Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

XP failed to start after I removed XP Internet Security 2011


  • This topic is locked This topic is locked
5 replies to this topic

#1 iamindeepshit

iamindeepshit

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 16 April 2011 - 07:34 PM

Hi All! My first post, please forgive if I make any mistake in posting's etiquette.

Short version:

Windows XP failed to start after a complete virus scan with Bit-Defender from Trinity Rescue Kit 3.4. The machine was heavily infected with malwares that took several scans to remove.

Long and detailed version:

Windows XP SP3 32-bit was infected with the infamous XP Internet Security 2011 and some other nasty malwares (windows disk fix, spyware cease, some FakeAV). After some researching, I was able to successfully removed XP Internet Security 2011 in safe mode with rKill and Malwarebytes. Everything is good and all but I still feel unsafe since for some reason the machine doesn't let me install an AV on it. I tried both Avast and AVG in safemode and normal mode but they all failed for some reason that I forgot to record down. I tried to scan with ClamWin from the USB and it caught one bastard: Trojan.FakeAV-5181. But I don't feel ClamWin is robust and adequate enough so I loaded Trinity Rescue Kit 3.4 onto a CD, boot up from the disc, and scan the whole machine with Bit-Defender. It found nothing but after restarting, Windows failed to boot since then.

A list of options would show up. If choose "Start Windows Normally", it'd go to the splash screen and the bar would load for a while then a BSOD would flash up really quickly before restarting. "Last Known Good Configuration" is the same, it would just restart but without the BSOD. "Safe Mode" also failed, it'd load to "\WINDOWS\system32\DRIVERS\agp440.sys" before giving up and restart Attached File  photo.JPG   269.79KB   3 downloads .

I tried to boot up with Hiren's Boot CD but the machine would give off a long, continuous beep. Have to restart with CTRL+ALT+DELETE.

During the time I was battling with XP Internet Security 2011. I saw some warning about hard-drive failure but I didn't really pay attention to it because I thought it might be false warning generate by one of the malwares. I wonder if it could be a coincidence. Every event listed happened all in one day. NOTE that after I removed the malwares, Windows was back to normal, it booted up ok and everything was functioning. It just failed right after I scan with Bit-Defender.

Your helps and suggestions are greatly appreciated.

Edited by iamindeepshit, 17 April 2011 - 01:29 AM.
Resized font to normal, moved from XP forum to Am I Infected.


BC AdBot (Login to Remove)

 


#2 iamindeepshit

iamindeepshit
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 17 April 2011 - 12:55 AM

Ok, so for the past hour I've tried several things. I think the crux of the problems is the agp440.sys as Safe Mode always halts when Windows attempts to load it. I booted off a Windows XP disc and go into the recovery console and try to run chkdsk /p as suggested over here but it still doesn't work. I then followed this guide from Microsoft to disable agp440.sys. No result either. I've also tried to fixmbr, fixboot. Nothing seems to work.

Someone out there must know the answer to this. Please help!

Edited by iamindeepshit, 17 April 2011 - 12:59 AM.


#3 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:02 PM

Posted 17 April 2011 - 10:19 PM

Hi, :welcome:

Lets give it a try.

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD, in others is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1


    Leave a space among the following Statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to backup just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#4 iamindeepshit

iamindeepshit
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 23 April 2011 - 02:11 AM

Oh wow, you're the only one who attempt to help me. Thanks a bunch but it's too late I've reformatted the hard-drive. What I did is I installed a fresh copy of Windows on a different hard-drive then install MBAM, Avast, and AVG. I then use those to scan the infected hard-drive. Avast found a total of 13 viruses, all with high severity. I think it failed to remove 2 of them. Here's a screenshot. Should have save the logs but I didn't.
http://i.imgur.com/6vgyg.png
Spybot found these
http://i.imgur.com/97ohy.png

But after all the scans and removal. The infected hard-drive still fails to boot. The computer still reboots on its own with a BSOD prior to restarting. I chose the disable automatic restart windows option and the BSOD stays.
http://imgur.com/HsJGx

My guess is the virus must have infected a very important boot file or something to render windows unable to start.

Hey thanks for trying to help anyway. I appreciate it.

#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:02 PM

Posted 23 April 2011 - 10:01 AM

Since this still happens after a format, perhaps the boot sector of the drive is still infected.

Download GETxPUD.exe to the desktop of a clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Once this process is completed, download Dumpit by noahdfear to the USB drive.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD, in others is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see the file dumpit in your USB drive and double click on it.
  • After it has finished a report will be located in your USB drive named mbr.zip
  • Attach this file to a reply

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:02 PM

Posted 27 April 2011 - 11:19 PM

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users