Viral infected laptop

About 1 week ago I started to discover unwanted desktop icons - soon found out these were trojans and viruses infecting my hard drive (100 GB - preinstalled with Windows XP Home - I have no Windows installation disk). I was unable to boot up in Safe Mode as I got the following error (on the "blue screen of death"):

0x0000007B(0xF79c2524, 0xC0000034, 0x00000000, 0x00000000)

Dell tech support stated that I likely had a boot sector virus and recommended that I replace the hard drive.

I can boot up to my Windows login page, but before that the following error pops up:

loginui.exe application error - The exception Integer division by zero (0xC0000094) occured in the application at location 0x10ba204.

After this, I am sometimes able to start up into my desktop but cannot run any anti-spyware programs without crashing or wiping out my Desktop.

Any guidance on how to proceed to remove the infections would be much appreciated. Thanks very much in advance.

I have downloaded several anti-spyware programs onto my portable flash drive - would I be able to copy/paste onto the corrupted hard drive and then be able to run them to attack these viruses? Again any guidance would be much appreciated.

I should also add that I am unable to run Malwarebytes as I had that installed on the desktop of my Windows XP Home edition. Again any guidance here would be very much appreciated. Thanks.


Hi and welcome to Malwarebytes.

Please download Win32kDiag.exe by AD to your Desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report on your next reply.

-screen317

Chris,

Thanks for responding.

After a number of attempts, I was able to download the above link to my desktop and was able to copy it to my portable 5 GB hard drive. The issue I have is the download is a "desktop shortcut" and not an "application". Is there any way I can get this download to be an application? This would enable me to send you the diagnostic from an uninfected PC. I am having difficulty maintaining an internet connection on my laptop to be able to send you the diagnostic. Again your assistance and timely response would be appreciated.


Download the program from another computer, transfer it to the infected one via flash drive, run the tool on the infected computer, then copy the report to the flash drive, bring it back to the clean computer, and post the copied log to the forum from there.

-screen317

Chris,

Here is the diagnostic:

Running from: E:\Win32kDiag.exe

Log file at : C:\Documents and Settings\Jeff Dick\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Your assistance and timely response would be appreciated.

Thanks,

Jeff D.

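As an added example (not from the thread, and not part of the Win32kDiag tool): a small Python parser for the report format pasted above, pairing each "Found mount point" with its "Mount point destination" and flagging redirects that do not look like a normal volume mount point. The sample report inside the script is constructed from two of the entries quoted in the post plus one made-up benign entry, and the user path is a placeholder.

```python
"""Triage a Win32kDiag-style report: pair each 'Found mount point' line with
its 'Mount point destination' and flag redirects that do not look like a normal
volume mount point. Added example, not from the thread or the Win32kDiag tool."""
import re
from typing import List, Tuple

# Constructed sample: two entries copied from the report pasted in the thread
# (blank lines dropped) plus one made-up benign volume mount point for contrast.
SAMPLE_REPORT = """Running from: E:\\Win32kDiag.exe
Log file at : C:\\Documents and Settings\\user\\Desktop\\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\\WINDOWS'...
Found mount point : C:\\WINDOWS\\$hf_mig$\\KB904706\\KB904706
Mount point destination : \\Device\\__max++>\\^
Found mount point : C:\\WINDOWS\\$hf_mig$\\KB912945\\KB912945
Mount point destination : \\Device\\__max++>\\^
Found mount point : C:\\Mounts\\Data
Mount point destination : \\??\\Volume{11111111-2222-3333-4444-555555555555}\\
"""

MOUNT_RE = re.compile(r"^Found mount point\s*:\s*(.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+?)\s*$")

def parse_mount_points(report: str) -> List[Tuple[str, str]]:
    """Return (directory, destination) pairs in the order they appear."""
    pairs: List[Tuple[str, str]] = []
    pending = None
    for raw in report.splitlines():
        line = raw.strip()
        found = MOUNT_RE.match(line)
        if found:
            pending = found.group(1)
            continue
        dest = DEST_RE.match(line)
        if dest and pending is not None:
            pairs.append((pending, dest.group(1)))
            pending = None
    return pairs

def is_suspicious(directory: str, destination: str) -> bool:
    """mountvol targets \\??\\Volume{GUID}\\ and mklink targets \\??\\<path>;
    a directory redirected straight into the \\Device\\ namespace is neither.
    $hf_mig$ hotfix folders are plain directories, so any reparse point there
    is suspicious whatever it points at."""
    dest = destination.upper()
    if dest.startswith("\\??\\VOLUME{"):
        return False
    if dest.startswith("\\DEVICE\\"):
        return True
    return "$HF_MIG$" in directory.upper()

def triage(report: str):
    """Split the report into (suspicious, benign, warnings)."""
    warnings = [l.strip() for l in report.splitlines() if l.lstrip().startswith("WARNING")]
    suspicious: List[Tuple[str, str]] = []
    benign: List[Tuple[str, str]] = []
    for directory, destination in parse_mount_points(report):
        bucket = suspicious if is_suspicious(directory, destination) else benign
        bucket.append((directory, destination))
    return suspicious, benign, warnings

if __name__ == "__main__":
    sus, ok, warns = triage(SAMPLE_REPORT)
    print(f"{len(sus)} suspicious, {len(ok)} benign, {len(warns)} warning(s)", sus)
```

The script only reads what is in the report; as the next reply points out, a report copied before the tool finishes may be incomplete, and the "Could not get backup privileges" warning is surfaced so the reader knows some directories may not have been scanned.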

Looks like you didn't let the program run till completion; wait for the black box to close before copying the log over please.

Chris,

Attempted to run the program again and the desktop went gray. Also tried to reboot several times only to get the blue screen with the error code (at top left of screen):

STOP: c0000218

Any guidance here would be much appreciated.

Thanks,

Jeff D.

Hi Jeff,

Can you not boot at all anymore? Please reboot to Last Known Good Configuration (tap the F8 key just before Windows starts to load and select the Last Known Good Configuration option from the menu).

Next, we need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by Swandog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy".
    Files to move:
    C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\eventlog.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Next, try running MBAM.

After that, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

Chris,

I attempted several times to reboot with LNC and any other way possible that I can think of. Each time I get from the Windows XP logo to the beginning of the desktop only to have the screen go blue with the previous error message I had before (at top left hand corner of screen):

STOP: c0000218

From there, no keystrokes work except for shutting the machine down. I can and have been able to run a PSA (pre-boot System Assessment) on my Dell Inspiron E1705 laptop - though it takes a couple of hours, there are no issues with any of the hardware of the laptop, including my obviously heavily virus-infected HDD (100GB).

Again any guidance here would again be very much appreciated.

Thanks,

Jeff D.


Assuming you have your Windows XP CD, follow the instructions in this Microsoft article to fix the boot issue:

http://support.microsoft.com/Default.aspx?kbid=307545

Chris,

There was no Windows XP CD - it was pre-installed (OEM) on the laptop. I accessed the article and was able to start the recovery via the Recovery Console screen. I was able to copy all of the temp/delete/repair files except when I tried to copy this one:

copy c:\windows\repair\system c:\windows\system32\config\system

I got the following error:

Windows could not start because the following file is missing or corrupt:

\WINDOWS\SYSTEM32\CONFIG\SYSTEM

1) Is there a way around this to execute the recovery?

2) I have another Windows XP CD - could I incorporate this to install or do I have to have a completely new HDD to do this?

The preference here would be to have a solution connected with 1) rather than 2).

Again any guidance here would be much appreciated.

Thanks,

Jeff D.

Boot from the XP CD, enter the Recovery Console by pressing R, then when you are presented with the command prompt, try all of the commands from Microsoft again.

md tmp

copy c:\windows\system32\config\system c:\windows\tmp\system.bak

copy c:\windows\system32\config\software c:\windows\tmp\software.bak

copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak

copy c:\windows\system32\config\security c:\windows\tmp\security.bak

copy c:\windows\system32\config\default c:\windows\tmp\default.bak

delete c:\windows\system32\config\system

delete c:\windows\system32\config\software

delete c:\windows\system32\config\sam

delete c:\windows\system32\config\security

delete c:\windows\system32\config\default

copy c:\windows\repair\system c:\windows\system32\config\system

copy c:\windows\repair\software c:\windows\system32\config\software

copy c:\windows\repair\sam c:\windows\system32\config\sam

copy c:\windows\repair\security c:\windows\system32\config\security

copy c:\windows\repair\default c:\windows\system32\config\default

-screen317

Chris,

I am not sure exactly what sequence to use to "boot from the xp cd" - the only way to get access to the cd drive is to press the power button to turn the laptop on. After inserting the xp cd, I turned the laptop off and on again. I assume this is what you mean when you say to "boot from the xp cd". Also, the only way I can enter the Windows Recovery Console is to press "Enter". I tried using "r" with no success. The two options given for which operating system to use are:

Microsoft Windows Recovery Console (the choice I should make)

Windows XP Media Center Edition

After typing the first "copy" line, I get the following error:

The system cannot find the file specified.

How do I know that the xp cd is being recognized? I tend to think it is not being recognized.

The next 4 "copy" lines were able to copy.

The first "delete" line after I typed it displayed this:

No matching files were found.

The next 4 "delete" lines had no errors.

The first "copy/repair" line displayed the following:

The system cannot find the file specified.

I was able to copy the remaining 4 "copy/repair" lines.

Is there a step-by-step process for this?

From there I can only "EXIT" to boot up which I get:

"Windows could not start because the following file is missing or corrupt"

\WINDOWS\SYSTEM32\CONFIG\SYSTEM

The xp cd I have is NOT the original Setup CD-Rom.

I am stuck at this point.

Any guidance here again would be much appreciated.

Thanks,

Jeff D.


Hi Jeff,

You need to change the boot order from the BIOS to boot from the CD.

See here:

http://pcsupport.about.com/od/fixtheproble...orderchange.htm

Chris,

I was able to boot from the cd, but still received the same errors (precisely as entered from the previous post) when typing the copy/delete/repair lines for SYSTEM

Any guidance here again would be much appreciated.

Thanks again,

Jeff D.

Chris,

Do I need to reinstall Windows using the xp CD (booting from the CD and selecting the user agreement instead of selecting "r" to repair the registry)? Or is there a solution to this without doing this?

After attempting to boot up, the following sequence occurs:

Use the up and down arrow keys to move the highlight to your choice.

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS\system32\ntoskrnl.exe

" " " " " " \hal.dll

" " " " " " \KDCOM.DLL

" " " " " " \BOOTVID.dll

" " " " " " \config\system

" " " " " " \config\system.alt

Windows could not start because the following file is missing or corrupt:

\WINDOWS\SYSTEM32\CONFIG\SYSTEM

You can attempt to repair this file by starting Windows Setup using the original Setup CD-ROM.

Select "r" at the first screen to start repair.

All the " marks are just repeating the same lines displayed - I did not feel like typing each line over again. This is where I am at. I am sensing a dead end here. Hopefully you can prove me wrong and we can come up with a solution.

Your assistance and timely response would again be appreciated,

Thanks,

Jeff D.

Just to add to this - this attempt to start up the laptop was after selecting safe mode.


My apologies for the delay.

Please attempt a Repair Install of Windows (do NOT confuse that with a format and reinstallation).

See this guide for details:

http://michaelstevenstech.com/XPrepairinstall.htm

Let me know how it goes.

-screen317

Chris,

Sorry for the delay.

I tried to Repair Install and was unable to get anywhere with this - unless I am doing something procedurally wrong. The install does not recognize a version of Windows on the laptop. I think this is because the XP CD I had in the disk drive did not match the OEM version (maybe product key #'s and administrator password are different). The prompt was to put in a proper version of the Windows CD - it seems to be another dead end.

Any assistance would again be appreciated,

Thanks,

Jeff D.


Hi Jeff,

At this point it may be in your best interest to format and reinstall XP with the disk you have. It will start fresh with an installation of XP and the boot issues will be gone. Let me

Alternatively, open up a ticket with Microsoft to see if they can provide some insight.

-screen317

Chris,

I bit the bullet and got the tech support from Dell - did a Parallel Operating System reinstallation (I now have a WINDOWS and WINDOWS1 operating system) - lost desktop icons and some pictures, but was able to clean up the registry errors and viruses: got into Task Manager & initially deleted "Antivirus Pro" from the folder (after getting into registry through the task bar) - was able to run ComboFix (twice), then ran Malwarebytes (there were 617 trojans/viruses), then ran SuperAntiSpyware. Once this was done, I went into Safe mode and ran Malwarebytes and SuperAntiSpyware again. After this was done, I installed the free 60 day trial version of Norton Anti Virus 2010. So far, so good - able to see the attempted attacks on my laptop through Norton's Security history.

Cost me almost $250, but will have 1 year of unlimited technical support from them. This fix spread over 2 nights, about 5 hours of phone time, and another 5 hours of virus scans, so getting the Anti-Virus protection here is a no-brainer.

I have actually started two other posts - the 2nd one can be ignored, but the 3rd one involves a different laptop, so if you or another available staff member could read and address this, it would be very much appreciated.

Thanks,

Jeff D.


Thanks for letting me know.

Post a link to the topic for the other laptop and I'll take a look. Also post a link to the topic you want me to close.

Chris,

Here is the link (post) for the 2nd laptop:

http://www.malwarebytes.org/forums/index.p...mp;#entry147784

The other topic link that can be closed:

http://www.malwarebytes.org/forums/index.p...mp;#entry144646

Your assistance and timely response would again be appreciated,

Thanks,

Jeff D.
