
Trojan/Malware won't allow windows to boot


14 replies to this topic

#1 ramsqb13

ramsqb13

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Mississippi
  • Local time:09:23 AM

Posted 25 May 2009 - 01:03 PM

I was searching for a tracklist for a cd on Google and was checking out different sites when I started getting a lot of popups. Then I got an icon down in the corner by the clock - a red circle with an X in it. I ran avg antivirus and when finished I was prompted to restart which I did. It found 6 things - a couple of exe's and dll's. When rebooting windows went to the login screen where you have to choose which person you will log in as - admin or whatever else you have set up. Problem is that I don't use this screen and it is always bypassed right into windows. Not sure what to do, I chose admin, didn't log me in. So I chose the other which is my name. Same thing - didn't log me in. Just stays on the login screen. ctrl-alt-del takes me to the other login with the pull-down menus. No good here either. Only way to shut the pc down is to hold the power button. I also can't get into any form of safe mode, either. I've been reading here about similar problems but couldn't find anyone that can't get their pc to load windows in some way. I've gotten help here before - you guys are geniuses. Hope you can help out once again.

Thanks, Alan

Dell XPS400
Windows media center sp3



#2 ramsqb13


Posted 26 May 2009 - 03:59 AM

I have an update. I removed the hard drive from my pc and put it in an external usb enclosure. I hooked it up to one of my other pc's and ran AVG. It found and removed 7 infections. I reinstalled in my pc and Windows booted up normally, but I still have no internet connection through any program. When I open Firefox, all of my saved tabs open but when I click a link nothing happens. Internet Explorer, Outlook Express and uTorrent all will not connect. I have 3 other computers on my home network and they all have internet connectivity and have no signs of viruses. Also, on the infected pc, when I ctrl-alt-del I get a pop up window that says Task manager has been disabled by the administrator. I did not disable task manager and don't know how anyway. So this must have something to do with the infection? I also ran malwarebytes anti-malware. It found 1 infection.

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,077 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:23 AM

Posted 26 May 2009 - 09:35 AM

Please post the results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 sachin naik

sachin naik

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:07:53 PM

Posted 26 May 2009 - 10:30 AM

hey, this was even happening for me before,

see, when the login screen comes you are not supposed to enter anything but directly hit enter or press the login button, I think you may not be having any password set for your login so keep the password field blank and I think your username should automatically be entered by windows so that's your login, so don't do anything for your login just login directly without typing anything

You probably may be infected by Virut as even I was having the same issue before

#5 ramsqb13


Posted 26 May 2009 - 07:20 PM

Here is my MBAM log. I tried to boot into safe mode but was stopped by the blue admin/other user log-in screen, the screen with the icons next to the name. If you click either one of them the screen blinks and then nothing happens. Also when shutting down the PC a pop-up window says that program "O" is not responding. I don't know what program "O" is but I'm sure it's not something I want.


Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

5/26/2009 7:16:06 PM
mbam-log-2009-05-26 (19-16-06).txt

Scan type: Quick Scan
Objects scanned: 94257
Time elapsed: 5 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 quietman7


Posted 26 May 2009 - 09:11 PM

Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode" after running ATF-Cleaner.
If you cannot boot into safe mode, then perform your scan in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply. If you can't find the log, try to write down what was detected/removed before exiting Dr.WebCureIt so you can provide that information.

#7 ramsqb13


Posted 29 May 2009 - 05:30 PM

I've tried to post my CureIt log but it must be too long because I keep getting an "Aw Snap" error. What should I do? Are there specific parts that I should cut and paste?

#8 quietman7


Posted 29 May 2009 - 09:14 PM

To see what was detected/removed, scroll down to the bottom and look under the "Scan statistics" section and just copy/paste that part into your next reply.

#9 ramsqb13


Posted 29 May 2009 - 10:58 PM

This report must be 500 pages long. There are two sections of scan statistics.

-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Scanned: 345048
Infected: 9
Modifications: 0
Suspicious: 0
Adware: 6
Dialers: 0
Jokes: 0
Riskware: 3
Hacktools: 0
Cured: 0
Deleted: 8
Renamed: 0
Moved: 3
Ignored: 0
Scan speed: 374 Kb/s
Scan time: 02:44:30
-----------------------------------------------------------------------------

C:\Documents and Settings\Alan Bone\.housecall6.6\Quarantine\SSF120.tmp.bac_a05996 - incurable - moved
C:\Documents and Settings\Alan Bone\.housecall6.6\Quarantine\webhdll.dll.bac_a04176 - incurable - moved
C:\Documents and Settings\Alan Bone\.housecall6.6\Quarantine\whagent.exe.bac_a04176 - incurable - moved
C:\Documents and Settings\Alan Bone\.housecall6.6\Quarantine\whiehlpr.dll.bac_a04176 - incurable - moved
C:\Documents and Settings\Alan Bone\.housecall6.6\Quarantine\whinstaller.exe.bac_a04176 - incurable - moved
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP745\A0122254.EXE - incurable - moved
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP745\A0122290.EXE - incurable - moved

=============================================================================
Total session statistics
=============================================================================
Scanned: 346225
Infected: 9
Modifications: 0
Suspicious: 0
Adware: 6
Dialers: 0
Jokes: 0
Riskware: 3
Hacktools: 0
Cured: 0
Deleted: 8
Renamed: 0
Moved: 10
Ignored: 0
Scan speed: 390 Kb/s
Scan time: 02:45:29

-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Scanned: 215251
Infected: 1
Modifications: 0
Suspicious: 1
Adware: 0
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 1
Cured: 0
Deleted: 1
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 378 Kb/s
Scan time: 01:59:14
-----------------------------------------------------------------------------

C:\SDFix\apps\Process.exe - incurable - deleted
C:\Program Files\Common Files\Motive\InstallHelper.exe - incurable - deleted

=============================================================================
Total session statistics
=============================================================================
Scanned: 215842
Infected: 1
Modifications: 0
Suspicious: 1
Adware: 0
Dialers: 0
Jokes: 0
Riskware: 0
Hacktools: 1
Cured: 0
Deleted: 3
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 377 Kb/s
Scan time: 02:01:01
=============================================================================
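
An added example, not part of the original posts: when a CureIt log is too long to paste, the statistics blocks and the per-file action lines at its end can be pulled out with a short script and checked against each other. It assumes the log tail has the layout shown in the post above; the function names, sample text and paths are constructed for illustration.

```python
import re
from collections import Counter

RULE = re.compile(r"^[-=]{10,}$")                 # separator rows of - or =
COUNTER = re.compile(r"^([A-Z][A-Za-z ]+):\s*(.+)$")
TITLES = ("Scan statistics", "Total session statistics")

def parse_sections(text):
    """Return one dict per statistics section: title, counters, listed actions."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or RULE.match(line):
            continue
        if line in TITLES:
            current = {"title": line, "counters": {}, "actions": []}
            sections.append(current)
            continue
        if current is None:
            continue                              # log body before the first block
        parts = line.rsplit(" - ", 2)             # "<path> - <verdict> - <action>"
        if len(parts) == 3:
            current["actions"].append(tuple(parts))
            continue
        m = COUNTER.match(line)
        if m:
            value = m.group(2)
            current["counters"][m.group(1)] = int(value) if value.isdigit() else value
    return sections

def listed_vs_reported(section):
    """Map each action counter to (value the scanner reported, lines present in excerpt)."""
    listed = Counter(action.capitalize() for _, _, action in section["actions"])
    return {name: (section["counters"].get(name, 0), listed.get(name, 0))
            for name in ("Deleted", "Moved", "Renamed")}

# Constructed sample in the same layout as the posted excerpt (not real detections).
SAMPLE = r"""
-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Scanned: 1200
Infected: 2
Deleted: 2
Moved: 1
Scan speed: 374 Kb/s
Scan time: 00:03:10
-----------------------------------------------------------------------------

C:\Example\Quarantine\sample one.tmp - incurable - moved
C:\Example\tools\helper.exe - incurable - deleted

=============================================================================
Total session statistics
=============================================================================
Scanned: 1210
Deleted: 2
Moved: 1
"""

if __name__ == "__main__":
    for sec in parse_sections(SAMPLE):
        print(sec["title"], sec["counters"], listed_vs_reported(sec))
```

A counter whose reported value is higher than the number of listed lines means the pasted excerpt is missing some of the per-file entries, so the helper reading it has not seen everything the scanner acted on.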

#10 quietman7


Posted 30 May 2009 - 07:10 AM

How is your computer running now? Are there any more reports/signs of infection?

#11 ramsqb13


Posted 30 May 2009 - 10:27 AM

I still can't connect to the internet through any programs. When I shut down the computer a warning window pops up that says "program O is not responding". I don't know what program O is. I am now able to boot into safe mode where before I could not. The other three computers on my home network are all able to connect to the internet.

#12 ramsqb13


Posted 30 May 2009 - 11:50 AM

I just did "netsh winsock reset" from the command prompt and rebooted. I am now able to connect to the internet and get my email through outlook express. I use AVG 8.5, Malwarebytes AntiMalware and run super-antispyware about once a week. About once a month I do Trend Micro's web based scanner. Short of not using the internet is there any way that I can be 100% protected? I do want to thank you and tell you that your website is one that everyone should know about. I really appreciate all the help I've gotten here. The last time I was here I learned about "netsh winsock reset." So in addition to helping you're also teaching.

#13 quietman7


Posted 30 May 2009 - 01:47 PM

Most Internet connectivity problems arise out of corrupt Winsock settings due to the installation of a networking software or Malware infestation. Using netsh winsock reset is a method to re-enable connectivity so that's what I would have instructed you to do.

There is no way to guarantee you will not get reinfected. No single product is 100% foolproof and can detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Thus, a multi-layered defense using several anti-spyware products (including an effective firewall) to supplement your anti-virus combined with common sense and safe surfing habits provides the most complete protection.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista users can refer to these links: Create a New Restore Point in Vista and Disk Cleanup in Vista.

#14 ramsqb13


Posted 05 June 2009 - 05:22 PM

I guess I spoke too soon. A Trend Micro program called RUBotted said that my PC was infected with a bot. I can barely connect to the internet most of the time. I have to refresh pages five or six times to get them to load most of the time. I ran Trend Micro's free online scan to catch the bot and any other stuff that has snuck in there. Problem is now that I can run Trend's scan three, four, five times right in a row and it's picking up trojans and other malware every time and not always the same ones over and over. I can also run AVG back to back to back and AVG finds multiple infections almost every time, as well. DrWebCureIt also finds multiple infections on back to back runs.

#15 quietman7


Posted 05 June 2009 - 09:53 PM

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.