
Unable to boot in any mode except Safe Mode


elxr06:

--- Quote from: evilfantasy on April 19, 2008, 05:45:13 PM ---
Do you have a flash drive to transfer over Vundofix?

Removal Steps:

   1. Please print these instructions as they will be needed later when Internet access is not available.

   2. Save these instructions in word or notepad to the desktop where they can be easily found.

   3. Download Vundo Fix and save it to your desktop.

   4. When it has completed downloading, double-click VundoFix.exe to run it.

   5. Click the Scan for Vundo button.

   6. Once it's done scanning, click the Remove Vundo button.

   7. You will now receive a prompt asking if you want to remove the files, click the YES button. Once you click yes, your desktop will go blank as it starts removing Vundo.

   8. When completed, it will prompt that it will shutdown your computer, click the OK button.

   9. When the computer has shutdown, turn your computer back on.

The WinFixer and Vundo infection should now be removed from your computer.

Next go HERE and do the instructions and post the logs back in the Computer Viruses and Spyware forum.

--- End quote ---

That I think should fix the problem, unless you have a system restore point and restoring earlier configurations doesn't matter to you too much. In doing system restore, you might lose things that you did recently (more likely, you'll just have to reinstall any recent programs you installed so that the registry reads it right and causes no problem when loading).

evilfantasy:
Yes it will fix it. Problem is what all else might be wrong. Winfixer shouldn't be blocking the internet. Malware writers don't profit on broken connections.........

How To Remove Winfixer / Virtumonde / Msevents / Trojan.vundo.b

iltat:
Well, thank ya'll for the advice so far. Last night, I got the chance to go try it out on her computer, and here are my notes:

- First, I took VundoFix over on CD, which seemed to work fine, since the program DLed and ran on her computer.
- I booted her computer up, and the first time it went into Safe Mode, the Safe Mode popup came up 5 times.
- While VF was running, the WinFixer popups came up. One is a yellow yield sign in the system tray, and the other is a Windows-designed error message. After a while, a screensaver would consist of bugs crawling across the screen, eating the desktop.
- VF took a half-hour to run, but found 6 infections, which I removed. When it began to remove them, a new Windows-designed error message popped up for a second that said due to a major problem, this computer would be shut down in 30 seconds. Then, all three error messages disappeared, and VF said it needed to restart the computer.
- Upon restart, the computer still could not start in any mode except Safe Mode. As soon as it booted up to the desktop, the error messages reappeared.
- I decided to just check out System Restore and see if I could find when it would restore to. Choosing System Restore from the Start menu resulted in the following message: System Restore is not able to protect your computer. Please restart and run System Restore again.
- I restarted one more time and System Restore gave the exact same error message again.

I left off at this point because the first instruction didn't work. VF didn't remove the program, so I wasn't sure if I should go through with anything else before checking back with ya'll. Also, as I looked closely at it, the program is actually called WinIFixer, not just WinFixer. Not sure if they're the same thing.

So, any more ideas?

evilfantasy:
I am moving this to the virus and spyware forum.

You need to run SmitFraudFix. Then post a Hijackthis log.

Download and rename HijackThis (HJT)

- Double-click on HJTInstall.
- Click on the Install button.
- It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
- Upon install, HijackThis should open for you.
- Close HijackThis and rename it.
- Go to C:\Program Files\Trend Micro\HijackThis.exe
- Right click on HijackThis.exe and select Rename.
- Type in sniper.exe and press Enter.
- Right-click on sniper.exe and select Send To > Desktop (create shortcut).
- From the desktop open Hijackthis.
- If using Windows Vista, right-click and Run As Administrator.
- Click on the Do a system scan and save a log file button.
- Hijackthis will scan and then a log will open in notepad.
- Copy and then paste the entire contents of the log in your post.
- Do not have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Although we have renamed Hijackthis to sniper, we will still refer to it as Hijackthis or HJT.

iltat:
Okay, I apologize about the massive absence, but she was unable to print/save the HiJackThis log, so she had to hand-write the entire thing and I had to retype it all. Please excuse any slight typos (O's where 0's should be, uncapitalized letters, etc.). So, here it is:

