
Windows won't boot after trojan


3 replies to this topic

#1 HEXno


Posted 30 November 2010 - 03:07 AM

Hello,

Well, I've never had a virus this bad actually cripple my computer. Today, I apparently got a trojan from visiting a website. I knew something was wrong right away because McAfee shut down and then restarted, except that I now know (believe) it was a fake antivirus. It looked exactly like McAfee, and "McAfee" warned me that a program wanted permission right around the time of visiting this site. So, I said block, and "McAfee" prompted saying a restart was needed to get rid of the virus. I've never seen this prompt, and like an idiot, clicked restart. Some other stuff was happening too, like Chkdsk prompts, and a really weird prompt claiming to be, like, Windows Security Essentials. It sort of looked like the Windows Update window for XP, except it was designed differently.

That's pretty much everything that went on, the computer restarted, and now Windows won't boot. No Windows load screen. It also won't boot into Safe Mode. Last Known Good Configuration doesn't work either. Nothing loads at all. I can try to provide more details later, but I can't remember much more than what I already listed.

So, what do I do? I've been downloading various boot cds like UBCD, AVG Rescue CD, Hiren's BootCD, etc. AVG command line found nothing wrong, at least the scan I did. I'm currently running Hiren's BootCD and using SuperAntiSpyware whatever and finding the trojans, but Windows still won't boot at all. I'm trying more things but I need expert help. Please, please help! Thank you in advance.


UPDATE: I don't even know what I'm doing really, but for some reason, I was able to boot my full Windows using Hiren's BootCD's option "Boot from the Hard Drive (XP)." Windows then booted (normally) off my hard drive. So, I was back on my desktop, which is good, except I still can't boot Windows normally (Safe Mode or otherwise) without the assistance of Hiren's BootCD. Also, the trojans still seem to be present, because everything appeared to load properly, except that McAfee still seems suspect. Probably most interesting is that I tried to run regedit to see what the SafeBoot keys looked like (I'm assuming the trojan destroyed them) and what do you know, I got a prompt saying, "The registry editor has been disabled by your administrator." Yeah, that's new, because I never did that, and it worked fine before all this. It also might be worth noting that when I put in my XP disc and tried using the DOS recovery options, it asked for the administrator password. My password to log onto Windows doesn't work. So, did the trojan set its own administrator password? It seems to have definitely made some major changes and I'm locked out, like from regedit (that's all I've tried so far). On the XP restore disc, at that password prompt, if I just hit enter, it brings the command line up, "C:/WINDOWS" but then I don't know how to use any of the commands. So, why does it ask for the password if it just lets me onto this command line, or perhaps I'm not really on the command line. Point is I don't know how that disc should really operate because I've never used it. So, with the new info, how should I proceed?

Edited by HEXno, 30 November 2010 - 12:18 PM.




#2 HEXno


Posted 30 November 2010 - 12:18 PM

UPDATE 2: Windows still won't boot normally or in Safe Mode. The only way I can load Windows and get to my desktop is through the Hiren option I mentioned above. I've now run a quick scan with Malwarebytes, turning up a whole list of hits for a trojan, including a confirmation on what I suspected above; regedit feature was locked out, among many other things. I then restarted and still no boot. Went back in through the Hiren option, did a full scan with Malwarebytes and McAfee; McAfee reports nothing, Malwarebytes turned up three more hits for the same trojan, still infecting folder options and two other things. Also found access restored to regedit console. Restarted again. Unfortunately, Windows still will not load normally. Currently running chkdsk /r command using Windows XP CD.

#3 HEXno


Posted 03 December 2010 - 01:22 AM

UPDATE 3: Chkdsk finished and claimed to have fixed a few errors. I then initiated chkdsk /p after being notified there was nothing wrong with the drive and this time it didn't say it fixed any errors, but still no Windows boot and no safe mode. Also ran SuperAnti's... "Restore Safe Mode..." feature to no avail.

Although Windows not booting is the primary concern, there is also the issue of this trojan not going away even after about 5 "removals" using Malwarebytes. I ran HJT and there are numerous suspect entries, so hopefully someone can tell me which ones to remove using HJT to permanently (I hope) get rid of this trojan. Removing the trojan doesn't seem to restore a proper boot, but that could be the remaining 3 hits (even though they only say it involves "nofolderoptions" and regedit). So, does anyone have any ideas on how I can get Windows to boot normally and in safe mode? Shall I attempt a Restore Point, or is going forward better?

I'm ready to post the HJT log as soon as I can get it off that comp and onto another one to post here, so I can proceed in removing the trojan permanently with HJT. Thanks in advance for any advice.

#4 dpasch


Posted 07 January 2011 - 12:40 PM

I have a fix for you.

Ran into this today.

You're going to need an XP install CD to get into the Recovery Console to do fixmbr.

You probably have the Alureon trojan in the MBR, like the PC I fixed today. It will rewrite a new MBR and should fix your problem.



