Help!? Virus controlling PC even in Safe Mode

Posted on 2011-04-19
Last Modified: 2012-05-11
I have a virus that runs even in safe mode.  I have scanned with AVG livecd and removed infected files including winlogon.exe and atapi.sys.  I replaced those files with copies from an uninfected computer.  After rebooting, antivirus caught another virus infecting the winlogon.exe file.  I stopped the system restore service and set it to disabled and rebooted, and the system is in an endless loop of restarting even when attempting to boot into safe mode.

Question by:wellnecessities
    LVL 27

    Expert Comment

    You might think about removing the infected drive, slaving it to another system and performing new scans.

    Author Comment

    Thanks David.  I am currently in that process now.  One thing I didn't mention earlier is that this virus or one of the viruses seemed to infect when the drive was accessed - à la Autorun.ini.  

    I am slaving it to an Ubuntu system now to back up important files.  Hopefully I can determine the virus name so as to get removal instructions.  I have several other PCs on a network that are most likely infected.

    LVL 13

    Expert Comment

    I would scan that drive with Malwarebytes:
    Malwarebytes: CCleaner:

    When you connect the drive or anything you plan to scan, make sure you hold down Shift to prevent autorun. It may be getting passed around by USB.

    Last resort removal tool:

    Author Comment

    Thanks BC.  I have never heard of the "shift" option for stopping autorun, but that is very handy to know.  I have run nearly everything I can on this machine to remove viruses including, but not limited to, BitDefender livecd, AVG livecd, Prevx 3.0, Malwarebytes, Spybot S&D.

    The BIG problem now is that it is stuck rebooting on a loop, i.e. I press power -> POST sequence -> Windows begins to start -> blue background like desktop is loading -> black screen -> back to POST.  

    I have settled on re-installing, but knowing how to disable system restore before Windows boot, i.e. using a livecd to access those settings, would be infinitely helpful.  This particular virus reminds me of the Downadup virus a while back, with the difference that this virus embeds itself in such a way that it loads even in safe mode.  

    Any idea about the virus identity?  I still have other potentially infected PCs that I would much rather clean than reinstall all of them as it would entail tracking down original installation media and reinstalling all drivers, applications, etc.
    LVL 29

    Accepted Solution

    You could check the Registry of your system and see if there is any entry apart from "Userinit.exe" in "HKEY_USERS \ MyXPHive \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon" section.

    Below is a tutorial on how to do it.

    How to edit the registry offline using BartPE boot CD?

    I hope that would help.
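
An offline check of the Winlogon values named in the accepted solution, as an added example that is not part of the original thread. It assumes the offline SOFTWARE hive has been loaded under `HKU\MyXPHive` and the output of `reg query` on the Winlogon key has been saved as text; the expected values are the stock Windows XP defaults with the system root at `C:\WINDOWS`, the `Shell` check goes beyond the `Userinit` check the answer mentions, and the sample text is constructed.

```python
import re

# Stock Windows XP defaults (assumption: system root is C:\WINDOWS).
EXPECTED = {
    "userinit": [r"c:\windows\system32\userinit.exe"],
    "shell": ["explorer.exe"],
}

# One value line of `reg query` output: <indent>Name  REG_TYPE  Data
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Return {lowercased value name: data} from saved `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).strip().lower()] = m.group(3).strip()
    return values


def audit_winlogon(text):
    """List (value name, entry) pairs that deviate from the XP defaults."""
    values = parse_reg_query(text)
    findings = []
    for name, expected in EXPECTED.items():
        # Userinit is a comma-separated list; every entry is launched at logon.
        raw = values.get(name, "")
        entries = [e.strip().strip('"') for e in raw.split(",") if e.strip()]
        for entry in entries:
            if entry.lower() not in expected:
                findings.append((name, entry))
        # A missing or replaced default is as suspicious as an extra entry.
        if not any(e.lower() in expected for e in entries):
            findings.append((name, "<default entry absent>"))
    return findings


# Constructed sample output; the second Userinit entry is a made-up path.
SAMPLE_INFECTED = r"""
HKEY_USERS\MyXPHive\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Temp\example.exe
"""

if __name__ == "__main__":
    for name, entry in audit_winlogon(SAMPLE_INFECTED):
        print(f"Winlogon\\{name}: unexpected entry {entry}")
```
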

