
tried to remove virtumonde now XP won't boot


19 replies to this topic

#1 clain

clain

  • Members
  • 15 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 10 January 2010 - 06:34 PM

I tried to remove virtumonde following the directions here http://www.bleepingcomputer.com/virus-remo...undo-virtumonde. After following the instructions I shut off the computer.

Next day I started up the computer, and it booted fine. I wanted to run Malwarebytes again, so I ran rkill (just to make sure nothing was still running from virtumonde), then installed Malwarebytes (since parts of it got deleted during the removal of virtumonde, according to the directions on the site given earlier), clicked on update, and during the update the computer restarted.

I don't know if there was an error message as I wasn't watching the computer at the time. The computer restarted then went to the safe mode options screen. I try to boot up in safe mode, loops back to the safe mode options screen, try last known config, loops again. Comp is stuck in a reboot loop so I have to hold in the power button to get it to shut down. I wait a few mins then start it up again, back in the boot up loop.

I haven't attempted to do anything more with it. I do not want to lose data on it as the computer is not mine. I have a new hard drive to put in it so I can pull this hard drive. What would be the safest course of action to maintain as much data on the hard drive as I can? Should I try to get XP to boot up or just pull the drive and slave it to try to recover the data? Is virtumonde doing this or is it a separate issue? If I slave the drive and copy the data will virtumonde tag along to a new computer with the recovered data?

I don't have any logs, but here is a list of the problem files malwarebytes found:

Agent2.AERR
Clicker.AEJJ
FakeAlert.LF
Virtumonde
Backdoor.bot
Trojan.Koblu
Malware.Trace
Trojan.Agent
Rootkit.Agent
Disabler.SecurityCenter
Trojan.Downloader
Spyware.Passwords
Trojan.Dropper
Trojan.FakeAlert
Trojan.Scan
Adware.Minibug
Trojan.Inject

Are all of these infections from virtumonde, or did I have several different infections? I had run AVG prior to Malwarebytes and it only picked up virtumonde and said it removed it; Spybot also only picked up virtumonde and also said it had removed it, but neither had, since Malwarebytes also picked it up.

Any suggestions are much appreciated.

Edited by Pandy, 10 January 2010 - 07:51 PM.
Moved from HijackThis Logs and Virus/Trojan/Spyware/Malware Removal as no logs were posted. ~Pandy



#2 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:02:33 PM

Posted 10 January 2010 - 08:56 PM

Let's start with the following and see what happens:

Get a look at the error message presented by the BSOD (blue screen of death) ....
  • Start tapping the F8 key after you press the ON button, and continue tapping until you are presented with the "Windows Advanced Options Menu" screen.
  • Use the UP/DOWN arrow keys to select "Disable automatic restart on system failure" and press the <ENTER> key.
  • Your system will attempt to restart normally, but when it crashes, it will not re-start: Instead, you will see a BSOD with error message.
  • Record the error message details, and post in this thread.


Try the following ...
  • Start tapping the F8 key after you press the ON button, and continue tapping until you are presented with the "Windows Advanced Options Menu" screen.
  • Use the UP/DOWN arrow keys to select "Last known good configuration", and press the <ENTER> key.
  • The computer will attempt to load Windows.
  • If Windows does not start, try the same thing again .... and continue trying for at least 10 times, before you rule that option out as a means of getting your OS up and running again, normally.
Why 10 times? Based on past experience, a successful result is sometimes achieved after several consecutive failed attempts.
AustrAlien
Google is my friend. Make Google your friend too.


#3 clain

clain
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 10 January 2010 - 09:53 PM

Thank you very much for your reply.

I started the computer and tapped F8, which got me to the safe mode screen. Usually when I got here before there was a line at the bottom that said something (don't remember what it was) and it would count down from 30 until it would restart again ... hence the restart loop. This time that last line was there and it started to count down, then it just went away.

The computer is currently at the safe mode screen and my options are

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt

Last Known Good Configuration (your most recent setting that worked)

Start Windows Normally

Those are my only options.

I haven't chosen anything. Should I skip the "Disable auto restart" direction and go ahead and try the last known good config option 10 times?

#4 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:02:33 PM

Posted 10 January 2010 - 10:04 PM

Yes, it won't hurt to try that first.

Then keep trying to start ... tapping F8 ... and you should get the option to "Disable ... "
AustrAlien
Google is my friend. Make Google your friend too.


#5 clain

clain
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 10 January 2010 - 10:12 PM

Selected last known good config; it attempted to restart, I saw a flash of a BSOD and tapped F8, which got me to a screen that says:

Please select the operating system to start:

Windows XP Media Center Edition
Microsoft Windows Recovery Console

At the bottom it says "For troubleshooting and advanced startup options for Windows, press F8".

Should I consider selecting one of these new options, or just carry on and press F8 to see if I get the disable autorestart option?

Sorry for being dense, I'm just very much wanting to save as much data on the drive as possible so don't want to mess things up.

thank you very much again for your help and your patience!

#6 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:02:33 PM

Posted 10 January 2010 - 10:16 PM

Please select the operating system to start:

Windows XP Media Center Edition
Microsoft Windows Recovery Console

Select your operating system.

You have installed the Recovery Console: That is interesting to know.
AustrAlien
Google is my friend. Make Google your friend too.


#7 clain

clain
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 10 January 2010 - 10:34 PM

Tried "last known config" 10+ times, still no option to "disable auto restart".

Just a bit of info, don't know if it's relevant, but from the Windows splash screen it goes to the flash of the BSOD, then starts over again to the startup where it lists stuff, gets to Detecting IDE Drives, then lists to Fourth Channel, then goes to the safe mode screen.

