Got virus - now have to boot up twice (after off/on)

Robert

(I re-posted this here as someone in the Media Center Edition said it
shouldn't go there, but in a general XP group. I have Windows XP Media
Center Edition 2005, Update Rollup 2 (and all the more recent Windows
updates.)

When I turn on the computer it gets to the XP screen then freezes. I
have to turn the computer on/off. The next round I get the option to go to
safe mode, normal, or last known good configuration. Selecting last known
works, and I discovered that selecting normal also works. When I shut down
the computer I go through that again on boot-up - again I have to power
on/off and then select last good or normal.

Yesterday I got the NASTY virus that I think a lot of people got in
April or July (?). I downloaded ComboFix to fix it, which it mostly did -
this bootup problem is left. The symptoms of the virus were it replaced my
desktop background with a message in the middle saying I was infected and to
download something to fix it, my homepage was replaced with a message that my
current security settings restricted the site (the correct URL was shown, and
other pages worked), and a fake anti-virus program called MSA.exe was
running. It also disabled opening the task manager and regedit.

What I've done:
sfc /scannow completed successfully (w/error for the 5 or so known files
in the MS knowledgebase that aren't needed for Media Center, and errors for
missing Windows Media Player files - I hadn't reinstalled the player which I
uninstalled recently for a different reason - these files are listed in the
event viewer). There were, however, a couple of windows icons named file
protection... at the bottom of the screen I couldn't maximize/open, and there
was the hourglass cursor while at the bottom of the screen. I had to
Ctrl-Alt-Del then stop explorer.exe and then start explorer again. That
cleared it up. I have also run AVG (which was installed and running at the
time of the infection), so I replaced that with Antivir, which found many
viruses (mostly webpage gen something) and a couple of trojans that AVG missed.

Additional bootup symptoms:
I tried Safe Mode, and I get a loop where it gets back to the same
bootup selection window again (safe mode, normal, last known good). I don't
know if that's what this computer did before the current problem.
Combofix had me install the windows recovery console. The bootup goes
through that so fast I don't know if I could select it. Also, I'm getting the
XP bootup screen, not the XP Media Center bootup screen (when you get to
loading with the bar moving back and forth). Media Center is loading, however,
and TV plays fine. I see something about Media Center (black/white text at
that bootup point) and then more text and then the three options (safe,
normal, last known). Combofix had me install the Recovery Console. That shows
up first, but it goes past it quickly - I don't know if there would be time
to select it if needed. On a different computer the Recovery Console was on
there was a 5 or so second delay.

smlunatick

(I re-posted this here as someone in the Media Center Edition said it
shouldn't go there, but in a general XP group.  I have Windows XP Media
Center Edition 2005, Update Rollup 2 (and all the more recent Windows
updates.)

     When I turn on the computer it gets to the XP screen then freezes. I
have to turn the computer on/off. The next round I get the option to go to
safe mode, normal, or last known good configuration. Selecting last known
works, and I discovered that selecting normal also works.  When I shut down
the computer I go through that again on boot-up - again I have to power
on/off and then select last good or normal.

     Yesterday I got the NASTY virus that I think a lot of people got in
April or July (?). I downloaded ComboFix to fix it, which it mostly did -
this bootup problem is left. The symptoms of the virus were it replaced my
desktop background with a message in the middle saying I was infected and to
download something to fix it, my homepage was replaced with a message that my
current security settings restricted the site (the correct URL was shown, and
other pages worked), and a fake anti-virus program called MSA.exe was
running. It also disabled opening the task manager and regedit.

What I've done:
     sfc /scannow completed successfully (w/error for the 5 or so known files
in the MS knowledgebase that aren't needed for Media Center, and errors for
missing Windows Media Player files - I hadn't reinstalled the player which I
uninstalled recently for a different reason - these files are listed in the
event viewer). There were, however, a couple of windows icons named file
protection... at the bottom of the screen I couldn't maximize/open, and there
was the hourglass cursor while at the bottom of the screen. I had to
Ctrl-Alt-Del then stop explorer.exe and then start explorer again. That
cleared it up. I have also run AVG (which was installed and running at the
time of the infection), so I replaced that with Antivir, which found many
viruses (mostly webpage gen something) and a couple of trojans that AVG missed.

Additional bootup symptoms:
     I tried Safe Mode, and I get a loop where it gets back to the same
bootup selection window again (safe mode, normal, last known good). I don't
know if that's what this computer did before the current problem.
Combofix had me install the windows recovery console. The bootup goes
through that so fast I don't know if I could select it. Also, I'm getting the
XP bootup screen, not the XP Media Center bootup screen (when you get to
loading with the bar moving back and forth). Media Center is loading, however,
and TV plays fine. I see something about Media Center (black/white text at
that bootup point) and then more text and then the three options (safe,
normal, last known). Combofix had me install the Recovery Console. That shows
up first, but it goes past it quickly - I don't know if there would be time
to select it if needed. On a different computer the Recovery Console was on
there was a 5 or so second delay.

Virus is / was the "fake" XP Antivirus 2xxx system. It is a "pain" to
repair. You need to install the Malwarebytes Anti-Malware and rename
the main EXE file to a COM since the "spyware" blocks all EXEs from
running.

Robert

smlunatick said:
Virus is / was the "fake" XP Antivirus 2xxx system. It is a "pain" to
repair. You need to install the Malwarebytes Anti-Malware and rename
the main EXE file to a COM since the "spyware" blocks all EXEs from
running.

Antivir apparently removed it. The computer is working fine, except for the
boot issue. Will the Malwarebytes fix the bootup issue?

Robert

Robert said:
Antivir apparently removed it. The computer is working fine, except for the
boot issue. Will the Malwarebytes fix the bootup issue?

I installed Malwarebytes. It gives the appearance it's free when you
download it (or I would not have). After it does its scan it says you must
register to do a repair. After I gave them my e-mail address to register
they THEN said I had to pay for the product to remove the malware. I don't
do business with deceptive people. MALWAREBYTES IS PERMANENTLY BLACKLISTED
IN MY BOOK.

Peter Foldes

Robert

Malwarebytes has a free version which does not do that. I, along with many others,
am using it. You probably downloaded and installed the trial of the paid version,
which does exactly as you posted.

Below you find the link to the free version which will not do that to you

Click on the Free version on the bottom of the page
http://www.malwarebytes.org/mbam.php

Daave

Robert said:
I installed Malwarebytes. It gives the appearance it's free when you
download it (or I would not have). After it does its scan it says
you must register to do a repair. After I gave them my e-mail
address to register they THEN said I had to pay for the product to
remove the malware. I don't do business with deceptive people.
MALWAREBYTES IS PERMANENTLY BLACKLISTED IN MY BOOK.

You are incorrect, Robert.

Either you didn't understand or you downloaded another program with a
similar name (unfortunately we need to be on guard against these sorts
of tricks!)

This is the correct site for MBAM:

http://www.malwarebytes.org/mbam.php

All you need to do is click on the blue "Download free version" button.

Then you need to install it (which you didn't say you did).

Then update it.

*Then* finally run a scan.

If your malware is tricky, it won't let you run your anti-malware
program unless you outsmart the malware. One thing that works is to
re-name the executable from mbam.exe to something like robert.exe or
pineapple.exe. I suppose if the malware blocks .exe files, you would
need to change the extension to .com as smlunatick suggested. Then
reboot into *Safe Mode* and run the scan from there.

Robert

I spent time earlier today doing selective startups with MSCONFIG. I
found that by removing a single item in win.ini the boot-up works fine.
That section reads: (I have it disabled now, hence the ;'s)
;[Readiris]
;Scanner32=Twaino38,22

I searched files and could only find some HP software which had
"readiris" in some cfg/ini/sys ASCII file. So I removed/reinstalled that HP
software - which didn't solve the problem. Everything seems to work fine
with those 2 lines commented out. How do I find out what is using those
lines? I know the win.ini file is for legacy software/hardware.

Robert

Well, it was being consistent, but now I got the boot problem again with
those WIN.INI lines commented out. The computer had an existing problem with
ati2dvag crashing the computer, which occasionally happens, and I haven't
been able to fix (described as "This is a universal problem afflicting
thousands of PCs worldwide" that Microsoft and ATI won't deal with -
http://www.modernstreet.com/general/ati2dvag-problem/). This ATI problem
crashed the computer, and it came back up with the new boot problem. As
usual, powering on/off and selecting normal boot-up worked on reboot.

Robert said:
I spent time earlier today doing selective startups with MSCONFIG. I
found that by removing a single item in win.ini the boot-up works fine.
That section reads: (I have it disabled now, hence the ;'s)
;[Readiris]
;Scanner32=Twaino38,22

I searched files and could only find some HP software which had
"readiris" in some cfg/ini/sys ASCII file. So I removed/reinstalled that HP
software - which didn't solve the problem. Everything seems to work fine
with those 2 lines commented out. How do I find out what is using those
lines? I know the win.ini file is for legacy software/hardware.


Peter Foldes said:
No, Malwarebytes will not fix that. What is shown in your boot.ini lines?

--
Peter


smlunatick

Antivir apparently removed it.  The computer is working fine, except for the
boot issue.  Will the Malwarebytes fix the bootup issue?

Most anti-virus systems "may" remove one of the "infected" files but
will leave a lot of "others" on your system. You need to correctly
get the "free" version of Malwarebytes Anti-Malware (it is free) or the
free SuperAntiSpyware version. Only get these from the "known" web
sites.

Robert

boot.ini

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer
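The boot.ini above, as an added example that is not code from anyone in this thread: a small Python parser for an XP-era boot.ini in this format that reports what is worth checking after a cleanup like this one. Note that the boot loader timeout is the number of seconds the boot menu stays on screen, so timeout=3 is why the Recovery Console entry goes by so quickly. The check goes a little beyond the post and also flags Windows entries whose /noexecute (DEP) switch is missing or set to AlwaysOff; the sample file is constructed from the one posted.

```python
import configparser
import re

# Constructed sample: same structure as the boot.ini quoted in the thread.
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer
"""

# An [operating systems] value is "<menu name>" followed by optional NTLDR switches.
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"\s*(?P<switches>.*)$')


def parse_boot_ini(text):
    """Return timeout, default ARC path and a dict of ARC path -> {name, switches}."""
    # Only '=' delimits: ARC paths and C:\ paths must not be split on ':'.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the path keys exactly as written
    cp.read_string(text)
    loader = cp["boot loader"]
    entries = {}
    for path, value in cp["operating systems"].items():
        m = ENTRY_RE.match(value.strip())
        entries[path] = {"name": m.group("name") if m else value.strip(),
                         "switches": m.group("switches").lower().split() if m else []}
    return {"timeout": int(loader.get("timeout", "30")),
            "default": loader["default"], "entries": entries}


def check_boot_ini(text, min_timeout=5):
    """Return human-readable findings; an empty list means nothing looked off."""
    cfg = parse_boot_ini(text)
    findings = []
    if cfg["default"] not in cfg["entries"]:
        findings.append("default= does not match any [operating systems] entry")
    if cfg["timeout"] < min_timeout:
        findings.append(f"timeout={cfg['timeout']}s: the menu may vanish before "
                        "you can pick the Recovery Console")
    for entry in cfg["entries"].values():
        if "/cmdcons" in entry["switches"]:
            continue  # Recovery Console entry, not a Windows install
        dep = [s for s in entry["switches"] if s.startswith("/noexecute=")]
        if not dep or dep[0].endswith("alwaysoff"):
            findings.append(f"{entry['name']}: DEP is off or unset (/noexecute)")
    return findings
```

Run `check_boot_ini(open(r"C:\boot.ini").read())` on a real file (the attribute hidden+system+read-only file in the root of the system drive) to see the same findings for your own machine.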