XP won't restart following trojan removal attempt

Hello Everyone,

I have read the section about malware removal but was unable to do any of it because my pc wont even start up.

Basically this is what happened - my Dad downloaded a file of the internet which was claiming to be maps for his GPS... it turned out to be a trojan. I think was called TR/Spy.banbra.199.df by AntiVir. The trojan kept on opening explorer and firefox windows by itself.

AntiVir detected the file (I think what was infected was called command.exe) but it could not delete it so I set about runing Ad-aware. Ad-aware found a few things but said it would continue trying to fix on restart so I restarted the pc thinking I'd got on top of things.

On restart the pc started as normal until I got the Windows XP screen which says 'Loading your personal settings...' then pauses for a while then says 'Saving you settings...' it then goes between the two ...loading settings saving settings, loading settings saving settings etc and gets nowhere.

I have tried pressing F8 at the start and starting with last known good configurations and also starting in safe mode but the
same thing happens...

Can anyone help me please??

 

I would recommend posting this in the Software Forum. This sounds more like a Windows issue however, if there is something malware related they will send you back. First, let's see if they can help you get Windows up.

 

Thanks for the response, I'll try that.

 

Good Luck!

 

Ok I asked the question in the software forum and tried to do a repair but it turned out that I only have the xp home disc not the xp pro disc.

So I have installed xp home next to xp pro which has worked so at least I can get at the pc, so my question now is how do I go about removing the malware and getting xp pro to start up?? or should I move everything across somehow and stick with xp home?

Thanks for any help

vvvfrom the software forumvvv

'Thanks guys.

TimW I got to that screen but found that there was no mention of the OS there, it turns out that I have xp pro installed on the pc that won't restart and I was trying to fix it with xp home.

I can't find my xp pro disc anywhere. So I have installed xp home next to xp pro so I think I am going to try and tackle it that way, unless there is another way round it??'

 

I am now going through the 'READ & RUN ME FIRST' thread although some of the points don't apply as I am running from another OS.

 

Ok,

I have gone through every point of the "READ & RUN ME FIRST" apart from the online scans as I have not yet connected to the internet using the xp home OS, I have used AntiVir Guard at this stage instead.

I have tried selecting XP pro as the operating system but I still get the exact same problem.

I have attached all the logs to this message, obviously some of them only really apply to the home os, is there a way of running the scans on the old os while logged into the new one.

 

You can only fit 3 attachments per post so here is the last one!

 

Please see the below thread on how to install and run Spy Sweeper.

• Running Spy Sweeper...

 

Thanks,
I have just run SpySweeper it came up with something called 'rootkit' and said it needed to restart to sort it out.

I did the restart, SpySweeper opened and did something then stopped, I have attached the log and a new HJT log as per instructions.

 

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

C:\Program Files\Passware ← Delete this whole folder if it exist!

C:\Program Files\Common Files\roqm ← Delete this whole folder if it exist!

Next, run CCleaner to clean up cookies and temp files.

Once you have completed the above, reboot into normal mode and attach a fresh HJT log. Also, let me know how things are running.

 

Thanks bjgarrick.

I have done what you suggested, attached is a new HJT log file.

Shall I try and start in xp pro now??

 

I tried starting up xp pro and its the same as before

 

What should my next move be??

Any suggestions?

 

You have me confused talking about XP home and pro. Can you explain your situtation exactly? Are you on another computer? The computer with the problem, what OS? What does it do exactly?

 

Thanks for the reply bjgarrick.

Sorry for any confusion.

I'll go from the start. I had XP pro on my desktop pc I we ended up downloading something from the internet that turned out to be malicious, which was being picked up by AntiVir. I tried removing it with with anti vir then with a few other programs including Ad-aware. Ad-aware picked up a few things and tried to fix them, Ad-aware then told me that it would need to restart to fix things.

On restart I was presented with the 'Loading your settings.... Saving your settings....Loading your settings.....Saving your settings' problem and the PC would not start up it just kept switching between the two.

From there I went onto the software forum where they suggested that I put in the XP disc and try and do a repair. The only thing is that I can't find my xp pro disc anywhere only an xp home disc.

So...what I did was install xp home next to xp pro in another directory so that I could at least boot up the pc and get access try and fix it from there!! also there are files that I need on it too.

At the moment i am using my laptop.

I hope this clears things up, sorry for any confusion.

 

Basically your running two OS's at this moment, correct? Your logging in with XP Home, correct?

Login any way you can login and try running the below.

Reg Supreme 1.4

When prompted, run the "Aggressive" scan and fix all found problems. Afterwards restart and try to login under the XP Pro install and let me know what happens.

 

Yes, correct.

Thanks, I'll try that and I'll let you know what happens.

Cheers

Stewart

 

Tried that reg cleaner program but still have the same problem.

Thanks

 

Can you login into the Professional install in Safe Mode?

 

I tried logging in to xp pro in safe mode but I still had the same problem.

 

Let's do this before we do anything else...login to the Home install and run the online scans listed in the READ ME. If you can attach the logs to your next post.

 

Firstly, thanks bjgarrick for your continued support.

I tried the bitdefender scan but that just made internet explorer crash every time I tried it.

Panda scan was sucessful though, attached is the log.

Cheers

Stewart

 

First, delete the folder "C:\!KillBox" and then run CCleaner.

Try to run the below online scan and attach the log...

Click on the link below and run the online scan...

Kaspersky Anti-Virus Online Scan

• Click on "Kaspersky Online Scanner"
  
• Click Accept to procede...
  
• If you get a popup askiing if you want to Install Kaspersky's ActiveX Control, click Yes to install it.
  
• If you get a Security Warning popup asking if you want to install and run kavwebscan_unicode.cab, click Yes to install it.
  
• After all updates are downloaded, click NEXT to continue...( Note it will take awhile to download these updates based on your connection speed).
  
• Click Scan Settings and select extended and make sure both boxes are checked at the bottom, Click OK to continue.
  
• Now click on My Computer and let it run!
  
• This scan may take a while but it is very thorough. After the scan is complete save the log as a txt file and attach it to your next post.

 

Thanks,

Done that please see the attached log files, I had to cut it into 3 parts i think the first one is the important one.

Cheers

Stewart

 

Reboot into Safe Mode

Navigate to the folder below and delete all contents. Be sure the viewing of hidden files and folders is enabled.

C:\Documents and Settings\frank\Local Settings\Temp

Once you delete the above files, navigate to the files below and remove each file.

C:\Program Files\Online Services\pogowulyg.html

C:\Installer\planetluckinstaller.exe

Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

• Disable and Re-enable System Restore
  
  
• Turn OFF System Restore to flush any bad Restore Points.
  
  
• Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

After you complete the above reboot once more and try again to login to the Professional install.

 

Hi Bjgarrick,

I have done all that but still have the exact same problem.

Thanks again

Stewart

 

Is it doing the same thing? How long are you allowing it to login?

 

Yes, on the pro install it does the same thing.

I leave it running and it boots up part of the way gets to 'Loading settings'... the dialog box flicks a bit then it says 'Saving settings'....then it gets stuck between the two.

...the same as before.

 

I havn't heard of anything acting like this, I am not sure what to tell you other than see what the Software guys can come up with because if we can't get into windows there isnt much I can do.

 

Hi,

I have captured a video with my mobile phone of what happens and uploaded it to the following

www.perfect-strangers.co.uk/Xp pro.mp4

This way you can see exactly what happens, I'll continue the thread on the software forum too and see if they can help.

Thanks

Stewart

 

I thought you meant it did it once but dang that is some weird acting mess. I would say you needed a repair of the XP Pro install but without the disc there isn't a way.