Solved: Windows Won't Give A Log In Screen ( safemode also )

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

tre2k

Thread Starter
Joined
Dec 13, 2008
Messages
27
Windows XP SP2

Okay, I just got finished with this annoying virus/spyware/whatever, so I wanted to put something online for other people to google how I got my solution.

I went to a website, not sure if it was a torrent site or the scifi.com site. I think it was the torrent site. Anyways, an MSN pseudo messenger creeps up in the lower right hand corner (like it did with the bask virus that was hell to get rid of but basically just download Malwarebytes and run in safe mode) and then a little while later, these pop-ups for some 360 security (not Norton) appeared saying "your computer is infected click yes." I go into Task Manager and end IE, but when I try to reopen Internet Explorer, it shuts down immediately. I run Malwarebytes and it finds several threats, I go to remove them all and the program shuts down. I go to reboot in safe mode and...

nothing.

Safe mode loads (takes a little bit longer than usual) and then the background comes up with the build type, etc, but no log in window. There is an hour glass and it goes away after 15s or so. If it stays there, the log in screen never (assumedly after 1 hr and 2 House episodes) comes up. I try to log into normal Windows, and the background comes up, but no Windows log in screen. Nothing does anything. No Task Manager, Ctrl+Alt+Del... anything. So there's no way to log into Windows and there's no way to log into safe mode, so I was pretty much screwed.

Luckily for me, I have Ubuntu Linux. I just went into the file manager for C:/windows/system32 and deleted everything that was created/modified at the date and time the messing up started. Well, I just deleted everything that was modified today in that folder. It took me a while to think about it, but it just dawned on me all of a sudden. There were some weird .dll's that don't come up in any Google searches and a few .ini files. Got rid of those, rebooted, and I was able to log into Windows. Ran Malwarebytes again and now I'm trojan free again. Yay.

Not everyone will have Linux, but it's a good idea to have a Windows start up disk, or something that can get you into DOS. There you can use old school methods to browse and delete files. I was really worried I was going to have to do a reinstall. I hate spyware, so I hope this helps someone in the future.

Tre

This is what Malwarebytes removed after I got rid of the DLLs

-------------------

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 2
12/13/2008 10:52:10 PM
mbam-log-2008-12-13 (22-52-10).txt
Scan type: Quick Scan
Objects scanned: 77041
Time elapsed: 4 minute(s), 16 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 3
Memory Processes Infected:
C:\Program Files\GetModule\GetModule32.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{93e32f2f-74ef-4673-b1d1-d820ba4bf1e8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{93e32f2f-74ef-4673-b1d1-d820ba4bf1e8} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GetModule (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getmodule32 (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\zwrjdl.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\GetModule32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
 
Joined
Dec 15, 2008
Messages
3
This is EXACTLY what happened to me yesterday. Word for word. I am also getting the black startup screen with a mouse pointer, Windows won't load in either mode (normal/safe), Ctrl+Alt+Del doesn't work, and this happened after a weird situation in which I was getting popups and IE wouldn't open, so I restarted (that's when all hell broke loose). I know for sure I had viruses at the time.

In fact, I found this forum and this post by searching for "black screen startup with mouse pointer". This is word-for-word what happened to me.

So I need your advice: What do I do? How do I get into the file system and delete these files in Windows\System32? I don't have a Linux bootable drive. Any suggestions?

PLEASE respond at your earliest convenience. My email is: [email protected] . Or, you can reply here in this forum. Please, I am at my wits' end, I don't know how to fix this!!!!!! I already called Dell support, and they suggested that I get a new hard drive, and save the files from the old hard drive.
 
Joined
Oct 6, 2008
Messages
2,713
I'm sorry that I can't help you Eugene, but a word of advice. Do NOT save any files to be reloaded before you are sure you are 110% clean. You start copying files, you could also be copying whatever it is that has you now. Then you would have it to do all over again.
 

tre2k

Thread Starter
Joined
Dec 13, 2008
Messages
27
Eugene: you can find a Linux boot disk online. I have Ubuntu. It's always a good idea to have a backup operating system and it only takes up 3 GB worth of space. You'll be able to install it from boot up because it installs via CD (you'll have to burn the ISO to a disk I believe). But other than that, if you have your Windows CD, you can boot up from the CD, but instead of reinstalling Windows, open up the Windows Repair Console Utility thing. From the DOS prompt type in fixboot, press enter, then try to reboot Windows. From there try to remove the spyware.
 

tre2k

Thread Starter
Joined
Dec 13, 2008
Messages
27
Omg, I just read what Dell told you to do. They are idiots for that one. Why in the world would you need a new hard drive if nothing is wrong with the one you have?! Wow... That's nuts.
 
Joined
Dec 15, 2008
Messages
3
Yeah, but they didn't know there was nothing wrong with the hard drive. They assumed it was some kind of drive failure. Only later did I find this forum and find out it was due to malware files.

Guys, so I actually burned an Ubuntu Linux bootable CD from the .iso image that I downloaded from Ubuntu's site. The computer does boot from that CD, but in Ubuntu's file manager, I'm unable to access the hard drive. I get the error message "Cannot mount volume." So Ubuntu can't read that drive either, at least without doing something special.

So I'm stuck, waiting for the new hard drive to arrive, along with the Windows XP boot CD (I lost mine and asked them to send me a new one)... this will happen on Weds. at the earliest...

On a side note, I was thinking -- despite all its service packs, Windows XP is still vulnerable as sh*t. What operating system would allow unknown files to be written to its system directory???
 
Joined
Dec 15, 2008
Messages
3
Just an update.

I booted from the Windows XP Boot CD and went to the Recovery Console ('R') and then did the "dir" command to see the files in \System32.

I followed the advice of the original poster, to delete the randomly-named DLLs and INIs that were created this month in that directory, and it worked wonderfully. The system's up and working again, thank god. Thank you for this advice! The only issue now is that upon startup, Windows tries to locate some of these files and they're not found, so I get error messages, but that's ok and I'll fix that.

As a helpful pointer to others who may be facing the same issue, when you do the "dir" command in the Recovery Console, pay particular attention to files that have an "hs" attribute in the listing. These are exactly the files to be deleted, both DLLs and INIs, and that's how you can distinguish them easily.

Thanks again
 

tre2k

Thread Starter
Joined
Dec 13, 2008
Messages
27
I didn't note the files, just that they were all "created" or "modified" on the same day at the same time on the same day I got the virus.
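
An added example, not part of any post in this thread: the triage both posters did by hand (picking out the .dll and .ini files in system32 that were modified around the time of infection), written as a Python script that could be run from a Linux live session against the mounted Windows partition. It moves the matches to a quarantine folder and records a SHA-256 for each instead of deleting them, so a legitimate file caught in the time window can be put back. The function names, the quarantine folder and the sample file names and timestamps are constructed for illustration; the "hs" attributes mentioned above are not checked here, only modification time.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta

SUSPECT_EXTS = (".dll", ".ini")  # the file types the posters removed

def find_suspects(directory, start, end, exts=SUSPECT_EXTS):
    """Files directly in `directory` with a matching extension whose
    modification time falls inside [start, end] (local time)."""
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        if not entry.name.lower().endswith(exts):
            continue
        mtime = datetime.fromtimestamp(entry.stat(follow_symlinks=False).st_mtime)
        if start <= mtime <= end:
            hits.append(entry.path)
    return sorted(hits)

def quarantine(paths, dest):
    """Move files to `dest` instead of deleting; return (name, sha256) records."""
    os.makedirs(dest, exist_ok=True)
    records = []
    for path in paths:
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        shutil.move(path, os.path.join(dest, os.path.basename(path)))
        records.append((os.path.basename(path), digest))
    return records

def demo():
    """Constructed sample: a stand-in system32 with old and infection-day files."""
    root = tempfile.mkdtemp()
    sys32 = os.path.join(root, "system32")
    os.makedirs(sys32)
    bad, old = datetime(2008, 12, 13, 21, 0), datetime(2004, 8, 4, 12, 0)
    for name, when in [("kernel32.dll", old), ("win.ini", old), ("notes.txt", bad),
                       ("qxzvbn.dll", bad), ("qxzvbn.ini", bad)]:  # constructed names
        path = os.path.join(sys32, name)
        with open(path, "w") as fh:
            fh.write(name)
        os.utime(path, (when.timestamp(), when.timestamp()))
    hits = find_suspects(sys32, bad - timedelta(hours=1), bad + timedelta(hours=1))
    moved = quarantine(hits, os.path.join(root, "quarantine"))
    return [os.path.basename(h) for h in hits], moved, sorted(os.listdir(sys32))

if __name__ == "__main__":
    print(demo())
```

On a real disk, pass the mounted system32 path and the time window to `find_suspects` and review the returned list before calling `quarantine`.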
 