Author Topic: Question regarding my neighbor's computer  (Read 1854 times)

Offline TilDeath

  • Silver Member
  • ****
  • Posts: 1199
      • TD Computer Systems
Re: Question regarding my neighbor's computer
« Reply #15 on: December 11, 2008, 04:27:55 PM »
Okay. So let me make sure I have this correct so that I don't make errors.

I'm going to install NOD32 onto the removable drive, no special folders? So just straight to the E:\ drive? Want to make sure I get this right the first time. And when it boots, do I have to do anything other than tell the BIOS to boot off the USB stick? Or will the AV automatically start scanning?
Depends on your install. I would install NOD32 on the USB drive from a clean computer, take the USB to the infected computer and run the software. If that does not clean it, then make a USB boot disk with NOD32 installed and run it.

Agreed with Fulmar about a new drive; they are cheap and this is the least time intensive, but if you have data that is needed on the current drive you could risk losing it making it a slave or second SATA drive after a new OS install.

Offline Denholm

  • Plutonium Member
  • *******
  • Posts: 9667
      • No. 603 Squadron
Re: Question regarding my neighbor's computer
« Reply #16 on: December 11, 2008, 04:31:44 PM »
Alright, working on that now. In the case that this doesn't work, how would I go about making the USB boot disk?
Get your Daily Dose of Flame!
FlameThink.com
No. 603 Squadron... Visit us on the web, if you dare.

Drug addicts are always disappointed after eating Pot Pies.

Offline DREDIOCK

  • Plutonium Member
  • *******
  • Posts: 17775
Re: Question regarding my neighbor's computer
« Reply #17 on: December 12, 2008, 06:34:29 AM »
Not uncommon for a virus to disable task manager.
Happened to me a few times

Couple of ways to re-enable task manager

BTW if it won't let you do this normally.
Try it in safe mode

http://www.pchell.com/support/taskmanagerdisabled.shtml

Task Manager Has Been Disabled, How to Fix It?
Many times when working on a computer that has been infected with a virus, trojan, or piece of spyware I find myself with the Task Manager being disabled. Malware creators like to disable Task Manager so it makes solving the problem and removing the issue difficult.

If this happens you'll normally have to edit the Windows registry to fix the problem. A restriction has been placed on the user to not allow them to run Task Manager, this might be ok in an office environment where the IT department wants to control things, but in a home office this can cause major problems trying to fix a malware or virus issue.

Listed below you will find the many ways to reenable Task Manager along with an automatic method that works wonders.    

To open the Task Manager, you normally would do one of the following:

    * Press CTRL-ALT-DEL on the keyboard
    * Press CTRL-SHIFT-ESC on the keyboard
    * Right-click on a blank area on the start bar and choose Task Manager
    * Click on Start, Run and type TASKMGR in the run box and press Enter

Sometimes instead of Task Manager opening you'll see the following screen. In these cases, you'll have to follow the methods below to re-enable access to the Task Manager.
Task Manager has been disabled by your administrator

First we'll begin with the various registry modification methods for correcting this problem.

Method 1 - Using the Group Policy Editor in Windows XP Professional

   1. Click Start, Run, type gpedit.msc and click OK.
   2. Under User Configuration, Click on the plus (+) next to Administrative Templates
   3. Click on the plus (+) next to System, then click on Ctrl+Alt+Delete Options
   4. Find Remove Task Manager in the right-hand pane and double click on it
   5. Choose the option "Not Configured"  and click Ok.
   6. Close the Group Policy Window

Method 2:  Change the Task Manager Option through the Run line

   1. Click on Start, Run and type the following command exactly and press Enter

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Method 3: Change Task Manager through a Registry REG file

   1. Click on Start, Run, and type Notepad and press Enter
   2. Copy and paste the information between the dotted lines into Notepad and save it to your desktop as taskmanager.reg

------------------------------------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
-------------------------------------

   3. Double click on the taskmanager.reg file to enter the information into the Windows registry

Method 4: Delete the restriction in the registry manually

   1. Click on Start, Run, and type REGEDIT and press Enter
   2. Navigate to the following branch

      HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies\ System

   3. In the right pane, find and delete the value named DisableTaskMgr
   4. Close the registry editor
« Last Edit: December 12, 2008, 06:39:32 AM by DREDIOCK »
Death is no easy answer
For those who wish to know
Ask those who have been before you
What fate the future holds
It ain't pretty
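
The registry check and cleanup from Methods 2 to 4 above, as an added PowerShell example that is not part of the original post or the quoted article. It assumes PowerShell is available on the machine, and it goes beyond the article by also checking the same policy key under HKLM, which is an assumption about where the restriction may have been set.

```powershell
# Added example: audit and clear the DisableTaskMgr restriction.
# The HKCU path is the one quoted in the post; also checking HKLM is an
# assumption that the machine-wide copy of the same policy key may be set.
$SubKey    = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'DisableTaskMgr'

function Get-TaskMgrRestriction {
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $path  = '{0}\{1}' -f $hive, $SubKey
        $data  = $null
        $state = 'key absent'
        if (Test-Path -Path $path) {
            $state = 'value absent'
            $prop = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
            if ($null -ne $prop) {
                $data  = $prop.$ValueName
                # Any non-zero data blocks Task Manager; 0 allows it.
                $state = if ($data -ne 0) { 'RESTRICTED' } else { 'set to 0 (allowed)' }
            }
        }
        New-Object PSObject -Property @{ Path = $path; Data = $data; State = $state }
    }
}

function Clear-TaskMgrRestriction {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($entry in Get-TaskMgrRestriction) {
        if ($entry.State -ne 'RESTRICTED') { continue }
        if (-not $PSCmdlet.ShouldProcess($entry.Path, "Remove $ValueName")) { continue }
        try {
            # Same effect as Method 4: delete the value rather than zero it.
            Remove-ItemProperty -Path $entry.Path -Name $ValueName -ErrorAction Stop
            Write-Output "Removed $ValueName from $($entry.Path)"
        } catch {
            # Writing under HKLM needs an elevated prompt.
            Write-Warning "Could not clear $($entry.Path): $($_.Exception.Message)"
        }
    }
}

Get-TaskMgrRestriction | Format-Table Path, Data, State -AutoSize
Clear-TaskMgrRestriction -WhatIf    # dry run; drop -WhatIf to apply the change
```

If the audit shows RESTRICTED again after a reboot, something on the machine is still re-applying the value and the registry fix alone has not removed the cause.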

Offline DREDIOCK

  • Plutonium Member
  • *******
  • Posts: 17775
Re: Question regarding my neighbor's computer
« Reply #18 on: December 12, 2008, 06:52:07 AM »
After you've done that.
Download and install Easycleaner

http://personal.inet.fi/business/toniarts/ecleane.htm  (GREAT little program)

It helps if you're intimate with what is supposed to be running on boot up
But often I've found the offending program is obvious

Once Easycleaner is running.
Click the startup box and look for the offending program.
If you see anything unusual.

Google search it to double check it
And/or click Remove.
then try installing your Antivirus

Offline RTHolmes

  • Plutonium Member
  • *******
  • Posts: 8260
Re: Question regarding my neighbor's computer
« Reply #19 on: December 12, 2008, 07:49:22 AM »
+1 for "Don't spend more than 30 minutes on it" advice.

When I'm not writing for a magazine, I'm a professional computer consultant. I clean off about 10 computers a month, and lately I've been encountering more and more machines that just can't reliably be cleaned from the infected machines themselves. I can usually pull the drive and use another machine to clean it to the point where it can run antivirus and antispyware utilities on its own again, and then have a reasonable chance of success against whatever's on it, but even that is no guarantee. And even then, it takes 3 or 4 hours of work.

In less time, I can usually connect another hard drive, boot with a Linux LiveCD, pull off any data files, erase the hard drive (or even better, install a fresh one - these things are usually 3 or 4 years old anyway, and 5 years is an average HD lifespan) and reinstall windows (or use the vendor's restore CD), and copy the data files back, and the result is a guaranteed clean system. With a new hard drive (that's probably lots faster than the original), the resulting machine is faster too.

And it costs the client less overall.

-Llama

+1, great advice :aok
71 (Eagle) Squadron

What most of us want to do is simply shoot stuff and look good doing it - Chilli

Offline Denholm

  • Plutonium Member
  • *******
  • Posts: 9667
      • No. 603 Squadron
Re: Question regarding my neighbor's computer
« Reply #20 on: December 12, 2008, 09:04:50 AM »
After you've done that.
Download and install Easycleaner

http://personal.inet.fi/business/toniarts/ecleane.htm  (GREAT little program)

It helps if you're intimate with what is supposed to be running on boot up
But often I've found the offending program is obvious

Once Easycleaner is running.
Click the startup box and look for the offending program.
If you see anything unusual.

Google search it to double check it
And/or click Remove.
then try installing your Antivirus
That's going to be quite useful if I can manage to install it, I already know what I'm looking for. Going to try MSCONFIG first, if it doesn't work I'll install this.

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: Question regarding my neighbor's computer
« Reply #21 on: December 12, 2008, 11:07:55 AM »
Although it's been ages since I had to reinstall XP for any problem outside swapping major hardware, I always partition my hard drives so that I have a completely separate C: partition for the OS. That way I can dump the partition without a second thought if necessary, leaving all my personal data intact on the other partition.

Lately I've also started putting Raid5 or 10 to my boxes to make sure a single drive failure won't destroy my data. Lost 80Gb with my first raid0 experiment - never again I say.  :cry
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline republic

  • Silver Member
  • ****
  • Posts: 1416
Re: Question regarding my neighbor's computer
« Reply #22 on: December 13, 2008, 08:24:29 AM »
Often I find that viruses are aware of the installer names for the popular antivirus/antispyware programs.  Sometimes changing the name of the setup program will work.  I've seen this many times when trying to use Super Antispyware/Spybot/Grisoft AVG.  I usually add a 1 at the end of the file name and it installs fine.

I usually try to avoid wiping the hard drive if at all possible when working with client computers, even though it's how I fix my own, and the only surefire way to fix the problem.  There's always some program they've lost the disk to, some obscure thing they were "just sure it was there" that wasn't, and the list goes on.
P-47 pilot

Offline DREDIOCK

  • Plutonium Member
  • *******
  • Posts: 17775
Re: Question regarding my neighbor's computer
« Reply #23 on: December 13, 2008, 11:02:03 AM »
That's going to be quite useful if I can manage to install it, I already know what I'm looking for. Going to try MSCONFIG first, if it doesn't work I'll install this.

If you know what it is you're looking for, you can also do a search on its name and manually remove all instances of it.
Even if it doesn't get rid of it.
It sometimes disables it long enough for you to get an AV installed

Offline Getback

  • Platinum Member
  • ******
  • Posts: 6463
Re: Question regarding my neighbor's computer
« Reply #24 on: December 13, 2008, 11:17:40 AM »
At this point...wipe that puppy and start anew.

  Created by MyFitnessPal.com - Free Calorie Counter

Offline Denholm

  • Plutonium Member
  • *******
  • Posts: 9667
      • No. 603 Squadron
Re: Question regarding my neighbor's computer
« Reply #25 on: December 15, 2008, 10:43:16 AM »
Often I find that viruses are aware of the installer names for the popular antivirus/antispyware programs.  Sometimes changing the name of the setup program will work.  I've seen this many times when trying to use Super Antispyware/Spybot/Grisoft AVG.  I usually add a 1 at the end of the file name and it installs fine.

I usually try to avoid wiping the hard drive if at all possible when working with client computers, even though it's how I fix my own, and the only surefire way to fix the problem.  There's always some program they've lost the disk to, some obscure thing they were "just sure it was there" that wasn't, and the list goes on.
I was in your state of mind when working on the system, refraining from wiping the drive. However renaming the installer didn't do anything because the virus disabled every service there was listed in the services.msc region. And since windows installer was disabled, I couldn't install NOD32. Also attempting to run NOD32 from a flash drive didn't work since ekrn.exe (the scanner service) couldn't initiate.

Anyways, I got tired of trying to fight it because I wasn't getting anywhere. I tried all I knew and all that was suggested to no avail. The disk was wiped and has Windows installed fresh. Now I'm just waiting for them to get their confirmation of acceptance into the ESET NOD32 Smart Security Trial before I install it for them.

Thanks again guys, you were all helpful in a way. (Yes, even you Fulmar.)

Offline Fulmar

  • Gold Member
  • *****
  • Posts: 3936
      • Aces High Movie Database
Re: Question regarding my neighbor's computer
« Reply #26 on: December 15, 2008, 11:17:53 AM »
LOL FINALLY!
In game callsign: not currently flying
Flying off and on since Warbirds
Aces High Movies available at www.derstuhl.net/ahmd2 - no longer aceshighmovies.com - not updated either

Offline Denholm

  • Plutonium Member
  • *******
  • Posts: 9667
      • No. 603 Squadron
Re: Question regarding my neighbor's computer
« Reply #27 on: December 15, 2008, 12:57:41 PM »
Well, it was bound to happen. I simply didn't want to do it because my Windows Installer has a few corrupt entries which causes .WMV read errors and a few other bugs. Now they'll have to live with it.

Offline Getback

  • Platinum Member
  • ******
  • Posts: 6463
Re: Question regarding my neighbor's computer
« Reply #28 on: December 15, 2008, 02:34:02 PM »
WOW finally! Tell them to start backing that stuff up and lay off certain sites.


Offline Denholm

  • Plutonium Member
  • *******
  • Posts: 9667
      • No. 603 Squadron
Re: Question regarding my neighbor's computer
« Reply #29 on: December 15, 2008, 02:41:37 PM »
Well, it's mainly their teenagers that use the system. The parents only use it to check email and bank accounts (Yeah, I know, bad idea considering teenagers use the same computer.) However they don't store anything on that computer that they absolutely require, which made reformatting a breeze. I asked them if they required any files to be backed up before formatting the system. They simply told me, "Hmmmm.... No."

That certainly was a relief, considering the 20 minute start up time. And yes, I did talk to the teenager that downloaded the virus recommending that he stop using a certain application.