
The dreaded rebuild!

Discussion in 'Software' started by Rostros22, Oct 26, 2005.

  1. Rostros22

    Rostros22 Kilobyte Poster

    321
    5
    54
    Hello all,

    As the title suggests I am trying to avoid the dreaded rebuild!

    I have a mate's machine from work which is riddled with viruses / spyware that basically stop anything from running when the machine boots. I cannot install any virus software or spyware removal software as the machine locks up the minute it loads into XP.

    Last known good config shuts down the machine as a vssppcmp.exe (looked for this on Google and nothing was found so no idea what it is) error pops up and shuts the machine down again. Started in safe mode and removed as much rubbish as I can find but the problem still occurs and obviously I can’t install anything in safe mode.

    Is there any other way of checking and removing these viruses and spyware programs?

    In the long term I think a rebuild will be the best option and get him to get a firewall and virus software package on the machine, but just wanted to know if anyone had any other ideas.

    Cheers :biggrin
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  2. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    179
    287
    I can't find that error by Googling either or on Microsoft's XP support page. Last known good config starts the computer using information that was saved to the Registry during the last shutdown. If you are getting an error in Last Known Good that shuts down XP, I'd say you have a major glitch somewhere in the Registry.

    About the closest I came to finding an answer of any sort was this:

    http://support.microsoft.com/kb/244905/

    It describes a situation where an incompatible driver is stopping Windows from being loaded. Maybe it can work here, too. Hope it helps.
     
    Certifications: A+ and Network+
  3. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    Try downloading and installing the ewido suite. (It has a free 15 day evaluation period. After that the functionality is somewhat reduced.) Run it first and then run HijackThis and post the log from it, or at least post the log in an attachment as they can get pretty long.

    We'll see if we can't get it figured out.

    I've just lately come across the Ewido suite, and it seems to be pretty good. However, there is one caveat. You need to delete each bad piece of malware individually or it will get rid of some needed Active X programs on a Windows computer. Or, you can just reinstall all the needed software that goes missing after you let it get rid of everything automatically.

    It is amazingly thorough as I've cleaned up a couple of badly infected computers with it. It is about the only anti-malware/spyware software available that will find and kill the junk that lives in memory rather than on the hard disk.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  4. Rostros22

    Rostros22 Kilobyte Poster

    321
    5
    54
    Downloading now

    My only concern is how to get it onto the infected machine as I am having difficulty installing anything.
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  5. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    Try booting into safe mode. Or, try running HijackThis first and we'll go through it. That may get you enough time to be able to install ewido.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  6. Rostros22

    Rostros22 Kilobyte Poster

    321
    5
    54
    Tried safe mode before but I will give it another go

    Just downloading hijack-this and I will give it a go

    Thanks for the help freeloader
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  7. Rostros22

    Rostros22 Kilobyte Poster

    321
    5
    54
    Running the ewido suite now, already found 38 infected objects!

    I was trying to install the Microsoft anti-spyware software before and it would not let me in safe mode. Ewido has installed and is running.

    Hijack-this stopped and threw out an error report which I will attach later on once the ewido suite has finished scanning. :)
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  8. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    NOD32 mate!! Install in safe mode... never failed me once! There is a trial version so it won't cost you! :biggrin
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  9. Rostros22

    Rostros22 Kilobyte Poster

    321
    5
    54
    Thanks Zimbo

    Just running the ewido at the moment over in the test lab!

    Will try your suggestion as well :biggrin
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  10. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    You need to run this after you finish running the ewido tool. If you don't it will be a huge waste of time because we'll be looking at stuff that doesn't exist anymore.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  11. Rostros22

    Rostros22 Kilobyte Poster

    321
    5
    54
    Roger that!

    Ta mate
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  12. Rostros22

    Rostros22 Kilobyte Poster

    321
    5
    54
    Just want to say a big thank you to all that helped on this problem.

    Freeloader - Ewido did the trick mate as I can now boot into Windows properly, cheers.

    If you would still like to view the reports let me know and I will post them.

    Many thanks to all :biggrin
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  13. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174

    Yeah, I would like to see the reports and I am sure others would too. :)
    Well done on sorting it out. Grab yourself a beer. :biggrin
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  14. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    179
    287
    I think posting the report as an attachment would be a good idea. I hate to be a bit of a pessimist but you can't be sure you got everything...just the junk that was causing the worst set of problems. There could be more critters lurking in the woodworks.
     
    Certifications: A+ and Network+
  15. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    Yup. That's why I recommended running HijackThis and posting the log. Do post it as an attachment though as they can be really long depending on what all is running on the computer.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  16. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    Yup - just to add:

    Copy the output from the report into a .txt file, then upload that as an attachment. Works a treat, and saves our server space and bandwidth at the same time :)
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  17. Rostros22

    Rostros22 Kilobyte Poster

    321
    5
    54
    I am currently running the hijack program and once that is complete I will attach the reports so you can have a browse over them! :D
     
    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
  18. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,871
    167
    256
    I believe it is virtually impossible to eradicate all malware from a badly infected PC. You need to use a variety of removal tools, the ones mentioned here, as well as Spybot S&D, Lavasoft's Adaware, Microsoft's anti-spyware beta and whatever else you can get your hands on for free.

    The logs that HijackThis produces are very difficult to decipher; there are forums on the net that have experts totally dedicated to analysing them. We can certainly give it our best shot but there is a likelihood that some evil critter could still be resident. I suppose as long as the computer is usable you have done your job.

    The only way to be absolutely sure that your Windows computer is free from malware is to re-install the OS.

    Malware is becoming more complex and devious every day. As PC support professionals we need to be aware of the various threats and have a game plan for getting rid of them and blocking them in the future.

    I always install Spyware Blaster (Google the name; it is free) on my customers' machines. It is not a removal program but it blocks known sites and known weaknesses in both Firefox and IE from being compromised in the first place.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  19. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    I agree with this. If the computer needs to be trusted, then rebuilding it is the only way to go. If it's just used for casual surfing and email it's not as big a deal. But, if it's used to purchase things online, do online banking, and other tasks such as that, the only way it can truly be considered trustworthy is to wipe out the system drive and start over.

    It was a mistake on my part not to point this out as this is what I do with my own computers and those that I work on for people who need to trust theirs.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  20. Rostros22

    Rostros22 Kilobyte Poster

    321
    5
    54
    Report files

    Hijack would not let me have the full report as it wasn't a full registered version.

    Installed Microsoft anti-spyware beta but as you said a re-install is the best solution.

    Just happy I can now make a backup of his data files that he wants to keep. This is his home machine and he has a flash drive that he uses at work, will be having a 'quiet' word with him tomorrow as that flash drive could affect our network if he takes it home.
     

    Attached Files:

    Certifications: ITIL Certs, F.A.S.T Auditor Certs
    WIP: None - Application with Police
