Virus caused my windows to not load.

JDM555 · 09-20-2009, 12:42 PM

I understand I need logs but now I can't even log into my windows xp. The virus was the pop ups of "your infected and such" and it was my walllpaper. Now I got avg and got rid of two Trojans and then I had weird problems and couldn't open chrome. Then I turned off the comp and now I tried starting and it just says windows is starting up and doesn't load. What do I do, please help.

JDM555 · 09-20-2009, 02:23 PM

I got in through safe mode. I am trying to get my logs and will post them asap.

JDM555 · 09-20-2009, 07:04 PM

Quote:

Originally Posted by JDM555

I got in through safe mode. I am trying to get my logs and will post them asap.

I can't even run HiJackThis, gmer, OR DDS.scr through safemode. This is really pissing me off, what the hell do I do now?

Ried · 09-20-2009, 07:37 PM

Hello JDM555,

I need to know exactly what happens when you try to run those tools.

JDM555 · 09-20-2009, 07:41 PM

Hi Ried.

When I open gmer and HiJackThis, (double clicking) nothing happens. It's as if I didn't even open it. Nothing comes up. I tried reinstalling them, but nothing.

But when DCC, the black command box pops up and tells me the instructions and to wait 3 minutes. Nothing else happens though. I searched, and people said you have to wait for it to finish because even though nothing happens, the scan is taking place. I left the computer for an hour, and it still had the command open, but no logs.

Ried · 09-20-2009, 07:44 PM

Try this - delete your existing gmer.exe and download it again from here.

Try again to run the scan as outlined in our pre-posting topic:

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- Sections
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Please attach the ark.txt in your next reply

=================================

See if this tool will run for you - download rsit.exe and save it to your desktop.

Double click on RSIT.exe to run it.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

If you do not see the info.txt you can find it in the C:\rsit folder. Please attach that .txt

JDM555 · 09-20-2009, 07:51 PM

Ok, I got the first one to work and I attached ark.txt. I dl'ed the second one and it opened, and then kind of just disappeared and I have no idea if it's still running a scan or not. I tried opening it again and it didn't open? Do I have to wait a bit then the logs will appear or what?
John

Ried · 09-20-2009, 07:54 PM

No, hang on. You have a double whammy here.

Please save this file to your desktop. Click Start->Run, and copy-paste the following bolded text into the Run box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. I'll need to see that in your next reply.

==================================

Now try to run rsit.exe again. Post the logs along with the Win32kDiag.txt

JDM555 · 09-20-2009, 08:07 PM

Weird. I Dl'ed that file, and a black command box came up similar to the one that comes up when I ran DDS. A bunch of stuff starts coming up, but I go to start->run, and I tried putting it in and a command came up saying "Windows cannot find.." I tried highlighting everything, what was in parenthesis and it still didn't work. Sorry for giving you a hard time, but is there anything else I can do?

Ried · 09-20-2009, 08:09 PM

Did you save the file directly to your desktop? The command is specific to the tool being in that location.

JDM555 · 09-20-2009, 08:09 PM

Hold on. Here is the first log you wanted.

Edit: RSIT is still not working. I re-dl'ed it and it opened, then as soon as it says "Starting HJT" the whole thing disappears. I'm thinking it has to do with the same reason HJT wouldn't open at all in the first place for me.

Ried · 09-20-2009, 08:12 PM

Quote:

Running from: C:\Documents and Settings\Johnny\My Documents\Downloads\Win32kDiag (2).exe

Either move the tool out of that folder and get it directly on the desktop, or do this...

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Quote:

@Win32kDiag -F -R
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:

## IMPORTANT ## Place fix.bat next to Win32kDiag (2).exe

Double click on fix.bat & allow it to run

Post back to tell me what it says

JDM555 · 09-20-2009, 08:18 PM

Ok, When you said place it next to, I moved the win32kDiag (2).exe on the desktop. I then put the notepoad fix.bat next to it on the desktop, and then when I went to run it, it would open a black command box and then automatically close, and the fix.bat file would disappear of my desktop? Did I do something wrong?

Ried · 09-20-2009, 08:21 PM

Okay, I need you to slow down a bit and read the instructions. I think you may have missed one of my earlier posts.

