Windows fails to boot


Yesterday, one of my clients needed assistance with removal of the malware "Antivirus xp 2008". I directed her to download and run your product in safe mode. She ran the app, and followed the procedure to remove the results. After attempting to reboot, she is now in a loop. All forms of safe mode will not start the machine. The farthest it will get is the splash screen.

I am going to see if a system restore can be done. Is there any additional information you can provide?

Thanks in advance.


  • Staff

MBAM is not designed to be run from safe mode and should only be used that way as a last resort if regular mode is not able to be reached.

MBAM uses advanced drivers that allow a regular mode scan to actually find and remove MORE malware.

The rogue infection you are talking about uses nothing but simple exes and regular load points, nothing that can break a system, so there is more to this than just that rogue.

Now for the issue at hand, I need to know some more info.

Was system restore on before this happened? If it was turned off we will have very few options.

Do you have either the ability to slave the problem drive to another machine or have a boot disk?

Have you tried last known good as a boot option?


MBAM is not designed to be run from safe mode and should only be used that way as a last resort if regular mode is not able to be reached.

Was system restore on before this happened? If it was turned off we will have very few options.

Do you have either the ability to slave the problem drive to another machine or have a boot disk?

Have you tried last known good as a boot option?

Regular mode could not be used, as the machine was rejecting its use.

Assuming that the machine was a default configuration, system restore would be turned on by default. I doubt the user would have turned it off.

I have the ability to yank the drive and connect it to another machine. I also have an XP setup disk.

Last known good is not working. All safe mode options are not working.

Please advise.


  • Staff

OK, as long as restore was on we should be good, because we can take a copy of their registry from before this all happened and splice it in.

A repair install is the safer way to go here though, and I would try it first.

If you boot from CD, press Enter at the first screen, F8 at the next, and you should be on the XP install screen. If you see the option to press "r" to repair, use it. This does require that you have their CD key (usually on the side of their system) and sometimes requires that you call MS to reactivate after repair. As long as you explain that you did a repair install they will give you no trouble in reactivating.

Option 2

Slave the problem drive to a working system and boot into safe mode (if this is an XP Pro system you can use regular mode). Open the slaved drive, we will call it Z: for now. Right click System Volume Information and select Properties (if you can't see this folder, turn on show system and hidden files). Click the Security tab and then click Add. Enter the account Administrators and then click OK. You will now have Administrators as having access to this folder. Highlight Administrators and check the box for Allow, Full Control, click Apply, OK. Now open the folder. You will see at least 1 folder here; if there is 1, move on to the next step, if more than one, keep reading. Check the last modified date of each folder to see which one is the currently active restore folder; last modified should be within a few days ago.

Open this folder and inside you will see many folders RP#. Pick the one that was modified a day or so before all this trouble started and open it. Open the folder called snapshot. You want to copy the following 5 files to your desktop:

_REGISTRY_MACHINE_SAM

_REGISTRY_MACHINE_SECURITY

_REGISTRY_MACHINE_SOFTWARE

_REGISTRY_MACHINE_SYSTEM

_REGISTRY_USER_.DEFAULT

Rename them to :

SAM

SECURITY

SOFTWARE

SYSTEM

DEFAULT

Navigate to Z:\windows\system32\config. Copy all of what is inside and back it up to a folder on your desktop (there is next to no chance that we will need these, but you never know). Delete the contents of config. Now copy and paste the 5 files we just renamed into config. Shut down, return the drive and boot the problem system.

Let us know which option you take and the results .
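The hive swap in Option 2 is easy to get wrong by hand (wrong _restore folder, a restore point made after the infection, a snapshot with a hive missing). The script below is an added example, not code from this thread or from Malwarebytes: it automates those steps against a slaved drive, refusing any RP# folder dated on or after the day the trouble started or lacking any of the five hives, and backing up the existing config folder before emptying it, exactly as the post describes. The drive letter Z:, the _restore GUIDs, the RP numbers, the August 2008 dates and the file contents built by build_sample_drive() are all constructed for the demo; on a real slaved drive you still grant Administrators access to System Volume Information first, which the script does not do.

```python
"""Added example (not from the thread or Malwarebytes): scripts the staff's
"Option 2", i.e. pick the active _restore{GUID} folder, choose an RP# snapshot
dated before the trouble, back up windows\\system32\\config, and copy the five
hives in under their normal names. The tree from build_sample_drive() is
constructed; it assumes the slaved drive is Z: as in the post."""
from __future__ import annotations

import datetime as dt
import os
import shutil
import tempfile
from pathlib import Path

# snapshot file name -> name it must carry inside windows\system32\config
HIVE_MAP = {
    "_REGISTRY_MACHINE_SAM": "SAM",
    "_REGISTRY_MACHINE_SECURITY": "SECURITY",
    "_REGISTRY_MACHINE_SOFTWARE": "SOFTWARE",
    "_REGISTRY_MACHINE_SYSTEM": "SYSTEM",
    "_REGISTRY_USER_.DEFAULT": "DEFAULT",
}

def active_restore_folder(sysvol: Path) -> Path:
    """XP keeps one _restore{GUID} folder per install; the newest-modified one is in use."""
    found = [p for p in sysvol.iterdir() if p.is_dir() and p.name.lower().startswith("_restore")]
    if not found:
        raise FileNotFoundError("no _restore folder under System Volume Information")
    return max(found, key=lambda p: p.stat().st_mtime)

def pick_restore_point(restore_dir: Path, before: dt.datetime) -> Path:
    """Newest RP# folder modified before `before` whose snapshot holds all five hives."""
    best = None
    for rp in restore_dir.glob("RP*"):
        snap = rp / "snapshot"
        mtime = dt.datetime.fromtimestamp(rp.stat().st_mtime)
        if not snap.is_dir() or mtime >= before:
            continue  # no snapshot, or taken after the trouble began: would restore the damage
        if not all((snap / src).is_file() for src in HIVE_MAP):
            continue  # incomplete snapshot, skip it
        if best is None or mtime > best[0]:
            best = (mtime, rp)
    if best is None:
        raise FileNotFoundError(f"no complete restore point before {before:%Y-%m-%d}")
    return best[1]

def roll_back_hives(drive: Path, before: dt.datetime, backup_dir: Path) -> dict:
    """Back up config, empty it, then drop in the renamed hives from the chosen snapshot."""
    config = drive / "windows" / "system32" / "config"
    rp = pick_restore_point(active_restore_folder(drive / "System Volume Information"), before)
    backup_dir.mkdir(parents=True, exist_ok=True)
    for item in config.iterdir():
        if item.is_file():
            shutil.copy2(item, backup_dir / item.name)  # keep the originals, "you never know"
            item.unlink()
    for src, dst in HIVE_MAP.items():
        shutil.copy2(rp / "snapshot" / src, config / dst)
    return {"restore_point": rp.name,
            "config_now": sorted(p.name for p in config.iterdir()),
            "backed_up": sorted(p.name for p in backup_dir.iterdir())}

def build_sample_drive(root: Path) -> Path:
    """Constructed stand-in for the slaved drive Z: with a stale and an active _restore folder."""
    drive = root / "Z"
    config = drive / "windows" / "system32" / "config"
    config.mkdir(parents=True)
    for name in ("SAM", "SECURITY", "SOFTWARE", "SYSTEM", "DEFAULT", "software.LOG"):
        (config / name).write_text(f"damaged {name}")
    sysvol = drive / "System Volume Information"
    stale = sysvol / "_restore{00000000-0000-0000-0000-000000000001}"
    active = sysvol / "_restore{00000000-0000-0000-0000-000000000002}"
    (stale / "RP1" / "snapshot").mkdir(parents=True)
    # RP name -> (folder date, snapshot complete?); dates are made up for the demo
    points = {"RP10": (dt.datetime(2008, 8, 20), True),
              "RP11": (dt.datetime(2008, 8, 24), False),  # newest pre-trouble, but a hive is missing
              "RP12": (dt.datetime(2008, 8, 27), True)}   # made after the trouble started
    for rp, (when, complete) in points.items():
        snap = active / rp / "snapshot"
        snap.mkdir(parents=True)
        for src in list(HIVE_MAP)[: 5 if complete else 4]:
            (snap / src).write_text(f"good {src} from {rp}")
        os.utime(active / rp, (when.timestamp(),) * 2)
    os.utime(stale, (dt.datetime(2007, 1, 1).timestamp(),) * 2)
    os.utime(active, (dt.datetime(2008, 8, 27).timestamp(),) * 2)
    return drive

def demo(trouble_started: dt.datetime = dt.datetime(2008, 8, 26)) -> dict:
    """Run the rollback against the constructed drive and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = build_sample_drive(Path(tmp))
        result = roll_back_hives(drive, trouble_started, Path(tmp) / "config_backup")
        result["system_hive"] = (drive / "windows/system32/config/SYSTEM").read_text()
        return result

if __name__ == "__main__":
    print(demo())
```

Running it picks RP10: RP12 is rejected because it postdates the trouble, RP11 because its snapshot lacks _REGISTRY_USER_.DEFAULT, and the five hives land in config under their normal names while the old contents (including the stray software.LOG) sit in the backup folder. To use it on a real slaved drive, call roll_back_hives with the real mount point and the date the machine stopped booting, after taking ownership of System Volume Information as the post describes.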


ran fsecure against it, found the following:

3 viruses (downloader.win32.small, js-agent.cln, win32.fraudload.vbcm)

18 spyware (adware.win32.onestep.a - f)

4 riskware (fraudtool.win32.antispywaresoldier.d, fraudtool.win32.antivirusxp2008.i)

tried quarantine and clean options, and rerunning scan now.

rerunning scan found the same virus files (they were renamed, not removed). Deleted them.

Running backup now, hopefully will be done in about an hour.


Hello,

I have seen this exact error. Turned out to be a bad HD even though the system was able to boot on occasion. Please do a DIAG on the HD and see what the results are, especially if under warranty. The product I saw was an HP laptop under two years old. I was able to do a files and migration wizard before replacement.

Also the failure was detected very quickly using built-in diags.

Good Luck,

MH


ran fsecure against it, found the following:

3 viruses (downloader.win32.small, js-agent.cln, win32.fraudload.vbcm)

18 spyware (adware.win32.onestep.a - f)

4 riskware (fraudtool.win32.antispywaresoldier.d, fraudtool.win32.antivirusxp2008.i)

tried quarantine and clean options, and rerunning scan now.

rerunning scan found the same virus files (they were renamed, not removed). Deleted them.

Running backup now, hopefully will be done in about an hour.

If you're finding malware, please follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936 and start a new topic there.
