
Please help recover from possible virus attack



I've included a description of my original problem, which I am now on the road to fixing.

Windows XP Pro SP2, full updates
AVG Antivirus 7.5.476
COMODO Firewall Pro 2.4.18.184

First of all, logging in takes an unusually long time, with a relatively lengthy period when there is only a blank desktop - no icons, no taskbar, and only 12 processes running. After a while, the desktop icons and the taskbar appear and more processes run (totalling 22, which seems normal).
I have no audio, only system bleeps. Device Manager says that the XiFi sound card is working properly, but the Control Panel says that I have no audio device. My Computer shows the presence of a floppy drive, but there is no floppy drive. I mean: there is no floppy physically present in the case.
There are several problems with Windows Explorer. Open windows (from any program) don't appear in the taskbar. I cannot copy or move files (but I can delete them). Initially, Quick Launch had been turned off in the taskbar, but I was able to re-enable it. My anti-virus is AVG. Upon logging into Windows, AVG tells me that "Alert Manager connection to component failed". When I open the AVG Control Centre and do anything, e.g. right-click on something, I get a further error message "Email scanner is not fully functional". I ran a full virus scan, which detected one trojan, which was moved to the vault.

In terms of the internet, I am connected. Internet Explorer won't run, and thus neither will Windows Update. Opera will run, but cannot access any page. Only Firefox is able to access the internet (it's what I'm using now). In Control Panel > Administrative Tools > Services, the Extended tab is blank. The Standard tab does show the Windows services. Alerter, ClipBook, Human Interface Device Access, Messenger and Telnet are disabled (all others are either on Manual or Automatic). I can start some services (maybe a case of working out dependencies), but I cannot right-click on any of them or go to their properties, and thus can't change whether they're Disabled, Manual or Automatic.

Notably, I cannot start Remote Procedure Call (RPC) at all. I get this error message when I try to do so:

"Could not start the Remote Procedure Call (RPC) service on Local Computer.
Error 193: 0xc1"

Upon accessing the Windows Security Centre, I got the following error message:

"The Security Center is currently unavailable because the "Security Center" service has not started or was stopped. Please close this window, restart the computer (or start the "Security Center" service) and then open the Security Center again."

Needless to say, restarting the computer has no effect. I went into the Services part of the Control Panel and attempted to start the Security Center service, but got another error message:

"Could not start the Security Center service on Local Computer.
Error 1068: The dependency service or group failed to start"

In terms of accessing files, it's a mixed bag. Archives, such as .rar and .iso, seem to be working normally. Images cannot be previewed in Windows Fax and Picture Viewer, but can be edited in Paint. Windows Media Player cannot play any files - "Can't perform operation, low on memory". Creative MediaSource is similarly disabled - "Unable to open the necessary device(s) for playback. It may be in use or unavailable". WinAmp and GOM Player simply won't launch at all.

I tried reinstalling AVG, but got the following error message:
"Local machine: installation failed
Initialization:
Warning: Windows Firewall activity checking failed.
The RPC server is unavailable. (1722)
Installation:
Error: Action failed for file avgemc.exe: starting service....
The dependency service or group failed to start. (1068)"

I also ran CHKDSK, which detected and repaired one error.

I have also run scans from specialist tools, such as Panda Anti-Rootkit v1.08.00, McAfee AVERT Stinger v3.4.9 and MS Malicious Software Removal Tool - all of which have come up blank.

Fast User Switching is set to Manual, and cannot be started (it's dependent on something else that has also stopped). When I logged in again, COMODO Firewall Pro gave 2 errors:

"The Comodo Network Monitor is not active. Reinstalling the application may fix the problem."
"The Comodo Application Monitor is not active. Reinstalling the application may fix the problem."

Since then, I have been able to re-enable Remote Procedure Call, and that got a bunch of other services working again. I configured my services according to instructions found at http://www.blackviper.com/WinXP/servicecfg.htm. I also reinstalled AVG. Most things about my computer are working again, with a few exceptions.

I still cannot have 2 users logged in at the same time. Additionally, the welcome screen does not show if a user is logged in.

Win XP's built-in CD-burning facility won't work. I can drag files onto the blank CD, but when I go through the finalising wizard, I am told that there is no disc present. I can burn disks with Nero no problem.

Windows Explorer is still showing the presence of a floppy drive, when I physically have no such drive.

In terms of media files, I normally use GOM Media Player for video and WinAMP for audio. However, double-clicking these files will not launch them (despite the correct program showing as the default player). I can launch both programs and manually open a media file from within one of those 2 programs, I just can't open media files with these programs via Windows Explorer. Note: I can do so if I right-click on the file and select 'play with windows media player' - the file opens in WMP fine.

Can anyone help?

Edited by zulu9812


Honestly--I would have ditched the whole campaign a while ago and reinstalled the OS (if possible). In the long run, you'll save yourself a lot of headaches.

If this isn't possible, let this be a lesson - always have OS and/or restoration CDs available for your PC! Backing up, formatting, and re-installing is usually easier than correcting serious virus issues, plus you get the added security of knowing that the virus has been eliminated.


You're screwed; whichever one you got infected with really did a number on you...

Reinstall is gonna be your only bet to fully recover.

Well, actually, this happened before. I reformatted and now just a few days later the same problems have occurred. Thus, I don't want to do a reformat without understanding what's gone wrong - chances are it'll just happen again.

Incidentally, I was able to fix the 193:0xc1 error I was getting when trying to start Remote Procedure Call by going into the registry and looking at the following path:

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > RpcSs

and changing the ImagePath from a relative one (%SystemRoot%\system32\svchost.exe -k rpcss) to an absolute (C:\WINDOWS\system32\svchost.exe -k rpcss).

I have been getting the same error code when attempting to start the following services:

Terminal Services

DCOM Server Process Launcher

I tried changing their ImagePaths to absolutes as well, but that had no effect.

Can anyone help? Or direct me to somewhere else?


  • 6 months later...

I experienced the exact issue as described above, including the inactive taskbar and the slow boot. I know this post has been around for a while, but thought I'd confirm I fixed it with the below:

I found that there was a file called "SVCHOST" around 2kb in length in the same folder as the "SVCHOST.EXE" executable in %systemroot%\SYSTEM32. Having opened this file in Notepad because it had no extension, it appeared to refer in the jumble of characters in a shortcut to an application I had installed on the previous boot.

I've no idea why this file was created, but once I'd removed it by bringing up a Command Prompt window from Task Manager (one of the few things I could get XP to display correctly) I was able to first move, then delete the file. Once I'd rebooted, everything came back correctly.

I originally just wanted to run System Restore once I'd identified the slow boot process, but that service wouldn't start even in Safe Mode, which pointed me to a dependency that couldn't start either, which led me to the "Could not start the Remote Procedure Call (RPC) service on Local Computer. Error 193: 0xc1" prompt.

I guess the same applies if there is a file called "WINDOWS" in the root of C:, or a file called "SYSTEM32" in the Windows folder, etc. Whether this is the same for other services as above in this post I don't know, but I hope this helps somebody as it did me, as this error only gets four Google hits today!

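An added check, not code from this thread, that turns the last post's observation into something you can run: given a service ImagePath value like the RpcSs one quoted earlier, it reports stray plain files whose name collides with the executable's stem (the "SVCHOST" beside svchost.exe) or with any directory on the path. The environment mapping and the temporary XP-like tree in `demo()` are constructed here so the check runs offline on any OS.

```python
import os
import re
import tempfile

# Added example, not code from the thread. Given a service ImagePath (the
# registry value under HKLM\SYSTEM\CurrentControlSet\Services\<name>), report
# plain files whose name collides with a component of the executable's path.

def expand_image_path(image_path, env):
    """Expand %VAR% references, drop the arguments, normalise separators."""
    expanded = re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), image_path)
    if expanded.startswith('"'):          # quoted path may contain spaces
        exe = expanded[1:].split('"', 1)[0]
    else:                                 # unquoted path ends at first space
        exe = expanded.split(" ", 1)[0]
    return exe.replace("\\", os.sep)

def _files_named(parent, name):
    # Plain files (never directories) in parent matching name, case-insensitively.
    try:
        entries = os.listdir(parent)
    except OSError:
        return []
    return sorted(os.path.join(parent, e) for e in entries
                  if e.lower() == name.lower()
                  and os.path.isfile(os.path.join(parent, e)))

def find_colliding_files(image_path, env):
    """Return files that shadow the executable's stem or a directory name."""
    exe = expand_image_path(image_path, env)
    parent, child = os.path.split(exe)
    stem = os.path.splitext(child)[0]
    # Extension-less twin of the executable, e.g. system32\SVCHOST.
    found = _files_named(parent, stem) if stem != child else []
    # Walk upwards: a file sitting where a directory is expected breaks resolution.
    while True:
        grand, name = os.path.split(parent)
        if not name or grand == parent:
            break
        found += _files_named(grand, name)
        parent = grand
    return found

def demo():
    """Constructed XP-like tree reproducing the thread's stray SVCHOST file."""
    root = tempfile.mkdtemp()
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sys32)
    for name in ("svchost.exe", "SVCHOST"):
        open(os.path.join(sys32, name), "w").close()
    return find_colliding_files(r"%SystemRoot%\system32\svchost.exe -k rpcss",
                                {"SystemRoot": os.path.join(root, "WINDOWS")})
```

On a real machine you would feed it each service's ImagePath and the live environment; an empty result means no such collision exists for that service.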
