Win32/PEPATCH.ao...I can't boot in Normal mode now

[lambjailer]

Hello "TechSpotees"!!!

First time here...

This morning I turned on my computer and AVG immediately detected a virus known as WIN32/PEPATCH.ao, but would not remove it. I turned off my computer and restarted in safe mode; AVG then removed the virus. BUT...I can not reboot in Normal mode now...only safe mode. When I attempt to reboot normally, the computer starts and just stops before I enter my password with a navy blue screen and computer stays on...just hangs there.

I have run everything from HJT to CCleaner to running all sorts of diagnostics and attempting reboots with minimal services with no luck. Everything "checks out", but I just can't work in normal mode. Is there a registry key lingering that I should delete??? A driver I need to reload???

Any help would be appreciated.

 

[kitty500cat]

Hello lambjailer and welcome to TechSpot. :wave:

Very Important: Malware infections can lead to identity theft, loss of funds from bank accounts, misuse of credit card information, etc since they can send sensitive information from your computer to their creators. Please read this thread before deciding what course of action to take regarding your infection.

If, after reading the above thread, you decide to clean your system, do the following.

Go and read the Viruses/spyware/malware, preliminary removal instructions. Follow all the instructions as closely as possible.

Post fresh HJT, ComboFix, and AVG Antispyware logs (as many of these as you can) as attachments into this thread, only after doing the above. Also post here the results of the AVG Antirootkit scan.

Regards

This thread is for the use of lambjailer only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.

 

[almcneil]

I would try an XP repair installation.

 

[lambjailer]

Here is my HJT post

Thank you Kitty500cat for getting back to me so fast!!!

Note that I can only run these tests in safe mode as I can not start in normal mode. And...I have AVG rootkit but it will not run in "safe".

Here is my up to the second HJT...I have run EVERYTHIING else as suggested on the preliminary instructions with nothing to post.

View attachment 20111

Ty,

Bill

 

[kitty500cat]

almcneil had a good point, although before you repair Windows, you should do this:

Run HJT and do a system scan. Place a check in the box next to the following entries (if there):

O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://winantivirus.com/download/2007/download.php?file=2&aid=dn_tr_wav_kw1_us_en&lid=http+grisoft&affid=dn_66695_{6eba1f97-47a0-412c-bd8a-d50422d80ec2}&lng=en&cnt=us

O21 - SSODL: idNbuzh - {F005D9CD-5AAF-7367-039E-442AC198EFB8} - C:\WINDOWS\system32\ngwi.dll

Close all open web browsers, including this one. Then click the Fix Checked button.

Now you should try to repair Windows, in case any system files are corrupted.

Also, WinAntiVirus is a very nasty rogue program. Don't have anything to do with it.

Regards

This thread is for the use of lambjailer only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.

 

[lambjailer]

How do I "repair windows"???

Kitty,

Thanks for all of your help...BUT...now that I have run every scan and every diognostic on my computer(i.e. system information, msconfig, etc) that tells me everything is "ok", I am little hesitant to go "repairing" when I don't know what to repair. That is, do I go to tech guy tomorrow and see what he says??? Do I go buy a new tower and simply download my files and start over??? What could be corrupted and how do I know what is???

Ty

Bill

p.s. I am going to make a decision in the morning b/c my time is a little valuable...although for now I am getting around the internet "safely" and able to everthing except use my printer(disabled in "safe")...so can u help...fast!?!?

 

[kitty500cat]

You can see how to perform an XP repair installation here. I recommend doing this, because it should repair any corrupted system files.

Can you boot into normal mode now? If not, that probably means you do have bad system files, in which case a repair is probably the least drastic measure.

Regards

This thread is for the use of lambjailer only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.

 

[lambjailer]

I did one other thing late/early last night this morning. In safe mode, I ran the "error check" utility in computer management(CHKDSK) and after a LONG scan for errors on "c"(i have no "d" on this rebuild) it found that "the drivers amdk7 and fips failed to load on boot-start". BUT..it also said that it "cleaned minor inconsistencies on the drive"; some unused index entries; and there are 0(zero) bad sectors.

I plan to do this...go to Best Buy and get an external hard drive(which I should have anyway) and new computer(just the tower) and get back to business. I will try and reboot once more AFTER I have downloaded all my data to the EHD...BUT...if there are any quick fixes you can think of I am all ears.(note...I do not have any CD that came with the computer)

 

[kitty500cat]

Do you have the Windows product key?