The command I gave you, was dependent upon the tool being downloaded directly to your desktop. You downloaded it to a different location, and it appears that your renamed it with the (2).

Keep it on your desktop and use this command

"%userprofile%\desktop\win32kdiag (2).exe" -f -r

JDM555 · 09-20-2009, 08:26 PM

I'm sorry Ried, but I don't know what you mean by "use this command" what do I do with the bolded item? And I didn't reinstall it somewhere else, the program was installed in my Downloads folder and I guess I might of dl'ed it twice, where the (2) came from. So you want me to leave the win32kDiag(2) on the desktop?

Ried · 09-20-2009, 08:30 PM

Yes. Leave the win32kDiag (2) on the desktop. Then click Start>Run and copy paste that command I gave you in my last post, into the Run box and click OK. Let it run, then post the log it produces.

JDM555 · 09-20-2009, 08:35 PM

Here you go.

Ried · 09-20-2009, 08:36 PM

Excellent. Now try to run rsit.exe and post the logs.

JDM555 · 09-20-2009, 08:41 PM

Yeah. I don't know what's up with RSIT, but whenever I get past the pop up and click continue, I see the blue bar, and then when it reaches the end, the whole thing disappears. I have no idea why. What is suppose to happen when you run it? is there a window that pops up after the loading bar and then you wait a bit and two logs pop up? Cause that isn't happening for me.

Ried · 09-20-2009, 08:45 PM

We'll just press on. I have enough to work with from the gmer scan.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

====================================================

Download ComboFix from one of these locations, but rename it to jdm555.exe before you save it to your desktop.

Link 1
Link 2

* IMPORTANT - Save the renamed ComboFix.exe to your Desktop

====================================================

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are receiving 'access denied' when you try to work with the AV, then continue anyway and click OK when ComboFix AV warnings appear.

====================================================

Double click on the renamed combofix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

09-20-2009, 12:42 PM	#1 (permalink)
JDM555 Registered User Join Date: Sep 2009 Posts: 44 OS: XP	Virus caused my windows to not load. I understand I need logs but now I can't even log into my windows xp. The virus was the pop ups of "your infected and such" and it was my walllpaper. Now I got avg and got rid of two Trojans and then I had weird problems and couldn't open chrome. Then I turned off the comp and now I tried starting and it just says windows is starting up and doesn't load. What do I do, please help.

09-20-2009, 02:23 PM	#2 (permalink)
JDM555 Registered User Join Date: Sep 2009 Posts: 44 OS: XP	Re: Virus caused my windows to not load. I got in through safe mode. I am trying to get my logs and will post them asap.

09-20-2009, 07:37 PM	#4 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,938 OS: WinXP and Vista	Re: Virus caused my windows to not load. Hello JDM555, I need to know exactly what happens when you try to run those tools. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

09-20-2009, 07:41 PM	#5 (permalink)
JDM555 Registered User Join Date: Sep 2009 Posts: 44 OS: XP	Re: Virus caused my windows to not load. Hi Ried. When I open gmer and HiJackThis, (double clicking) nothing happens. It's as if I didn't even open it. Nothing comes up. I tried reinstalling them, but nothing. But when DCC, the black command box pops up and tells me the instructions and to wait 3 minutes. Nothing else happens though. I searched, and people said you have to wait for it to finish because even though nothing happens, the scan is taking place. I left the computer for an hour, and it still had the command open, but no logs.

09-20-2009, 07:44 PM	#6 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,938 OS: WinXP and Vista	Re: Virus caused my windows to not load. Try this - delete your existing gmer.exe and download it again from here. Try again to run the scan as outlined in our pre-posting topic: In the right panel, you will see several boxes that have been checked. Uncheck the following ... Sections IAT/EAT Drives/Partition other than Systemdrive (typically C:\) Show All (don't miss this one) Then click the Scan button & wait for it to finish. Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post. Save it where you can easily find it, such as your desktop Caution Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries Please attach the ark.txt in your next reply ================================= See if this tool will run for you - download rsit.exe and save it to your desktop. Double click on RSIT.exe to run it. Click Continue at the disclaimer screen. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized) If you do not see the info.txt you can find it in the C:\rsit folder. Please attach that .txt __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

