Vista won't boot even into safe mode


#1
jsmitchell
  • Member
  • 18 posts
My younger son was "befriended" by some kid/guy who told him to click on a link to install a Microsoft Xbox Live Points Generator. As I eventually found out, thanks to Kaspersky (after numerous other virus programs missed it), it was a backdoor trojan (win32.virut.ce aka w32/scribble-A, which was apparently installed from a file called xbl_gen.exe carrying backdoor.win32.vb.gtf) that allowed someone to remotely turn the PC into a spambot. Way before I knew all the details, but knowing something was amiss, I decided to run Malwarebytes on my own PC. Important note: I had NO reason to suspect any viruses on my own PC, which is not connected to the kids' PC (they even have separate cable modems). I was just curious what it might find.

Upon running Malwarebytes (after making sure to have the latest, 2/11, update and the latest database), I saw a few flagged files, thought nothing of it, and went about doing household chores. When I came back the computer had rebooted. I thought this strange since Malwarebytes doesn't do an auto reboot. I ran it overnight and, once again, awoke to a rebooted computer. I ran it again, left for a moment, and when I came back it was trying to reboot but failed. Dead. Fried. Kaput.

Once again, I have no reason to believe a virus is involved. Or, if one is, that the two episodes are related. I relay the info just in case. Here's the thread I started on it: http://www.geekstogo...PU-t229688.html

I booted into WinRe and the Vista recovery tools said it passed all the tests (nine of them) and therefore has no suggestions on what to do, even after remotely accessing Microsoft. I was able to go to advanced recovery options and view a dozen system restore points but each one failed. Gateway has a recovery drive (x:) showing in gray, but somehow I couldn't access it. I had also previously made a special "system recovery disk" but apparently that's just software like what I just described, not some emergency boot disk. It basically allows you to restore to factory settings. Forget that. Too much stuff on the computer that I can't kill.

I should add that I always booted into my own settings where I have no password. Whenever I chose "administrator", it required a password but none of the ones I tried worked. I don't recall even making a password.

I could boot into safe mode with command prompt and had full access to both my c and x (recovery) drives. All my stuff seemed intact. I could even run a chkdsk-- no errors. Heck, I could even edit the registry. But I couldn't boot.

Then I read about the console tools to fix these things. Bad move on my part. At first I tried fixmbr which said it completed successfully immediately. I rebooted. Didn't affect anything.

I got back to the DOS prompt and tried fixboot. It took some time, but said it completed successfully. Rebooted. Didn't affect anything.

I got back to the DOS prompt and tried rebuildbcd. It said no windows installation was found.

I ran scanos and it came up with no windows installation anywhere on the system as well.

At that point I was down to bcdedit:

bcdedit /export C:\BCD_Backup
c:
cd boot
attrib bcd -s -h -r
ren c:\boot\bcd bcd.old
bootrec /RebuildBcd

It said it found a windows installation so I rebooted and crossed my fingers. The result was that instead of saying Windows was corrupted and asking if I wanted to repair it, it went to the 'usual' boot choices (safe mode, safe mode with command prompt (which I chose), etc.) Safe mode scrolls all the files it loads. The last one I saw was crcdisk.sys before it again choked.

This time I can't boot into anything. Nothing works. I then tried to use the system restore disk I had made and asked to restore from a given point. All my restore points are now gone, as is my ability to get back to the DOS prompt.

Now what?
#2
wannabe1
  • Tech Staff
  • Technician
  • 16,645 posts
Hello

win32.virut.ce is a particularly nasty bit of malware that seems to be making a resurgence as of late. While it can sometimes be cleaned if caught early enough, the machine would likely never again be trustworthy for some internet activities like online banking, e-commerce, or any other activity where personal or financial information is exchanged. If this machine has been used for such activity, I would highly recommend that you use a known clean computer and change all your banking and e-commerce passwords and user names.

That said, please go to the Malware Forum and follow the instructions you'll find there.

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty--and you may not be-- post a hijackthis log in THAT forum. Please Do Not reply to or "bump" your own topic. If it shows a reply, it may be overlooked as one that is being worked on.

I fully expect that you will receive the same information from the experts. The only real cure for this virus (that I know of) is to format and reinstall the operating system, but let's let the experts make that call.

wannabe1

#3
jsmitchell
  • Topic Starter
  • Member
  • 18 posts
I have no reason to assume this PC is infected. It showed no signs of it, which I'm well aware of now dealing with the other one. All I want to do is get it booted up, even in safe mode. Once booted, I'll run Kaspersky software to see if it's infected. How can I boot it?

#4
wannabe1
  • Tech Staff
  • Technician
  • 16,645 posts
I'm sorry. The way I read the post, we were still looking at the machine that was infected with virut...my mistake. :) I obviously had not had enough morning coffee.

When you boot the machine to the Advanced Boot Options (where Safe Mode is), have you tried using the "Last known good configuration" option?

When you ran the chkdsk, did you use the /r switch (chkdsk /r)?

When entering Recovery Console, did you try leaving the password blank and just pressing "Enter"?

#5
jsmitchell
  • Topic Starter
  • Member
  • 18 posts
"Last known configuration" does not work. Yes, I did use the "/r" parameter on chkdsk when I could still access the DOS prompt. When entering recovery console, I (also) left the password blank when trying to login as administrator. I did all the above using my regular user name.

Note that when I was in DOS mode everything looked fine. It was when I tried to repair the boot record on my own where I screwed things up to where we are now.

#6
Jacee
  • Malware Expert
  • Expert
  • 994 posts
  • MVP
Do you have a recovery disc? If not, here's how to create one:
http://www.vistax64....overy-disc.html

#7
jsmitchell
  • Topic Starter
  • Member
  • 18 posts
I tore the house apart and finally found the full Vista OS CD Gateway supplied. I booted from it and chose the recovery option. It said something about not being able to boot from the hard drive and asked if I wanted to repair it. I said yes but to no avail.

The second time I booted from the CD it came up with a screen asking me to select the OS to repair. The software had found an installation, but under the OS column it said "unknown." Furthermore, it says that if you can't see your OS, to choose the "Load Drivers" for your hard disk option: "Insert the installation media for the device and click OK to select the driver." If I click on "OK", it takes me to a "Sources" directory with seven sub folders and six set up files.

Now what?

#8
jsmitchell
  • Topic Starter
  • Member
  • 18 posts
The directories, if this helps, are:
adprep
en-us
license
servicing
dlmanifests
inf
recovery

The set up files are:
sfpat
sfpath
upgcompat
osfilter
sfpat2k
sfpatxp

#9
jsmitchell
  • Topic Starter
  • Member
  • 18 posts
I figured loading of drivers was only necessary if I wasn't trying to boot from drive C, so backed up and hit "next" instead. This took me back to the familiar automated repair screen where, after some time, Vista says it was unable to repair the system and should notify Microsoft of the problem, which it did to no avail. I then entered the advanced diagnostics menu which I suppose was the goal in the first place.

Awaiting further instructions...

#10
jsmitchell
  • Topic Starter
  • Member
  • 18 posts
If someone is still reading this, I'm still down and in need of help. I was able to use the Vista system disk to get back to the DOS prompt and undo the following that Microsoft said to try:

bcdedit /export C:\BCD_Backup
c:
cd boot
attrib bcd -s -h -r
ren c:\boot\bcd bcd.old
bootrec /RebuildBcd

With:

del bcd
ren bcd.old bcd
bcdedit /import C:\BCD_Backup

This allowed the PC to again boot into recovery mode, recognize that Vista was installed, but still could not recover anything. It also did not restore the restore points I used to see but was not able to access.

Again it passes all the various tests, but generates an event that the problem still persists:
Problem Event Name: startuprepairv2
Problem Signature 01: Auto Failover
Problem Signature 02: 6.0.6000.16386.6.0.6001.18000
Problem Signature 03: 6
Problem Signature 04: 1114129
Problem Signature 05: Corrupt registry
Problem Signature 06: 11
Problem Signature 07: 3221225804
Problem Signature 08: 3
Problem Signature 09: Rollback registry
Problem Signature 10: 0
OS Version: 6.0.6000.20.0.256.1
Locate ID: 1033

Although I was able to backup my data, I really don't want to have to reformat and reinstall all my software. Thanks.
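Added example, not part of the thread or any poster's code: a short Python sketch that reads the Problem Signature block quoted in post #10 and decodes signature 07, assuming (as the "Corrupt registry" label in signature 05 suggests) that the field is an NTSTATUS value printed in decimal. The function names and the small `KNOWN` lookup table are illustrative.

```python
import re

# Constructed sample: lines copied from the event block in post #10.
EVENT = """\
Problem Event Name: startuprepairv2
Problem Signature 05: Corrupt registry
Problem Signature 07: 3221225804
Problem Signature 09: Rollback registry
"""

# A few NTSTATUS values that show up in boot and registry failures.
KNOWN = {
    0xC0000001: "STATUS_UNSUCCESSFUL",
    0xC000000F: "STATUS_NO_SUCH_FILE",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000014C: "STATUS_REGISTRY_CORRUPT",
}
SEVERITY = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")


def parse_signatures(text):
    """Return {signature number: value} from a 'Problem Signature NN:' block."""
    pairs = re.findall(r"Problem Signature (\d+):\s*(.*)", text)
    return {int(num): value.strip() for num, value in pairs}


def decode_ntstatus(value):
    """Split a 32-bit NTSTATUS into severity, facility and code fields."""
    value &= 0xFFFFFFFF  # some tools print the same value as a negative int
    return {
        "hex": f"0x{value:08X}",
        "severity": SEVERITY[value >> 30],      # top two bits
        "customer": bool((value >> 29) & 1),    # set for non-Microsoft codes
        "facility": (value >> 16) & 0x0FFF,     # 12-bit facility
        "code": value & 0xFFFF,                 # low 16 bits
        "name": KNOWN.get(value, "unknown"),
    }


def explain(text, field=7):
    """Decode one signature field (assumption: it holds an NTSTATUS)."""
    raw = parse_signatures(text).get(field, "")
    if not raw.lstrip("-").isdigit():
        return None  # textual field such as 'Corrupt registry'
    return decode_ntstatus(int(raw))


if __name__ == "__main__":
    print(explain(EVENT))
```

For the block above this yields 0xC000014C, STATUS_REGISTRY_CORRUPT, which agrees with the "Corrupt registry" text Startup Repair reported.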





