Re: Got virus - now have to boot up twice (after off/on)

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

...Let me know if you still think I should try your suggestion.

No.

Contact HP Support.


Robert wrote:
I spent time earlier today doing selective startups with MSCONFIG. I
found that by removing a single item in win.ini the boot-up works fine.
That section reads: (I have it disabled now, hence the ;'s)
;[Readiris]
;Scanner32=Twaino38,22

I searched files and could only find some HP software which had
"readiris" in some cfg/ini/sys ascii file. So I removed/reinstalled that HP
software - which didn't solve the problem. Everything seems to work fine
with those 2 lines commented out. How do I find out what is using those
lines??? I know the win.ini file is for legacy software/hardware.

Let me know if you still think I should try your suggestion. The
antivirus software was up to date, and Windows updates are enabled.

"PA Bear [MS MVP]" wrote:

There is a very good chance that you are seeing the effects of a hijackware
infection!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums as well.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
www.banthecheck.com


Robert wrote:
(I re-posted this here as someone in the Help & Support group suggested
it.)

I have Windows XP Media Center Edition 2005, Update Rollup 2 (and all the
more recent Windows updates.)

When I turn on the computer it gets to the XP screen then freezes. I
have to turn the computer on/off. The next round I get the option to go to
safe mode, normal, or last known good configuration. Selecting last known
works, and I discovered that selecting normal also works. When I shut down
the computer I go through that again on boot-up - again I have to power
on/off and then select last good or normal.

Yesterday I got the NASTY virus that I think a lot of people got in
April or July (?). I downloaded ComboFix to fix it, which it mostly did -
this bootup problem is left. The symptoms of the virus were it replaced my
desktop background with a message in the middle saying I was infected and
to
download something to fix it, my homepage was replaced with a message that
my current security settings restricted the site (the correct URL was
shown, and other pages worked), and a fake anti-virus program called
MSA.exe was running.) It also disabled opening the task manager and
regedit.

What I've done:
sfc /scannow completed successfully (w/error for the 5 or so know files
in the MS knowledgebase that aren't needed for Media Center, and errors
for
missing Windows Media Player files - I hadn't reinstalled the player which
I
uninstalled recently for a different reason - these files are listed in
the
event viewer). There were, however, a couple of windows icons named file
protection... at the bottom of the screen I couldn't maximize/open, and
there was the hourglass cursor while at the bottom of the screen. I had to
ctr-alt-del then stop explorer.exe and then start explorer again. That
cleared it up. I have also ran AVG (which was installed and running at the
time of the infection - so I replaced that with Antivir - which found many
viruses (mostly webpage gen something) and a couple trojans than AVG
missed.

Additional bootup symptoms:
I tried Safe Mode, and I get a loop where it gets back to the same
bootup selection window again (safe mode, norma. last know good). I don't
know if that's what this computer did before the current problem.)
Combofix had me install the windows recovery console. The bootup goes
through that so fast I don't know if I could select it. Also, I'm getting
the XP bootup screen, not the XP Media Center bootup screen (when you get
to
loading with the bar moving back and forth. Media Center is loading,
however, and TV plays fine. I see something about Media Center
(black/white
text at that bootup point) and then more text and then the three options
(safe, normal, last known). Combofix had me install the Recovery Console.
That shows up first, but it goes past it quickly - I don't know if there
would be time to select it if needed. On a different computer the Recovery
Console was on there was a 5 or so second delay.

.

Relevant Pages