09-20-2009, 07:54 PM	#8 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,938 OS: WinXP and Vista	Re: Virus caused my windows to not load. No, hang on. You have a double whammy here. Please save this file to your desktop. Click Start->Run, and copy-paste the following bolded text into the Run box, and click OK. "%userprofile%\desktop\win32kdiag.exe" -f -r When it's finished, there will be a log called Win32kDiag.txt on your desktop. I'll need to see that in your next reply. ================================== Now try to run rsit.exe again. Post the logs along with the Win32kDiag.txt __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

09-20-2009, 08:07 PM	#9 (permalink)
JDM555 Registered User Join Date: Sep 2009 Posts: 44 OS: XP	Re: Virus caused my windows to not load. Weird. I Dl'ed that file, and a black command box came up similar to the one that comes up when I ran DDS. A bunch of stuff starts coming up, but I go to start->run, and I tried putting it in and a command came up saying "Windows cannot find.." I tried highlighting everything, what was in parenthesis and it still didn't work. Sorry for giving you a hard time, but is there anything else I can do?

09-20-2009, 08:09 PM	#10 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,938 OS: WinXP and Vista	Re: Virus caused my windows to not load. Did you save the file directly to your desktop? The command is specific to the tool being in that location. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

09-20-2009, 08:18 PM	#13 (permalink)
JDM555 Registered User Join Date: Sep 2009 Posts: 44 OS: XP	Re: Virus caused my windows to not load. Ok, When you said place it next to, I moved the win32kDiag (2).exe on the desktop. I then put the notepoad fix.bat next to it on the desktop, and then when I went to run it, it would open a black command box and then automatically close, and the fix.bat file would disappear of my desktop? Did I do something wrong?

09-20-2009, 08:21 PM	#14 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,938 OS: WinXP and Vista	Re: Virus caused my windows to not load. Okay, I need you to slow down a bit and read the instructions. I think you may have missed one of my earlier posts. The command I gave you, was dependent upon the tool being downloaded directly to your desktop. You downloaded it to a different location, and it appears that your renamed it with the (2). Keep it on your desktop and use this command "%userprofile%\desktop\win32kdiag (2).exe" -f -r __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

09-20-2009, 08:26 PM	#15 (permalink)
JDM555 Registered User Join Date: Sep 2009 Posts: 44 OS: XP	Re: Virus caused my windows to not load. I'm sorry Ried, but I don't know what you mean by "use this command" what do I do with the bolded item? And I didn't reinstall it somewhere else, the program was installed in my Downloads folder and I guess I might of dl'ed it twice, where the (2) came from. So you want me to leave the win32kDiag(2) on the desktop?

09-20-2009, 08:30 PM	#16 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,938 OS: WinXP and Vista	Re: Virus caused my windows to not load. Yes. Leave the win32kDiag (2) on the desktop. Then click Start>Run and copy paste that command I gave you in my last post, into the Run box and click OK. Let it run, then post the log it produces. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

09-20-2009, 08:36 PM	#18 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,938 OS: WinXP and Vista	Re: Virus caused my windows to not load. Excellent. Now try to run rsit.exe and post the logs. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

09-20-2009, 08:41 PM	#19 (permalink)
JDM555 Registered User Join Date: Sep 2009 Posts: 44 OS: XP	Re: Virus caused my windows to not load. Yeah. I don't know what's up with RSIT, but whenever I get past the pop up and click continue, I see the blue bar, and then when it reaches the end, the whole thing disappears. I have no idea why. What is suppose to happen when you run it? is there a window that pops up after the loading bar and then you wait a bit and two logs pop up? Cause that isn't happening for me.

09-20-2009, 08:45 PM	#20 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,938 OS: WinXP and Vista	Re: Virus caused my windows to not load. We'll just press on. I have enough to work with from the gmer scan. Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. ==================================================== Download ComboFix from one of these locations, but rename it to jdm555.exe before you save it to your desktop. Link 1 Link 2 * IMPORTANT - Save the renamed ComboFix.exe to your Desktop ==================================================== Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are receiving 'access denied' when you try to work with the AV, then continue anyway and click OK when ComboFix AV warnings appear. ==================================================== Double click on the renamed combofix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt** in your next reply for further review. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."