop?

We have other pcs/laptops running windows xp - is there something we could download to one of those that would mean it was safe to plug the infected flash drives in there to be disinfected please?

Thanks again for your help.

#7 1972vet (Malware Response Team)

Posted 03 October 2011 - 07:17 PM

Thanks, I know it's a long shot, just not sure which to try - downloading it on another pc and copying it over, or trying to download direct to the infected laptop?

Well, you won't be able to copy that over...you'll need to install that directly to the infected laptop. And, you're right, it is a long shot but hurts nothing to try.

...We have other pcs/laptops running windows xp - is there something we could download to one of those that would mean it was safe to plug the infected flash drives in there to be disinfected please?

Thanks again for your help.

Ok, it's a different ball park now. I was under the distinct impression we had just the Windows 2000 to deal with. You can try either of these:
MCShield, which I recommend more than Panda USB Vaccine.
Let us know which one worked best for you.

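Post #1 describes what appeared on the memory stick (four shortcuts, RECYCLER and an autorun file that come back when deleted) and post #7 points at MCShield and Panda USB Vaccine to clean it on an XP machine. The script below is an added example written for this page; it is not code from the thread, from those tools or from BleepingComputer. Run from a clean machine with AutoPlay disabled, it reads the stick's autorun.inf for the directives Windows would act on (open=, shellexecute=, shell\...\command=) and parses each .lnk in the root according to Microsoft's published Shell Link (MS-SHLLINK) layout, so you can see what a "Copy of shortcut" really launches without double-clicking it. The flagging rules (a target under a RECYCLER folder, or a system launcher such as cmd.exe given arguments) are the usual autorun-worm pattern and are this example's assumption, not something the thread established; the sample autorun.inf text, the SID-style folder name in it and the build_lnk() helper exist only to construct test input.

```python
"""Triage a removable drive for autorun.inf directives and .lnk lures.

Added example for the thread above; file layouts follow Microsoft's
autorun.inf and Shell Link (MS-SHLLINK) documentation.  Sample data is
constructed here, not captured from the poster's stick.
"""
import os
import struct
import sys

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))          # StringData order per spec
LAUNCHERS = ("cmd.exe", "rundll32.exe", "wscript.exe", "cscript.exe")

# Constructed sample: the SID-style folder name is a placeholder, not a real one.
SAMPLE_AUTORUN = """[autorun]
open=RECYCLER\\S-1-5-21-0-0-0-1000\\svchost.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\command=RECYCLER\\S-1-5-21-0-0-0-1000\\svchost.exe
action=Open folder to view files
"""


def analyze_autorun(text):
    """Return (key, value) pairs in [autorun] that make Windows run something."""
    section, hits = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            hits.append((key, value))
    return hits


def _cstring(data, off):
    """Null-terminated ANSI string at ``off``."""
    return data[off:data.index(b"\0", off)].decode("latin-1")


def parse_lnk(data):
    """Pull the target-related strings out of a Shell Link file (bytes)."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_IDLIST:                       # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    info = {"local_base_path": None}
    if flags & HAS_LINKINFO:
        size, _hdr, info_flags, _vol, base_off, _net, _suffix = struct.unpack_from("<7I", data, pos)
        if info_flags & 0x1:                     # VolumeIDAndLocalBasePath present
            info["local_base_path"] = _cstring(data, pos + base_off)
        pos += size
    for flag, key in STRING_FIELDS:              # CountCharacters + string, no terminator
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        info[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += width * count
    return info


def assess_lnk(info):
    """Reasons a parsed shortcut looks like an autorun-worm lure (assumed rules)."""
    target = ((info.get("local_base_path") or "") + " " + (info.get("relative_path") or "")).lower()
    args = info.get("arguments") or ""
    reasons = []
    if "recycler" in target + " " + args.lower() or "$recycle.bin" in target:
        reasons.append("launches something under a RECYCLER folder")
    if args and any(l in target for l in LAUNCHERS):
        reasons.append(f"target is a system launcher with arguments: {args!r}")
    return reasons


def build_lnk(local_base_path, relative_path, arguments):
    """Construct a minimal Unicode .lnk for testing (LinkInfo + RelativePath + Arguments)."""
    volume_id = struct.pack("<IIII", 0x11, 2, 0, 0x10) + b"\0"   # DriveType 2 = removable
    base, suffix = local_base_path.encode("latin-1") + b"\0", b"\0"
    vol_off, base_off = 0x1C, 0x1C + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + len(suffix), 0x1C, 0x1, vol_off, base_off, 0,
                            suffix_off) + volume_id + base + suffix
    flags = HAS_LINKINFO | HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    pack_str = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + link_info + pack_str(relative_path) + pack_str(arguments)


def scan_removable_root(root):
    """Read-only pass over a drive root; returns human-readable findings."""
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        with open(autorun, "r", errors="replace") as f:
            findings += [f"autorun.inf: {k}={v}" for k, v in analyze_autorun(f.read())]
    for name in sorted(os.listdir(root)):
        if not name.lower().endswith(".lnk"):
            continue
        with open(os.path.join(root, name), "rb") as f:
            try:
                info = parse_lnk(f.read())
            except ValueError:
                continue
        findings += [f"{name}: {r}" for r in assess_lnk(info)]
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for line in scan_removable_root(root) or ["no autorun directives or suspicious shortcuts found"]:
        print(line)
```

Plug the stick into a clean machine with AutoPlay disabled before running this; reading autorun.inf and the shortcut files is harmless, opening them is not. Files that reappear after deletion are being rewritten by the host the stick is plugged into, which is why cleaning it on the infected Windows 2000 laptop gets nowhere and the thread moves the job to an XP machine.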


#8 bubbshjs (Topic Starter)

Posted 04 October 2011 - 12:13 PM

I'll have to wait until OH gets back at the weekend to try MCShield etc.

Will try downloading sophos tonight on the infected laptop and report back.

Thanks again.

#9 1972vet (Malware Response Team)

Posted 10 October 2011 - 09:59 AM

Still with us bubbshjs?



#10 bubbshjs (Topic Starter)

Posted 11 October 2011 - 01:39 AM

Sorry, still here. Everyone was ill last week so I haven't done anything yet I'm afraid.

I want to make sure we can disinfect the flash drives and then finish removing the photos my daughter has stored on the laptop, which will have to wait until next weekend again now unfortunately. Or is it safe to try and run the Sophos scan before I've removed the photos?

Thanks again for all your help and for checking up on me : )

#11 1972vet (Malware Response Team)

Posted 11 October 2011 - 08:30 AM

Yes...leave the photos in place and run the scan.



#12 bubbshjs (Topic Starter)

Posted 12 October 2011 - 02:06 AM

Practically everything seems to have stopped working on the laptop, including the ability to get a network connection and load a browser, so I couldn't run Sophos unfortunately. Running out of options here I think! Any thoughts?
Thanks as always for your help.

#13 1972vet (Malware Response Team)

Posted 12 October 2011 - 09:05 AM

Referring back to post #3, I'm afraid I have to agree with you...looks like "game over" to me.



#14 1972vet (Malware Response Team)

Posted 15 October 2011 - 08:52 AM

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to anyone of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.





