Hey guys, I'm in a bit in panic mode because a virus screwed with something and now I can't do anything beyond logging in and seeing a wallpaper (even in safemode). This was right after I did another scan which caught the viruses again and assumingly got rid of them... So with that being said I need some help..

Is there anyway to save any of my files? Got a quite a bit of files I do not want to lose. And being able to save them would be awesome. While I got the reformat part covered thanks to my dad, I need to know that part. I swear some people have no lives... Some people really need to get off their asses and find something else to do than ruin someone elsea things. :|

Thanks for any help!

-via blackberry

you can run the windows installer and install windows onto the same drive, and your entire windows installation will be moved to a folder called windows.old where you will be able to access all of your files. (make sure it actually says that its going to do that)

keep in mind that will keep any infected files as well, so you need to be careful.

or you can always just burn your needed files onto a dvd-r.

Start up taskmanager and go to run and type explorer.exe
Odd's are, its just a registry fuckup that removed that from startup, if it doesnt work, try to get a buddy to send you a copy of it.
Good luck!

Boot from a Live Linux CD such as Ubuntu (http://www.ubuntu.com/) (running from the LiveCD will not install Ubuntu), then in Ubuntu, go to the Places menu at the top and click your Windows hard drive. It should mount and pop up a window with the contents listed. Navigate to the files you want to keep, and copy them to a USB drive as needed (Ubuntu will automatically mount a USB drive if you plug it in).

You can burn the downloaded ISO image to a CD using a program such as Deepburner (http://www.deepburner.com/)

Once you've got all the files you need, use the Shut Down option in the top-left and boot your Windows CD for a reformat.

Thanks for the advice guys. Gonna try out your advice Jelly, looks like it's probably down to that since I can't get into the recovery console (apparently "forgot" my admin password despite it being the same for years....)..

Did you try what I suggested?

Yes, the virus messed it up so now I don't have explorer...

Try to get a copy from a friend, what OS do you use?

Could you try launching your virus scanner .exe from new task in task manager?

It's be helpful if you knew what virus you had. If you find a way to access your C drive then program data, that's usually where all my viruses and cookies from the internet are.

If you can post anything at all like a HijackThis or even the processes running in your taskmanger that would help. Hell, even posted your startup log in Ccleaner would be some help.

Managed to save the files I wanted, so I'm pretty pleased with the progress so far. Although at the moment I'm at a bit of a road block because I misplaced my product key for XP... Although I believe a coworker might have a spare key and CD that hasn't been used so I'll see how that goes...

As far as what I had, here's only a taste of it. This right from when I scanned it in safemode. Figured I'd copy it and save it to my external for you guys to see. There were some that the scan didn't detect while in safemode:

AVG 8.5 Anti-Virus command line scanner
Copyright (c) 1992 - 2009 AVG Technologies
Program version 8.0.300, engine 8.0.339
Virus Database: Version 270.12.53/2156 2009-06-05

\\?\globalroot\systemroot\system32\UACcuscqelnortk iew.dll Virus found Win32/Cryptor Object was moved to Virus Vault.

C:\WINDOWS\system32\svchost.exe (1532) Virus found Win32/Cryptor Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACcuscqelnortk iew.dll Virus found Win32/Cryptor Object was moved to Virus Vault.

C:\WINDOWS\system32\svchost.exe (1664) Virus found Win32/Cryptor Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACcuscqelnortk iew.dll Virus found Win32/Cryptor Object was moved to Virus Vault.

C:\WINDOWS\system32\svchost.exe (1760) Virus found Win32/Cryptor Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACcuscqelnortk iew.dll Virus found Win32/Cryptor Object was moved to Virus Vault.

C:\WINDOWS\system32\svchost.exe (1844) Virus found Win32/Cryptor Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACcuscqelnortk iew.dll Virus found Win32/Cryptor Object was moved to Virus Vault.

C:\Program Files\Internet Explorer\iexplore.exe (1708) Virus found Win32/Cryptor Object was moved to Virus Vault.

C:\Documents and Settings\All Users\Application Data\96591086\96591086.exe Trojan horse FakeAlert.KM Object was moved to Virus Vault.

C:\Documents and Settings\Kyle\My Documents\Downloads\GameCam\RegPatch\gamecam130x.e xe Runtime packed fsg (No comment)

C:\hgjokgc.exe Trojan horse SHeur2.AHFL Object was moved to Virus Vault.

C:\lquq.exe Trojan horse Generic13.BCIA Object was moved to Virus Vault.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1Q3SH6V\17[1].exe Trojan horse FakeAlert.KM Object was moved to Virus Vault.

C:\WINDOWS\system32\yhafd78auhd.dll Trojan horse Downloader.Generic8.ARTQ Object was moved to Virus Vault.

C:\WINDOWS\Temp\oow67b3p.exe Trojan horse SHeur2.AHFM Object was moved to Virus Vault.

