BleepingComputer.com: Windows won't boot, cycling after Windows Security bug


Windows won't boot, cycling after Windows Security bug

#1 WorldInMyEyes

  • Member
  • Group: Members
  • Posts: 17
  • Joined: 04-January 12
  • Gender:Female
  • Location:NJ

Posted 04 January 2012 - 04:12 PM

So Windows Vista, 64-bit, won't boot in my Toshiba Satellite laptop. It all started with a bug I thought I had fixed. It was that Windows Security 2012, I think, in which a window pops up and looks like it's scanning the computer. It has that shield logo thing that replicates the genuine Windows Security shield. And when I try to open the Windows security section in the control panel, it goes to a fake security window that says firewall is disconnected.

The handful of times I've gotten infected with something in the last 7 years or so, it's always this same type of thing. I have a usual protocol that I follow and it has always worked. (Recently, my mom's laptop had the same thing and I fixed it using my method, no problems.) First I immediately turn off the internet switch so I will be disconnected. Then I end whatever processes seem related and I feel I should. Because this thing disables certain functions such as system restore, I go and create a new user account with administrator abilities. I log off of the user acct I was on while infected, and go into the new acct. From there I would open system restore and go back to a safe date. Then I would run all scans to double check. (The protection I have now and had the last time this happened, over a year ago, is Windows Defender, Advanced Care, and Iobit Malware Fighter.) Usually the scans would come up clear.

This time, after doing the system restore, the Windows Defender picked up something, I remember it said "rogue" in the title and was a trojan and rating was severe. So I cleared it. Now this had been a few hours after the whole thing began. Everything seemed normal. Then I noticed and hit an "Onscreen Keyboard" shortcut link in my recently used items on the start menu (which I had recently used). It seemed different than usual because it asked if I would allow the program to open, and I couldn't remember for sure but I thought it usually didn't ask that. But it said "osk.exe" so I thought it must be fine. But the keyboard didn't pop up after I allowed it.

I had also finally just turned back the internet switch to on, and opened firefox, which I was on when the bug first popped up. Stupid firefox auto reopened all the tabs I had open on the one browser when it happened (I didn't think it would reopen the same tabs if I had logged off of my account, but I guess it does now?!) There weren't any weird or questionable sites open though when this happened. Anyway, so now the fake scan windows had popped up again. This time I actually had my Iobit Malware Fighter running so it was protecting me, and before I hadn't had it running (normally I don't keep it running, stupidly, because I never did anything "risky" seeming online, so I wasn't worried). The Iobit Malware Fighter was giving me warnings of attempted registry changes so I blocked them.

So then I went to my usual protocol that I mentioned above. The difference this time is that I already had system restore opened, so it wasn't disabled by the infection. So I didn't have to create a new user acct to do restore from; I went to restore right from the infected acct. I think that was my mistake - maybe. I restored it to the time a set point created automatically when the Windows Defender detected the trojan. I'm not sure now if it was created right before it cleared the trojan - I'm guessing it was. I should have just gone for an earlier time. So as it's restarting after system restore, Windows wouldn't boot up. The usual Toshiba start screen shows, then it goes to the black screen that is always there for a few seconds before Windows boots. Except now it's just cycling from the Toshiba start screen to the black screen and back to the Toshiba start screen, in a continuous loop.

I'm completely freaked out since I haven't backed up important files in a year or so. I only didn't because that was when I stopped going to those risky sites to watch free movies and TV shows, and stopped using a free file-sharing music downloading program. So I just wasn't worried.

Pressing F8 to get into safe mode didn't make a difference, Windows still wouldn't boot. I can access the startup menus that are on the Toshiba opening screen (F2 and F12), but I really have no idea what to do in there. The Toshiba tech guy said to try pressing "0" holding it down before turning on the comp again, then letting go when Toshiba screen comes on. What happened after that was that it goes to a black screen which looks like one line of words is trying to pop up, but the line is so small that it's unreadable and it just stays stuck on that black screen until I shut the thing off. I think one word in there is "capacity," if that means anything. With the Toshiba tech guy on the phone, we also tried completely discharging and removing the battery and using it with just the adapter.

This post has been edited by hamluis: 05 January 2012 - 09:50 AM
Reason for edit: Moved from Vista to Am I Infected.


#2 WorldInMyEyes

Posted 06 January 2012 - 10:43 PM

When I said "end whatever processes," I meant open task manager and end/shut down the windows which were the virus/fake scans, and firefox and IE browser. I shut them (the browsers) that way because viruses can open browser windows that are sort of hidden, so if ending the browser in task manager, it will auto shut every browser window. In case it sounded like I meant I just randomly shut down any old processes - no, that wasn't what I meant.

#3 Elise

  • Bleepin' Blonde
  • Group: Malware Study Hall Admin
  • Posts: 39,026
  • Joined: 05-October 07
  • Gender:Female
  • Location:Romania

Posted 07 January 2012 - 08:46 AM

Hello, let's first have a look at the Master Boot Record of the drive.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1


  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.


This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.
regards, Elise

"The mind is its own place, and in itself can make a heaven of hell, a hell of heaven." ~ John Milton
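
A structural check of the `mbr.bin` file produced by the `dd` command in the post above, as an added example (not part of the original post and not the helper's own analysis method). `parse_mbr` and `build_sample` are hypothetical names and the sample sector is constructed; the script checks the boot signature and partition table and hashes the boot code area so it can be compared with a known-good dump.

```python
import hashlib
import struct

SECTOR, TABLE_OFF, SIG_OFF = 512, 446, 510  # classic MBR layout

def parse_mbr(raw: bytes) -> dict:
    """Structural check of a 512-byte MBR dump such as mbr.bin."""
    if len(raw) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(raw)}")
    findings, parts = [], []
    if raw[SIG_OFF:] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    for i in range(4):  # four 16-byte partition entries
        entry = raw[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0x00:  # unused slot
            continue
        if status not in (0x00, 0x80):
            findings.append(f"partition {i + 1}: invalid status byte {status:#04x}")
        parts.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    active = sum(p["active"] for p in parts)
    gpt = any(p["type"] == 0xEE for p in parts)  # protective MBR: no active flag
    # Heuristic for BIOS boot: standard boot code expects one active partition.
    if parts and not gpt and active != 1:
        findings.append(f"{active} active partitions (expected 1)")
    # Hash of the boot code area, for comparison with a known-good dump.
    return {"boot_code_sha256": hashlib.sha256(raw[:440]).hexdigest(),
            "partitions": parts, "findings": findings}

def build_sample(status: int = 0x80, sig: bytes = b"\x55\xaa") -> bytes:
    """Constructed sample sector (not from the thread): one NTFS partition."""
    entry = struct.pack("<B3sB3sII", status, bytes(3), 0x07, bytes(3), 2048, 1_000_000)
    return bytes(440) + bytes(6) + entry + bytes(48) + sig

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    report = parse_mbr(raw)
    print("boot code sha256:", report["boot_code_sha256"])
    for p in report["partitions"]:
        print(p)
    print("findings:", report["findings"] or "none")
```

Run it as `python check_mbr.py mbr.bin` (script name assumed); an empty findings list only means the sector is structurally sound, not that the boot code is unmodified.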

#4 WorldInMyEyes

Posted 09 January 2012 - 07:05 PM

Thanks for the reply, however I'm still not able to try this method.

Just to add - there's something I forgot to include in my description. When I first saw the virus scan windows pop up (a few hours before the second time it popped up and before Windows wouldn't boot at all), I did actually have a problem booting Windows after doing System Restore the first time. What happened is as it was turning on automatically after doing Sys Restore, it turned on like normal first showing the Toshiba screen, but then, when normally it next shows a black screen before Windows boots, it showed a black screen with a bunch of white words going so fast across the screen as if it was scanning something. And it wouldn't go to the Windows screen. I turned it off then on and same thing, then think it cycled a couple times back to Toshiba screen, F8 or F10 wouldn't work, then I turned it off. When I turned it back on next, I was able to start Windows and in safe mode. So a similar booting problem happened a few hours before too, except with white words going fast across the screen, and after a bit it just worked that time.

This post has been edited by WorldInMyEyes: 10 January 2012 - 12:34 AM


#5 Elise

Posted 10 January 2012 - 04:15 AM

Why aren't you able to follow the xPUD instructions?
regards, Elise


#6 WorldInMyEyes

Posted 10 January 2012 - 03:11 PM

Lack of the "clean" computer. When I first posted my issue, it was from another person's computer. As it is now, I'm using my small tablet. So I'm hoping to be able to use someone else's computer ASAP.

I'm sure it is infected though. Can this xPUD thing fix anything or just diagnose? (Never heard of it before so I'm really clueless.)

This post has been edited by WorldInMyEyes: 10 January 2012 - 03:12 PM


#7 Elise

Posted 11 January 2012 - 07:12 AM

We can use it to diagnose as well as fix, however it depends a bit on the problem. At this point I'd like to see an MBR dump. Would it be easier to create a bootable USB drive instead?
regards, Elise


#8 WorldInMyEyes

Posted 14 January 2012 - 02:35 PM

I see.
And you mean like with those little flash drive sticks, right? Probably would be easier.

This post has been edited by WorldInMyEyes: 14 January 2012 - 02:37 PM


#9 Elise

Posted 14 January 2012 - 03:12 PM

Yes, a flashdrive. :)

Download http://unetbootin.sourceforge.net/unetboot...dows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer, simply close the installer

regards, Elise


#10 Elise

Posted 26 January 2012 - 05:11 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
regards, Elise

