
Computer Will Not Boot

15 replies to this topic

#1 Doc Watson

Doc Watson

  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:56 AM

Posted 17 April 2009 - 01:44 PM

Hello. I've encountered a problem with a friend's computer that has me stumped. I belong to Woody's Lounge and have asked all the experts there for ideas and we've come up short.

I've never run into a problem that stumped me like this one has. I spent a few hours at my friend's store Wednesday and thought it was a System Guard 2009 infection. But the computer would not allow me access. The only way in was Safe Mode and once in, AVG was crippled and the system would not clear the infection.

I then tried what I thought was a utility to remove System Guard 2009, that I had downloaded before going there, and ended up installing Spyware Doctor. It comes without any virus data and must be updated to run. Not an easy task in Safe Mode with a virus problem on the system. I ran the System Guard 2009 removal tool I had brought along without success and ended up removing it via the uninstall option in the program. Still no joy. Ended up bringing the box home, pulled the drive and slaved it to my system and ran Avast! Removed 20 odd trojans and .dll's with Avast and also ran Malwarebytes and removed another 19 items (Vundo and its variants were the primary infections, but there were many other trojan downloaders). Installed Spyware Doctor on my system and found that there was no option to scan anything but the computer it is installed on and not any of the USB connected or slaved drives. Removed it from my system. Running Avast again found 3 more problems in the System Restore files and removed them.

I reinstalled the drive in its box and tried to start it, but the result was the same. It's set to boot to the desktop, but flashes the Welcome screen and then his wallpaper and then back to the welcome screen after a few long moments and then presents him with his profile name to click. Clicking that brings a quick log-in and then it logs out without getting past the Welcome screen.

My plan is to reinstall the drive and start in Safe Mode and maybe do a System Restore back to the middle of March, before he noticed problems, but am reluctant because of all the trojans and other infections I removed and not knowing when they got onboard. Otherwise, I suppose that the best course might be to try and manually remove any registry entries and other files related to this nasty. But I can't be sure what the real problem is and that is the main roadblock to getting the system clean.

The SR files were scanned with Avast when I had the drive slaved to my machine and most of the infections were found there. Of course they were copies of the infections that were on the system, stored in each restore point since the problem began.

Just tried booting to Safe Mode and now it's exhibiting the same behavior in Safe Mode. Won't log into his profile or Administrator. Now it doesn't even flash his wallpaper, but just cycles from starting to saving settings and then logging off.
I did some more poking around with the drive slaved to my system and found a file in the guy's Documents & Settings folder "GoToAssist_phone__317_en.exe" that I didn't like the look of and Googled it. It's part of a trojan so I renamed it and then went into the drive's System Restore folder and ran a Spybot S&D scan that turned up another .ini nasty so I deleted the entire restore point. I was going to run scans on all the restore points, but that would be tedious to say the least. The more I poke around, the more it looks like the worst of this started on or about April 1st, so I'm thinking of manually deleting all restore points, or at least all back to April first. Any reason why I shouldn't do this ?? I don't expect that it will clear the infection, but should clear any old traces of infections still remaining. I'm at a loss as to what to do next.

Thoughts ?? Thanks in advance.

Here are the 2 Malwarebytes logs I got, one on the 15th & one on the 16th.

Malwarebytes' Anti-Malware 1.36
Database version: 1987
Windows 5.1.2600 Service Pack 2

4/15/2009 4:21:47 PM
mbam-log-2009-04-15 (16-21-47).txt

Scan type: Quick Scan
Objects scanned: 53984
Time elapsed: 1 hour(s), 36 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
g:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\202FJYKU\srm_free_setup[1].exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.
g:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\202FJYKU\srm_free_setup[2].exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.
g:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\7WQ82LP7\promo[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
g:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\7WQ82LP7\srm_free_setup[2].exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.
g:\System Volume Information\_restore{5240FF09-BB26-4FF2-8F99-4FB419FD4C4D}\RP136\A0009503.exe (Trojan.Agent) -> Quarantined and deleted successfully.
g:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1919\A0278968.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
g:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1919\A0279962.exe (Trojan.Katusha) -> Quarantined and deleted successfully.
g:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1920\A0286024.exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.
g:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1920\A0286026.exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.
g:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1920\A0286028.exe (Rogue.MalwareRemover2009) -> Quarantined and deleted successfully.
g:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1920\A0286029.exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.
g:\WINDOWS\promo.exe (Trojan.Agent) -> Quarantined and deleted successfully.
g:\WINDOWS\msa.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
g:\WINDOWS\msb.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
g:\WINDOWS\SYSTEM32\userinit.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
g:\WINDOWS\SYSTEM32\hudwirpt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
g:\WINDOWS\SYSTEM32\lijueu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
g:\WINDOWS\SYSTEM32\pgggia.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
g:\WINDOWS\SYSTEM32\naqqdfng.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.36
Database version: 1987
Windows 5.1.2600 Service Pack 2

4/16/2009 6:59:52 PM
mbam-log-2009-04-16 (18-59-52).txt

Scan type: Quick Scan
Objects scanned: 54114
Time elapsed: 4 hour(s), 22 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Doc Watson, 17 April 2009 - 04:16 PM.


#2 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:56 AM

Posted 18 April 2009 - 10:18 AM

The userinit has to be replaced; you might find a clean copy in several locations.
Chewy

No. Try not. Do... or do not. There is no try.

#3 Doc Watson

Doc Watson
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:56 AM

Posted 18 April 2009 - 02:57 PM

Thanks for picking up the thread. :thumbsup:

Can I simply transfer the userinit file from my System32 (XP SP2) folder to the System32 folder on his drive after I slave it to my system again or must I get it by using the Recovery Console ??

#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:56 AM

Posted 18 April 2009 - 05:31 PM

Try it without (RC) first; you may need to replace the registry files also?
Chewy

No. Try not. Do... or do not. There is no try.

#5 Doc Watson

Doc Watson
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:56 AM

Posted 18 April 2009 - 07:50 PM

How would I do that ?? Just copy them from my system ?? If so, which keys do I need ?? I'd like to have all my bases covered before I get started.

#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:56 AM

Posted 18 April 2009 - 10:33 PM

If that's required you will have to solicit help from one of the trained experts in the HJT forum.
Chewy

No. Try not. Do... or do not. There is no try.

#7 Doc Watson

Doc Watson
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:56 AM

Posted 18 April 2009 - 11:08 PM

OK, thanks. I'll start by replacing the userinit.exe file with my copy and cross my fingers. Would using the RC eliminate the need to replace the registry files ?? I suppose I would always have the RC option if this doesn't get me back to the desktop.

I'll try the fix first thing tomorrow after checking here for a response. Thank you for your help and honesty. Great forum. Very well run.

#8 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:56 AM

Posted 18 April 2009 - 11:51 PM

If you can boot the computer after replacing the userinit file then run MBAM from that computer; it's dangerous to run it on a slaved drive, as you found out.
Chewy

No. Try not. Do... or do not. There is no try.

#9 Doc Watson

Doc Watson
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:56 AM

Posted 19 April 2009 - 08:59 AM

Was running MBAM what caused this userinit problem ?? Now that you mention it, the inability to boot to Safe Mode did start after I ran MBAM with the drive slaved to my system.

I'll post back with the results of replacing the file. I intend to backup the old userinit.exe file before replacing it, just in case.

#10 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:56 AM

Posted 19 April 2009 - 09:25 AM

There should be no old userinit.exe left.

It would be in quarantine on the clean computer?

g:\WINDOWS\SYSTEM32\userinit.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

MBAM whitelists the file and will not delete it if it is in the System32 folder on the active system boot drive.

Edited by DaChew, 19 April 2009 - 09:25 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#11 Doc Watson

Doc Watson
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:56 AM

Posted 19 April 2009 - 09:55 AM

Thanks for anticipating what I would run into and posting. I just came back to ask why there is no userinit.exe file on that drive.

I'm pretty sure I deleted everything from the Quarantine folder after the scan. I don't keep trash around the house.

I'll just drop my copy in the System32 folder and give it a go.

#12 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:56 AM

Posted 19 April 2009 - 09:58 AM

You wouldn't want a copy of that infected file anyway; it's well documented and many programs killed the booting after deleting it.

It's a very serious infection.
Chewy

No. Try not. Do... or do not. There is no try.

#13 Doc Watson

Doc Watson
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:56 AM

Posted 19 April 2009 - 10:47 AM

SUCCESS !!!!! Booted right to the desktop as it was set up to do by the owner.

Only two error windows on loading and I'm guessing that they are related to one of the infections because neither one is on my system and they are both .dll's.

Error Loading: C:Windows\system32\jtistngo.dll
The specified module could not be found

Error Loading: C:Windows\system32\yxerekfc.dll
The specified module could not be found

The security center is shut down as well. So my next move is to run MBAM on that system after installing it and then install ZoneAlarm and remove AVG and install Avast. Then do a general defrag and system cleaning and get this puppy back to its owner.

Thank you for your excellent diagnosis and assistance with this perplexing problem !!! If there are any further steps you would recommend or if you think my plan for this system is unsound, please let me know. All advice and insight will be gratefully accepted.
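Two things in this thread are worth checking mechanically before a cleaned drive goes back in its box: DaChew's point in #10 that a scanner run against a slaved drive will delete `System32\userinit.exe` (the boot-drive whitelist does not apply there) and so produce the logon/logoff loop, and the "Error Loading: ... .dll / The specified module could not be found" messages in #13, which are autostart registry values still pointing at DLLs the scanners removed. The PowerShell below is an added example for this thread, not code from the posts or from Malwarebytes. It assumes the infected drive is slaved at `G:` (the letter in the MBAM logs), that it runs in an elevated PowerShell 4 or later on the clean machine (`reg.exe load` and `Get-FileHash` need that), and that the clean machine's own `%SystemRoot%` is the reference copy, which only gives a meaningful hash comparison when both systems are the same Windows version and service pack. The hive mount name `OfflineSW` is arbitrary.

```powershell
# Offline logon-chain check for a slaved Windows XP volume (added example,
# not from the original thread). Assumptions: infected drive at G:, elevated
# PowerShell 4+, clean machine's %SystemRoot% as the reference copy.
param(
    [string]$Drive        = 'G:',
    [string]$ReferenceDir = $env:SystemRoot
)

$winDir   = Join-Path $Drive 'WINDOWS'
$sys32    = Join-Path $winDir 'system32'
$hivePath = Join-Path $sys32 'config\software'   # offline HKLM\SOFTWARE hive
$hiveKey  = 'HKLM\OfflineSW'                     # arbitrary mount name for reg.exe
$base     = 'HKLM:\OfflineSW\Microsoft'          # same mount, as a PowerShell path

# 1. The binaries Winlogon needs to reach the desktop. If a scanner removed one
#    of them from the slaved drive, the machine cycles logon -> logoff exactly
#    as described in the thread; a hash mismatch against the reference copy is
#    only a prompt to inspect (service packs and hotfixes change these files).
function Test-LogonBinaries {
    foreach ($rel in 'system32\userinit.exe', 'system32\winlogon.exe', 'explorer.exe') {
        $target = Join-Path $winDir $rel
        $ref    = Join-Path $ReferenceDir $rel
        if (-not (Test-Path $target)) {
            [pscustomobject]@{ File = $rel; Status = 'MISSING - replace from a clean copy' }
            continue
        }
        if (-not (Test-Path $ref)) {
            [pscustomobject]@{ File = $rel; Status = 'present (no reference copy to compare)' }
            continue
        }
        $same = (Get-FileHash $target -Algorithm SHA256).Hash -eq (Get-FileHash $ref -Algorithm SHA256).Hash
        [pscustomobject]@{ File = $rel; Status = $(if ($same) { 'matches reference' } else { 'differs from reference - inspect' }) }
    }
}

# 2. Autostart values in the offline SOFTWARE hive and whether their targets
#    still exist on the slaved volume. A value whose DLL is gone is what
#    produces "Error Loading: ... The specified module could not be found".
function Get-OfflineAutostarts {
    & reg.exe load $hiveKey $hivePath | Out-Null
    try {
        $refs = @()
        $wl  = Get-ItemProperty "$base\Windows NT\CurrentVersion\Winlogon" -ErrorAction SilentlyContinue
        $win = Get-ItemProperty "$base\Windows NT\CurrentVersion\Windows"  -ErrorAction SilentlyContinue
        $refs += [pscustomobject]@{ Source = 'Winlogon\Userinit'; Value = [string]$wl.Userinit }
        $refs += [pscustomobject]@{ Source = 'Winlogon\Shell';    Value = [string]$wl.Shell }
        $refs += [pscustomobject]@{ Source = 'AppInit_DLLs';      Value = [string]$win.AppInit_DLLs }
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "$base\Windows\CurrentVersion\$sub"
            if (Test-Path $key) {
                foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
                    if ($p.Name -notlike 'PS*') {   # skip the provider's PSPath/PSParentPath etc.
                        $refs += [pscustomobject]@{ Source = "$sub\$($p.Name)"; Value = [string]$p.Value }
                    }
                }
            }
        }
        # Each Winlogon\Notify subkey names a DLL loaded into winlogon.exe itself,
        # which is why a missing one surfaces before the desktop appears.
        $notify = "$base\Windows NT\CurrentVersion\Winlogon\Notify"
        if (Test-Path $notify) {
            foreach ($k in Get-ChildItem $notify) {
                $refs += [pscustomobject]@{ Source = "Winlogon\Notify\$($k.PSChildName)"
                                            Value  = [string](Get-ItemProperty $k.PSPath).DllName }
            }
        }
        foreach ($r in $refs) {
            if (-not $r.Value) { continue }
            # Pull every exe/dll reference out of the value: handles
            # "C:\WINDOWS\system32\userinit.exe," as well as rundll32 "x.dll",Entry
            foreach ($m in [regex]::Matches($r.Value, '(?i)[A-Za-z]:\\[^",]+?\.(?:exe|dll)|[\w.-]+\.dll')) {
                $path = $m.Value
                if ($path -match '^[A-Za-z]:\\') { $path = $Drive + $path.Substring(2) }  # C:\... -> G:\...
                else                             { $path = Join-Path $sys32 $path }       # bare name: System32
                [pscustomobject]@{ Source = $r.Source; Reference = $m.Value; Exists = (Test-Path $path) }
            }
        }
    }
    finally {
        [gc]::Collect()                          # release key handles so the unload succeeds
        & reg.exe unload $hiveKey | Out-Null
    }
}

Test-LogonBinaries     | Format-Table -AutoSize
Get-OfflineAutostarts  | Where-Object { -not $_.Exists } | Format-Table -AutoSize
```

The first table answers the question asked in #9 and #11 (is `userinit.exe` actually there, and is it the same file as a known-good copy) before the drive is put back; the second lists only the autostart references whose target no longer exists, which is the list of values to remove, or to hand to the HJT forum as DaChew suggests, rather than guessing from the error dialogs at boot.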

#14 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:56 AM

Posted 19 April 2009 - 10:53 AM

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy

No. Try not. Do... or do not. There is no try.

#15 Doc Watson

Doc Watson
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:09:56 AM

Posted 19 April 2009 - 11:14 AM

Ok... all that will have to wait until I get back to my friend's location. His ISP is Verizon and mine is Comcast, so I can't connect to the internet here on his machine. But I have downloaded fresh copies of ATF and MBAM and put them on a thumbdrive with the other fresh copies of security programs I want to load on this system. I'll clean up the system when I get to his location and post back here with any other issues.

Thanks again for all your help. Yoda would be proud !! :flowers:

I release you to go help some other poor soul escape from virus/malware Hell. :thumbsup:
