Windows 7 boot loop after malware removal

I was wondering if anyone can walk me through restoring quarantined items that Malwarebytes removes via command line. I looked through the FAQ, but can't seem to figure it out. Here's my situation:

I have a laptop running Windows 7 64-bit Home Premium SP1 and it got infected with the 2012 fake antivirus and the TDSS trojan. I was able to install and update Malwarebytes without an issue, turned off System Restore, downloaded Kaspersky's TDSSKiller, rebooted into Safe Mode, and scanned for malware. Malwarebytes removed about 12 things or so and TDSSKiller found about 2 or 3 instances which it removed.

Now after the removal, I can't boot back up into Windows. I've tried booting normally, into safe mode, safe mode w/ networking, last known good configuration, disable auto restart on BSOD, etc. Every option still kicks over into a boot loop. I have also tried running Windows 7 Startup Repair from both the F8 screen and from booting from my Windows 7 disk and it can't find anything to repair. I've also tried booting into my Windows 7 disk and running "sfc /scannow /offbootdir=d: /offwindir=d:\windows" and that comes back with "Windows Resource Protection did not find any integrity violations."

I would like to try a Windows repair installation (or in-place upgrade if you may), but can't start this without first booting into Windows. Is there any way I can use the command line utility from the Windows disk to run Malwarebytes to restore what it had removed?

Thanks,

Justin


What type of laptop is this? 90% of newer laptops have a hidden recovery partition you can boot into which will bring your laptop back to new. It will be like the first day you turned it on. But unfortunately you will lose any documents or pictures. Windows 7 has a backup and recovery program built in? Did you use it? What it does is create a system image to be stored on an external hard drive.


I'm not wanting to restore the laptop with the recovery partition or reinstall Windows unless I just have to. I'm just wanting to see if I can repair the system files or registry entries that were affected by Malwarebytes' removal of some of the threats found so I can try something else. If anyone knows of a trick (since it's unsupported) to run a repair installation on Windows 7 as you could on Windows XP without the ability to first boot into Windows, I would gladly take that advice as well.

Thanks,

Justin


Hello and welcome to Malwarebytes

Since you were infected, it was most likely the infection that caused your computer to no longer boot. You mentioned you ran TDSSKiller and found 3 items. It could very well have been the rootkit removal as well. We normally do not like to run Malwarebytes in safe mode unless asked to do so by one of our experts. That being said, you will have to continue this with one of our experts and they will guide you in the right direction to get your computer back up.

Since you are/were infected, here are the steps needed to get your computer cleaned....

Please read the following so that you can begin the cleaning process:

Don't use any temporary file cleaners unless requested - this can cause data loss and make recovery difficult

You have 3 Options that you can choose from as listed below:

  • Option 1 —— Free Expert advice in the Malware Removal Forum
  • Option 2 —— Paying customer -- Contact Support via email
  • Option 3 —— Premium, Fee-Based Support

OPTION 1

As we don't deal with malware removal in the General Malwarebytes' Anti-Malware Forum, you need to start a topic in the Malware Removal forum so a qualified helper can help you fix any malware related problems/infections you may have.

  • Please read and follow the directions here (http://www.malwarebytes.org/forums/index.php?showtopic=9573), skipping any steps you are unable to complete.
  • After posting your new post, make sure under options, you select Track this topic and choose Immediate Email Notification,
    so that you're alerted when someone has replied to your post.

NOTE: Please do not post back to (bump) your topic within the first 48 hours.

Replying to your own posts changes the post count and helpers are looking for topics with zero replies.

If you reply to your own post helpers may think that you're already being helped and thus overlook your post.

  • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.
    Or
  • You may send a Private Message to a Moderator asking for assistance.

OPTION 2

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org or here (http://helpdesk.malwarebytes.org/home)

OPTION 3

If you would like to use our Malwarebytes Premium Services, Comprehensive solutions to all your computer support needs—from installation and set-up to troubleshooting and tune-ups go to our Malwarebytes Premium Services support site here (http://www.malwarebytes.org/premium-support.php)

Please be patient, someone will assist you as soon as possible.

PS: Please use the "Add Reply" button not the Reply button when you start replying.


Thanks for the reply Firefox, but this computer definitely is not infected anymore. We have run multiple scans on the hard drive from other computers with Malwarebytes, Microsoft Security Essentials, and Sophos SBE Antivirus and they find no infections on this drive now.

If there's no help for utilizing Malwarebytes via command line, then I guess I'll try elsewhere. Unfortunately it's looking more like I'll have to reload Windows, but this topic: http://www.bleepingcomputer.com/forums/topic434870.html shows an enormously similar problem to mine that I'm currently working through. Hopefully this will get it so I can boot back up.

I just have no clue why Microsoft would change certain things that make my life easier (aka - no Windows repair installation from disc & harder boot configuration editing). Oh well...

Thanks again,

Justin


  • Staff

I would follow firefox's advice. Following someone else's topic could make matters worse as it could be a different reason for you not booting.

I would probably start by looking in the root of your Windows drive for the TDSSKiller log. This is more than likely the culprit of your problem as what it does is replace infected drivers and such from a TDSS infection. It's extremely rare that Malwarebytes alone would cause a boot loop. I would double check the drivers it replaced.


Thanks again for your replies. I had gone back and looked through the logs for the scans that I ran and I do believe that the reboot loop problem came after the quarantine actions that Malwarebytes took. I had posted wrong information in my original post as I was working off of little sleep (plus I have about 8 laptops and 3 desktops that I'm working on). TDSSKiller actually didn't find and remove any threats as I had run that last. I had also run Dr. Web CureIt antivirus scanner, which had removed a couple of items (will post below). Malwarebytes was the program that had really quarantined the most.

Here's what was found in each scan:

Dr. Web:

  1. [Memory scanning] Process in memory: C:\Windows\SysWOW64\PING.EXE:2000 infected with BackDoor.Tdss.565 - eradicated
  2. >C:\Windows\system32\consrv.dll/data001 - infected with BackDoor.Maxplus.90
  3. >C:\Windows\system32\consrv.dll/data002 - infected with BackDoor.Maxplus.90
  4. C:\Windows\system32\consrv.dll - archive contains infected objects - moved

Malwarebytes:

  1. Registry Keys Detected: 1
    HKCR\AH (Rogue.MultipleAV) -> Quarantined and deleted successfully.
  2. Registry Values Detected: 2
    HKCR\.exe\shell\open\command| (Hijack.ExeFile) -> Data: "C:\Users\Justin\AppData\Local\vhc.exe" -a "%1" %* -> Quarantined and deleted successfully.
    HKCR\ah|Content Type (Rogue.MultipleAV) -> Data: application/x-msdownload -> Quarantined and deleted successfully.
  3. Registry Data Items Detected: 1
    HKCR\.exe| (PUM.HijackExefiles) -> Bad: (i8) Good: (exefile) -> Quarantined and repaired successfully.
  4. Files Detected: 5
    C:\Users\Justin\AppData\Local\fwq.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
    C:\Users\Justin\AppData\Local\vhc.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
    C:\Users\Justin\Documents\4kIS1.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
    C:\Users\Justin\Documents\vw0C4u.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
    C:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> Quarantined and deleted successfully.

TDSSKiller:

  1. No threats found. (Ran last)

I have researched a bit about the consrv infection that Dr. Web had found and searched the registry (from Startup Repair) to see if there were any keys pointing to the "consrv.dll" file, but there were none.

I can browse through and see the files in Malwarebytes' quarantine folder, but am unsure of how I can restore these since I can't boot into Windows to just check to see if I can get the system to boot back up. I looked again for a complete list of command line utilities for Malwarebytes, but was unable to find any directions on restoring these files.

Again, any and all help is appreciated. If Malwarebytes doesn't have this sort of capability via command line or if I can't manually open the quarantine archive and re-import the registry keys and copy over the infected files, please let me know so I'll not keep searching for this. If it doesn't have this capability, I would greatly suggest adding it to future versions of Malwarebytes.

Thanks again,

Justin


  • Staff

There is no way to restore quarantined files offline. The files in quarantine are modified by mbam so they will no longer run.

All the files you listed:

C:\Users\Justin\AppData\Local\fwq.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.

C:\Users\Justin\AppData\Local\vhc.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.

C:\Users\Justin\Documents\4kIS1.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.

C:\Users\Justin\Documents\vw0C4u.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.

C:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> Quarantined and deleted successfully.

Would never cause a no boot situation. All those would load only after you log in to your account. If you are never making it into where your user account loads then Malwarebytes is not the issue.

Personally this looks like an incomplete removal of the Maxplus rootkit by Dr. Web.

http://blog.crosbydr...epair-windows-7

http://threatpost.co...e-appear-052411

The first link should be your exact issue. You searched for consrv.dll and that would never pull up the key that is the culprit. It only has consrv under it.

This is getting out of scope here for the general forum so if you need further advice please follow firefox's post and an expert will help you get this repaired.
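A small triage script, added here as an example and not part of this thread or of Malwarebytes, that parses detection lines in the log format Justin quoted and applies the reasoning in the post above (per-user items only take effect after logon, so they cannot explain a pre-logon boot loop) to pick out which detections to check first. The sample lines are constructed from the quoted log; the consrv.dll line and the location heuristic are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the Malwarebytes log format quoted in the thread. The last
# line is invented to stand in for the consrv.dll that Dr. Web moved (its own log
# uses a different format), so the machine-wide case is represented too.
SAMPLE_LOG = r"""
HKCR\AH (Rogue.MultipleAV) -> Quarantined and deleted successfully.
HKCR\.exe\shell\open\command| (Hijack.ExeFile) -> Data: "C:\Users\Justin\AppData\Local\vhc.exe" -a "%1" %* -> Quarantined and deleted successfully.
HKCR\.exe| (PUM.HijackExefiles) -> Bad: (i8) Good: (exefile) -> Quarantined and repaired successfully.
C:\Users\Justin\AppData\Local\fwq.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> Quarantined and deleted successfully.
C:\Windows\system32\consrv.dll (BackDoor.Maxplus.90) -> Quarantined and deleted successfully.
"""

LINE_RE = re.compile(r"^(?P<loc>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
REPAIR_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")

@dataclass
class Detection:
    location: str        # registry key/value ("key|value") or file path
    threat: str          # detection name, e.g. Hijack.ExeFile
    details: List[str]   # e.g. 'Data: ...' or 'Bad: (..) Good: (..)'
    action: str          # e.g. 'Quarantined and deleted successfully'

def parse_log(text: str) -> List[Detection]:
    """Parse detection lines; headers, counts and blank lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts = m.group("rest").split(" -> ")
        found.append(Detection(m.group("loc"), m.group("threat"),
                               parts[:-1], parts[-1].rstrip(".")))
    return found

def repaired_value(d: Detection) -> Optional[Tuple[str, str]]:
    """(bad, good) pair for 'repaired' entries, e.g. ('i8', 'exefile')."""
    for part in d.details:
        m = REPAIR_RE.search(part)
        if m:
            return m.group("bad"), m.group("good")
    return None

# Assumption (heuristic, not a Malwarebytes rule): HKCR/HKCU associations and
# files inside a user profile only matter once that user has logged on.
USER_SESSION_PREFIXES = ("hkcr\\", "hkcu\\", "c:\\users\\")

def user_session_only(d: Detection) -> bool:
    return d.location.lower().startswith(USER_SESSION_PREFIXES)

def boot_suspects(dets: List[Detection]) -> List[str]:
    """Locations worth checking first when the machine fails before logon."""
    return [d.location for d in dets if not user_session_only(d)]
```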


If you have the most recent version of the TDL rootkit, it creates a hidden encrypted partition and apparently moves the boot code there. I have this trojan, and just restored my computer to its factory state, and it still will not boot due to this manipulation of the boot code. Still trying to figure out how to get by it...


  • Root Admin

I am going to be closing this topic now as mentioned this is well beyond the scope of the General forum.

Also if you're working on that many systems

(plus I have about 8 laptops and 3 desktops that I'm working on)

Then I'm guessing this is probably some type of business which should be using a corporate licensed version of our software and you should be contacting support on an issue like this before it gets into a booting issue.

Please contact Corporate Support

In order to assist you better please provide the following information

Cleverbridge Order Reference Number:

Organization name:

Approved Contact name:

If you no longer have access to the order number you can contact Cleverbridge to obtain information about your order.

Cleverbridge customer service

If this is not a business and you want further assistance then please post a new topic in the HJT forum as requested by FireFox

Thank you


This topic is now closed to further replies.