
Unknown virus/spy causes machine not to boot even in safe mode

Status
Not open for further replies.

jstevens

IS-IT--Management
Jul 31, 2001
144
US
Greetings,

Here is my sad story, well, more for a friend and his poor computer. Through unadmitted steps and a user-initiated, OK'd install of spyware applications, a computer is experiencing the following. When booting up, the WinXP logo is displayed and then it hangs.

This also occurs, unfortunately, under safe mode. When the driver list is displayed, the machine hangs. This occurred after a definite infection.

I did what I normally do: take the HD out and put it into a known clean system with multiple security apps (Symantec Enterprise 10, Spy Sweeper Enterprise, SpywareBlaster, SUPERAntiSpyware). I ran full scans with each product on the affected HD. I also went into the appropriate directories and manually removed any recently dated files that were left on the machine.

After all of this the machine still hangs. It ran late and I am going to attempt a repair reinstall of XP.

However, this is the nice part: the clean and supposedly protected machine I tried to do the clean in is now experiencing the same exact fail-to-boot issue, even in safe mode!


I didn't think this could be possible. Is this some sort of boot sector virus? But how could that prevent the OS from fully booting? Did some sort of system kernel driver get installed?

WinFixer and a trojan-downloader were detected and supposedly quarantined. I have had experience with WinFixer, Virtumonde and trojans before and have never seen this.

Has anyone seen or even heard of such a thing?


Jason
 
I have a suggestion. Before trying a repair of windows on either machine, how about using the boot menu (where you would choose Safe Mode), and instead choose "boot using last known working configuration". It is possible that the software was just not stable with some other software or hardware, and caused the hang-up, and that going to a previous setup may fix that - a setup prior to the install of the software.

The good part is that it is actually getting to a Windows screen, even if it is only the initial boot-up logo.

If that doesn't work, a repair should do the trick. My guess is that it may not be that the spyware itself is the problem, but rather that it may have caused other problems because of faulty programming of the infecting program.

The only other possibility, I would guess, is if it were possible (and I would think that it would be technically possible, being that programming is stored on the CMOS memory - though not easy, I'm sure).

So, my guess is just bad programming messing with some registry entries or something of that nature.

Try the previous settings trick, then the windows repair if that fails.
 
This isn't always spyware. I recently experienced it after a Windows update. Also, removal of spyware can disable or remove drivers or interfere with the boot process. You can try to go through the Last Known Good boot process, but that may just point to what was removed by you or automatically.

If you have recently done an upgrade, check with Microsoft on their site; support for upgrade issues is free. Otherwise, it's time to restore your configuration with the installation CD.

After you do this, be sure to go to the Microsoft site and download the latest version of Windows Installer (3.1, I think). It's a little hard to find, but otherwise you will find that some programs continually demand to be installed. You may also need to remove and reinstall a couple of programs. In my case it was Office, to restore ODBC connections, and IE6, which the recovered OS refused to recognize.

Your updates will no longer be registered. What to reinstall is always an issue.

It is still better than a fresh install.
 
Thanks for your reply. I apologize for not updating this post here.

I had to perform a repair reinstall of XP. Upon initial setup device detection, the installer locked. However, and maybe luckily, after a power off and then back up, setup continued and finished. At that point I had a bootable system. I ran multiple local utilities (Spy Sweeper, SUPERAntiSpyware, Spybot) and removed items with HijackThis.

After all of that system is clean and working and all is well.


Hooray. The system was massively infected with over 20 trojans and WinFixer, and the main culprit was WinAntiSpyware.


A computer-illiterate person unwittingly paid for and installed this utter spyware junk, which then super-hosed the system to the point described above. It must have installed some driver that was being prevented from loading on boot, even under safe mode.

One note: the second system, in which I first did an offline scan of the infected HD, did not have the same problem but a different, unrelated one.

Jason
 
Any idea what the driver was for future reference? Also, how would a faulty driver install itself onto a clean computer? It sounds like there was more to this one than just that. If it transferred itself to your clean computer, then it has some type of worm associated with it, not just a trojan.

If you think you can, you might...if you know you can then you will.

A+
 
I did not go back and look through the drivers folder and compare it to the registry to see which ones were loading and which ones were not. If there is a utility to do this, as opposed to a manual method, I can do that.

I made the assumption about the setup process that when it is doing its hardware detection phase and driver loading, if the system locks, upon a reboot the setup process will disable that driver when setup continues.

I am pretty certain that WinAntiSpyware put in a driver that was causing the lockup. Other programs such as Symantec, Spy Sweeper and SUPERAntiSpyware do the same at a low level to intercept calls and hooks. WinAntiSpyware is one of those spyware programs that trick users into installing it as an antispyware program. The company super-hoses your machine, then pops up a window offering to clean the machine it just infected, for a price of course.

Just to note, it did not transfer to a clean machine while performing an offline scan. The second machine was having a separate mainboard driver issue. However, the symptoms were very similar.

I just counted my blessings that I recovered the system. Having a machine lock under safe mode is never a happy experience.

Jason
 
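The last two posts describe a driver that loaded even under Safe Mode and ask for a utility to compare the drivers that are loading against the registry. The following PowerShell script is added here as an example (it is not from the thread or any of its posters): it enumerates the kernel and file-system drivers the SYSTEM hive starts before logon, flags those Safe Mode would still load, and checks whether each driver binary exists and is signed. The parameter names, the offline hive name HKLM\OfflineSys and the drive letter D: are assumptions.

```powershell
# Added example, not from the thread: list the kernel and file-system drivers that
# Windows starts before logon, flag which of them Safe Mode would still load, and
# check that each driver binary exists and is signed. Assumes Windows PowerShell 5.1
# or later in an elevated session. For an offline disk (the thread's scenario), first
# load its hive, e.g.  reg load HKLM\OfflineSys D:\Windows\System32\config\SYSTEM
# and then pass -Ccs 'HKLM:\OfflineSys\ControlSet001' -WinDir 'D:\Windows' (assumed paths).
param(
    [string]$Ccs    = 'HKLM:\SYSTEM\CurrentControlSet',
    [string]$WinDir = $env:SystemRoot
)

# Type 1 = kernel driver, Type 2 = file-system driver; Start 0 = boot, 1 = system start.
$drivers = Get-ChildItem "$Ccs\Services" -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if (($p.Type -in 1, 2) -and ($p.Start -in 0, 1)) { $p }
}

# Safe Mode loads only services and load-order groups named under SafeBoot\Minimal
# (SafeBoot\Network for "Safe Mode with Networking"). Device-class GUID entries in that
# key also admit drivers, so this flag is an approximation that errs on the side of "no".
$safeNames = (Get-ChildItem "$Ccs\Control\SafeBoot\Minimal").PSChildName

$report = foreach ($d in $drivers) {
    $image = [string]$d.ImagePath
    # Normalise the usual ImagePath forms: \SystemRoot\..., \??\C:\..., system32\drivers\x.sys
    $rel  = $image -replace '^\\SystemRoot\\', '' -replace '^\\\?\?\\', ''
    $path = if ($rel -match '^[A-Za-z]:\\') { $rel } elseif ($rel) { Join-Path $WinDir $rel } else { $null }
    $exists = [bool]$path -and (Test-Path -LiteralPath $path)
    [pscustomobject]@{
        Service         = $d.PSChildName
        Group           = [string]$d.Group
        Start           = $d.Start
        LoadsInSafeMode = ($d.PSChildName -in $safeNames) -or ([string]$d.Group -in $safeNames)
        FileExists      = $exists
        Signature       = if ($exists) { [string](Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        ImagePath       = $image
    }
}

# Drivers that would still load under Safe Mode; unsigned or missing binaries are listed first,
# which is where a hang like the one in this thread is worth looking.
$report | Where-Object LoadsInSafeMode |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Service |
    Format-Table Service, Group, Start, FileExists, Signature, ImagePath -AutoSize
```

Run it against the live hive on the repaired machine, or with the offline parameters against the suspect disk mounted in a second machine, and compare the two listings.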