Trying to recover an installation stuck in "safe mode" (virus related)

SB118

SB118

SB118

Soldato
Joined
18 Oct 2002
Posts
7,700
Location
"Sunny" Plymouth
Been asked to sort a laptop which has picked up "XP Smart Security 2010", one of the best written and effective pieces of malware i've ever seen!

System is pretty much unusable, popups every 20-30 seconds that steal the focus from what ever you are doing and block the center of the screen.

Malwarebytes won't run (or at least it does for a few seconds, then gets shut down.) Same for spybot & hijack this. MS essentials has had it's service stopped and it won't restart.

Pulled the drive and scanned it in another machine, Malwarebytes pulled out 30 odd dodgy files and 2 rootkit items. Back in the laptop and the virus is still there!

It won't boot in safemode, gets through the list of things it has started, then a flicker of bsod and it restarts from post. And you can't select the options for safemode and "don't reboot on bsod" at the same time, so i've no idea what is causing the crash. Boots fine if i don't select safemode though (apart from the whole virus thing)

All the fix-it pages tell me to open reg edit and fix a few entries, but "Registry editing has been disabled by your administrator." :mad:

Tried a few workarounds to reopen regedit, but no joy.

Used msconfig to stop everything at boot (safemode in everything but name basically) and the virus is still present!

Tell msconfig to reboot in safemode and now it is stuck in a reboot loop, it's treating "start windows normally" as "safemode" (because some idiot told msconfig to do it i suppose)

Last ditch idea, repair installation. Nope, "setup will not run in safemode", so now it's stuck in a setup/reboot loop. :mad::mad:

I can pull the drive to another machine to tweak things, what file do i need to alter to tell msconfig to boot normally? OS is xp sp2.

Cheers :)
 
If its that bad it might be best to do a clean install


backing up data my be a night mare as well as you could get somethings in the backup that are infected than your back to square one.
 
Can't do a clean install, it's an office laptop with some prehistoric database on it. Which they no longer have the install media for.

Did a separate install, scanned with mbam, cleaned another 18 files off. Fixed the boot.ini and rebooted into safe mode of the original install, The virus is still there! The damn thing runs in safemode! Kills mbam the moment it starts.

Downloaded a reg editor and did the fixes suggested on a few sites, then did a reboot.
It's back to crashing trying to boot in safe mode and asks me to activate when trying to boot normally. Which then sends me to a blank screen with a mouse pointer and the laptop then just sits there, guessing the virus has done something nasty to the activation system (or something is uses)

Only taken 8 hours so far.
 
Can't boot into the infected installation at all right now. Safe mode is dead and "proper" leaves me hanging at a background picture and a mouse pointer. Hard drive light goes nuts for about 30 seconds, then everything stop.

Looks like i'll be doing another repair installation then!
 
I've had a few machines like this over the past week and all have been a complete arse to get completely clear. I usually end up removing the drive and scanning with MBAM which gets rid of most of the crap, and then checking the user profile appdata folders for any nasties lurking in there manually. This is normally enough to get it to boot, where it's worth running something like F-Secure's online scanner just to make sure there's no other crap lurking in there. You'll probably find a bootsector virus is causing all your woes with safe mode too, which you should be able to reslove with either F-Secure once you've managed to get it booting or your normal AV. :)
 
:eek: 4 machines? kin hell!

Bloody annoying, looked at quite a few "how-to" guides and every single one starts with "open regedit"..... ARGH!

If the buggers that write these things every get hired to write DRM, we're all screwed!
 
Safe mode runs, won't let me regedit though.
Safemode (networking) won't start as it says i can't active in safemode.
Normal stalls on a blank screen after me saying that i want to activate.

**** it, i'm going to bed before i distance test the damn thing!
 
Must be some uber rootkit stuf going on, using a 3rd party tool to fix the "allow regedit" setting, i could refresh the list and it had been changed back (in safemode!) No unfriendly processes showing.

Makes it tricky as malwarebytes seems to use regedit commands to clean the registry settings, meaning i end up with a dozen "registry editing has been disabled by your administrator" dialogue boxes!

Left (another) full scan running over night (after i scanned the drive on a separate machine and full scanned it after the repair install), mbam reported another 56 item this morning!

Laptop is start to look like a discus from some angles ;)
 
I appear to have had an almost identical night as the op :mad: ..ahh well looks like it's going to be a fresh install ..it simply refuses to boot on safe mode and has locked down mb, spybot, nod etc , can get into them briefly by renaming but after around 20 seconds it reboots
 
Lobovski said:
I appear to have had an almost identical night as the op :mad: ..ahh well looks like it's going to be a fresh install ..it simply refuses to boot on safe mode and has locked down mb, spybot, nod etc , can get into them briefly by renaming but after around 20 seconds it reboots
Click to expand...

Odds are it's running ave.exe or similar, it's in the registry to run before any exe you click. It hides in application data and tags itself as a system file so it's "extra" hidden until you play with the folder view options. In fact you might notice that the folder view options tag is missing ;)

Do a repair install, boot to safe mode, make an extra user account, then get to work with the cleaning tools. Installation puts folder view options back in place. Think i'm getting somewhere.

http://www.techsupportalert.com/best-free-registry-editor.htm <- 3rd party reg editor is useful.

Currently running at 14 hours (attempted) cleaning :eek: (doesn't help this laptop is a scabby old single core p4 with 512mb!)
 
Ohhh gooody a nice relaxing saturday afternoon of installs and scanning..didn't fancy the footy in the pub anyway :p we can log our progress together SB :)
 
You must log in or register to reply here.
Back
Top Bottom