Author Topic: Windows Recovery Console  (Read 4340 times)

Cameron

  • Global Moderator
  • Autococker
  • Posts: 2686
Windows Recovery Console
« on: January 12, 2008, 03:07:03 AM »
I can't play DP anymore for this particular reason:

Recovery console: Very useful for deleting viruses in C:\Windows and C:\Windows\System32 but the worst resort if you are trying to delete something out of Documents and Settings or Program Files. I was given a virus off a USB; it completely slows the computer down, I can't play DP and more because it chews up so much memory that I can't play DP anymore. Error messages pop up everywhere and so on. I've deleted resfix32v.exe, which kept on starting a new process, gradually getting about 100 in the Task Manager. Then other messages popped up saying something about cxsrss.exe or something. That is found in C:\Program Files\Internet Explorer\ and the problem is that I can't get in there with the recovery console. I can't delete it using Windows, for number one reason it says Access is Denied and number 2 it slows the computer down as well, so it's really hard to get to that location without restarting the computer. Yes, I have tried killing them in the Task Manager but it doesn't work.

Anyone have any ideas or programs to use to remove it? Because this is irritating and I CAN'T PLAY!!!

KnacK

  • Global Moderator
  • Autococker
  • Posts: 3039
Re: Windows Recovery Console
« Reply #1 on: January 12, 2008, 07:46:06 AM »
Get or build a Knoppix Live CD on another computer.

Boot to the CD.

Run the virus scanner update so it gets the latest virus defs.

Then point the scanner at your Windows HDD.

ViciouZ

  • Map Committee
  • Autococker
  • Posts: 2227
Re: Windows Recovery Console
« Reply #2 on: January 12, 2008, 07:56:18 AM »
I think if you run Windows in safe mode, the run-on-startup programs don't start, so you could delete it, but I'm not sure.

And csrss.exe is to do with the Windows client/server runtime, according to Google.

KnacK

  • Global Moderator
  • Autococker
  • Posts: 3039
Re: Windows Recovery Console
« Reply #3 on: January 12, 2008, 08:01:54 AM »
You can also boot into safe mode and run msconfig and look for programs that run at startup that you are sure about, disable them, then reboot.

Zorchenhimer

  • Autococker
  • Posts: 2614
Re: Windows Recovery Console
« Reply #4 on: January 12, 2008, 12:51:30 PM »
Quote from: KnacK
Get or build a Knoppix Live CD on another computer.

Boot to the CD.

Run the virus scanner update so it gets the latest virus defs.

Then point the scanner at your Windows HDD.

Knoppix has a virus scanner on the live CD?

KnacK

  • Global Moderator
  • Autococker
  • Posts: 3039
Re: Windows Recovery Console
« Reply #5 on: January 12, 2008, 02:09:11 PM »
Yuppers, the last time I used it there was.

Cameron

  • Global Moderator
  • Autococker
  • Posts: 2686
Re: Windows Recovery Console
« Reply #6 on: January 12, 2008, 04:03:39 PM »
Quote from: ViciouZ
I think if you run Windows in safe mode, the run-on-startup programs don't start, so you could delete it, but I'm not sure.

And csrss.exe is to do with the Windows client/server runtime, according to Google.

The program runs in safe mode and gives you about 10 minutes before the computer blue-screens (found it in the registry as well but deleted it, it was in the Run section of Windows).
Also, yes, I know csrss.exe is a Windows thing, but this is cxsrrs.exe or cxsrss.exe; I've found info on both but don't know where they are at all.

Quote from: KnacK
Get or build a Knoppix Live CD on another computer.

Boot to the CD.

Run the virus scanner update so it gets the latest virus defs.

Then point the scanner at your Windows HDD.

Will do, I'll be back in about 1 week (going on holidays) and then I'll get it.

sk89q

  • Global Moderator
  • Autococker
  • Posts: 1049
Re: Windows Recovery Console
« Reply #7 on: January 12, 2008, 05:41:47 PM »
Get Autoruns (from Sysinternals). It'll show you every program that starts up, including hooks, drivers, and all that jazz. It is far better than msconfig. (Once you get a clean installation, you might want to take a snapshot of your startup lists in Autoruns so you can compare it at a later date.) Not sure if this will be of any use to you, but have this around.

A good (but slow to start up) replacement for Task Manager is Process Explorer (also from Sysinternals). I don't know how well it will help you either in this situation, but it's a good idea to have it lying around too.

And that's how I survive without anti-virus. ;D (That is, if I ever get a virus in the first place.)

KiLo

  • Autococker
  • Posts: 2086
Re: Windows Recovery Console
« Reply #8 on: January 13, 2008, 12:19:24 AM »
You could also try Avast Antivirus. It has a nice boot time scan. Meaning that it scans the hard drive before the operating system boots up.

Cameron

  • Global Moderator
  • Autococker
  • Posts: 2686
Re: Windows Recovery Console
« Reply #9 on: January 18, 2008, 02:52:45 PM »
Just realised that the other computer (this is my mum's laptop) has no burner at all, REALLY OLD, runs Win 2k. Would Ubuntu on the infected computer be of use? I forgot to mention that, had it for about 6 months.

Plus I don't really want to use boot CDs, but I could burn them under Ubuntu. Rather just use it to find it, but will use the boot CDs if necessary. Already got the Knoppix ready to burn and the Autoruns thing.

If I do some editing in Ubuntu PLEASE GIVE ME THE NAME OF SOMETHING THAT I CAN INSTALL TO ALLOW ME TO EDIT NTFS.

KiLo

  • Autococker
  • Posts: 2086
Re: Windows Recovery Console
« Reply #10 on: January 18, 2008, 02:56:55 PM »
Did you even try what I suggested?! >:(

Cameron

  • Global Moderator
  • Autococker
  • Posts: 2686
Re: Windows Recovery Console
« Reply #11 on: January 18, 2008, 02:59:35 PM »
I only just got back last night, scrolled down the page and only had time for 2 of them before I went to bed. I'll try that as well when I get on the other comp and download it.

sk89q

  • Global Moderator
  • Autococker
  • Posts: 1049
Re: Windows Recovery Console
« Reply #12 on: January 18, 2008, 05:25:49 PM »
ntfs-3g is what you can use for NTFS read/write.

Cameron

  • Global Moderator
  • Autococker
  • Posts: 2686
Re: Windows Recovery Console
« Reply #13 on: January 18, 2008, 05:56:47 PM »
Quote from: sk89q
ntfs-3g is what you can use for NTFS read/write.

thx, needed that for other things as well.

Cameron

  • Global Moderator
  • Autococker
  • Posts: 2686
Re: Windows Recovery Console
« Reply #14 on: January 19, 2008, 03:15:37 AM »
Ok, used Autoruns and scrolled down the HUGE LIST and found some stuff from other viruses as well. It was able to find cxsrss.exe or cxsrrs.exe (can't remember which one), not exactly sure if it has completely removed it. I also found HKCU\Software\Microsoft\Internet Explorer\Plugins (not sure about plugins in the registry but it's there in Program Files). Now I know where it is, can I PLEASE get told how to use ntfs-3g so I can delete it!!! (referring to sk89q). Now, Knoppix I will use next, but I really just want to SEARCH AND DESTROY!!!! Problem is I have found resfix32v.exe (easy to find) but the problem is once deleted it somehow comes back. Very annoying and especially annoying since it doesn't show up in Autoruns.

Herron

  • VM-68
  • Posts: 235
Re: Windows Recovery Console
« Reply #15 on: January 19, 2008, 05:27:02 AM »

sk89q

  • Global Moderator
  • Autococker
  • Posts: 1049
Re: Windows Recovery Console
« Reply #16 on: January 19, 2008, 11:45:03 AM »
You will have to look up how to install ntfs-3g because I don't remember. I have never tried it on a live boot either.

If it keeps coming back, that means there are other things running with the virus that you don't know about. It would be in Autoruns, but you probably couldn't recognize it if you tried.

You can try to use Process Explorer -> Find -> Find process or handle to try to find what program opens a handle to resfix32v.exe to recreate it after you delete it (that is, if it is recreated right when you delete it). You can also try to open that file in Notepad, blank it, and then set the NTFS permissions so you can't edit it (and likewise hopefully the virus can't either).

===

Edit:
I just Googled resfix32v and found that it "Registers a Windows APPINIT DLL To be loaded in all processes," meaning that indeed there is something else in autoruns. However, given that it runs with every program you start, deleting it from Windows would be impossible (unless it's a dumb virus and won't re-add the appinit, which I wouldn't bet on or waste my time trying).

Find out what this DLL is (with Google or by looking for it by yourself). Load up a portable Windows installation like BartPE, open up its registry editor, load up your main Windows' installation registry hive, and delete the entry (both the DLL and the resfix32v).

===

Edit: Just in case you haven't done your research, have you tried this yet?
http://forum.securitycadets.com/index.php?showtopic=5185
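The snapshot-and-compare idea from reply #7 and the AppInit_DLLs finding above, as an added example that is not code from this thread: a small Python script that diffs two Autoruns-style startup exports and flags entries that appeared since the clean baseline, singling out anything registered under AppInit_DLLs. The CSV columns and every row are constructed to resemble an Autoruns export (the file names are the ones discussed in the thread, the paths are assumed), so adapt the column names to whatever your Autoruns version actually writes.

```python
import csv
import io

# Constructed stand-in for an Autoruns export taken from a clean install
# (the "snapshot" sk89q recommends). Column names mimic Autoruns; rows are made up.
BASELINE_CSV = r"""Entry Location,Entry,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SoundMAX,c:\program files\soundmax\smax4pnp.exe
HKLM\System\CurrentControlSet\Services,Dhcp,c:\windows\system32\svchost.exe
"""

# Constructed later export from the infected machine; the entry names are the
# ones the thread discusses, the image paths are assumed for illustration.
INFECTED_CSV = r"""Entry Location,Entry,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SoundMAX,c:\program files\soundmax\smax4pnp.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,resfix32v,c:\windows\system32\resfix32v.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs,sysloader32v.dll,c:\windows\system32\sysloader32v.dll
HKLM\System\CurrentControlSet\Services,Dhcp,c:\windows\system32\svchost.exe
"""

# Real registry location of the AppInit_DLLs value on 32-bit Windows.
APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"


def load_snapshot(text):
    """Map (entry location, entry name) -> image path for one export."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["Entry Location"], r["Entry"]): r["Image Path"] for r in rows}


def diff_snapshots(baseline_text, current_text):
    """Return entries new since the baseline, entries whose image path changed,
    and the subset of new entries under AppInit_DLLs (a DLL listed there is
    loaded into every process that loads user32.dll, which is why the thread's
    resfix32v.exe kept being relaunched after deletion)."""
    base = load_snapshot(baseline_text)
    cur = load_snapshot(current_text)
    new = sorted(k for k in cur if k not in base)
    changed = sorted(k for k in cur if k in base and cur[k] != base[k])
    appinit = [k for k in new if k[0] == APPINIT_KEY]
    return {"new": new, "changed": changed, "appinit": appinit}


if __name__ == "__main__":
    report = diff_snapshots(BASELINE_CSV, INFECTED_CSV)
    for kind, entries in report.items():
        for location, entry in entries:
            print(f"{kind}: {entry}  ({location})")
```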

Cameron

  • Global Moderator
  • Autococker
  • Posts: 2686
Re: Windows Recovery Console
« Reply #17 on: January 19, 2008, 04:10:37 PM »
Ok, just looking at that site I recognised a file from Autoruns that said it was a Microsoft App or something. It's sysloader32v.dll. Sorta sounds like the virus itself. I'll do a bit of research on it. Also I found how to use ntfs-3g. I just used the terminal with "sudo aptitude install ntfs-3g". Took a while to learn how to use it but I think I removed cxsrrs.exe.

Cameron

  • Global Moderator
  • Autococker
  • Posts: 2686
Re: Windows Recovery Console
« Reply #18 on: January 19, 2008, 05:43:52 PM »
OK, COMPUTER IS FIXED.

Files Removed:
-resfix32v.exe
-cxsrrs.exe
-sysloader32v.dll
-sysfixmsi.exe

What happens is that sysloader32v.dll starts resfix32v.exe and keeps making multiple copies. When you deleted resfix32v.exe, somehow sysfixmsi.exe would sit there watching the file. If deleted, it would replace it. Cxsrrs.exe was just something sitting in the plugins in Internet Explorer, dunno what it was doing.

Ty for all of you that helped.