RootKit Virus - gxqyitde.exe

Recently someone brought me their WinXP desktop computer with a serious infection, a fake anti-virus called System Security. I couldn't do anything in Windows and decided to try to start up in safe mode. That wouldn't work, so I had to dig out my boot CDs, UBCD4Windows in particular.

As usual, Superantispyware off the CD was my first choice. If nothing else it usually cleans things out enough for me to get control of the system, to either go into safe mode or to start up the computer completely. In fact, in this case it did not; it just kept rebooting.

I assumed system files may have been corrupted or damaged, so I booted off a Windows CD to go into the recovery console -

http://ask-leo.com/what_is_the_recovery_console_and_how_do_i_get_at_it.html?awt_l=B.HwR&awt_m=1b32yR6DepdfbL

http://support.microsoft.com/kb/314058

- to run a chkdsk on the hard drive. Then rebooted. It didn't work.

I figured it was a damaged boot record, so back to the recovery console, and ran both of these commands: fixboot and fixmbr. Still did not work. So I tried bootcfg /rebuild. It kept saying something about not being able to find a Windows install... I wasn't sure where to go from there, so I eventually decided to boot off UBCD4Windows. I could access the hard drive and files no problem, so I decided to edit the boot.ini manually.

According to Microsoft's website (http://support.microsoft.com/kb/289022) it should read something like this:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows Home" /fastdetect

There was extra info there that I deleted. Restarted the system and finally it started up normally. The virus seemed to be taken care of. The system still seemed to be slow. I ran another scan with Superantispyware, reset Internet Explorer, and downloaded and ran the cleaners offered by CCleaner - http://www.piriform.com/ccleaner.
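A quick way to check a boot.ini for the kind of stray entries described above, as an added example that is not the author's own code: a Python script that parses the file with the standard library configparser and confirms that the default= path under [boot loader] actually appears under [operating systems], and that every entry there has a quoted description. The sample text is constructed to match the layout shown above; the function names are mine.

```python
"""Sanity-check an XP-era boot.ini (added example; not part of the original post)."""
import configparser
import re
from typing import List

# Constructed sample with the layout shown in the post (single XP install, partition 1).
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows Home" /fastdetect
"""

# Entries under [operating systems] are ARC paths (multi/scsi/signature) or a drive path like C:\.
_VALID_ENTRY = re.compile(r"^(?:multi\(|scsi\(|signature\(|[a-z]:\\)", re.IGNORECASE)


def parse_boot_ini(text: str) -> configparser.ConfigParser:
    """Parse boot.ini text. Keys are ARC paths, so keep their case and split only on '='."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # do not lowercase the ARC paths
    cfg.read_string(text)
    return cfg


def check_boot_ini(text: str) -> List[str]:
    """Return a list of problems found; an empty list means the file looks consistent."""
    problems: List[str] = []
    cfg = parse_boot_ini(text)
    for section in ("boot loader", "operating systems"):
        if not cfg.has_section(section):
            return [f"missing [{section}] section"]

    entries = dict(cfg.items("operating systems"))
    if not entries:
        problems.append("no entries under [operating systems]")

    default = cfg.get("boot loader", "default", fallback=None)
    if default is None:
        problems.append("no default= line under [boot loader]")
    elif default not in entries:
        problems.append(f"default {default} is not listed under [operating systems]")

    for path, description in entries.items():
        if not _VALID_ENTRY.match(path):
            problems.append(f"entry {path} is neither an ARC path nor a drive path")
        if not description.startswith('"'):
            problems.append(f"entry {path} has no quoted description: {description!r}")
    return problems


if __name__ == "__main__":
    for problem in check_boot_ini(SAMPLE_BOOT_INI) or ["boot.ini looks consistent"]:
        print(problem)
```

Point it at a copy of the boot.ini pulled off the drive from a boot CD (read the file and pass its text to check_boot_ini) before rewriting the file by hand; the "default not listed" case is exactly what bootcfg /rebuild complains about when it cannot find a Windows install.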

After all of this I had to uninstall the anti-virus because it was not working properly. I kept getting an error about it not being able to start up. It was a version they were paying for through their ISP. I decided to just install Avira for the time being.

Avira - http://www.avira.com/en/avira-free-antivirus

It installed OK and ran a scan no problem, and found a few other things including a file called gxqyitde.exe. My gut feeling told me there was still something wrong. I like to do research on the viruses I encounter, and some info online indicated a possible rootkit virus. So I decided to try a rootkit scanner - Sophos Anti-Rootkit - http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx

It found nothing suspicious. After 2 days I decided to leave it at that, called the owners and...only time will tell....

....Time did tell. A little over a day later they brought it back infected again. I offered to clean it again at no extra charge. A part of me was sure I didn't get it all the first time. One program I noticed running in the background, called gxqyitde.exe, confirmed that. I did research online about this program and found nothing. Not surprising, since a virus would probably pick a name and number at random to try and defeat the scanners.

After running numerous scanners off CDs like UBCD4Windows, Dr Web - http://www.freedrweb.com/livecd/?lng=en, Avira - http://www.avira.com/en/support-download-avira-antivir-rescue-system, Microsoft Security Scanner (wouldn't run because I couldn't update it), the system is still infected. I also ran Combofix - http://www.bleepingcomputer.com/combofix/how-to-use-combofix and numerous other rootkit scanners.

But there are a few files I cannot get rid of. They are named gxqyitde.exe - one in the root of C:, one in a program folder called xrymxqtq and one in the Start folder on the start menu. It has a media-player-like icon.

I deleted these files manually by booting off UBCD4Windows but they keep coming back. I think the reason why it was so hard is because of the registry entry: HKLM\software\microsoft\Windows NT\currentversion\winlogon\userinit.exe, c:\Program Files\xrymxqtq\gxqyitde.exe.

I could delete it within Windows but it keeps coming back. I can't remove it through Autoruns or HijackThis because it claims the file is in use. And I still couldn't boot into safe mode.
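One defensive check a practitioner would want at this point, as an added example rather than the author's own tooling: a Python script that reads the Userinit value under the Winlogon key the post refers to (the value Windows uses to launch userinit.exe at logon, and which an infection can extend with a second program so it comes back after every reboot) and reports anything beyond the stock system32\userinit.exe. On Windows it reads the live registry through the standard winreg module; elsewhere it falls back to a constructed sample value modelled on the path quoted above. The function names are my own.

```python
"""Flag extra entries in the Winlogon Userinit value (added example; not the post's code)."""
import re
from typing import List, Optional

# The key the post refers to; the value of interest is named Userinit.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
VALUE_NAME = "Userinit"

# A stock XP machine has exactly one entry: the system userinit.exe, with a trailing comma.
# Anything listed after it is started at every logon, which is how a file keeps coming back.
_STOCK_USERINIT = re.compile(
    r'^"?(?:%systemroot%|[a-z]:\\[^,]*?)\\system32\\userinit\.exe"?$', re.IGNORECASE
)


def split_userinit(value: str) -> List[str]:
    """Split the comma-separated value into its non-empty, trimmed entries."""
    return [part.strip() for part in value.split(",") if part.strip()]


def is_stock_userinit_entry(entry: str) -> bool:
    """True if the entry is the system userinit.exe (any system root, any case, quoted or not)."""
    return _STOCK_USERINIT.match(entry) is not None


def suspicious_userinit_entries(value: str) -> List[str]:
    """Return every entry that is not the stock userinit.exe; these deserve a look."""
    return [e for e in split_userinit(value) if not is_stock_userinit_entry(e)]


def read_live_userinit() -> Optional[str]:
    """Read the live value on Windows; winreg does not exist elsewhere, so return None there."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, VALUE_NAME)
    return str(value)


if __name__ == "__main__":
    # Constructed sample modelled on the value described in the post (not a real capture).
    sample = r"C:\WINDOWS\system32\userinit.exe,C:\Program Files\xrymxqtq\gxqyitde.exe"
    value = read_live_userinit() or sample
    extras = suspicious_userinit_entries(value)
    print(f"{VALUE_NAME} = {value}")
    for entry in extras:
        print(f"  non-standard entry: {entry}")
    if not extras:
        print("  only the stock userinit.exe is present")
```

Reading the value is harmless, so it is safe to run on the live system first; if it reports an extra entry that Autoruns cannot clear because the file is in use, that is the value to correct from an offline registry editor, restoring it to the single system32\userinit.exe entry with its trailing comma.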

I have tried to edit the registry through the utilities on the UBCD but no luck. Tried a CD called PCRegedit - http://www.pcregedit.com/product.html. It creates a bootable CD/DVD that in theory gives you the ability to edit the registry, but the mouse and keyboard kept going dead just after booting.

Some of these viruses also infect the MBR (Master Boot Record). I fixed the master boot record just in case it was one of those infections, but still no dice.

The downside to using a boot CD like UBCD4Windows is that the utilities on it are designed only to work on the main boot system, and when you boot off a CD/DVD, it is the main boot system. Getting them to work properly is a hit-or-miss affair. Unfortunately, more misses than hits. After 2 more days of fooling around with it I suggested a format and reinstall, something I would have done from day one if it was my computer. They agreed, I did, end of story.

I would have preferred a way to remove it, in case I come across this problem again.

I had better luck with the next XP laptop brought to me. Safe mode did work this time, so it made my job a little bit easier. Can't remember the name of the infection, but when I got rid of it all of the files on the hard drive were hidden and all the program shortcuts in the Start menu were gone.

There is a small utility called unhide.exe - http://download.bleepingcomputer.com/grinler/unhide.exe
or: http://www.bleepingcomputer.com/forums/topic405109.html

Unfortunately, it didn't fix the Start menu. The program folders were back but the shortcuts to start the programs were still gone. I decided to try to fix it with a System Restore. It seemed to have worked. Then, still, I got another call, someone else with an XP desktop, same type of infection, same fixes applied. (LivePCCare was the name of it.)

The only problems here were that I could not boot off a CD/DVD because the drive was completely dead, and I couldn't get it to boot off my flash drive. Safe mode again worked in this case, so I booted up Safe Mode with Networking and ran Superantispyware and Spybot directly off my flash drive. As I pointed out, same Start menu problems, fixed with a System Restore. I had to restore from May. Funny there were no restore points between May and November.

No one has called back complaining, so I'm taking it as a good sign. :-)

Odds and Ends: Crashed Hard Drives

My sister's laptop conked out at the same time someone gave me two old laptops, both with bad hard drives, so I transplanted the hard drive from her laptop to one of the laptops given to me; worked like a charm. Then my neighbour's daughter smashed her laptop and I did the same thing with the second one. I didn't gain much personally with the laptops, but both operations were a complete success. :-)

Someone brought me their laptop, another older model, an IBM Thinkpad 1831. It would not boot up. It gave an error message of:

  • ERROR
  • 0200: Failure Fixed Disk 0
  • Press F1 to setup

I didn't need to go online to know that the hard drive was history (but I did anyway). Strange thing is I couldn't boot off any CD/DVDs to run any scans. The only way I was able to do that was by removing the hard drive.

Bad Printer Cable - DVD malfunction

Another woman called who was having problems with her printer; it turned out to be a bad USB cord. I also noticed that her DVD drive wasn't working. The solution was to delete some registry entries: http://support.microsoft.com/kb/314060

Memory Issues Again

A neighbour called because their computer was beeping all the time and would not start up. I've fixed this one a few times in the past (the problem, not the computer). Just removed the memory chips and put them back in.

Windows 7 Printer Sharing Error: 0x000006d9

And I couldn't share my printer in Windows 7.

I was getting the following error when trying to share my printer: Error 0x000006d9.

What I had to do was re-enable the Windows Firewall.

  • Click on Start,
  • Control Panel,
  • Network and Sharing Center,
  • down the left hand side click on Windows Firewall,
  • Then click on Turn Windows Firewall On or Off
  • Click on Turn on Firewall
  • then OK
  • Then when it goes back to the previous window click on Restore defaults

Then go to Control Panel, Devices and Printers, right-click on your printer name and from the menu choose Printer properties (NOT the one labelled Properties), check the option to share the printer, and in most cases you are good to go.

Most of the time to fix network problems you have to turn off the firewall; this time... Microsoft???:-)

Fixing Corrupted Pictures

You go to open a picture and it will not open or print, or you get some error message. Here are some simple ways to fix corrupted picture files.

  • rename the picture
  • rename the folder the picture is in (assuming it's not a system folder like My Pictures)
  • copy the file to another folder, delete the original, then copy it back
  • convert to the same or another format

They have all worked for me over the years. Some of these methods will work with other file types as well.