
Infection by unknown trojan--can't boot even in safe mode



#1 Jen S.

  • Members
  • 6 posts

Posted 31 October 2009 - 03:47 AM

Hello, I'm hoping that someone can help me.

Even with my antivirus and antispyware programs, I still managed to pick up several trojans. After visiting one site that McAfee said was safe, McAfee then told me that it quarantined 3 trojans. I immediately left the site, closed everything, and ran Superantispyware (SAS). It picked up a host of spyware programs with an additional 5 trojans. When I was trying to quarantine/remove them, SAS said that the computer needed to be restarted before the trojans could be completely removed so I restarted my laptop. However, once I did that, I never could get my system to boot up completely again. Since I thought I was getting everything cleaned up, I didn't write down the name of any of the trojans; and, unfortunately, I don't remember a single one of them. I also don't recall that any of the names even looked familiar, and I'm fairly certain that no names were repeated so I believe they were all different trojans.

I'm running Windows XP SP3. If I turn on the system and let things just run on their own, it goes to the user logon screen. An error message then pops up that says XP will restart in about a minute (the seconds are counted down) due to an error in "c:/windows/system32/services.exe" with the specific problem being at 1073741482. If I try to boot the system without waiting for that error message, I can click on one of the system users. It then acts like it's going to log on the user and fully boot but then goes to the log-off sound with the message that the user is being logged off.

I have tried to boot in safe mode and in the last known working configuration. I am unable to get any further with either mode. I do have the XP Recovery Console available (as well as the XP3 Recovery CD). I did try to see if I could fix things using the recovery console that was already loaded on the system. I was able to run chkdsk /r, and it said that it found and fixed some errors. However, when I tried to run bootcfg /scan, it said there was a fatal error that was preventing it from running and suggested running chkdsk again. I did that, but it still didn't help. I know there's a virus removal command for the console, but I was a little afraid to try it since I really don't know what I'm doing. I don't know if it makes a difference, but I don't have the original OEM XP disks....just the recovery disk.

I don't know what else to do since I can't get to any of the antispyware/antivirus programs on my system, nor can I get to the Internet or any programs at all. So, I'm not sure if or how I could even think about generating a HJT log or any other log. I have Internet access through my husband's laptop. Before posting this topic, I did read through several related topics posted here in this forum (also one of your volunteers had helped me remove a Virtumondo infection earlier this year) so I'm familiar with using files that you post. However, I don't know how I will even be able to run them on my laptop since it won't even fully boot even in safe mode.

Please let me know if you need more information, and thank you in advance for your help! I really appreciate it!

Best regards,
Jennifer


#2 quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,745 posts

Posted 31 October 2009 - 08:41 AM

It can be difficult to determine what exactly caused this problem. Bootup failure can be due to a variety of issues to include application faults, hardware failures, loose pin connections or malware. Startup failures that occur before the OS loader (Ntldr) starts could indicate missing or deleted files, or damage to the hard disk master boot record (MBR), partition table, or boot sector. If a problem occurs during startup, the system might have incompatible software or drivers, incompatible or improperly configured hardware, or corrupted registry/system files. However, the first thing to do is check all your hardware connections and ensure they are fitted properly.

If you cannot bootup or logon in normal or safe mode, then your options are limited. You may be able to use a Windows XP bootable Floppy Disk to boot from a diskette instead of your hard drive. If your hard drive's boot sector or Windows' basic boot files have been corrupted, this disk will circumvent the problem and boot you into Windows. If you don't have an emergency boot floppy, you may be able to use one created on another PC running Windows XP but there's no guarantee that it will boot your machine.

Another option is to create a Bootable CD:

These are links to Anti-virus vendors that offer free LiveCD or Rescue CD utilities that are used to boot from for repair of unbootable and damaged systems, rescue data, scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability.

If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Note: In order to use a rescue disk, the boot order must be set to start from the CD-ROM drive. If the CD is not first in the boot order, the computer will attempt to start normally by booting from the hard drive. The boot order is a setting found in the computer's BIOS which runs when it is first powered on. This setting controls the order that the BIOS uses to look for a boot device from which to load the operating system. The default will normally be A:, C:, CD-ROM. Different computers have different ways to enter the BIOS. If you're not sure how to do this, refer to:

If at some point, you are able to boot up but have difficulty running programs, you can try using the VIPRE Rescue Program - the size of the downloaded application is large. This is a utility designed to scan and clean a computer which is so badly infected that most programs cannot run. Virus definitions are included and the program is self-running once executed. All scans include Rootkit Detection. Be sure to print out and follow the instructions provided on the same page for running under Windows or with the Command Line option from Safe Mode with Command Prompt.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 Jen S.

  • Topic Starter

  • Members
  • 6 posts

Posted 31 October 2009 - 01:46 PM

Thank you for the information! I will go through all this tonight and post the outcome ASAP.

#4 AustrAlien

    Inquisitor


  • Members
  • 6,772 posts

Posted 31 October 2009 - 04:34 PM

Jen S.

FYI: Google 1073741482 : It is a common problem.

The way to get around the imminent shutdown is ...
When you get the reboot prompt, go to the command line
Start > Run > and type "cmd" and press the ENTER key.
Type "shutdown -a" and press the ENTER key.
This will abort the reboot.

FYI: See the following link ...
Windows Xp Shuts Down - help Required
http://www.bleepingcomputer.com/forums/t/259928/windows-xp-shuts-down-help-required/

There may be a possible complication in your case if you cannot log in at all, and cannot access the command line to prevent the imminent shutdown. Please let us know if this is the case, with details of what you have tried, and what happens, and we will try and work out a way around it.
AustrAlien
Google is my friend. Make Google your friend too.

#5 quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,745 posts

Posted 31 October 2009 - 11:47 PM

No one should follow specific instructions provided to someone else especially if they were given in the HijackThis forum. Those instructions were given under the guidance of a trained staff expert to help fix that particular member's problems, NOT YOURS. Before taking any action, the helper must investigate the nature of the malware issues and then formulate a fix for the victim. Although your problem may be similar, the solution could be different based on the kind of hardware, software, system requirements, etc. and the presence of other malware. Using someone else's fix instructions could lead to disastrous problems with your operating system.

In the MajorGeek thread, the user was instructed to use and post a log from Combofix. Please note the message text in blue at the top of this forum.

You should not be using Combofix unless instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for general public or personal use. Combofix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Further, ComboFix logs are not permitted outside the HijackThis Logs and Malware Removal forum and then only when requested by a HJT Team member. However, the HJT Team members are all volunteers who contribute to helping members as time permits but currently there is a backup and you may have to wait for assistance. Referrals are made to the HJT forum if we cannot assist you in this forum.