Unable to start up after virus problem; Startup Repair keeps going

mikenmar · 10 Dec 2011

Short version: I'm having problems starting up after a virus problem. I booted up into Startup Repair, and it's been "Attempting Repairs" for a couple hours now. What next?

I'm running Windows 7 Professional 64-bit on a MacPro through Bootcamp.

Backstory: I had been having problems with a virus that was occasionally redirecting Firefox to commercial sites. On a couple occasions I got popups trying to sell "Win 7 Security" or something bogus. (I did not try to install or register it, obviously.) I ran several different anti-virus programs, including AVG and MSE, but none seemed to stop the re-direction problem.

This morning I got another one of the bogus popups, and it was particularly assertive this time. MSE had been shut down and would not restart. I went into the Task Manager and saw "sik.exe", so I stopped the process, found the file (along with sfl.exe) and deleted it. Then all kinds of problems started to arise.

I could not restart MSE, so I uninstalled it and re-installed it successfully. It was in the process of scanning when it found a couple problems, cleaned them, and asked me to re-start Windows, which I did.

When I restarted, Windows recommended going into Startup Repair mode, which I did. After a minute or so, it asked if I wanted to do a System Restore, so I said Yes. Now it's been going a couple hours, stuck in "attempting repairs" while the blue bar moves left to right.

How long should I wait before trying to reboot, and what should I do when I reboot?

Thanks,
Mike

EDIT: Windows eventually started up normally - so never mind! The patience paid off. It did take a few hours though.

A Guy · 11 Dec 2011

Welcome to Seven Forums mikenmar. May I suggest you d/l and run Malwarebytes free? It is perhaps the best antimalware program out there. A Guy

mikenmar · 11 Dec 2011

OK, this morning the same damned virus started with the pop ups again. "Win 7 Security". This time the offending file was "era.exe", which I killed from the Task Manager. I did download Malwarebytes Anti-Malware, which found the virus on a quick scan. I'm now running a full scan.

However, one of the weird things this virus does: When you click on any executable, Windows seems not to recognize that it's a .exe file, and it asks you what program you want to use to open the .exe file....

Anyone know how to fix this?

Am I going to have to reinstall Windows at some point? I have a lot of software from my prior job that I can't reinstall, would really hate to lose all that...

EDIT: I followed these steps and the problem appears to be fixed, for now anyway.

mikenmar · 11 Dec 2011

DAMMIT.

Now I'm right back to where I started...

After running FixNCR.reg, RKill and Malwarebytes and rebooting, I uninstalled and reinstalled MSE. MSE found a couple of infections, and recommended removing them, which I did. Then, on restart, it put me back into Startup Repair AGAIN.

Now I'm stuck waiting the next several hours for the system restore to complete... What the hell? What am I doing wrong here?

Borg 386 · 11 Dec 2011

Doubtful you did anything wrong. More then likely there are remnants left of the virus, and they can be hard to remove.

Have a look at this site & follow the steps.

Remove Win 7 Security 2012 (Uninstall Guide)

Although not what you want to hear, bear in mind there is the chance that your PC may be so badly infected, that it might be time to cut your losses, migrate as many files as you can off the HD & reinstall Win 7.

Other tools you can try:

Norton Power Eraser

Norton Rescue Tools

Because Norton Power Eraser uses aggressive methods to detect threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully.

SuperAntiSpyware portable. You could try running this from a Flash Drive and see if it can nail the remnants of it.

SUPERAntiSpyware.com - SUPERAntiSpyware Portable Scanner

How to Repair Windows 7 System Files with System File Checker

SFC /SCANNOW Command - System File Checker

mikenmar · 11 Dec 2011

I got a BSOD during the Malwarebytes scan. Any more advice?

Jacee · 11 Dec 2011

You have a "Backdoor" Trojan. Read this info:

Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.
If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one, if not an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breech.
More info can be found below:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
How to report ID theft, fraud, drive-by installs, hijacking and malware? Security | DSLReports.com, ISP Information

Flush the dirty DNS cache and restore MS's Hosts file:

Copy and paste these lines in Note pad.

@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0

[B]Save as flush.bat to your desktop.
Double click on the flush.bat file to run it.Vista and Windows 7... right click the .bat file and choose to run as Administrator. Your computer will reboot itself.

Next, follow these instructions again! Remove Win 7 Security 2012 (Uninstall Guide)

mikenmar · 12 Dec 2011

I still can't run Malwarebytes (in Full Scan mode) without getting a BSOD... I've run the Quick Scan (after first running FixNCR.reg and rkill), and it doesn't find anything.

Any other tips?

I got another re-direct in Firefox today, so it appears I still have an infection. Damn this is so frustrating....

Borg 386 · 13 Dec 2011

Possible that a rootkit is causing all the problems. Have a look here & try running a rootkit scan or 2 and see what it finds.

Best Free Rootkit Scanner and Remover

Also, look at the link above to Norton Power Eraser, it also features a rootkit scan.

You could also try submitting the BSOD to this thread and see if they could help you find the cause of the problem

Crashes and Debugging - Windows 7 Forums

Another possibility is to try a bootable AV rescue disk

http://www.techmixer.com/free-bootab...download-list/

(Kaspersky has been known to cause some problems in the past, if they have remedied this problem, I do not know, however you may wish to try some of the the other rescue disks)

I know you don't wish to do it, but if the PC is having this many problems, it might be a good idea to migrate as much data as you can off the HD & start over with a clean install. Since it's giving you this many problems, you can never really be sure that you got all of the infection off and it's probably not trustworthy anymore.

Jacee · 13 Dec 2011

Download DDS from one of these links:
Mirror 1 Mirror 2 Mirror 3

Disable any script blocking protection
Double click the dds icon to run the tool.
When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt <--- will be minimized in the task tray
Save both reports to your desktop.

Include the contents of both logs in your next post.