Windows Safe Mode Virus


8 replies to this topic

#1 T.o.d.d


Posted 04 March 2011 - 06:41 PM

Hello,

Earlier today my laptop was taken out by a virus, possibly a parasite. There had been a few errors throughout the day; my laptop is well maintained, but I didn't think anything of the messages, and I am usually capable of fixing a problem.
The browser crashed, and I shut the machine off; when it rebooted it went to safe mode. A window marked 'Windows Safe Mode' popped up after the login screen, and it proclaimed that my hard drive had failed, and there was massive data loss, etc.
I figured this was a ploy, so I tried the usual tricks to circumnavigate the screen, but everything else has been disabled.

On doing some research, there are a few people affected by this, and no one seems to have an answer.

People are generally not reading the problem and just suggesting futile pieces of software to install, BUT only this virus screen can be seen. No task manager, no obvious way around; this is in and out of safe mode, with and without network access.
I can get to the command prompt via safe mode, but I haven't used DOS for well over a decade, and don't want to risk messing.
I have looked at the settings in the 'safe mode' where it has options like "dont activate on start up", but that didn't work, though I didn't expect it to. If you close the window, it just goes through the "must scan defective hdd" nonsense again.

I have considered an OS re-installation, but I am on Vista, and don't have a CD as they seem to have stopped issuing them. And I am doubtful that will work, short of a full format.

Does anyone have any ideal solutions please? (That doesn't involve installing something)



#2 strolln


Posted 05 March 2011 - 10:55 AM

My daughter's computer had this yesterday as well. She encountered a popup that told her she had a disk failure and would she like to install "Windows Safe Mode"? She clicked yes! Arrgghh!

I was able to remove it by booting with a BitDefender Rescue CD. After BitDefender removed it there were still some remnants left such as Task Manager disabled and the desktop background was locked into the screen indicating Safe Mode. However, I now had access to everything else on the machine so I did a System Restore to several days back and that took care of the last 2 remnants.

Hope this helps.
To Err is human; to really foul things up requires a Bleeping Computer!

#3 JerinDS


Posted 05 March 2011 - 04:29 PM

I had this issue on my General Manager's computer today. I was so frustrated and defeated I didn't even think of the obvious. Here is how I defeated this beast using System Restore.

1. Restarted in safe mode with command prompt (was lucky enough to get cmd up)

2. Here is the file path for System Restore: C:\windows\system32\restore\rstrui.exe

After the restore and reboot I ran rkill and Malwarebytes to make sure, and the computer is fully functional.

It worked for me; hopefully it works for you!

Good Luck

Edited by JerinDS, 05 March 2011 - 04:42 PM.


#4 RSBjr


Posted 05 March 2011 - 07:13 PM

Arrgh. I just got the same virus about an hour ago and I am not terribly computer savvy. I tried following JerinDS's instrx but to no avail. I got to cmd prompt through safe mode and typed in restore\rstrui.exe but it says it is not a recognized command. Is it different for Vista Business? Any help is appreciated.

Edited by RSBjr, 05 March 2011 - 07:28 PM.


#5 T.o.d.d

  • Topic Starter

Posted 05 March 2011 - 10:23 PM

> I had this issue on my General Manager's computer today. I was so frustrated and defeated I didn't even think of the obvious. Here is how I defeated this beast using System Restore.
>
> 1. Restarted in safe mode with command prompt (was lucky enough to get cmd up)
>
> 2. Here is the file path for System Restore: C:\windows\system32\restore\rstrui.exe
>
> After the restore and reboot I ran rkill and Malwarebytes to make sure, and the computer is fully functional.
>
> It worked for me; hopefully it works for you!
>
> Good Luck

Thanks for this. I caved in the end and went looking for an OS disk, although it is still re-installing, so potentially still not resolved yet. I'll see how the reinstall goes and shall update from there.

#6 magicmonster65


Posted 07 March 2011 - 10:41 AM

Jerin, you're a legend, your method worked for me.

#7 TheHaaz


Posted 08 March 2011 - 01:29 AM

This thing frustrated me before I went to work, and after I got off I messed with it for a half hour or so. Not sure if this is different with different OSes or not, but for me (XP PRO SP3) I found something easy that worked.

After booting in any mode, sign in to any account. NOTE: DO NOT CLICK ANYTHING HAVING TO DO WITH THE POPUPS... once you click something it kicks in... if you leave it alone it will just sit there... you may get a few system tray balloons, but ignore them.

Once I got the dialog box speaking of boot disk failure I just opened Utility Manager with Windows+U, then clicked the help button on the Utility Manager. When the help index came up I clicked options and internet options. From there I clicked settings under browsing history, then clicked view files. I was then given an explorer menu and subsequently explorer finished booting.

At this point I still had task manager disabled by "administrator", so I navigated through the registry to hkey_current_user/software/microsoft/windows/currentVersion/policies/system and deleted the value called DisableTaskMgr... (or set the value to "0"). Once I was able to open task manager I closed the processes I found harmful and continued searching for those .exe files on the disk.

I still consider myself a novice at this type of thing, but I guess I managed to get rid of all the crap associated with it. I ran a scan and fix with AdAware free version and I guess that cleaned up a bit more. After a reboot I have had no problems in the last 24 hours or so. (fingers crossed) I hope this helps.

Edited by TheHaaz, 08 March 2011 - 01:30 AM.


#8 ste125


Posted 08 March 2011 - 07:50 AM

Hi all, I'm new here and first time I've posted on a forum. I got the safe mode virus yesterday and went online on another computer for help as mine was disabled by that safe mode virus. Just want to say a big thank you to JerinDS for the advice as it worked a treat.

#9 Elise

  • Malware Study Hall Admin

Posted 08 March 2011 - 08:18 AM

> so I navigated through the registry to hkey_current_user/software/microsoft/windows/currentVersion/policies/system and deleted the value called DisableTaskMgr...(or set the value to "0"). Once I was able to open task manager I closed the processes I found harmful and continued searching for those .exe files on the disk.

It is not recommended to manually edit the registry without first making a backup! Likewise, I do not recommend deleting files if you are not absolutely sure what they are.

Furthermore, please make sure to read this topic: Instructions for posting advice in Am I Infected

A good way to back up the registry is Erunt:

BACKUP THE REGISTRY
---------------------------
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft
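
Added example, not part of any post in this thread: a batch file for the Safe Mode command prompt that exports the HKCU policies key to a .reg file before deleting only the DisableTaskMgr value discussed above, then reports where rstrui.exe is, since it sits in System32\restore on Windows XP but directly in System32 on Vista and later. The backup file name is an assumption; the commands are the stock reg.exe ones.

```bat
@echo off
setlocal
rem Added example, not from the thread. BACKUP is an assumed file name.
set "KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
set "BACKUP=%USERPROFILE%\policies-system-backup.reg"

rem 1. Back up the key first; change nothing if the backup cannot be made.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo Key not present for this user: nothing to back up or change.
    goto restore
)
if exist "%BACKUP%" (
    echo %BACKUP% already exists. Move it aside and run this again.
    goto restore
)
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 (
    echo Backup failed: leaving the registry untouched.
    goto restore
)
echo Backed up %KEY% to %BACKUP%

rem 2. Show the current DisableTaskMgr value, then delete only that value.
reg query "%KEY%" /v DisableTaskMgr
if errorlevel 1 (
    echo DisableTaskMgr is not set for this user.
) else (
    reg delete "%KEY%" /v DisableTaskMgr /f
)

:restore
rem 3. Find System Restore: System32\restore on XP, System32 on Vista and later.
set "RSTRUI="
if exist "%SystemRoot%\System32\rstrui.exe" set "RSTRUI=%SystemRoot%\System32\rstrui.exe"
if exist "%SystemRoot%\System32\restore\rstrui.exe" set "RSTRUI=%SystemRoot%\System32\restore\rstrui.exe"
if defined RSTRUI (
    echo System Restore is at "%RSTRUI%"
) else (
    echo rstrui.exe was not found under %SystemRoot%\System32
)
endlocal
```

To undo the registry change, run `reg import` on the backup file.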