toniok

Quarantined & now won't boot! Help!


I hope someone here can help me. I'm running XPSP2 with an updated a-squared Free. Did a scan and made the mistake of saying "quarantine" to the 38 problems it found. PC now makes it through the Windows splash screen to the desktop, but desktop is devoid of all items including Start menu.

Safe mode and restore last known good are no help. Can I extract quarantined files on another PC by running the hard drive externally? If so, how do I know where to restore them to?

Please..!?

Tony


I hope someone here can help me. I'm running XPSP2 with an updated a-squared Free. Did a scan and made the mistake of saying "quarantine" to the 38 problems it found. PC now makes it through the Windows splash screen to the desktop, but desktop is devoid of all items including Start menu.

The problem is most likely that your "explorer.exe" ended up infected by a virus and was therefore quarantined. You can fix it using the following steps:

  1. When you are looking at the empty screen press the following keys simultaneously on your keyboard: CTRL ALT DEL.
  2. After that the Windows task manager should appear. Click on "File", "New task" to get a command prompt.
  3. Click on "Browse", browse to your a-squared directory and select "a2free.exe".
  4. After clicking "OK" a-squared should show up. Just restore the items from the quarantine.
  5. As soon as you have done that restart the PC by using the "Shutdown" menu of the Task Manager.

It would help if you could give further details about the infections found. Preferably the name of the malware that was detected.


Hi Tony and welcome to the forum,

I hope that the advice given by Fabian Wosar will work for you, or has probably already worked.

But if you haven't done the restoration by a-squared yet, I may add to what Fabian asked:

... It would help if you could give further details about the infections found. Preferably the name of the malware that was detected.

When and if you see the quarantine list, before Restoring, please use "Save quarantine list" and post or attach the content here.

This way the developers will be able to see the locations/file names/detection names of what was flagged.

My regards

P.S. Read this [sticky] That is posted into every section of the forum and may help in the future

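Fabian's steps above recover the one case where quarantine takes out the shell itself, and Lynx's advice is to save the quarantine list before restoring anything. The following is an added example, not code from this thread or from a-squared: a small pre-screening script that reads a scan report and flags entries a user should review before clicking "quarantine" (core Windows binaries such as explorer.exe), entries that are only leftovers in another tool's quarantine folder (the Qoobox path quoted later in this thread), and entries in the Windows install cache (the I386 .EX_ files Tony mentions). It assumes report lines of the shape "<path> detected: <detection name>", taken from the single line quoted in this thread; the real a-squared saved-quarantine format is not shown here and may differ. The sample report, the detection names other than the one quoted in the thread, and the verdict labels are all constructed for the example.

```python
"""
Scan-report triage helper (added example; not part of the thread or of a-squared).

Assumed line shape: "<path> detected: <detection name>". Any line that does
not match (headers, blank lines) is skipped.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Core Windows binaries: quarantining one of these leaves the machine unusable
# (the thread's case: explorer.exe gone -> empty desktop, no Start menu).
# Review such a hit and have a restore path before quarantining it.
CRITICAL_SYSTEM_FILES = {
    "explorer.exe", "winlogon.exe", "userinit.exe", "csrss.exe",
    "lsass.exe", "services.exe", "svchost.exe", "smss.exe",
}

# Folders where another tool already keeps neutralized copies (ComboFix's
# Qoobox, as in the thread): hits there are leftovers, not live infections.
ALREADY_QUARANTINED_DIRS = ("\\qoobox\\quarantine\\",)

# Windows setup cache: compressed .EX_/.DL_ files, legitimately present.
INSTALL_CACHE_DIRS = ("\\i386\\",)

LINE_RE = re.compile(r"^(?P<path>.+?)\s+detected:\s+(?P<name>\S.*?)\s*$")


@dataclass
class Finding:
    path: str
    detection: str
    verdict: str  # "review-first", "leftover", "install-cache" or "quarantine-ok"


def classify(path: str) -> str:
    """Decide how a single detected path should be handled before quarantine."""
    low = path.lower()
    if any(d in low for d in ALREADY_QUARANTINED_DIRS):
        return "leftover"
    if any(d in low for d in INSTALL_CACHE_DIRS):
        return "install-cache"
    if ntpath.basename(low) in CRITICAL_SYSTEM_FILES:
        return "review-first"
    return "quarantine-ok"


def parse_report(text: str) -> list[Finding]:
    """Parse report text into Finding objects, skipping non-matching lines."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        findings.append(Finding(path, m.group("name"), classify(path)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per verdict."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


# Constructed sample report. Only the Qoobox line is quoted from the thread;
# the other paths and detection names are made up for this example.
SAMPLE_REPORT = """\
a-squared Free - constructed sample report (not a real scan)
C:\\WINDOWS\\explorer.exe detected: Sample.PatchedShell (constructed)
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\8HQSrch.vbs.vir detected: Trojan-Dropper.Agent!IK
C:\\I386\\MPLAY32.EX_ detected: Sample.Installer (constructed)
C:\\Program Files\\LimeWire\\bundle_installer.exe detected: Sample.Adware (constructed)
"""

if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        print(f"{f.verdict:14} {f.path}  [{f.detection}]")
    print(summarize(parse_report(SAMPLE_REPORT)))
```

The point of the "review-first" verdict is not that a hit on explorer.exe is a false positive (in this thread it was a real infection) but that removing it without a restore path is what produced the empty desktop; the saved quarantine list plus this kind of screening tells you which entries need a plan before you act.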

My thanks to both of you. Your diagnosis was right on the money, and I have learned my lesson about hitting "quarantine" without paying particular care. And yes, I did read the "sticky".

In my defense it was 4am and I was taking care of a sick wife, a 2yo, and a 6mo baby, and obviously my attempt at multitasking was stretched a tad far... :)

It's a compliment to a-squared that it found the infection when Malwarebytes, Superantispyware, Adaware, and Antivir did not. I have to say I've never seen explorer.exe infected before, that's a new one on me.

Sadly it's my own fault, I got suckered into, believe it or not, paying for Limewire - something I would never knowingly install on my own. I'm going to re-run a-squared and see how it turns out now, and if necessary will post a followup.

Many thanks!!

Tony


Hi Tony,

First and most important we hope your wife is fine and we wish her well.

Then, you are welcome. Are you communicating from your (previously unworkable) PC?

If so, were you able to save quarantined items for review?

As for LimeWire, if you paid for it you were caught in a kind of scheme, because as far as I know it is a free GNU GPL project http://en.wikipedia.org/wiki/LimeWire

or rather "paying" was - figuratively speaking.

Let's hope the report will show what you've got there.

My regards


Hi Lynx.

All are doing better, thank you. It was just a nasty cold, but when you have two little ones, especially a 6mo who has minor breathing issues anyway, it makes for very long days and nights.

I'm writing from my wife's PC. I sat and waited the last ~2 hours for a scan to finish, walked away and came back to the login screen and "windows has recovered from a serious problem" message. So I don't know yet what's going on, but suspect I'm not done yet...

I didn't capture the initial report, having not read that in time. I booted into safe mode a bit ago and am re-running the scan now; not surprisingly it's going much faster. I did notice two things under c:\I386\, MPLAY32.EX_/mplay32.exe and WEXTRACT.EX_/wextract.exe. Don't know if those mean something to you - other than trouble.

And yes, I did get suckered, big time, in not only paying for limewire but installing it. Seems even a relatively knowing and suspicious guy like myself can get taken.

When the scan finishes I'll post the results.

Tony


Tony,

Let's wait until the whole report is produced.

We should not hurry with any conclusions without all information.

mplay32.exe and wextract.exe by name are legit Microsoft files (old basic MS media player and Cabinet file (<>.cab) extractor respectively).

And there are several instances of each here and none is flagged.

Files with underscore are usually used as packed files for installations.

But saying all that is not adding any value at the moment.

If flagged, those could be FPs or compromised files and most likely it would be necessary to submit them for analysis.

I hope that the scan will finish successfully

Please save and attach the report, don't copy/paste into the thread

My regards


Well, running in safe mode the scan finished fine. I've attached the report as requested. After quarantining the hits I've started another scan (in safe mode again) just to see if it comes up clean.

I'm going to bed now; I really appreciate the input. The PC is what I use for school and it would be <unpleasant> for me to have a problem 4 weeks before finals.


Tony,

1) It is not necessary to run a-squared in Safe Mode all the time.

That is used in some rare special occasions...

but most importantly: Last update: 11/6/2009 11:34:24 PM

Please update.

Can you run your PC in Normal Mode now?

If so rerun the scan after updating in Normal Mode

My regards

P.S. Were you running ComboFix and/or other removal Tools by your own?

C:\Qoobox\Quarantine\C\WINDOWS\system32\8HQSrch.vbs.vir detected: Trojan-Dropper.Agent!IK

Please be very careful with that. Running such Utilities without supervision could be dangerous and could render your PC inoperable.


Hi Lynx.

It is not necessary to run a-squared in Safe Mode all the time. That is used in some rare special occasions...

Maybe not, but running in safe mode was the answer to the reboot-before-scan-finishes-problem; it worked!

but most importantly: Last update: 11/6/2009 11:34:24 PM. Please update.

Well, it was up to date when I started this mess 48 hours ago! I have never used any s/w that had such a large update after such a short time. Kinda scary/amazing to see that!

Can you run your PC in Normal Mode now? If so rerun the scan after updating in Normal Mode

Can and did. Looks good now; I had one "high risk" piece of untested software (Reimage Repair) I manually deleted, and two other "low risk" apps that I'm pretty sure are ok, an XP key changer it lists as a hack tool and a Vista (now Seven) Transformation Pack that makes XP look like the new versions. So I think I'm good now.

Were you running ComboFix and/or other removal Tools by your own? Please be very careful with that. Running such Utilities without supervision could be dangerous and could render your PC inoperable.

Please tell me about that. It was the first time I used ComboFix, and yes I did it solo. I thought it was quite easy, I just followed the bleepingcomputer guide. There were no user parameters to be set prior to running it, more a "point and click" application. Now interpreting the results for manually making subsequent changes would be quite another thing altogether...

I realize of course that it could cause the same kind of issue I ran into with a-squared, where it "fixes" something (quarantines it) causing a state of non-operation. Is there more to be worried about than that?

I'm attaching the latest report below though I think it is now uninteresting.

Thank you for all your thoughts and inputs.

Tony


Hi Tony,

The main thing we are glad to hear that your PC seems to be back to normal (... mode :) )

You got rid of ReimageRepair.

I made a very quick observation, not a thorough investigation by any means, plus we cannot tell just by knowing the name.

There are quite different opinions out there if you Google - from safe (Tall Emu) to “cloaked malware” (Prevx).

Or if that is the Software you had you may read Reimage Online PC Repair Review - Is Reimage Repair a Scam?

Probably you could've submitted it first, but if it's unneeded – there is nothing to say at the moment – if it's gone, it's gone.

Transformation Pack (TP):

that is Offtopic , therefore just a short note – that is not the best Software for transformation (I am using different one).

In the past there were complaints that TP has adware or alike.

In any case if that is version 4 that is not the latest one as far as I know.

XP-KeyChanger and the detection as “Riskware":

Key Finders, Password Recovery, Code Hacking Tools, etc. flaggings will most likely stay (“never fixed” by signature updates) and it is your decision, say, to place those into the White List, since they are not used for malicious purposes and you consider them trusted.

Riskware is not necessarily dangerous

Read more about What is Riskware

and you may search old forum as well – there were discussions about that.

Since you confirmed using ComboFix

... yes I did it solo ...I thought it was quite easy, I just followed the bleepingcomputer guide...
not much I can add to what I said.

Reading different instructions out there and performing actions advised to others is wrong and dangerous. A Certified Professional Specialist (malware fighter) always reviews every given case and situation on an individual basis. You may see similarities but you may not see crucial differences.

Other than that - it is your level of experience and that's your own PC to mess with, if that is your choice.

My regards


Hi Lynx.

I hope you didn't take my comment about using ComboFix as an insult, it certainly wasn't meant that way. I was actually looking for guidance as to how to avoid misusing it. I am a relatively experienced user (think Fortran and punch cards :), been editing registries for 10 years+ without error, and loaded my own TCPIP stack back in the Win3.1 days, long before AOL even came into existence. I also maintain a number of people's PCs (for free), and need to know as much as I can to help others.

I (obviously) don't specialize in malware removal, only deal with it as necessary. My question about ComboFix was serious; I don't want to (can't afford to) cause problems, on my machine or others, but I can't afford to completely ignore a tool either - unless I determine it just isn't in my interest to learn... and that is possible. If you don't have the time or if this is not the right forum to ask that question please tell me where to go to learn more.

And again, thank you for all your help.

Tony


Tony,

There were no reasons for taking “ComboFix issue” as an insult. Why would I?

So there is no problem whatsoever – no worries ;)

In addition, needless to say, I was not evening-out the level of your experience, about which I had no idea. Those were “common sense” remarks (taking into consideration the initially described troubles).

Then, despite every thread having an “individual flavour” – it's intended to be read by any member or guest in an open forum.

As for the questions and comments regarding the said Tool (and/or others) there is no better person to answer that and similar than ShadowPuterDude.

You can create a new thread in the OffTopic and if he finds some time (which cannot be guaranteed) he may comment and provide some guidelines.

Cheers!