 

[lambjailer]

no i dont kitty...the version i have was a rebuild onto "c"...stripped down. I went to Best Buy(i know the "geeks" there)...the boss said even though they would sell me the two drivers I need on a cd it may not even work as I did the CHKDSK in "safe" and who knows what else is on there. So, I bought vista(new tower)...an Ext Dr...(and a copy of Office 2007 which I need)...and I will return with the XP and have them clean it up later so I have another computer for my office when I need it totally cleaned and cheap(like $60-90)

what do you think???


ty 4 your help

 

[Zarcc]

I think that is a silly idea

I'm currently working on removing that virus myself. It sounds like the file was deleted, you can always reinstall windows XP you can get a program to get the key off of your computer and use any old disc. The computer should have came with a recovery cd that could also work, but again you risk data lost.

I take it you are running Windows XP? I'm sure there are many steps you can take to fix that though I'm not exactly sure what they'd be atm. Really tired and never ran into that problem before.

If you put in any windows xp cd you can press R while it loads to go into the recovery console.

Check out Kellys Korner, it might have the fix, it has never let me down. If I fix this computer and still think about your issue, I'll hit this site up again.

Back to work...

 

[kitty500cat]

Oops. Sorry lambjailer, I must have missed your post.

I'm not sure how to find your Windows product key, but it can probably be done from Windows itself.

You could open a new thread in our Windows OS forum to ask how to do it.

Regards

 

[almcneil]

Lambjailer, did you ever try the XP repair installation I recommended? I can't find any mention of you trying it in your replies.

 

[M0ntG0M3rY]

Lambjailer, did you ever try the XP repair installation I recommended? I can't find any mention of you trying it in your replies.

After repair, he'll need to activate Windows XP before first login. But he's saying he doesn't have windows XP product key.

 

[almcneil]

After repair, he'll need to activate Windows XP before first login. But he's saying he doesn't have windows XP product key.

M0ntG0M3rY, the Product Key is the first step in the repair installation. It comes up almost immediately. The activation code, which is based on the Product Key, comes up after the repair is completed.

If he doesn't have a Product Key, then he cannot do an XP repair installation.

 

[M0ntG0M3rY]

Yes, before installation, you can put in there anything, it'll take it. But after installation Windows will say the product key is invalid.

 

[Zarcc]

Sorry, Lamb,

I fell victem to the same case.
Win32/PEPatch.AO has attached itself to this computers:
spooler
winlogon
explorer

This computer is a Windows XP home edition SP1

I supply this information for anyone else who may run into the same problem.
I booted from a cd to clean the files and just like before blue screen on normal logon only. Could this come in with Grom?

One of the viruses knocked me off-line by either damaging the winsock.dll or what refers to it.

My cd drive was able to run auto run but could not open it. (An auto-run was pulled up but I could not examine the disc in Safe mode or Safe mode with prompt).

A repair install does remove the blue death but does not fix the explorer and winlogon issues.

Repair install is done like so:
Plug-in a windows xp cd (of the same type such as home, pro, business, multimedia, ect. Service packet doesn't matter).
Boot off of said cd (enter BIOS by pressing insert, home, F1, F2, or F12 in most cases. Each bios is different, so figure it out).
When you get prompted to press any key to start from cd do so.
If you have 3rd party raid drivers or whatever press F6 when prompted to do so, if you don't know, then you probably don't.
When you get the option to go into the repair/restore menue or set-up go to set-up
Follow the process until you get the choice to repair the install which you'll get unless it is really messed up.
You will need a cd key for this process, it comes on most manufactured computers unless you've reinstalled it with a store bought cd. That cd-key should be on the box, if you can't find it, you can get a program like key grabber at http://www.magicaljellybean.com/ or at http://www.freewarefiles.com.
Keep in mind that keys brought up by these might bring up the OEM key if it is a manufactured computer.


Again, still having the problems after you get back into normal mode via repair install


Hope this helps.

 

[almcneil]

Yes, before installation, you can put in there anything, it'll take it. But after installation Windows will say the product key is invalid.

Sorry mate, but the Product Key is checked for validity when you enter it, not after the installation. I've done it many times and when I made a typo, it bounced the Product Key as invalid. I then made the correction and then the installation proceeded.