
Unknown virus/spy causing machine not to boot even in safe mode


jstevens

IS-IT--Management
Jul 31, 2001
144
US
Greetings,

Here is my sad story, well, more for a friend and his poor computer. Through unadmitted steps and a user-initiated, OK'd install of spyware applications, a computer is experiencing the following. When booting up, the WinXP logo is displayed and then it hangs.

This also occurs, unfortunately, under safe mode. When the driver list is displayed, the machine hangs. This occurred after a definite infection.

I did what I normally do: take the HD out into a known clean system with multiple security apps (Symantec Enterprise 10, Spy Sweeper Enterprise, SpywareBlaster, SuperAntiSpyware). I ran full scans with each product on the affected HD. I also went into the appropriate directories and manually removed any recent-day files that were left on the machine.

After all of this the machine still hangs. It ran late, and I am going to attempt a repair reinstall of XP.

However, this is the nice part: the clean and supposedly protected machine I tried to do the clean in is now experiencing the same exact fail-to-boot issue, even in safe mode!


I didn't think this could be possible. Is this some sort of boot sector virus? But how could that prevent the OS from fully booting? Did some sort of system kernel driver get installed?

WinFixer and Trojan-Downloader were detected and supposedly quarantined. I have experience with WinFixer, Virtumonde and trojans before and have never seen this.

Has anyone seen or even heard of such a thing?


Jason
 
Yep, did as well. Posted here in case someone had a good way of finding the bad driver and disabling it. I assume that is why I can't boot even in safe mode to the desktop. Some driver, service or DLL is trying to load and hanging the boot process.

I will try to boot recovery console and do a listsvc and see if I can find anything odd and try to disable it.


Thanks though,

Jason
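One way to do the driver hunt asked about above, as an added example that is not part of the original thread: with the affected drive mounted in a clean machine, load its SYSTEM hive with reg load and export the Services and Control\SafeBoot\Minimal keys with reg export; the script below parses that export and flags drivers that the SafeBoot\Minimal list would still allow in safe mode but whose image is not under system32\drivers. It assumes ControlSet001 is the active control set, and the sample export, the netflt42 driver name and the path check are constructed for illustration.

```python
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal"
DRIVER_TYPES, START_DISABLED = {1, 2}, 4  # Type 1/2 = kernel/file-system driver; Start 4 = disabled
def decode_value(raw):  # .reg value text -> int or str (dword:, hex(2): UTF-16LE bytes, quoted string)
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ is exported as comma-separated UTF-16LE bytes
        return bytes(int(h, 16) for h in raw[7:].split(",") if h).decode("utf-16-le").rstrip("\x00")
    return raw.strip('"').replace("\\\\", "\\")  # reg.exe doubles backslashes inside quoted strings
def parse_reg_export(text):  # -> {key_path: {value_name: value}}; rejoins lines wrapped with '\'
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line, pending = pending + line.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            keys[(current := line[1:-1])] = {}
        elif current and line[:1] in ('"', "@"):
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = decode_value(raw)
    return keys
def suspicious_safe_mode_drivers(keys):
    # SafeBoot\Minimal names what safe mode may still load: a service name, a driver file name, or a
    # load-order Group. Flag listed, non-disabled drivers whose image lives outside system32\drivers.
    allowed = {k[len(SAFEBOOT) + 1:].lower() for k in keys if k.startswith(SAFEBOOT + "\\")}
    flagged = []
    for key, vals in keys.items():
        if not key.startswith(SERVICES + "\\"):
            continue
        name, image = key[len(SERVICES) + 1:], vals.get("ImagePath", "")
        labels = {name.lower(), image.rsplit("\\", 1)[-1].lower(), vals.get("Group", "").lower()}
        if (vals.get("Type") in DRIVER_TYPES and vals.get("Start") != START_DISABLED
                and labels & allowed and "system32\\drivers\\" not in image.lower()):
            flagged.append(name)
    return flagged

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\File System]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\netflt42.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mup]
"Type"=dword:00000002
"Group"="File System"
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,\
  69,00,76,00,65,00,72,00,73,00,5c,00,6d,00,75,00,70,00,2e,00,73,00,79,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netflt42]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\netflt42.sys"
"""  # constructed sample export of an offline SYSTEM hive, not data from a real machine
FLAGGED = suspicious_safe_mode_drivers(parse_reg_export(SAMPLE_EXPORT))  # ['netflt42']
```

A flagged name is a candidate to disable from the Recovery Console, not proof of infection; check the file's signature and timestamps before acting on it.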
 
Have you tried, in Recovery Console, a bootcfg /repair and then a fixboot?
 
Let me expand on the use of the Recovery Console. I would in this order type:

chkdsk /r
fixmbr
bootcfg /repair
fixboot
exit

One other note: if in Safe Mode booting the freeze occurs with either MUP.SYS or AMDAGP.SYS, neither of these is at fault, and using the DISABLE command will not help.

 
Here are the steps I took.

Messing around with the recovery console had no effects.

1) Took HD out and ran a multi scan in another machine. Turns out the second machine was having a different issue.
2) Put HD back and performed a repair reinstall of operating system, in this case Winxp home.
3) On repair reinstall, machine did lock but upon power off, installer recovered and completed.
4) Machine being able to boot now, ran internal multi scan using:
SAV 10 Enterprise / Spysweeper Enterprise / Superantispyware / spybot
5) Ran HijackThis; multiple items were still present. Used HijackThis to remove items and repair the registry.
6) Rebooted and ran process 4-5 again. System clean and operational.

The main infections I found were WinFixer and WinAntiSpyware; however, there were over 40 different trojan entries found and 10 unknown objects as reported by SuperAntiSpyware.

I hope everyone knows that one really must run multiple antispyware apps to be sure of a full clean. Super found a lot, but after running Super, Spy Sweeper Enterprise found quite a bit more. My typical order is SAV - Super - Spysweep - Spybot just for kicks. Spybot and Ad-Aware really are not effective programs compared to Super and Sweeper.

I hope this event can be of use to someone with a similar issue in the future. I was able to recover this machine, to my surprise. I assume some system-level driver was causing the issue. Upon reinstall, the installer removed or disabled the failing driver during its normal install procedure. At least that's my guess.

Thanks
Jason
 