
Loader.exe - now cannot boot computer


This topic is locked
5 replies to this topic

#1 ncantor

Posted 28 July 2010 - 09:51 AM

Yesterday, I started receiving pop-ups on my computer. Numerous instances of iexplore.exe were running, but no IE was visible. I noticed that two programs were running with a description of "File Loader" - they were loader.exe and smss.exe. I searched the internet and found numerous sites detailing this same behavior, so I reset my computer to start in safe mode and run MBAM from safe mode. Unfortunately, after the computer shut down, it would not turn on again. Now it simply powers on and sits at a black screen. I can get to BIOS setup, but cannot seem to get any further than that. All the sites I have seen relating to this loader.exe/smss.exe did not describe this detail - no one seemed to be unable to boot up afterwards. Any help would be much appreciated.

(Running Windows Vista 64-bit.)

#2 ncantor

Posted 30 July 2010 - 07:01 AM

Update: I was able to load a second hard drive with a clean install of Windows 7 (only temporarily - the key I have is for an upgrade, not a clean install). Using this, I can boot with the corrupt drive as a slave. I ran Hijackthis and MBAM, but I'm not sure how much good it will do, since the loaded registry is for the new OS. Here are the logs from HJT and MBAM. Any help would be much appreciated - I still can't boot on the secondary drive, but I can access it and add/delete files. Is there a way to change the registry of the OS on the secondary drive? Not sure if that would even help, since I can't seem to detect where the problems actually are.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:47:44 AM, on 7/30/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Noah\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 3852 bytes


----------------------------------------------MBAM------------------------------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4368

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

7/30/2010 6:39:14 AM
mbam-log-2010-07-30 (06-39-14).txt

Scan type: Full scan (C:\|F:\|G:\|)
Objects scanned: 666629
Time elapsed: 1 hour(s), 42 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
F:\Users\Noah\AppData\Local\Temp\csoawnxmer.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
F:\Users\Noah\AppData\Local\Temp\xocnswaerm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
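The question above about reaching the registry of the OS on the secondary drive is exactly what offline hive loading is for. The script below is an added example, not from this thread or from any of the tools it mentions: run from an elevated PowerShell on the clean Windows 7 install, it loads the infected drive's SOFTWARE hive (the F: letter comes from the MBAM log; the temporary key name OfflineSW and the Vista/7 baseline values are assumptions) under a temporary key, lists the Winlogon and Run autostart entries, flags anything that departs from the baseline or names loader.exe / an smss.exe outside System32, and unloads the hive again. It only reads; it changes nothing on the slave drive.

```powershell
# Added example: review autostart entries in an OFFLINE SOFTWARE hive from a drive
# mounted as a secondary disk. Requires an elevated prompt. Assumed values:
# hive path on the slave drive (F:) and the temporary mount name 'OfflineSW'.
param(
    [string]$HiveFile  = 'F:\Windows\System32\config\SOFTWARE',
    [string]$MountName = 'OfflineSW'
)

$mount  = "HKLM\$MountName"     # form used by reg.exe
$psPath = "HKLM:\$MountName"    # form used by the PowerShell registry provider

# Locations that an OS reads at logon; checked in both the native and WOW6432Node views.
$locations = @(
    @{ Key = 'Microsoft\Windows NT\CurrentVersion\Winlogon';          Names = @('Shell', 'Userinit', 'Taskman') },
    @{ Key = 'Microsoft\Windows\CurrentVersion\Run';                  Names = $null },
    @{ Key = 'Microsoft\Windows\CurrentVersion\RunOnce';              Names = $null },
    @{ Key = 'WOW6432Node\Microsoft\Windows\CurrentVersion\Run';      Names = $null }
)

# Baseline for a default Vista/7 install whose system drive was C: when it last booted.
$expected = @{ Shell = 'explorer.exe'; Userinit = 'C:\Windows\system32\userinit.exe,' }

& reg.exe load $mount $HiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HiveFile (run elevated; hive must not be in use)" }

try {
    foreach ($loc in $locations) {
        $key = Join-Path $psPath $loc.Key
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # With Names = $null, report every value in the key (minus the provider's PS* properties).
        $names = if ($loc.Names) { $loc.Names } else {
            $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
        }
        foreach ($n in $names) {
            $v = $props.$n
            if ($null -eq $v) { continue }
            $flag = ''
            if ($n -eq 'Taskman') { $flag = 'NOT PRESENT BY DEFAULT' }
            if ($expected.ContainsKey($n) -and $v -ne $expected[$n]) { $flag = 'DIFFERS FROM BASELINE' }
            if ($v -match 'loader\.exe' -or ($v -match 'smss\.exe' -and $v -notmatch '\\System32\\')) { $flag = 'SUSPICIOUS NAME' }
            '{0,-12} {1,-10} {2}  {3}' -f ($loc.Key -replace '.*\\', ''), $n, $v, $flag
        }
    }
}
finally {
    [gc]::Collect()                      # drop provider handles so the unload succeeds
    & reg.exe unload $mount | Out-Null
}
```

Per-user Run entries live in each profile's NTUSER.DAT (for example F:\Users\Noah\NTUSER.DAT), which can be loaded the same way; a value that points into a user's Temp folder, like the two files MBAM quarantined, is the kind of entry this listing is meant to surface.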


#3 ncantor

Posted 30 July 2010 - 04:39 PM

Note - in case this wasn't clear, the logs from HJT and MBAM are both from a run on the clean Windows 7 OS. MBAM scanned the infected drive (F:\) but apparently didn't find anything amiss other than those two from the temp folder. After running MBAM, I still couldn't boot from the infected OS.

Edited by Budapest, 03 August 2010 - 01:32 AM.
Moved from AII ~BP


#4 Elise (Malware Study Hall Admin)
Posted 07 August 2010 - 08:31 AM

Hello and sorry for the delay.

Are you able to press F8 on startup and, if so, do you get the Windows boot options?

regards, Elise

Malware analyst @ Emsisoft


#5 ncantor

Posted 09 August 2010 - 10:11 AM

You can close this thread - I've solved my problem. I probably didn't do it in the best manner possible, but it's solved nonetheless.

#6 Elise (Malware Study Hall Admin)
Posted 09 August 2010 - 10:36 AM

Glad to hear you solved it. :)

This topic will now be closed.

regards, Elise
