Grey screen with login, incorrect voucher, start.exe [antivirus info]

UPDATE 2012.09.20: commenter Lauralea suggested the following simpler procedure:

  1. Reboot Windows (you can power off your machine if necessary)
  2. When your computer restarts, enter safe mode by pressing F8 before Windows can load
  3. Run Malwarebytes (alternate link) to remove the infection
  4. Reboot and you should be good to go!*
*NOTE: I would recommend performing an additional virus scan after you reboot, just to make sure there aren’t any other viruses/trojans. -JD

Original instructions:

If you get a grey box like this, then you have a virus infection, or more specifically a trojan horse. It starts automatically at boot and intercepts CTRL-ALT-DEL keypresses and other attempts to bypass it.

Here is one method to disable it so you can run an antivirus program:

  1. Reboot Windows (you can power off your machine if necessary)
  2. When your computer restarts, enter safe mode by pressing F8 before Windows can load
  3. Once in safe mode, go to Start -> Run -> msconfig.exe
  4. Go to the “Startup” tab and disable ‘start.exe’ (or a similar suspicious executable, but be careful not to disable something legitimate) by unchecking the box next to it
  5. Press the ‘OK’ button to confirm
  6. Reboot
Now you should be free of that grey screen. I highly recommend running a complete antivirus scan using something like AVG Free. Here is the report that it generated after removing the trojan:

Location: “C:\Documents and Settings\Administrator\Application Data\xkpoe\start.exe”
Description: “Trojan horse Generic28.AZPH”
AVG Free: “Moved to Virus Vault”
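
Finding the right entry in msconfig's Startup tab is the hard part of step 4, so here is an added example (not part of the original post) that lists auto-start entries from the registry Run keys and Startup folders in Windows PowerShell and marks the ones worth a closer look. The folder pattern and the rundll32 check are assumed heuristics, based on the AVG report path above and on the DLL variant a commenter describes below; a flagged entry is a candidate for review, not proof of infection.

```powershell
# Added example: list auto-start entries and flag the ones that launch from
# user-writable profile folders or through rundll32 (which can be legitimate).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

# Assumed heuristic: programs rarely need to auto-start from these folders.
$suspectDirs = '\\(Application Data|AppData\\Roaming|AppData\\Local|Temp)\\'

function Test-SuspiciousCommand([string]$Command) {
    # -match is case-insensitive; environment variables are expanded first.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    ($expanded -match $suspectDirs) -or ($expanded -match '\brundll32(\.exe)?\b')
}

function New-Entry($Source, $Name, $Command) {
    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Command = $Command
        Suspicious = (Test-SuspiciousCommand $Command)
    }
}

function Get-StartupEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $reg = Get-Item -Path $key
        foreach ($name in $reg.GetValueNames()) {
            New-Entry $key $name ([string]$reg.GetValue($name))
        }
    }
    $shell = New-Object -ComObject WScript.Shell
    $folders = [Environment]::GetFolderPath('Startup'),
               "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($dir in $folders) {
        if (-not $dir -or -not (Test-Path $dir)) { continue }
        # -Force includes hidden and system files; desktop.ini is skipped.
        $files = Get-ChildItem -Path $dir -Force | Where-Object { $_.Name -ne 'desktop.ini' }
        foreach ($file in $files) {
            $target = $file.FullName
            if ($file.Extension -eq '.lnk') { $target = $shell.CreateShortcut($target).TargetPath }
            New-Entry $dir $file.Name $target
        }
    }
}

# Check the heuristic against the path from the AVG report above.
Test-SuspiciousCommand 'C:\Documents and Settings\Administrator\Application Data\xkpoe\start.exe'
Get-StartupEntry | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Name, Command, Source -AutoSize -Wrap
```

The script only reads and reports; disabling an entry is still done through msconfig as in the steps above.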

PS if you found this post helpful, please rate it from 1 to 5 stars in the comments section, thanks!

15 comments

  • Lauralea

    Hi, I’ve tried this and I never found a start.exe. I’ve disabled things that looked suspicious, but that still hasn’t worked. I don’t know what else to do and I am panicking. I have an online class I need to get back to. Is there anything I can do to fix this? Please.

  • Lauralea

    Thank you for the quick response! But, I actually ended up figuring it out myself a few minutes after I sent in my comment. I went into safe mode and then downloaded Malwarebytes, ran that and it eliminated the trojan.

  • Jojo77

    This had been driving me crazy! Thanks to you all I used the 2 methods above and now my computer is finally back to normal with no incorrect voucher crap killing me! 5 out of 5 stars from me

  • Panzer

    Hi, I’ve recently been infected with this virus, however I cannot boot into safe mode, when I try to my computer will just restart when it loads windows. Any tips?

    • Hi Panzer,
      Thank you for your comment. If you are still having this issue, can you elaborate on what happens when you try to get into safe mode? (i.e. are you able to select safe mode from the boot selection menu? if so, what does it say?)

      Best regards,
      -JD

  • Panzer

    Hi JD, thanks for the reply. I was short on time so I resolved the issue by sticking my HDD into my brother’s hot swap bay (don’t know why I didn’t think of this earlier) and managed to scan it that way. As for the safe mode options, I have with networking, with command prompt however selecting any of those would end up with “Windows is loading” with the win7 background screen, however I’m assuming as soon as explorer.exe starts up the virus just causes my system to reboot.

    After clearing the virus I did check to make sure my safe mode wasn’t faulty, and with the virus removed it worked as it should have. Perhaps a more evolved version of what’s been posted here. However even after a scan some of the virus remained (I had full control at this point) and MSE was quarantining the virus every 5 minutes and I had to use hitman pro to finish the nasty bugger off.

    • Hi Panzer,
      Thank you for your followup comment and the great tip! I am certain your strategy will be helpful to others in similar situations.

      Thanks again and great job solving the problem!

      🙂

      Best regards,
      -JD

  • Mark Sinden

    The variant of this which I had was in the form of a dll file. It was being started in the startup section by a rundll command, and had installed an automatically starting system service. I had to disable the service in Safe mode AND disable the rundll lines in the startup, in order to then start the computer normally. Malwarebytes Antimalware followed and along with some thought SEEMS to be tackling the problem.

    Please note the files concerned were all tagged as “Essential System Files” and hidden by Windows by default – use the Folder Options > View section to change this behaviour.

  • R

    I can’t find start.exe either & I can’t find anything suspicious in startup. For me Malware bytes or avast don’t pick it up yet – I ran both twice to no avail. I’m nervous posting in case it’s a key logger & swipes my email but it’s driving me mental. I have been having safe mode issues also. It seems to alternate which option safemode starts on – for example I hit F12 & get the boot options:
    1. Normal
    2: C Drive (Not correct wording but essentially the same)
    3: Ide/DVD Rom (Not correct wording but essentially the same)

    If you pick 1 or 2 & get into the safemode options the next time you reboot & hit F12 & get to the boot options the safemode function seems to switch to a different option – IE: If the last time you used safemode it was on option 2 then this time it may have jumped to option one – that seems to be the case – just try the opposite route each time.

    • Hi R,
      Thank you for your email. Sorry for the delay in responding.

      It sounds like perhaps safe mode is not getting fully selected/logged into? Did you try the tutorials for entering safe mode? (or you can youtube it…)

      Once you are in safe mode and can perform the steps described in the post and comments, hopefully all will be well.

      Sorry to not be of more specific help, it just sounds like a safe mode issue???

      Best regards,
      -JD

  • Natnat

    I too was infected. Nothing but grey screen on startup. Tried to get into safe mode but computer would automatically reboot in normal mode once files finished loading for safe mode. Was finally able to start in safe mode with networking option by pressing F8 upon restart.
    Followed your advice -> msconfig.exe -> disabled any programs that I didn’t recognize. After that windows loaded normally and I was able to run spyhunter (antivirus/antimalware)

    Identified:

    Ransomware.ukash virus/ FBI moneypak
    —- ZnmJIgW.exe

    And

    Virus.google.redirect virus
    —- Bieko.exe

    Thanks for your suggestions and hope this helps others

    Natnat

    • Hi natnat,
      Thanks for sharing your experience and the great tips. Good job sticking with it and getting that nasty stuff removed 🙂

      Have a great weekend!

      Best regards,
      -JD