Logfile of trend micro hijackthis v2.0.2
Scan saved at 9:09:25pm, on 4/23/2008
Platform: WindowsXP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes :
C:\windows\system32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\explorer.exe
C:\windows\system32\drivers\spools.exe
C:\Program Files\Trendmicro\HijackThis\sniper.exe.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1_HKCU\Software\Microsoft\Windows\Current version\internet setting.proxyoverride=*.local
R3_URLSearchHook:Yahoo! Toolbar_{EF99BD32-C1FB-11D2-892F0090271D4F88}-C:\PROGRA~1\Yahoo!\companion\Installs\cpn\yt.dll
F2-Reg:system.ini:Shell=Explorer.exe C:\windows\Shell.exe
F2-Reg:system.ini:userInit=C:\windows\system32\userint.exe, C:\programFiles\Common Files\Microsoft Shared\sysctc.exe,
O2-BHOLno name)-{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}-C:\Windows\system32\jfiehayd.dll
O2-BHO:C:\windows\system32\jfiehayd.dll-{C5AF49A2-94F3-42BD-F434-2604812C897D}-C:\windows\system32\jfiehayd.dll
O3-Toolbar:Hpview-{B2847E28-SD7D-4DE8-8B67-05D28BCF79F5}-C:\Program Files\HP\Digital imaging\bin HPDTLKO2.dll
O3-Toolbar:Yahoo! Toolbar-{EF99BD32-C1FB-11D2-892F-0090271D4F88}-C:\PROGRA~1\Yahoo!\companion\installs\cpn\yt.dll
O4-HKLM\..\Run:[YsearchProtection]”C:\Program Files\Yahoo!\search protection\searchprotection.exe”
O4-HKLM\..\Run:[QuickTime Task]”C:\Program Files\QuickTime\QTTASK.exe”-atboottime
O4-HKLM\..Run:[itunesHelper]”C:\Program Files\itunes\ituneshelper.exe”
O4-HKLM\..\Run:[Postsetupcheck]C:\windows\system32\Rundll32.exe”C:\windows\system32\atgban.dll” Dllstart
O4-HKLM\..\Run:[runner1 C:\windows\mrofinu1000106.exe  61A847B5BBF72813329B385772FF01FOB3E35B6 638993F4661AA4EBD86D67C56389B284534F310 F3D1DC7E4638E8323A15806F97BDE4417E6FD96 7002BA754E2C2832213329D26033AAC
O4-HKLM\..\Run:[b4fe43bd]rundll32.exe”C:\windows\system32\fqvtivpi.dll”,b
O4-HKLM\..\Run:[ntuser]C:\windows\system32\drivers\spools.exe
04-HKLM\..\Run:[autoload]C:\Documents and Settings\Adriana\cftmon.exe
O4-HKLM\..\Run:[BluetoothAutorizationAgent]C:windows\system32\BluetoothAuthorizationAgent.exe
O4-HKLM\..\Run:[WinIFixer]C:\Program Files\WinIFixer\WinIFixer.exe
O4-HKLM\..\Run:[antivirus Pro]C:Program Files\AntivirusPro\AntivirusPro.exe
O4-HKLM\..\Run:[jdgf894jrghoiistd]C:\windows\Temp\winlogan.exe
O4-HKLM\..\Run:[advap32]C:windows\TEMP\loader2.exe\v
O4-HKLM\..\Run:[SystemDrive]C:windows\system32\maxpaynow1.exe
O4-HKLM\..\Run:[taskmon]C:windows\taskmon.exe
O4-HKLM\..\Run:[msvtt]C:windows\system32\mmhkj.exe
O4-HKLM\..\Run:[BMb7cd7021]Rundll32.exe “C:\windows\system32\amcakabk.dll”,s
O4-HKLM\..\Run:[kernelFaultCheck]%systemroot%\system32\dumprep O-K
O4-HKCU\..\Run:[ctfmon.exe]C:Windows\system32\ctfmon.exe
O4-HKCU\..\Run:[Yahoo! Pager]”C:\PROGRA~1\Yahoo\MESSEN~1\YAHOOM~1.EXE”-quiet
O4-HKCU\..\Run:[MSMSGS]”C:\Program Files\Messenger\msmsgs.exe”/background
O4-HKCU\..\Run:[YsearchProtection]C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4-HKCU\..\Run:[srro]”C:\DOCUME~1\adriana\MYDOCU~1\SSTEM~1\winlogon.exe” –vt ya2b
O4-HKCU\..\Run:[Odog] “C:\Documents and settings\adriana\My Documents\M?crosoft.net\??rvices.exe”
