Virus infected in PC and safe mode booting not working

Status
Not open for further replies.

guhanath

Journeyman
Recently my PC was infected with a worm giving a fake warning that "you are using pirated illegal copy of windows".
I searched the net and found that it is a worm named "W32.Launcer" which infects removable drives and closes windows when the title contains "player", "winamp" etc., so I am unable to open any media players.

I ran a full scan. My antivirus detected the trojan and deleted the files, but the warning still appears. So I tried to run AdAware anti-spyware, but it closes as soon as it opens. I confirmed that the trojan still remains.

My normal boot worked fine and I decided to run the antivirus from safe mode, but after selecting safe mode from the boot options, it hangs with a black screen with "safe mode" showing in all corners of the screen and nothing happens after that (the safe mode worked fine before running the scan).

Then I booted in normal mode and made a mistake. In msconfig I selected the option "/SafeMode" in boot.ini. Now whenever I boot it goes to safe mode and nothing shows up.

How can I set it back to normal mode? How can I edit the boot.ini to deselect the option?
How can I boot again with safe mode to delete the trojan?

I even tried Last Known Good Configuration, but it was of no use.

My PC config is Win XP with SP3 Release Candidate, 2 GB RAM, Bitdefender Total Security 2008, Adaware 2007.
 

guhanath

Journeyman
Hi,
I used the Ubuntu live CD and was able to view the Windows drive with boot.ini. However, I am unable to edit and save the boot.ini as it is read-only. Is there any other way that I can replace the old boot.ini with the new one, or is it possible to change the permission of the file from the live CD itself?

Or is it possible to edit the boot.ini file from the Recovery Console itself?
 

guhanath

Journeyman
Now I modified the boot.ini from the live CD and saved it to a USB drive. Then, using the XP Recovery Console, I changed the attributes of boot.ini to remove the read-only attribute and copied the new boot.ini to my Windows root.
Now I am able to boot into normal mode, but safe mode is still not working.
Now the priority moves to removing the trojan. I couldn't delete the trojan from normal mode. How can I remove it then? Is it possible to run any antispyware from CD media? What are the ways I can diagnose safe mode, and how can I recover it?
In normal mode I cannot open any antispyware or install new antispyware because whenever any window opens, the trojan closes the window.
I found 2 processes in Task Manager, winhelp.exe and wowexec.exe, which I could not kill at all.
I know that I am halfway through; a little additional help will be needed.
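The boot.ini edit the poster describes above (remove the /SAFEBOOT switch msconfig added, then copy the file back with the read-only attribute cleared) is easy to get wrong by hand, because the switch is one token on a long [operating systems] line. The script below is an added example, not code from the thread: it parses a boot.ini, strips only the /safeboot switch (including the :network and :minimal(alternateshell) variants) from entries in the [operating systems] section, and leaves every other switch intact. The sample boot.ini inside it is constructed, not the poster's actual file.

```python
"""Remove the /SAFEBOOT switch from a Windows XP boot.ini (added example).

boot.ini is an INI-style file: the [operating systems] section maps an
ARC path to a quoted description followed by optional switches. Ticking
"/SAFEBOOT" in msconfig appends /safeboot:minimal (or :network, or
:minimal(alternateshell)) to the default entry, which is what forces
every boot into Safe Mode. Stripping that switch restores the normal
boot; the other switches are untouched.
"""
import re
import sys

# Constructed sample: what the entry looks like after "/SAFEBOOT" is ticked in msconfig.
SAMPLE_BOOT_INI = (
    "[boot loader]\n"
    "timeout=30\n"
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\n"
    "[operating systems]\n"
    "multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS=\"Microsoft Windows XP Professional\""
    " /noexecute=optin /fastdetect /safeboot:minimal\n"
)

# Matches " /safeboot", " /safeboot:minimal", " /safeboot:network" and
# " /safeboot:minimal(alternateshell)"; NTLDR switches are case-insensitive.
SAFEBOOT_RE = re.compile(r"\s*/safeboot(?::\w+(?:\([^)]*\))?)?", re.IGNORECASE)


def strip_safeboot(text):
    """Return (new_text, removed_count).

    Only entry lines (path="description" switches...) inside the
    [operating systems] section are rewritten; [boot loader] lines and
    blank lines pass through unchanged.
    """
    out = []
    removed = 0
    in_os_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_os_section = stripped.lower() == "[operating systems]"
            out.append(line)
            continue
        if in_os_section and "=" in stripped:
            line, n = SAFEBOOT_RE.subn("", line)
            removed += n
        out.append(line)
    new_text = "\n".join(out)
    if text.endswith("\n"):
        new_text += "\n"
    return new_text, removed


def has_safeboot(text):
    """True if any [operating systems] entry still carries a /safeboot switch."""
    return strip_safeboot(text)[1] > 0


if __name__ == "__main__":
    # Usage: python fix_bootini.py <copy of boot.ini> > boot.ini.new
    # boot.ini on XP is hidden+system+read-only: copy it out first (e.g. from
    # a live CD), run this on the copy, then put the result back and clear the
    # read-only attribute, as the poster did via the Recovery Console.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BOOT_INI
    fixed, count = strip_safeboot(src)
    sys.stdout.write(fixed)
    sys.stderr.write("removed %d /safeboot switch(es)\n" % count)
```

Run it against a copy of the file, never in place; NTLDR reads boot.ini as plain ASCII, so the rewritten file needs no special encoding, but it does need the trailing newline and the section headers exactly as they were, which is why the script only touches the one switch.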
 

ThinkFree

Technomancer
I couldn't delete the trojan from normal mode. How can I remove it then?

I found 2 processes in Task Manager, winhelp.exe and wowexec.exe, which I could not kill at all.
I know that I am halfway through; a little additional help will be needed.

Try using UNLOCKER if you can install it to remove the infected files. It can be used to kill such objects as well.
 

guhanath

Journeyman
Hi All,
Thanks for your extended support. I have installed the OEM version of Windows XP updated to SP3 RC, Bitdefender Total Security 2008 (with all updates), Adaware 2007.

I could not run Adaware at all (it opens and closes immediately; the trojan is not allowing it to open. I could not even access its folder, it immediately closes it. I could not even install Spybot; the window closes).

I ran a RunScanner utility, a startup analyzer and process manager which tells me the rootkits and missing files. I found that a lot of sys files were missing, like pcidump.sys, changer.sys. Are they all required to get into safe mode? So I tried to run SFC to get the missing Windows files, but with no success (I used my friend's XP CD; the product key differs and Windows gives an error that the CD product is different). How can I go about it?

It is really annoying that I could not recover safe mode (is there any way to find out what is happening in safe mode when it shows a black screen?).

RunScanner identified winhelp as a rootkit (at1.job), but the file was missing and startup has this running process. This might be the reason I am not able to kill the process.

There is no file named Aut3.tmp or Aut4.tmp.
Regarding running AVGrootkit, I will check and let you know.
 

janki2008

Broken In
Try RootKit unhooker.

www.woodmann.com/collaborative/tools/images/Bin_Rootkit_Unhooker_2008-3-6_11.25_RkU3.7.300.509.zip

File size: 160 kb only

Shows SSDT, shadow SSDT, process viewer, hooks etc...

I normally use this tool for finding hidden files plus any rootkit which might have hooked the kernel API itself via a .sys, i.e. at boot time, where it hooks NtQueryDirectoryInformation and hides itself; we can easily see that.

Excellent tool worth trying.

Janki
 

guhanath

Journeyman
Hi All,
I am able to remove the W32.Launcer worm which gave the warning "you are using illegal version of windows". Thanks for your answers, which did that with various rootkits.
Now I have narrowed down to 2 problems.
1. Safe mode still not booting up.
2. A spyware is still present which closes any antispyware application (i.e. whenever I open any antispyware it closes immediately. It is not even allowing me to install any antispyware like Spybot/AVG Antispyware. Even trying to access the antispyware installation folder closes it, and when a web page contains any solution for spyware it closes that). Does anyone know what malware it is?

Regarding the first problem, I found that some malware will delete the registry key for SafeBoot. Is that true? Can anyone suggest what the default value will be?

If I am able to restore safe boot, then I think I can run antispyware from safe mode and remove it. Suggest a solution.
Also, if I want to run SFC using my friend's XP CD, how can I go about it?
 

guhanath

Journeyman
Hi All,

Please try to help me with this. Does anyone have an idea on how to use UBCD4Win to recover/repair Windows?
 

dheeraj_kumar

Legen-wait for it-dary!
I sincerely advise you to back up all program settings and your documents, and do a fresh install of XP. I have found through experience that some virii and malware, and most rootkits, leave some trace of themselves when you remove them, and they slow down your PC to a living hell. You have been trying since 18/4 to 23/4 (today); why not spend 30 mins to reinstall XP?
 

guhanath

Journeyman
Hi Dheeraj,

I don't want to reinstall XP as I have so many programs installed on my machine, and I know that once my safe mode is ready I can run the antispyware and remove the malware; else I will try UBCD4Win to repair it. Give suggestions.
 

blueshift

Wise Old Crow
@guhanath,
could you edit the boot.ini file?

This is what I found; you must be looking for this.
Restoring Safe Mode with a .REG file

Do you have access to Task Manager, MSConfig, Registry Editor, command windows?
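The .REG restore linked above puts a whole default SafeBoot key back; before running one, a practitioner usually wants to know which entries are actually gone on the suspect machine, which also answers the earlier question about "default values" without guessing them. The script below is an added example, not code from the thread or from the linked page: it parses two regedit exports of HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal, one taken from a known-clean XP machine and one from the suspect, and lists the subkeys the suspect lacks. Both exports embedded in it are constructed and heavily abridged; the subkey names are illustrative only, and a real export is much longer.

```python
"""Find SafeBoot registry entries missing from a suspect machine (added example).

Malware that blocks Safe Mode often deletes subkeys under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal (and \\Network),
so the boot stalls because the driver groups and services listed there are
never loaded. Export that key with regedit on a known-clean XP box and on
the suspect one, then diff the two exports instead of guessing defaults.
"""
import re
import sys

SAFEBOOT_MINIMAL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"

# Constructed "known-good" export (abridged; entry names illustrative).
GOOD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"
"""

# Constructed "suspect" export: the two driver-group entries have been removed.
SUSPECT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"
"""

# A key line is [HKEY_...]; a leading '-' inside the brackets is a deletion directive.
KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]\s*$", re.IGNORECASE)


def parse_reg(text):
    """Parse regedit .reg text into {key_path: {value_name: raw_data}}.

    "@" is the key's default value. Deletion directives ([-HKEY_...]) are
    skipped. Hex values continued over several lines keep only their first
    line, which is enough for a presence check.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = None if m.group(1) == "-" else m.group(2)
            if current is not None:
                keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = data.strip().strip('"')
    return keys


def missing_safeboot_entries(good_text, suspect_text, root=SAFEBOOT_MINIMAL):
    """Return [(subkey, default_value)] present under root in good but absent in suspect.

    Registry paths are case-insensitive, so the comparison is done lowercase.
    The root key itself is reported as "." when the whole key is gone.
    """
    good = parse_reg(good_text)
    present = {k.lower() for k in parse_reg(suspect_text)}
    prefix = root.lower()
    missing = []
    for path in sorted(good):
        lp = path.lower()
        if lp != prefix and not lp.startswith(prefix + "\\"):
            continue  # some other key in the export; ignore
        if lp in present:
            continue
        rel = path[len(root):].lstrip("\\") or "."
        missing.append((rel, good[path].get("(Default)", "")))
    return missing


if __name__ == "__main__":
    # Usage: python safeboot_diff.py good.reg suspect.reg
    # regedit writes exports as UTF-16LE with a BOM, hence encoding="utf-16".
    if len(sys.argv) == 3:
        good = open(sys.argv[1], encoding="utf-16").read()
        suspect = open(sys.argv[2], encoding="utf-16").read()
    else:
        good, suspect = GOOD_REG, SUSPECT_REG
    for sub, default in missing_safeboot_entries(good, suspect):
        print("missing: %s (default=%r)" % (sub, default))
```

Exporting from a clean machine with the same Windows version is what makes the comparison meaningful; the Minimal and Network keys differ between XP and later releases, so a .REG taken from another OS version would report spurious gaps. If the script reports "." the whole key is gone and a full restore is needed; if only a few subkeys are listed, those are the ones to put back.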
 

guhanath

Journeyman
Hi,
I will try this option and let you know. Yes, I can access all except these actions:
1. Cannot get into safe mode.
2. No antispyware programs running / cannot install new ones.
3. Explorer closes automatically when I go into the installation folder of antispyware.
4. If any window contains "spyware", "adaware" etc., it closes.

Apart from this everything looks normal.
 