C:\WINDOWS\Temp\rdl20.tmp Trojan horse Agent2.ITZ Object was moved to Virus Vault.

C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\2ZAY5EJ6\urrssgxk[1].htm Trojan horse Small.AU Object was moved to Virus Vault.

C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\2ZAY5EJ6\vsstg[1].htm Trojan horse Generic13.BCIA Object was moved to Virus Vault.

C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\KMV02TAM\zvwwno[1].htm Trojan horse Small.AU Object was moved to Virus Vault.

C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\RZVSY9II\lrfstkx[1].htm Trojan horse Small.AU Object was moved to Virus Vault.

C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\WO8LDNPF\zfttgh[1].htm Trojan horse SHeur2.AHFL Object was moved to Virus Vault.

C:\WINDOWS\Temp\wpv961244228079.exe Virus identified Win32/Cryptor Object was moved to Virus Vault.

C:\WINDOWS\Temp\zjhufhdfe.exe Trojan horse SHeur2.AHFM Object was moved to Virus Vault.

C:\WINDOWS\Temp\_A00F8512C5.exe Trojan horse Generic13.BCIA Object was moved to Virus Vault.

------------------------------------------------------------
Objects scanned : 398404
Found infections : 25
Found PUPs : 0
Healed infections : 25
Healed PUPs : 0
Warnings : 0
------------------------------------------------------------

As far as what my task manager gave me, the three processes that caught my eye were B.exe, C.exe, and something among the lines of PinkblastA. There was even one/more fake svcost.exe on it but of course it was hard to figure out which was real.. Oh well, at least those are gone. Glad things worked out well so far. Just need a stupid Product Key of course :rolleyes:

I'll keep you guys posted on how things go.

How did you get 25 viruses?

The old PC my dad had was full of links to porn sites and cookies with porn picks, and he had 7 folders worth of pics and 100s of links and all these downloads....and he only had 7 viruses.

because I misplaced my product key for XP...


if you can get in safe mode there are several programs that reveal your key.

No idea at all... I think I went on an attack site (not sure which one) and got completely nailed. AVG went insane when pop-ups were popping left and right.

And yea I knew that Bacon. The problem is, my drive has already been reformatted. :|

oh :|

Shit, too late. :|


What I would have said was...

Can you boot into safe mode with command prompt? You would be able right there to tell if explorer.exe even exists.

When the prompt is open, type dir C:\WINDOWS and look for explorer.exe

If it is there, try executing it by just typing in C:\WINDOWS\explorer.exe

Also, try doing a tasklist to see if it is even running, and what is.

If the command prompt works, you should also be able to run Firefox. Open that by typing in the file path ( "C:\Program Files\Mozilla Firefox\firefox.exe" ) and then copy and paste everything you get back from tasklist into a post.


Edit: I noticed this too: C:\Program Files\Internet Explorer\iexplore.exe (1708) Virus found Win32/Cryptor Object was moved to Virus Vault.

I guess chances are now that explorer.exe was infected or overwritten like Internet Explorer was. This virus looks like a bitch.

Edit 2: Look at this: http://www.geekstogo.com/forum/Win32-cryptor-Possible-explorer-exe-issue-t218236.html

that's why you shouldn't use IE :p

Explorer was indeed infected and vaulted... As was IE (even though I never used the thing :|). I decided to just go ahead with the reformatting because of the problems it was causing. I tried to get into the recovery console but of course MS decides to tell me my admin password was wrong. Yea MS, it's been the same password for years so how can it suddenly be something different. :downs:

And I forgot to mention, it's payload was even set up to not allow programs such as Spybot to load up... Thankfully the virus is now long gone after reformatting. I felt there were more problems than AVG was letting on. B.exe, C.exe, or PnkblastA (something like that)? Figured I'd just start over. Been over 4 years since I reformatted anyway.. Just need to find that stupid key and I'll be set. :p

Hopefully soon because this laptop is horrible.. Freezes nonstop over everything. Stupid Dell.

Avg is a decent AV but not the best. Go buy Kaspersky or something as good.
Malwarebytes http://malwarebytes.org/ should be installed then updated and run every 2 or 3 days.

Use the following:
Avast or Avira
Malwarebytes
Superantispyware
Spybot Search And Destroy (It has a cool feature where it will block bad products in your browser!)

All of them are free and do a great job.
Are you still experiencing problems?

Can't say for sure until I finish installing windows and such but I'm pretty the virus is long gone now. Unless of course it has a payload of surviving a hard drive being reformatted. :|

And thanks for the suggestions of protections. Once had Norton but felt that the only things it was good at was starting up a scan at the worse times and wasting resources... Next time I'll be more prepared for stuff like this.. Keep the suggestions coming if you have more, anything helps. Thanks!

-via blackberry