
IS 2010 Infected and can no longer boot


60 replies to this topic

#1 Chris28


Posted 20 January 2010 - 02:10 PM

Trying to remove "Internet Security 2010" from an HP Pavillion a1034n (XP Home Edition SP3). Attempted to boot in safe mode and the computer no longer boots. I have a bootable CD and am able to access the recovery console. FIXMBR command appears to have no effect. When set to "not reboot after failure" blue screen error remains. Error "Code":

Stop: 0x0000007E (0xc0000005, 0x80537009, 0xF792E508, 0xF792E204)

Any thoughts on how to 1) get the maching to boot and 2) remove "Internet Security 2010"?


#2 AustrAlien


Posted 20 January 2010 - 09:04 PM

Chris28
Welcome to BC :thumbsup:

Please describe the steps you have taken so far to deal with the infection and what may have resulted in rendering your computer un-bootable.

Let's get you started with the first task ....

Download &/or build yourself a bootable CD that also has the facility to edit the Windows registry off-line. Any of the following will be ideal and also enable you to recover your files if necessary.

Hiren's BootCD (my first preference, but could be illegal depending on your particular jurisdiction)
http://www.hirensbootcd.net/

UBCD4Win (you need to build it using an XP installation CD)
http://www.ubcd4win.com/index.htm

BartPE (smallest download, you need to build it using an XP installation CD)
http://www.nu2.nu/pebuilder/
How to Create a BartPE Bootable CD Using PE Builder
http://www.winhelponline.com/blog/create-b...ing-pe-builder/

When you have the bootable CD burned and established that you can boot from it, we can try to get your system back up and running again.
Once you are able to boot from one of the above CDs, I recommend that you back up your personal files to an external USB hard drive or CD/DVD or such like, in case we are not successful.
-----------------------------------

Instructions using BartPE, to remove the malware, Internet Security 2010

There are a number of ways to go about this, and a number of tools to choose from, so I have had to make a choice, and hope that you can follow this without too much trouble. If there is any problem along the way, please stop and post your question/problem with details of where exactly you are up to.

1. Use the following guide to create a BartPE bootable CD: How to edit the registry offline using BartPE boot CD ?
http://windowsxp.mvps.org/peboot.htm
2. Then use that same guide and the BartPE CD to edit the Windows registry in the exact fashion used in the guide example. Please be very careful, very exact, and post if you have any problem whatsoever.


3. When you have completed the above, again using BartPE, please look for the following folders/files and delete them if found.
  • c:\s
  • c:\Program Files\InternetSecurity2010 <<< delete this folder and all its contents
  • c:\WINDOWS\system32\41.exe
  • c:\WINDOWS\system32\winhelper86.dll
  • c:\WINDOWS\system32\winlogon86.exe
  • c:\WINDOWS\system32\winupdate86.exe
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
    C:\Documents and Settings\<username>\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
  • %UserProfile%\Desktop\Internet Security 2010.lnk
    C:\Documents and Settings\<username>\Desktop\Internet Security 2010.lnk
  • %UserProfile%\Start Menu\Internet Security 2010.lnk
    C:\Documents and Settings\<username>\Start Menu\Internet Security 2010.lnk
Source: Remove Internet Security 2010 (Uninstall Guide) Posted by Grinler on December 10, 2009
http://www.bleepingcomputer.com/virus-remo...t-security-2010


4. Now restart your computer normally, removing the BartPE CD.
Does your system start normally now? If so, we will now be able to continue with the malware removal using the "normal" methods.

Best of luck.
AustrAlien
Google is my friend. Make Google your friend too.


#3 Chris28


Posted 20 January 2010 - 10:54 PM

Thanks for the quick response :thumbsup:

What I've done so far...

I was able to boot, but could not close down the continual IS2010 pop-ups. Went into MSCONFIG and set it to boot in Safe Mode. From that point on things have not gone well. Since my initial post I built and ran the AVIRA Rescue CD. It was able to run and found several threats. The new BSOD Stop is *** Stop: 0x0000007B (0xF792E524, 0xC0000034, 0x0000000, 0x0000000). Working now to build Bart's PE.

#4 AustrAlien


Posted 20 January 2010 - 11:25 PM

Went into MSCONFIG and set to boot in Safe Mode. From that point on thing have not gone well.

Carry on building your BartPE bootable CD. When you are able to boot from it and get to the BartPE Desktop, I want you to fix the problem that you have created by forcing SafeBoot using MSCONFIG.

Using the BartPE CD, boot from it and browse your hard drive. Look for the "boot.ini" file located on the system drive (usually C: drive)

C:\boot.ini

Open the file boot.ini with a text editor (it is a simple text file).
Delete the following switch: /safeboot:minimal
(If in any doubt, copy the content of the boot.ini file and post it here.)
Save the file and close it.

(You should now be able to boot and load Windows normally (not into Safe Mode)?)

Edit: On second thoughts, at this stage I would like you to test starting Windows normally. If it is able to load normally (albeit with popups), well and good; continue with the remainder of the instructions. If however, you are confronted with a STOP 0x7B BSOD error message, please let me know.

Carry on with the remainder of my instructions using BartPE
I am not sure that you will now need to bother editing the registry (or simply checking the registry entry) as suggested earlier. If you are able to remove most of the Internet Security 2010 files, it will make things easier for when you do attempt to start and use Windows.

Do not worry at this stage if you cannot start Windows in Safe Mode (that may have been disabled by the infection).


Use the instructions in the following link as a first step ...
Remove Internet Security 2010 (Uninstall Guide)
Posted by Grinler on December 10, 2009

Do not post in the HJT/Malware Removal forum as suggested in that link (they are very busy).
Instead, post the entire contents of the log from MBAM in this thread, and we will clean up the left-overs with you here.

Let me know how you get on.

Edited by AustrAlien, 20 January 2010 - 11:30 PM.

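An added example (not from this thread) of the boot.ini repair described in the post above, done as a script instead of by hand in a BartPE text editor: it strips the /safeboot switch that MSCONFIG's Safe boot option appends to the [operating systems] entries, leaves the [boot loader] section alone, and clears the read-only attribute that normally blocks saving boot.ini. The sample boot.ini content is constructed, and the file path passed to fix_boot_ini is an assumption.

```python
import os
import re
import stat

# Constructed boot.ini, in the state MSCONFIG leaves it after "Safe boot" is ticked
SAMPLE_BOOT_INI = (
    "[boot loader]\n"
    "timeout=30\n"
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\n"
    "[operating systems]\n"
    'multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Home Edition"'
    " /noexecute=optin /fastdetect /safeboot:minimal\n"
)

# Matches " /safeboot", " /safeboot:minimal", " /safeboot:network",
# " /safeboot:minimal(alternateshell)" and so on, including the leading space.
SAFEBOOT_RE = re.compile(r"\s+/safeboot(?::\w+(?:\([a-z]+\))?)?", re.IGNORECASE)


def strip_safeboot(text):
    """Return boot.ini text with every /safeboot switch removed from the
    [operating systems] entries; other sections are passed through untouched."""
    out = []
    in_os = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_os = (s.lower() == "[operating systems]")
        elif in_os and "=" in s:
            line = SAFEBOOT_RE.sub("", line)
        out.append(line)
    return "\n".join(out) + "\n"


def fix_boot_ini(path):
    """Rewrite boot.ini at `path` in place. Returns True if a /safeboot switch
    was removed, False if the file was already clean (nothing is written then).
    boot.ini carries the read-only attribute, which is what stopped the save
    in the BartPE editor, so it is cleared before writing."""
    with open(path, "r") as f:
        original = f.read()
    fixed = strip_safeboot(original)
    if fixed == original:
        return False
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)   # clear read-only
    with open(path, "w", newline="\r\n") as f:     # keep Windows line endings
        f.write(fixed)
    return True
```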

#5 sjwis


Posted 20 January 2010 - 11:47 PM

I recognized it immediately as an attack and pulled the plug. On the next boot, my desktop was lime green and I unplugged immediately.
Took PC to my vendor. He was unable to get to safe mode.
He removed the drive and moved it to another PC (where it was not the boot drive) to run malwarebytes.

In approximately 24 hours time he also had two laptops brought in with the same problem, both were worse off than mine as the OS had been corrupted.

Hoping this is helpful.

In my opinion, pulling the plug is the wrong approach with these hijack trojans. They want you to be able to use your PC to mail them money. They are aggressive at burrowing into your machine at bootup. It may be better to immediately run malwarebytes at the first sign of hijacking icons.

#6 Chris28


Posted 21 January 2010 - 09:04 AM

:thumbsup: Feeling a bit dense here - how do I browse using Bart - nothing jumps out at me.

#7 Chris28


Posted 21 January 2010 - 09:06 AM

Check that - figured it out

#8 Chris28


Posted 21 January 2010 - 09:11 AM

The ini file is marked "read-only" and will not allow me to save the changes. Can I alter the attributes using Bart PE?

#9 Chris28


Posted 21 January 2010 - 09:13 AM

Seems whenever I post I figure it out shortly thereafter - sorry to those reading...

#10 Chris28


Posted 21 January 2010 - 09:19 AM

Ok - made the change to the boot.ini file and am still not able to boot Windows normally. However, I do get a new error *** Stop: 0x0000007B (0xF78E3524, 0xC0000034, 0x0000000, 0x0000000). Let me know how you would like me to proceed.

Continuing with prior instructions using Bart PE.

Edited by Chris28, 21 January 2010 - 09:46 AM.


#11 AustrAlien


Posted 21 January 2010 - 10:02 AM

I do get a new error *** Stop: 0x0000007B

Using BartPE, please browse to

C:\Windows\system32\drivers <<< folder

and look for the file "atapi.sys".
Let me know whether it is present or not.

#12 Chris28


Posted 21 January 2010 - 10:31 AM

Sorry AustrAlien - did not see your post. I completed the other Bart PE changes and went to boot and got the following message:
<Windows root>\System32\hal.dll - file missing.

Checking now for the C:\Windows\system32\drivers\atapi.sys

C:\Windows\system32\drivers\atapi.sys is not present

C:\Windows\system32\drivers\atapi.sys.XXX is present

H:\HP_Recovery\system32\drivers\atapi.sys is present in the HP Recovery Console as is \System32\hal.dll - which BTW I cannot execute via F10 at startup.

Edited by Chris28, 21 January 2010 - 10:37 AM.


#13 AustrAlien


Posted 21 January 2010 - 10:55 AM

C:\Windows\system32\drivers\atapi.sys is not present

C:\Windows\system32\drivers\atapi.sys.XXX is present

It seems that the Avira Rescue CD has identified the file atapi.sys as infected, and renamed it: hence the 7B STOP error.

Note: When working with BartPE, you may notice a delay .... a LARGE delay .... when attempting to perform the following actions.
Be prepared to be PATIENT !
It may take 3 minutes or more .... to simply perform the action "Copy" ... and then likewise the action "Paste".


Please navigate to

C:\WINDOWS\ServicePackFiles\i386 <<< folder

and locate the file atapi.sys.
Right-click on it and choose "Copy".

Navigate to

C:\Windows\system32\drivers <<< folder

and right-click in a vacant area and choose "Paste".
You should now have a copy of the file atapi.sys in the drivers folder.

Shut down with BartPE, remove the CD and allow Windows to start normally.
What happens?
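An added example (not from this thread) of the atapi.sys check and restore described in the post above: it reports whether atapi.sys is missing from the drivers folder and whether a rescue scanner left a renamed copy such as atapi.sys.XXX behind, then copies the cached driver from ServicePackFiles\i386 back into place. The renamed file is deliberately kept rather than deleted, so it can still be examined later. The directory tree in demo() is constructed in a temporary folder as a stand-in for C:\WINDOWS, and the demo() helper itself is an assumption.

```python
import os
import shutil
import tempfile

DRIVER = "atapi.sys"


def diagnose_drivers(drivers_dir):
    """Return (present, renamed): whether atapi.sys exists in drivers_dir and
    a sorted list of renamed leftovers such as atapi.sys.XXX or atapi.sys.vir."""
    names = os.listdir(drivers_dir)
    present = DRIVER in names
    renamed = sorted(n for n in names if n.lower().startswith(DRIVER + "."))
    return present, renamed


def restore_driver(drivers_dir, sp_cache_dir):
    """If atapi.sys is missing, copy the clean cached copy from the service
    pack cache (C:\\WINDOWS\\ServicePackFiles\\i386 on a real system) into
    drivers_dir. Returns the restored path, or None if nothing needed doing.
    Any renamed copy is left in place so it can be inspected afterwards."""
    present, _ = diagnose_drivers(drivers_dir)
    if present:
        return None
    src = os.path.join(sp_cache_dir, DRIVER)
    if not os.path.isfile(src):
        raise FileNotFoundError("no cached %s at %s" % (DRIVER, src))
    dst = os.path.join(drivers_dir, DRIVER)
    shutil.copy2(src, dst)   # copy, not move: the cache stays intact
    return dst


def demo():
    """Constructed stand-in for C:\\WINDOWS after the rescue CD renamed the
    driver; returns the diagnosis before and after the restore."""
    root = tempfile.mkdtemp()
    drivers = os.path.join(root, "system32", "drivers")
    sp_cache = os.path.join(root, "ServicePackFiles", "i386")
    os.makedirs(drivers)
    os.makedirs(sp_cache)
    with open(os.path.join(drivers, DRIVER + ".XXX"), "wb") as f:
        f.write(b"renamed by rescue scanner")   # constructed placeholder content
    with open(os.path.join(sp_cache, DRIVER), "wb") as f:
        f.write(b"clean cached driver")         # constructed placeholder content
    before = diagnose_drivers(drivers)
    restore_driver(drivers, sp_cache)
    after = diagnose_drivers(drivers)
    return before, after


if __name__ == "__main__":
    print(demo())
```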

#14 Chris28


Posted 21 January 2010 - 11:30 AM

Ok - working on that. What about the missing file <Windows root>\System32\hal.dll?

#15 AustrAlien


Posted 21 January 2010 - 11:36 AM

Ok - working on that. What about the missing file <Windows root>\System32\hal.dll?

That message is usually a furphy .... a red herring ... a little misleading if literally interpreted.

Did you check with BartPE to see if it was actually missing? I expect that it will be where it should be, and not missing at all.
Let me know what you see.