a couple glitches. any help problems
Posted 06 September 2008 - 06:42 PM
Posted 07 September 2008 - 03:52 AM
You are most likely beyond a few glitches and well into infection territory.
There are a few ways to handle an infection. The usual way is in realtime (while working on the infected computer). This may or may not be successful depending on how many viruses are alive and spawning. I'll let someone else explain the steps of disabling startup apps, safe-mode, floppies, etc. You should definitely have a copy of Startup Control Panel standalone EXE handy.
Another way is via UBCD and other special boot cdroms which is better since the virus is not actively running. You must first alter the BIOS so that the HDD is given later priority than the CDROM drive. One problem here is that the antivirus definitions are likely to be outdated relative to a very current infection.
Finally, IMHO this way is the fastest: Yank that system drive and install it as a slave in a working computer which has the necessary tools: updated Antivirus (McAfee/AVG/etc) *and* anti-Spyware (SpybotSD/Adaware/etc). Manually scan the slave drive from this safe platform (change settings to ALL files not just program files and enable heuristics), delete the problem files, verify by scanning again until clean, and yank the drive and put it back the way it originally was (umm, be sure you do not execute any files on the slave disk while it is connected in the clean computer!). You're not done yet: on the original computer, you still have to scan one more time with both sets of tools in order to clean the registry and to remove all bad apps hooked into the Win9x startup points. Theoretically no virus should be able to survive this procedure provided the antivirus definitions are up to date. In practice it could be an undefined variant. In this case, put that particular HDD on ice for a couple of weeks and get later definitions for the antivirus and SpybotSD programs and repeat.
BTW, this is not necessarily a problem in itself. It could just mean that either or both of these registry settings exist:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"DesktopProcess"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
"DesktopProcess"=dword:00000001
It simply forces each Explorer instance into a separate thread (which IMHO is a good thing). The root folder instance right after bootup is only a strange by-product. But, it is possible a virus might intentionally do this so that if one infected Explorer crashes or is killed by Process Explorer, it does not bring down any other infected instances, which will then respawn a new thread. So, the way I see it, on an uninfected Win9x computer these settings can add stability, but on an infected one they can help to preserve certain nasty viruses. Just change those DWORDs to all zeroes to prevent this behaviour.
EDIT: fixed that "alter the BIOS so that the HDD is given later priority". It said "disable HDD". Doh! Too many beers.
This post has been edited by CharlotteTheHarlot: 08 September 2008 - 04:24 AM
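An added example (not from the post above) that checks the two DesktopProcess settings it describes in a REGEDIT4-format export, such as one produced with regedit's export command on the suspect machine, and builds the fragment that sets them back to zero. The sample export text is constructed for the demonstration.

```python
import re

# Constructed sample of a Win9x registry export (REGEDIT4 format) showing
# both DesktopProcess values set to 1, as in the post above.
SAMPLE_REG = """REGEDIT4

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer]
"DesktopProcess"=dword:00000001

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer]
"DesktopProcess"=dword:00000001
"ShellState"=hex:24,00,00,00
"""

# The two Explorer keys the post names.
EXPLORER_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer",
)

def parse_reg(text):
    """Parse REGEDIT4-style text into {key: {value_name: raw_data}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys

def desktop_process_enabled(text):
    """Return the Explorer keys whose DesktopProcess DWORD is non-zero."""
    keys = parse_reg(text)
    flagged = []
    for key in EXPLORER_KEYS:
        raw = keys.get(key, {}).get("DesktopProcess", "")
        if raw.lower().startswith("dword:") and int(raw[6:], 16) != 0:
            flagged.append(key)
    return flagged

def reset_reg(flagged):
    """Build a REGEDIT4 fragment that sets DesktopProcess back to zero."""
    lines = ["REGEDIT4", ""]
    for key in flagged:
        lines += ["[%s]" % key, '"DesktopProcess"=dword:00000000', ""]
    return "\n".join(lines)
```

Importing the generated fragment with regedit applies the zero values the post recommends; the parser only handles the simple quoted-name forms shown in the sample.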
Posted 07 September 2008 - 12:00 PM
I'd recommend CodeStuff Starter for checking/disabling startup items and watching/killing processes.
Also, Dr.Watson can provide on demand a report including all currently loaded modules. Similarly, HiJackThis (now under TrendMicro's umbrella) is able to provide a report (and clean the registry) of ActiveX controls, BrowserHelperObjects and other nasties that may plague your system. A little bit of intuition plus searching the web for suspect filenames could save the day.
Of course, a nasty infection may require a reboot in DOS mode and manual deletion of infected files. Careful what you delete though, as you may render the system unusable. Always back up the allegedly infected files before deleting them, for safety.
Posted 07 September 2008 - 01:58 PM
If you are not interested in what kind of infection there is, restore a backup of the \Windows\ directory from a time when the suspicious behaviour did not occur, & you'll most likely have gotten rid of the bugger. There are exceptions like boot sector viruses, but deleting \Windows\ & restoring a good backup of it has worked well for me in malware situations.
This post has been edited by Multibooter: 07 September 2008 - 02:25 PM