"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:iu0q0501rh@news6.newsguy.com:
> From: "Li'l Abner" <blvstk@dogpatch.com>
>
>> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
>> news:iu0i4i0plk@news3.newsguy.com:
>>
>>> From: "Li'l Abner" <blvstk@dogpatch.com>
>>>
>>>> This is a Windows 7 laptop. It boots up to a momentary "Safe Boot"
>>>> screen which soon goes away and is replaced by "Windows Stable Work".
>>>> Control-Alt-Delete + Start Task Manager pops something up which goes
>>>> away before you can read it and then it goes back to the main screen
>>>> which still has Windows Stable Work on it. If you let it scan and
>>>> then tell it to Fix Errors, then you finally get to the point where
>>>> you can close it and the Windows Desktop. Most anything you try to do
>>>> pops up a "Warning" with the name of an infection and a choice to
>>>> Deny or Enable Protection. Of course I didn't pursue this. That can
>>>> be closed with Alt-F4. Regedit won't run. A reg file won't run. Batch
>>>> files won't run. They're all intercepted by that warning popup. I can
>>>> open My Computer and browse everything on the drive and on my thumb
>>>> drive. A text file will open in notepad. Pictures will open. Renaming
>>>> exe to com doesn't cut it either. And I get the same exact results in
>>>> Safe Mode. If it were XP, I could probably log in to the
>>>> Administrator account and get around it. But Windows 7 doesn't have
>>>> an Administrator account.
>>>>
>>>> What do I do now?
>>>>
>>>> Of course, the restore to factory option is there, but as before I'd
>>>> like to avoid that if possible.
>>>>
>>> Have you tried removing the hard disk from the affected computer and
>>> placing it on a surrogate computer?
>>>
>>> Then you can scan the affected hard disk and/or manually clean out TEMP
>>> folders, EXE files that don't belong in %appdata%, etc.
>>
>> OK. I need to get the drive out of it anyway so I can get the guy's data
>> backed up anyway.
>>
>> Actually, I had already planned to slave it, but I never thought about
>> being able to repair it that way. If getting rid of the offending files
>> will allow it to run again, then maybe it will allow me to run regedit
>> when I put it back.
>>
>> Thanks for that suggestion. That's what I'll do next!
>>
>
> That's the spirit :-)

I got the necessary data files copied, but I couldn't find anything
suspicious in the appdata folder.
So I put the drive back in the laptop and booted up to the now activated
Administrator account. Thanks to From The Rafters for that lead. From there
I was able to clean it up. MBam, then SAS, then I could boot into the user's
account where I ran both those again. Uninstalled the already expired
Norton IS, installed Avira, turned off System Restore, am running full scan
with Avira now. And then will turn system restore back on!
Thanks for your much respected advice as usual!
That was one hell of a virus!
I just couldn't resist
--
--- Everybody has a right to my opinion. ---


