Has anyone seen this?
- striker8000
- Posts: 881
- Joined: Tue Mar 02, 2004 5:28 pm
- Location: lost in time
I've had 3 calls in the last two days for this problem:
windows appears to boot normally until just before the login page, then
the mouse cursor appears and nothing else (blank screen with a cursor that moves)
no other options, ctrl-alt-del doesn't work
safe mode, last known good, system restore, and hp's system recovery do not work (they stop at the same spot)
only solution I have found is to install windows to a different folder (to prevent deletion of important files) and configure the new install for long term use.
the repair utility on Vista's dvd doesn't fix the problem, either
the machines were:
hp desktop, winxp
hp desktop, vista, possibly caused by a bad memory card, replaced the card then had to tackle this problem with vista
dell laptop, winxp
still folding away, haven't been on as much lately
I've had nearly 20 laptops in this week with this problem... I'm not exactly sure which spyware/virus or malware is causing it but it is something. There is no fix, I've tried looking through files when slaving the drive, repair installs, chkdsk options etc... nothing but backing up data and reimage/format and reinstall the system.
Here is a list off a laptop this morning that I got in that's doing the same thing... at this point hard to say which is causing it even after I remove this crap by slaving the drive.

- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
YeOldeStonecat wrote: Perform manual restoration of restore points from the command line, to a date prior to infection. May take several tries to find the date prior to it getting hosed.
I tried that on two different latitude models yesterday..no go. This is even after slaving the drives and removing what I could with superantispyware. I've not found a solution besides backing up data and reloading them.
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
Sava700 wrote: I tried that on two different latitude models yesterday..no go. This is even after slaving the drives and removing what I could with superantispyware. I've not found a solution besides backing up data and reloading them.
Huh, worked for me, ident symptoms.....after slave scanned with Eset though. I'm guessing it's the latest variant, as I didn't get to see the splash screen from the rogue running...probably that new Antivirus 360 I stumbled across earlier this week.
Over the past several months...wow are they getting more and more time consuming. By next spring I'll just fix things with a giant magnet.
MORNING WOOD Lumber Company
Guinness for Strength!!!
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
Another thing I forgot to mention......
First..what it comes down to, is how much time you want to invest in this...weigh the time/effort invested in cleaning/repairing, versus time to backup the data and do a wipe/fresh install.
...anyways..a little over a month ago, one new variant I stumbled across was loading after putting some stub files in the print spooler directory, as well as system32\dllcache directory. May be able to browse those via command prompt, or if slaved from another drive. Proceed with caution...certain files there are legit.
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
Dave's World has a rig on the service bench right now exhibiting similar behavior....it is able to sometimes get to safe mode...but it keeps reloading, over and over again, explorer.exe. If you do get to safe mode....it will reload the logon for you..with that common "You are in safe mode" warning.
It made malwarebytes blue screen in safe mode on one pass.
This system had a program on it called "Big Fix"...which is a driver/system updater program, freebie I think, been around a long time. Similar to incredimail.....while not directly spyware itself, the programs come with some adware which seems to always eventually snowball the system over time with more junk. This rig has a new Vundu variant which isn't exactly identified yet...just being called "Vundu.Rogue"...by Spybot and MB.
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
Something else odd with this new variant.....
As being able to log into safe mode started working more....in addition to that constant "you are working in safe mode..." greeting from explorer constantly reloading, the "log in screen" in safe mode appears in full color and resolution. Normally this is crippled in safe mode 640 x 460 low color resolution. Several reboots in a row after hitting the F8 during bootup and selecting safe mode...we were greeted with full color 1280x1024 login screen on this PC...once you'd log in..the desktop would snap back into safe mode.
Mount the disk on a Linux box or boot from a live linux cd and delete:
docs & settings/user/local settings/tif delete the dir itself
docs & settings/user/temp/ all files
windows/temp/ all files
Check these dirs for suspicious programs:
docs & settings/all users/start menu/programs/startup
docs & settings/user/start menu/programs/startup
There are even live linux distros that have a registry editor and you can remove unwanted pointers to malware, such as in this hive: hklm/software/microsoft/windows/current version/run
http://www.extremetech.com/article2/0,1 ... 485,00.asp
Worst case is one could just create a .CMD file that deletes ALL values in the common startup locations in the registry and using a linux live cd, copy the cmd file to the root of the boot partition and place a shortcut to it in the all users start menu/startup folder, boot the comp in safe mode and after login the cmd file will execute. Reboot again and should be able to get to Windows nicely! Might even be able to run the cmd file from the windows recovery console.
No one has any right to force data on you
and command you to believe it or else.
If it is not true for you, it isn't true.
LRH
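Added example, not part of the original post: a read-only triage of the Startup folders and Windows temp directory that the post above lists, run against the infected disk mounted on Linux. It assumes the Windows XP directory layout and matches names without regard to case because a Linux NTFS mount is case-sensitive; the sample tree and its file names are constructed.

```python
import tempfile
from pathlib import Path

# Assumed Windows XP layout, matching the folders named in the post.
STARTUP = ("Start Menu", "Programs", "Startup")
RUNNABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".dll"}

def resolve_ci(base, parts):
    """Case-insensitive path walk: a Linux NTFS mount is case-sensitive."""
    cur = Path(base)
    for part in parts:
        entries = cur.iterdir() if cur.is_dir() else []
        hits = [e for e in entries if e.name.lower() == part.lower()]
        if not hits:
            return None
        cur = hits[0]
    return cur

def startup_entries(mount):
    """(profile, file) pairs for everything a Startup folder launches at logon."""
    root = resolve_ci(mount, ["Documents and Settings"])
    out = []
    for profile in sorted(root.iterdir()) if root else []:
        folder = resolve_ci(profile, STARTUP) if profile.is_dir() else None
        for f in sorted(folder.iterdir()) if folder else []:
            if f.is_file() and f.name.lower() != "desktop.ini":
                out.append((profile.name, f.name))
    return out

def temp_runnables(mount):
    """Runnable file types under WINDOWS/Temp, listed for review before deletion."""
    folder = resolve_ci(mount, ("WINDOWS", "Temp"))
    return [f.relative_to(mount).as_posix()
            for f in (sorted(folder.rglob("*")) if folder else [])
            if f.is_file() and f.suffix.lower() in RUNNABLE]

def build_sample(root):
    """Constructed sample volume; every file name here is made up."""
    su = "documents and settings/%s/start menu/Programs/StartUp/%s"
    for rel in (su % ("All Users", "desktop.ini"), su % ("All Users", "updater.cmd"),
                su % ("user", "Office.lnk"),
                "windows/temp/setup.tmp", "windows/temp/a1b2/loader.exe"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as vol:
        build_sample(vol)
        print(startup_entries(vol), temp_runnables(vol))
```

Point `startup_entries` and `temp_runnables` at the mount point of the slaved disk; both only read, so the listing can be reviewed before anything is deleted.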
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
I had a variant of this malware today...formatting the disk as I type!
Booted once into safe mode successfully, removed a bunch of crap, removed rootkits, was in an endless loop of reboots & bsods for next 3 hrs.
Couldn't even get a decent restore point via the recovery console! Bye bye old xp, hello new xp.
- striker8000
- Posts: 881
- Joined: Tue Mar 02, 2004 5:28 pm
- Location: lost in time