Solved Very infected system only runs in safe mode

January 31, 2012 at 23:11:02
Specs: Windows 7
My son is away at college and is having a lot of problems today with his laptop. I'm trying to help him remotely but would appreciate some assistance.

He said everything was running ok this morning and then the system suddenly crashed. When it came back on it had slowed down so much it was unusable. He didn't recall visiting any sites that acted unusual. He did say that iTunes reported itself as broken. In looking at his event viewer log it seems the system might have been running Windows Update when it crashed.
I was able to get him to boot into Safe Mode and he tried running a full scan with Norton Internet Security. It found 20+ viruses but then froze before it could act on them.

I then ran the Kaspersky Root Kit Killer and it found rootkit.boot.pihar.b. I used Kaspersky to remove it and rebooted the system. Another Kaspersky scan shows all clear.

I then was able to run Norton. It found about 28 heuristic viruses and said it deleted them all. I re-ran Norton and Kaspersky again and they both came up as clean. I then tried having him do a normal boot. The system came back crawling and was again unusable. I have it in Safe Mode again and re-ran Norton, which came up clean.

I then ran Malwarebytes and it came up with two more viruses.

Malwarebytes Anti-Malware

Database version: v2012.02.01.02

Windows 7 x64 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.7600.16385
Neal :: NEALS_LAPTOP [administrator]

1/31/2012 9:46:24 PM
mbam-log-2012-01-31 (21-46-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 181024
Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCR\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.


I had it remove them and re-ran it, Kaspersky and Norton. All came back clean (finally!). Unfortunately, when he tried rebooting into Windows it ran slow, the screen flashed back a few times and it said that Windows Explorer had stopped running. I could not access it remotely.

Back to Safe Mode.

I did note that his audio icon is showing that "the audio service is not running" in case that helps.

I ran dds.scr and have those logs but won’t post them until asked to.

Thanks for reading through all of this! I tried to capture everything I can while I’m connected to his system. I also have a Hijack This log if needed. I’m more than open to any suggestions. I can get back on his system and pull any data if needed in Safe Mode.



February 1, 2012 at 02:32:04
✔ Best Answer
You must be able to access his machine using Safe Mode with Networking. So try these 2 free, fully working trials and run them till they run clean:
1- Trojan Remover
2- Hitman Pro

February 1, 2012 at 11:42:14
Thanks for the suggestions. I tried both of those and they report clean in Safe Mode, which is all I can access it by now. Booting normally continues to slow the system so much that Gotomypc can't get a good connection, and Windows Explorer eventually crashes.

Since all of the scans are coming back ok I'm hopeful that the viruses are gone, but I'm worried that his Windows installation may be damaged now. Any suggestions short of a system restore are welcome. Unfortunately whatever hit him deleted all of the system rollback points so it would be all or nothing as far as a restore... Happily he has been listening to dad and has a recent backup of all his files!


February 8, 2012 at 00:21:02
I finally had to bite the bullet and restore the system. Happily we had a complete backup so all we lost was time.

February 8, 2012 at 05:20:51
