Help!

Big Jim

Got a machine in here.
Customer reports it not running correctly after a crash yesterday, which he believes is heat related (cleaned the heatsink out and it was pretty covered in lint/dust etc.).

Fire up Windows and it is painfully slow.
Vista SP1 32-bit, 2GB RAM, dual-core CPU, so it should be slow, but not this bad.

Audio service not working.
Network service not working.
Cannot run an .exe; it reports "Specified service does not exist as an installed service".
Device Manager, Services, msconfig, Computer Management all the same.
I plug the USB stick in and it flashes like it normally would when connected (my USB stick does not light up unless it is either installing or installed), but it does not show up anywhere that I can gain access to.


Can run various programs in safe mode.
Device Manager, though, is empty.
TDSSKiller finds nothing.
D7's various fixes haven't resolved it.
ComboFix hasn't resolved it.


I am pretty sure this is a virus of some sort that has screwed the system over.
ESET found and removed 11 objects:
Win32/Kryptik.APTQ.trojan
Iframe.B.Gen virus
being the only two worth mentioning.

Malwarebytes found various MyWebSearch and mypupsearch items, nothing exciting.

I think McAfee may have done this, but the report on the customer's machine says the last scan was clean and won't let me look at any results past that one, although it does report some stuff has been removed in the past.

Any ideas what avenue to travel down next?
 
Here's what I'd be looking at...

- Check the HD for errors
- Run SFC
- Replace HD or try a restore point.

If still an issue...

- Backup user data
- N&P
- Reinstall
 
A couple of simple things.
Did you reboot after ComboFix? Sometimes you get the "Specified service does not exist as an installed service" error until you do.

Does it still have McAfee?
If so, can you remove it and try the D7 audio and network fixes again?
 
HDD has passed error checking.
RAM has passed memtest.
System Restore does not work.
Rebooted after ComboFix.
Tried D7's fixes again.
Cannot uninstall anything as it won't work (assume that the uninstaller is an exe).
 
I don't think you can boot off a Vista DVD and run an upgrade install. You can only do it if Vista is running.

You could boot from the DVD and use System Restore to get back to the point where services work, but you'd still be infected. Still, it might give you a toehold on the system.

Aside from that, to avoid spending more time on the system than the customer can afford, slave the drive and use DataGrab or Fab's Autobackup 4 Tech to get the good stuff, then nuke and pave.
 
> I don't think you can boot off a Vista DVD and run an upgrade install. You can only do it if Vista is running.
>
> You could boot from the DVD and use System Restore to get back to the point where services work, but you'd still be infected. Still, it might give you a toehold on the system.
>
> Aside from that, to avoid spending more time on the system than the customer can afford, slave the drive and use DataGrab or Fab's Autobackup 4 Tech to get the good stuff, then nuke and pave.

He said he was in the OS? Might have to start a few services manually, worth a go if you don't want to N&P.
 
Yes, if he can start the needed services, worth a shot. Still, it's tempting to flatten it, if the customer's apps are available for reinstall.
 
I would remove the drive and scan it in a bench system or do a Kaspersky LiveCD scan. I suspect you have a rootkit that is hiding on there, and even though you ran TDSSKiller, items can still hide from within the OS. I would run another pass of Malwarebytes and SAS while it is attached to a bench system as well. Worst case, image/backup the drive and do a wipe/reload.
 
Good points, skdmaster. In that case, it would be a good idea to boot on a Linux Live CD and check for mystery partitions too. Excellent time to take a look at the SMART attributes for the drive too, just so your hard work doesn't get placed on an unreadable sector.

Big Jim, have you imaged this drive?
 
Hi Guys,

Drive has been imaged after most of the above has been done.

It will boot to Windows; it runs a lot better in safe mode.
The services that aren't running will not start.
Any .exe that you try to run will throw up the same error.

The ESET and Malwarebytes scans were done from a bench machine with the drive slaved.


I don't think there is actually that much wrong with it, to be fair: one small change in the registry to allow executables to run again. Having said that, I think nuke and pave is going to be suggested so as not to waste any more time.
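As an added example (not code from the thread or from any poster), here is a read-only PowerShell check for the two symptoms discussed above: the .exe file association that, when altered, produces the "cannot run any executable" behaviour (the one-line registry change the last post alludes to), and the audio/network services that refuse to start. It assumes the registry change in question is the .exe association under the Classes keys; the expected values and the service names below are Windows defaults. It uses Get-WmiObject rather than the newer cmdlets so it runs on the PowerShell 2.0 that Vista-era machines carry.

```powershell
# Added example, not from the thread. Read-only checks only; nothing is changed.
# Run from an elevated PowerShell prompt on the affected machine (safe mode is fine).

function Test-ExeAssociation {
    param(
        # HKCU overrides HKLM for file associations, so check both roots.
        [string[]]$ClassesRoot = @('HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes')
    )
    # Known-good defaults on a clean Windows install.
    $expected = @(
        @{ Sub = '.exe';                       Value = 'exefile' },
        @{ Sub = 'exefile\shell\open\command'; Value = '"%1" %*' }
    )
    foreach ($root in $ClassesRoot) {
        foreach ($e in $expected) {
            $path   = Join-Path $root $e.Sub
            $actual = $null
            if (Test-Path $path) {
                # '(default)' is the key's unnamed value, which holds the association.
                $actual = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'(default)'
            }
            # A clean HKCU normally has no .exe override at all, so "absent" is fine there.
            $ok = if ($root -like 'HKCU:*' -and -not (Test-Path $path)) { $true }
                  else { $actual -eq $e.Value }
            New-Object PSObject -Property @{
                Path = $path; Expected = $e.Value; Actual = $actual; Ok = $ok
            }
        }
    }
}

function Test-CoreServices {
    param(
        # Services behind the audio and networking symptoms in the first post.
        [string[]]$Name = @('Audiosrv', 'AudioEndpointBuilder', 'Dhcp', 'Dnscache',
                            'nsi', 'Netman', 'Eventlog')
    )
    foreach ($n in $Name) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
        # No registry key at all is exactly what "does not exist as an installed
        # service" means; a present key with a wrong ImagePath is the other case.
        $registered = Test-Path $key
        $svc = Get-WmiObject Win32_Service -Filter "Name='$n'"   # PS 2.0 compatible
        New-Object PSObject -Property @{
            Name       = $n
            Registered = $registered
            State      = if ($svc) { $svc.State }     else { 'missing' }
            StartMode  = if ($svc) { $svc.StartMode } else { 'missing' }
            ImagePath  = if ($registered) { (Get-ItemProperty $key).ImagePath } else { $null }
        }
    }
}

Test-ExeAssociation | Format-Table Path, Expected, Actual, Ok -AutoSize
Test-CoreServices   | Format-Table Name, Registered, State, StartMode, ImagePath -AutoSize
```

Any row with Ok = False in the first table is the association to restore from a known-clean machine; any service showing Registered = False is one whose key is gone and would need to be re-created (or the system reloaded), whereas a registered service with an ImagePath outside the Windows directory is worth a closer look before trusting that the box is clean.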
 