All I am able to see on the BSOD is "A problem has been detected", looks like about 3 paragraphs of stuff, then "Technical" something at the end.

#8 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:02:33 PM

Posted 10 January 2010 - 11:02 PM

Selected last known good config, it attempted to restart, saw a flash of a BSOD and tapped F8 which got me to a screen that says:

Please select the operating system to start:

Windows XP Media Center Edition
Microsoft Windows Recovery Console

Get to this screen again, and choose "Microsoft Windows Recovery Console" and press the <ENTER> key.
  • The Recovery Console will ask which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would type the number associated with the installation you would like to work on and press the <ENTER> key. If you have just one Windows installation, type 1 and press <ENTER>.
  • You will be prompted for the Administrator's password. If there is no password, (and this is most likely), simply press <ENTER>.
  • You will be presented with a C:\Windows> prompt. (Please advise if you are not seeing a C:\WINDOWS> prompt.)
At the C:\Windows> prompt, type chkdsk /p and press <ENTER> (Note: There is a space between "chkdsk" and "/p")
  • This test will take some time to run and at times may appear stalled but just let it run.
  • If any errors are found/repairs made, run chkdsk /p again, and repeat if necessary.
Type "exit" at the prompt and press <ENTER> to close the Recovery Console and restart your system.

Does Windows start normally now?
-------------------------------------------

I want you to look at the STOP code, right after the word "STOP" and right under the word "Technical" next time a BSOD goes flying by ....

Edited by AustrAlien, 10 January 2010 - 11:05 PM.

AustrAlien
Google is my friend. Make Google your friend too.


#9 clain

clain
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 10 January 2010 - 11:16 PM

Thank you very much for your continued help and patience.

I was at the safe mode screen, chose last known and spammed F8 in hopes of getting to the "select operating system to start" screen. This time I was taken to the safe mode screen again but it had the "disable auto restart" option. Chose that option, restarted, got to the BSOD. BSOD is as follows:

A problem has been detected and Windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to be sure you have adequate disk space. If a driver is identified in the Stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical information:

*** STOP: 0x0000007E (0xC0000005, 0x8AFFE113, 0xB84FB7B8, 0xB84FB4B4)

#10 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:02:33 PM

Posted 10 January 2010 - 11:55 PM

0x0000007E: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
A system thread generated an exception which the error handler did not catch. There are numerous individual causes for this problem, including hardware incompatibility, a faulty device driver or system service, or some software issues. Check Event Viewer (EventVwr.msc) for additional information.

Source: http://aumha.org/a/stop.htm

Not a helpful message: Could be anything!

How are you going with the RC and running chkdsk /p ?
AustrAlien
Google is my friend. Make Google your friend too.


#11 clain

clain
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 11 January 2010 - 12:07 AM

Figures the stop error wouldn't be helpful, lol. I'm not lucky enough for it to have been.

Running the chkdsk atm, will report back once it's finished.

#12 clain

clain
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 11 January 2010 - 12:18 AM

  • This test will take some time to run and at times may appear stalled but just let it run.
  • If any errors are found/repairs made, run chkdsk /p again, and repeat if necessary.

Just to clarify, should I keep running chkdsk /p until there are no more errors found? Ran it once and it found "one or more errors on the volume", so am running it again.

#13 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:02:33 PM

Posted 11 January 2010 - 12:22 AM

Should I keep running chkdsk /p until there are no more errors found? Ran it once and it found "one or more errors on the volume", so am running it again.

Run it 3 times if necessary.

If there are still errors being reported on the third run, let me know.
AustrAlien
Google is my friend. Make Google your friend too.


#14 clain

clain
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 11 January 2010 - 12:25 AM

No errors after the second run; typed exit and the computer restarted. Windows did not come up, it went to the safe mode screen again, the one without the disable restart option.

Won't start in safe mode or last known config either.

Edited by clain, 11 January 2010 - 12:57 AM.


#15 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:02:33 PM

Posted 11 January 2010 - 01:44 AM

I do not want to lose data on it as the computer is not mine. I have a new hard drive to put in it so I can pull this hard drive. What would be the safest course of action to maintain as much data on the hard drive as I can?

I think it would be a good time to consider your suggested other option.

Pull the infected HDD out of the box, and replace it with the new one.
Install XP with all updates and all protection programs ... antivirus, anti-spyware etc.
When that is completed, then you can consider connecting the infected HDD and scanning it, before copying the personal files to the new HDD.

Note: Files with the following extensions should not be backed up:
  • .exe
  • .scr
  • .htm
  • .html
  • .xml
  • .zip
  • .rar
  • .asp
  • .php

To see the file extensions, show hidden and system files and folders by doing the following:
  • Launch Windows Explorer by opening "My Computer". On the menu bar, go to Tools > Folder Options > and click on the "View" tab.
  • Using the scroll bar at the side of the dialog box, find and check-mark "Show hidden files and folders", UNcheck "Hide protected operating system files (Recommended)", and also UNcheck "Hide extensions for known file types".
  • Click "Apply to All Folders", click "Apply" and click "OK".

The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml), because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them, as some types of malware can penetrate and infect .exe files within compressed files too. Other types of malware may even disguise themselves by adding and hiding their extension behind the existing extension of a file, so be sure you look closely at the full file name. Then make sure you scan the backed-up data with your anti-virus prior to copying it back to your hard drive.

Again, do not back up any data with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.

Source: quietman7 http://www.bleepingcomputer.com/forums/ind...t&p=1390964

I know you have some other unanswered questions, but I want to get this posted now, so you can proceed.
AustrAlien
Google is my friend. Make Google your friend too.




