Hello! I need a lot of help with cleaning up this hard drive. It's a friend's; he said he needed some help with cleaning up his computer, so I brought it over to my house and, to my surprise, it barely even starts up (at first it did not). So I mounted his hard drive in my PC, which is how I have it right now. When I first started it up, Windows told me that it needed to check the hard drive, and it did. After that I put it back into his computer and it actually started up... but it had many problems, which I will list below.

Regedit is disabled by admin.

Task Manager is disabled by admin (I found a program to re-enable it, but it only works for a limited amount of time).

The desktop background is locked and cannot be changed (the background is a fake warning that he needs to download an antivirus and that his computer is infected).

The taskbar has disappeared (I tried unlocking the taskbar in Properties and moving it up; the Windows key does not reveal the Start menu).

Multiple errors come up when the computer is booted.

The PC restarts itself when the Windows folder is up, but I can access it and regedit from my PC when his is the slave drive, so that is how I have been working on it.

And the computer obviously has a lot of worms and trojans on it.

I hope you can help me out a bit... thank you for your time :)


Are you able to scan the drive with MBA-M and HJT as per the linky below?
http://www.daniweb.com/forums/thread134865.html

Give that a go, if possible. Post the logs and I'm sure someone will be happy to assist you further - bear in mind the holiday weekend here in the States......

--- It may be that a reformat would be the easiest option. Perhaps you could carefully save any important data on his HD beforehand - Of course this is risky.....


Best Luck :)
PP

I can run an MBAM scan, and did do that before I posted, but is there any way I can set my HJT to a path so it scans the E: drive and not C:?

And also, I thought about doing a reformat and putting the data he still wants on my HD, then transferring it back, but I do not have the Windows disks to do it :(

I can run an MBAM scan, and did do that before I posted, but is there any way I can set my HJT to a path so it scans the E: drive and not C:?

Oops! I am so used to writing that sentence in various forums that I didn't even think about that!
HJT would have to be installed on the infected drive. Also, there are a few other tools at our disposal if need be.

Can you post the MBA-M Log so we can see what has been detected/removed?

I'll be away for most of the weekend, but I imagine one of the other volunteers will be able to assist you further.

Cheers :)
PP

OK, so now I put the hard drive back in the infected computer because I was going to get HJT logs, since I could not figure out how to run the log on the slave drive. When it loads up I get to the Windows login screen, and when I click on the name to log in it says "loading personal settings", then flashes to my desktop background for a short moment, then says "saving personal settings" and goes back to the login screen. I tried safe mode, logging on as admin, pressing Ctrl+Alt+Delete twice at login and logging in that way... any ideas??

... any ideas??

Yes, but it involves a little work ;)

One option is to burn a bootable Recovery Console CD. Here is a link to the ISO:

http://www.thecomputerparamedic.com/files/rc.iso

You'll then be able to poke around a bit for malware and run some commands such as CHKDSK etc....
See Also:
http://support.microsoft.com/kb/314058/


Frankly, I think you'll have better luck cleaning the HD with Trinity Rescue Kit
Again, you'll need to burn the bootable CD to use on the ill computer.
This will put many more options at your fingertips - Virus scans, pulling data off the drive and more. This would probably be the route I'd go. I'm not sure if there is any way to access System Restore via TRK, but that might be worth looking into. You'll probably need to explore the TRK site for usage options.


Let us know how you fare.

Best Luck :)
PP

I'm sorry for the delay to post back, I was on vacation... What type of disk would I use for that? I have never made a bootable...

I'm sorry for the delay to post back, I was on vacation... What type of disk would I use for that? I have never made a bootable...

A CD should suffice.

If you need a tool to burn the ISO, I swear by:
http://www.imgburn.com/

Best Luck :)
PP

Hi... I think you are infected by viruses...
Try the "regrun" software to clean automatically, or follow this manual procedure...

First open your computer in safe mode. Then try to open "gpedit.msc" from Run. If it opens, then under "User Configuration -> Administrative Templates -> System" you will find many fields like "Prevent access to registry editing tools" etc. Open it and click first Disabled -> Apply, then Not Configured -> Apply -> OK.
The Task Manager field may be found in the Ctrl+Alt+Del option, which is above System.
If this does not work, then open your computer in safe mode with command prompt. Go to c:\windows\system32. See hidden files with dir /ah. If the number of hidden files is more than 7 (these 7 are .manifest files), delete all except these 7 (the .manifest files, please do not delete these...). The number of hidden directories should be 2 (dllcache and grouppolicy); also delete any other directory except these.
For deleting hidden files, type in cmd:
attrib -s -h -r file_name
del file_name

You may have to write these commands every time...
You also have to disable the process from msconfig, then try the above method for registry, Task Manager, taskbar, cmd etc.
You can also kill the process from cmd:
tasklist
This will show all running processes...
tskill process_name (without the .exe extension)
This will kill that particular process...

Now, if you have opened your registry, then go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
You will find Userinit and Shell.
Double click on Userinit and delete everything except "C:\windows\system32\userinit.exe", and in Shell delete everything except "Explorer.exe".

Be careful when doing these...


If you use the regrun software (search on Google)
then you don't have to do these manually...


For more help... I am here...
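The Winlogon check in the post above can be done before touching anything, by comparing the Userinit and Shell values against their expected defaults. The following is an added example, not code from this thread or from any tool mentioned in it: it parses the text that `reg query` prints for the Winlogon key and reports any comma-separated entry that is not the default. The sample output and the second Userinit path in it are constructed for the example.

```python
import re
from typing import Dict, List

# Default contents of the two Winlogon values the post says to inspect.
# Userinit normally ends with a trailing comma; empty entries are ignored below.
EXPECTED = {
    "userinit": {r"c:\windows\system32\userinit.exe"},
    "shell": {"explorer.exe"},
}

# One value line of `reg query` output: name, REG_* type, data (4-space separated).
_LINE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*?)\s*$")


def parse_reg_query(output: str) -> Dict[str, str]:
    """Parse the text printed by `reg query <key>` into {value_name_lower: data}.

    The key-path header line contains no REG_* token, so it is skipped."""
    values: Dict[str, str] = {}
    for line in output.splitlines():
        m = _LINE.match(line)
        if m:
            values[m.group("name").lower()] = m.group("data")
    return values


def check_winlogon(output: str) -> Dict[str, List[str]]:
    """Return, per Winlogon value, the entries that are not the expected default.

    An empty dict means Userinit and Shell hold only their default contents."""
    values = parse_reg_query(output)
    findings: Dict[str, List[str]] = {}
    for name, expected in EXPECTED.items():
        entries = [e.strip() for e in values.get(name, "").split(",") if e.strip()]
        extra = [e for e in entries if e.lower() not in expected]
        if extra:
            findings[name] = extra
    return findings


# Constructed sample of `reg query` output (hypothetical; not from the thread).
# EXAMPLE_UNKNOWN.exe is a placeholder for an unexpected second Userinit entry.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\EXAMPLE_UNKNOWN.exe
    Shell    REG_SZ    Explorer.exe
"""

if __name__ == "__main__":
    for value, extra in check_winlogon(SAMPLE).items():
        print(f"{value}: unexpected entries {extra}")
```

On a live machine the input would come from running `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` and redirecting its output to a file.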
