
At a stalemate with XP laptop


Sorin (Member; joined Mar 7, 2004; location: Phoenix, since 03/2014)
I'm trying to fix my friend's laptop. One of her sisters ended up letting some spyware in and now it's screwed up to an extremely impressive level. I've never encountered a problem I couldn't fix in the past with enough Google searching, but I'm at a standstill with this one.

It's a Gateway W730-K8X (AMD) running XP Home SP2 and it appears to at least have this.

All of my normal avenues of attack are blocked. First of all, it blocks exes from being run, so no taskmanager, virus/malware scans, custom removal tools, or anything else useful that would fix it.

Second, whenever I try to get into regedit (in general; although part of the fix includes adding something to the registry), I get "registry editing has been disabled by your administrator". The user IS administrator with full rights. I read about changing this via Group Policy Editor, but XP Home doesn't come with it. So I read about how to add it to XP Home, but after I did that, same story. The legit regedit exe seems to be there and there's no regedit.com anywhere (I read that com files have priority over exe files?).

Third, no safe mode. Whatever file tries to load after agpcpq.sys fails and the computer reboots into normal mode. I read that ntbtlog.txt is a log that would show which files loaded and which files failed, but I can't find this file anywhere (which is supposed to be in C:\).

So, no exes, no taskmanager, no regedit, and no safemode (unless I can figure out what file is failing and fix it). chkdsk with various flags is clean. I've never seen a computer so massively and completely crippled.

I know that at this point one should just reinstall XP and that might be what I end up having to do, but, I really want to figure this out for the principle of the matter, for peace of mind, and for the experience.

So, I'm at a loss at the moment, and any help is appreciated. If I could just get either regedit or safemode working, I'd be ok.
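The four symptoms in the post (regedit refused "by your administrator", Task Manager and other exes not running, Folder Options gone, Safe Mode not starting) each map to registry keys that can be read offline from a boot CD. The script below is an added example, not code from the thread or from any poster: it triages a regedit-style `.reg` export for those keys. The policy and association paths are the standard Windows locations; the sample export, the `secfile` ProgID and the `ave.exe` path in it are constructed, modelled on the way this family of rogues is commonly documented to redirect `.exe` launches, so whether that is what happened on this particular laptop is an assumption. The function names (`parse_reg`, `triage`) are the example's own.

```python
"""Triage a Windows XP registry export (.reg) for the lock-outs the post describes.

Added example, not code from the thread. Key paths are the standard Windows
policy/association locations; the sample export below is constructed and the
ave.exe / "secfile" details in it are assumptions, not facts from the post."""
import re

# Constructed sample: the relevant keys as they might look in an export taken
# from a boot CD on the infected laptop.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\ave.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

POLICY_SYSTEM = r'hkey_current_user\software\microsoft\windows\currentversion\policies\system'
POLICY_EXPLORER = r'hkey_current_user\software\microsoft\windows\currentversion\policies\explorer'
IFEO = r'hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options'
SAFEBOOT_MINIMAL = r'hkey_local_machine\system\currentcontrolset\control\safeboot\minimal'
CLEAN_EXE_COMMAND = '"%1" %*'   # what exefile\shell\open\command holds on a clean box


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def _decode(data):
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return ('REG_SZ', _unescape(data[1:-1]))
    if data.startswith('dword:'):
        return ('REG_DWORD', int(data[6:], 16))
    return ('RAW', data)            # hex(...)/multi-string values kept verbatim


def parse_reg(text):
    """Return {key_path(lower): {value_name(lower): (type, data)}}.

    The default value is stored under the empty name; hex values continued
    over several lines (trailing backslash) are joined before decoding."""
    reg, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            reg.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            raw_name, data = m.group(1), m.group(2)
            while data.endswith('\\') and i < len(lines):
                data = data[:-1] + lines[i].strip()
                i += 1
            name = '' if raw_name == '@' else _unescape(raw_name[1:-1])
            reg[current][name.lower()] = _decode(data)
    return reg


def _dword_set(reg, key, name):
    v = reg.get(key, {}).get(name.lower())
    return v is not None and v[0] == 'REG_DWORD' and v[1] != 0


def exe_open_commands(reg):
    """Yield (key, command) for the .exe launch handler in each hive present.

    The per-user HKCU\\Software\\Classes tree takes precedence over HKCR, which
    is why a rogue plants its own ProgID there and leaves HKCR looking clean."""
    for hive in (r'hkey_current_user\software\classes', 'hkey_classes_root'):
        progid = reg.get(hive + r'\.exe', {}).get('', ('REG_SZ', 'exefile'))[1]
        key = hive + '\\' + str(progid).lower() + r'\shell\open\command'
        if key in reg:
            yield key, reg[key].get('', ('REG_SZ', ''))[1]


def triage(text):
    """Return a list of findings; empty for an export with none of the tricks."""
    reg = parse_reg(text)
    findings = []
    if _dword_set(reg, POLICY_SYSTEM, 'DisableRegistryTools'):
        findings.append('DisableRegistryTools=1: regedit refuses with "disabled by your administrator"')
    if _dword_set(reg, POLICY_SYSTEM, 'DisableTaskMgr'):
        findings.append('DisableTaskMgr=1: Task Manager blocked')
    if _dword_set(reg, POLICY_EXPLORER, 'NoFolderOptions'):
        findings.append('NoFolderOptions=1: Folder Options removed from Explorer/Control Panel')
    for key, cmd in exe_open_commands(reg):
        if cmd != CLEAN_EXE_COMMAND:
            findings.append('.exe launch hijacked via %s -> %s' % (key, cmd))
    for key, values in reg.items():
        if key.startswith(IFEO + '\\') and 'debugger' in values:
            findings.append('IFEO Debugger on %s -> %s' % (key.rsplit('\\', 1)[1], values['debugger'][1]))
    has_system_hive = any(k.startswith(r'hkey_local_machine\system') for k in reg)
    if has_system_hive and not any(k.startswith(SAFEBOOT_MINIMAL) for k in reg):
        findings.append('SafeBoot\\Minimal key missing: Safe Mode cannot start (restore it from a clean XP of the same service pack)')
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_REG):
        print('[!] ' + f)
```

Each finding names the value to delete or restore; the policy DWORDs can simply be removed, the `.exe` association is fixed by pointing it back at `exefile` with `"%1" %*`, and a missing `SafeBoot\Minimal` tree has to be copied from a clean XP install at the same service pack. Running this over an export taken from the boot CD, rather than on the live machine, sidesteps the rogue's block on running executables.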
 
Run Ultimate Boot CD, and then delete the folder that program sits in.

Done!

Reboot.

You may get a few registry errors, not something CRAP CLEANER can't fix...

Install AVAST, and then do a boot time defrag, I'm sure you'll get a few hits!

It's that simple.
 
I second UBCD4Win. That's an invaluable tool that everyone should take the time to compile. The one issue I've found is that it's hard to get everything to fit on a CD anymore after updating. It would probably be best to make a lean compile for CD (to use on older machines), then make a nice fat one for USB or DVD.
 
That would work if everything was all neatly contained in one nice little directory, but who writes good malware like that (not sure you guys read the link :p)? This thing is all over the place and has no home directory. If you simply delete the program, ave.exe, it comes back.

I also forgot to mention that Folder Options is missing from everything, including control panel, so to see hidden files and system files I have to use the command prompt.
 
If you compile that disc, you'll have access to all the directories plus various disk and malware tools. The viruses won't be able to do anything to stop a bootable CD.
 
If you compile that disc, you'll have access to all the directories plus various disk and malware tools. The viruses won't be able to do anything to stop a bootable CD.

I did, no dice. I used that avira ntfs4dos thing on the CD and deleted the main exe file, but it's back.

I also tried the bootable AVG antivirus disc, but as is apparently common with this particular malware, it wasn't and isn't detected by virus scanners. It did not find the main exe, but it found 39 other bogus/infected files all over the system, so I'd have to ntfs4dos my way through all that.

If there was more information about this trojan, I could delete the main exe and whichever files cause it to respawn, but I can't find such details.
 
... simplest and easiest and quickest way is to just format and reinstall XP when it gets as far as it sounds. You can easily copy over documents if necessary in a live CD of Linux or BartPE.
 
Boot it up and ignore the prompts. Right click on the taskbar and close the multiple windows that are open. If it is not connected to the net you can get ahead of the popup windows at least enough to get a USB stick to load. Install End It All. Run it and disable System Restore (important). Install Spybot with the latest version and defs you can get. Run it, install MSE and run it at the same time; it will get some fast hits. When Spybot asks to allow it to run at startup click yes, but allow MSE to fix at least the one exploit before rebooting (usually a file containing the logon name in it). What Spybot misses MSE will get. Uninstall all the crap that shouldn't be there: toolbars, WeatherBug, anything that you don't like. Win files are not usually damaged and it has probably missed a lot of MS updates, so get them.

This thing is everywhere, I have done three in the last week. Tell them to only top right click any popup that says they are infected, close IE and restart it.
 
Download a program called ComboFix. Boot in safe mode with networking. Run ComboFix, let it get the updates it needs and let it install Microsoft Restore Services (or whatever it's called). It takes anywhere from 30 seconds to 10 minutes to run its scan. It will reboot your system for you (probably back to safe mode), then reboot into protected (regular) mode and voila. The worst of the nasties are gone.

Combofix doesn't get everything. Just the MOST COMMON nasties of today.
 
MalwareHelp.org: FakeRean
Microsoft Malware Protection Center Encyclopedia Entry: FakeRean


This thing is everywhere, I have done three in the last week. Tell them to only top right click any popup that says they are infected, close IE and restart it.

You mean you've done this exact one, FakeRean three times this week?

I'm going to try the USB thing, but I don't anticipate it to work, since the installer is an exe, and this program stops exes from being run.

I downloaded the windows version of UBCD so I'll try a few things from that.

Download a program called ComboFix. Boot in safe mode with networking. Run ComboFix, let it get the updates it needs and let it install Microsoft Restore Services (or whatever it's called). It takes anywhere from 30 seconds to 10 minutes to run its scan. It will reboot your system for you (probably back to safe mode), then reboot into protected (regular) mode and voila. The worst of the nasties are gone.

Combofix doesn't get everything. Just the MOST COMMON nasties of today.

...

All of my normal avenues of attack are blocked. First of all, it blocks exes from being run, so no taskmanager, virus/malware scans, custom removal tools, or anything else useful that would fix it.

Third, no safe mode. Whatever file tries to load after agpcpq.sys fails and the computer reboots into normal mode.

From what I've read, apparently this malware loads up in safe mode anyway.
 
Yea, same one. On Vista it is Vista Security Tool and on XP it was XP Security. They are slightly different, as Vista simply deletes passwords and takes over while the XP one blacked out the desktop and menu. The pop-ups seem to be timed so that you have to get ahead of them before you can actually get anything done. I have a big screen so I could move a few out of the way. The Vista infection actually used the user name as the file name for the trojan. I think it more tries to use up all available memory and CPU cycles during activity than actually block all exes, or perhaps it only blocks the ones it knows to be a threat. I also think that it might be using System Restore as some kind of active replicator, but I could be wrong. Once I got End It All to run I could do whatever I needed to.
 
Old thread, but it's mine, so whatever.

Since it was 2½ months ago, I forget what I did. But it wasn't anything I had read about or tried. I just fired it up at some point and got an exe working, and I went from there.

Anyway, long story short is that the virus/malware/whatever it was seemed to be gone, although Windows Update and some other Microsoft sites seemed to be inaccessible. Automatic Updates still worked, so it had to be some leftover browser hijacking remnant that didn't get fixed. I tried fixing the hosts file, but that didn't work. Anyway, I gave the laptop back because it seemed fine other than that.

Fast forward to yesterday when my friend brought it back over so I could fix that remaining problem and try to speed it up a little. Windows Update via any web browser was still broken, so I tried crap cleaner. Nada. Tried reg cleaner. Nada. Previous scans with McAfee also failed.

Not sure what to do, I axed McAfee and downloaded Microsoft Security Essentials. After installing, I did a full scan. DAMN. All remaining problems fixed in one fell swoop. It found and eliminated one dormant, leftover piece each of a virus and two trojans that McAfee and everything else either missed or couldn't fix. Whatever was wrong with the registry and the inaccessible-from-browser Windows Update thing was also fixed. I guess no one knows Windows better than Microsoft itself, right.

As an aside, getting rid of McAfee, AOL, and HP and Lexmark driver/software suites dropped the running processes from 70 down to 35. Installing MSE added just two processes (12 for McAfee vs 2 for MSE!?! Wow).

Just thought I'd mention that this was resolved.
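The "Windows Update unreachable from a browser but Automatic Updates still works" symptom in the thread is the classic reason to look at the hosts file first. The script below is an added example, not code from the thread or from any poster: it parses a hosts file, flags mappings for Microsoft/Windows Update and antivirus vendor hosts (a stock XP hosts file contains only the `localhost` line, so anything else is worth a look), and emits a cleaned copy. The sample hosts content is constructed, and the domain lists and function names are the example's own choices.

```python
"""Check an XP hosts file for entries that sink Windows Update / AV vendor hosts,
and produce a cleaned copy. Added example, not from the thread; the sample
hosts content below is constructed."""

# Constructed sample. A stock XP hosts file maps only "localhost"; everything
# else here is the kind of line a browser-hijacking rogue appends.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       update.microsoft.com      # sinkholed by the rogue
127.0.0.1       download.mcafee.com
69.72.252.252   www.google.com
"""

UPDATE_DOMAINS = ('microsoft.com', 'windowsupdate.com')
AV_VENDOR_DOMAINS = ('mcafee.com', 'avast.com', 'avg.com', 'avira.com',
                     'symantec.com', 'kaspersky.com')
LOOPBACK = ('127.0.0.1', '::1')


def _under(name, domains):
    """True if name is one of `domains` or a subdomain of one."""
    return any(name == d or name.endswith('.' + d) for d in domains)


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every active mapping; '#' comments stripped."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split('#', 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            yield no, fields[0], name.lower()


def classify(ip, name):
    """Return a verdict string for one mapping, or None if it is expected."""
    if name == 'localhost' and ip in LOOPBACK:
        return None
    if _under(name, UPDATE_DOMAINS):
        return 'high: Windows Update/Microsoft host %s forced to %s' % (name, ip)
    if _under(name, AV_VENDOR_DOMAINS):
        return 'high: antivirus vendor host %s forced to %s' % (name, ip)
    return 'review: unexpected mapping %s -> %s' % (name, ip)


def suspicious_entries(text):
    """List (line_no, verdict) for every mapping beyond the stock localhost line."""
    out = []
    for no, ip, name in parse_hosts(text):
        verdict = classify(ip, name)
        if verdict:
            out.append((no, verdict))
    return out


def cleaned_hosts(text):
    """Return the file with every flagged line removed; comments and localhost stay."""
    bad = {no for no, _ in suspicious_entries(text)}
    kept = [l for no, l in enumerate(text.splitlines(), 1) if no not in bad]
    return '\n'.join(kept) + '\n'


if __name__ == '__main__':
    for no, verdict in suspicious_entries(SAMPLE_HOSTS):
        print('line %d: %s' % (no, verdict))
```

On XP the file lives at `%SystemRoot%\system32\drivers\etc\hosts`. Before trusting an edit there, confirm that `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath` still points at that directory: malware that repoints it makes changes to the real file irrelevant. A hosts fix that changes nothing, as happened in the thread, is also consistent with the block living elsewhere (Internet Explorer proxy settings, a browser helper object, or a Winsock LSP), which is where a second look belongs.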
 