O4-HKCU\..\Run:[ntuser]C:\Windows\system32\drivers\spools.exe
O4-HKCU\..\Run:[jdgf894jrghoiiskd]C:\Windows\TEMP\winlogan.exe
O4-HKCU\..\Run:[Jnskdfmf9eldfd]C:\Docume~1\adriana\LOCALS~1\Temp\csrssc.exe
O4-HKCU\..\Run:[ServicePack1]C:\Windows\system32\vedxgbame4.exe
O4-HKCU\..\Run:[autoload]c:\Documents and settings\adriana\cftmon.exe
O4-HKUS\S-1-5-18\..\Run:[autoload]C:\Documents and settings\\local service\cftmon.exe (user ‘SYSTEM’)
O4-HKUS\S-1-5-18\..\Run:[jdgf894jrghoiiskd]C:\windows\temp\winlogan.exe (user ‘system’)
O4-HKUS\S-1-5-18\..\Run:[jnskdfmf9eldfd]C:\windows\temp\csrssc.exe (user ‘system’)
O4-HKUS\S-1-5-18\..\Run:[spoolsv]C:\windows\system32\spoolvs.exe (user ‘system’)
O4-HKUS\S-1-5-18\..\Run:[windows update loader]C:\windows\xpupdate.exe (user ‘system’)
O4-HKUS\.DEFAULT\..\Run:[ntuser]C:\windows\system32\drivers\spools.exe (user ‘Default user’)
O4-Startup:DW-Start.lnk=C:\windows\system32\rwwnwb4d.exe
O4-Global startup:adobe reader speed launch.lnk=c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
O4-Global startup:Lumix simple viewer.lnk=?
O7-HKCU\software\Microsoft\windows\current version\policies\system.disableregedit=1
O8-Extra content menu item: Add to HP organize… -C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\sendTo.html
O8-Extra content menu item: E &xopt to Microsoft Excel – res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9-Extra button: (no name)-{O8BOE5CO-4FCB-11CF-AAA5-00401C608501}-C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9-Extra ‘tools’ menuitem:sunjava Console-{08BDE5CO-4FCB-11CF-AAA5-004016608501}C:\Program Files\java\j2re1.4.2_03\bin\npjpi142-03.dll
O9 Extra button: Yahoo! Messenger-{E5012C4E-7B4F-11D3-B5C9-005004563C96}-C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 Extra ’Tools’ menuitem: Yahoo! Messenger-{E5D12C4E-7B4F-11D3-B5C9-0050045C3L96}-C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
09-Extra button:Messenger-{FB5F1910-F110-11dz-BB9E-00C04F795683}-C:\Program Files\Messenger\msmsgs.exe
09 Extra ’Tools’ menuitem:windows messenger-{FB5F1910-F110-11dz-BB9E-00C04F795683}-C:\Program Files\Messenger\msmsgs.exe
OI7-HKLM\System\ccs\services\tcpip\..\{7345DF05-A119-4931-9OE6-666CF5AEA1DA}:nameserver  85.255.116.168.85.255.112.209
OI7-HKLM\System\ccs\services\tcpip\..\{CD941F95-643F-460F-856B-CSD8263728DC}: nameserver  85.255.116.168.85.255.112.209
OI7-HKLM\system\cs1\services\Tcpip\Parameters:Name Server=85.255.116.168.85.255.112.209
OI7-HKLM\system\cs1\services\Tcpip\..\{7345DF05-A119-4931-90E6-666CF5AEA1DA}NameServer=85.255.116.168.85.255.112.209
OI7- HKLM\system\cs1\services\Tcpip\parameters:Nameserver=85.255.116.168.85.255.112.209
O20-Applnit_DLLS:C:\windows\system32\wowfx.dll
O20-Winlogon Notify:awtttus-C:\windows\system32\awtttus.dll
O20-Winlogon Notify:ibudu-C:\windows\system32\ibudu.dll
O20-Winlogon Notify:partnershipreg-C:\Documents and settings\All users\\Documents\Settings\partnership.dll
O20-Winlogon Notify:wlctrl32-C:\windows\system32\WLCtrl32.dll
O21-SSODL:BeaQtlcG-{B4FE4313-1E54-E9B9-2D3B-2B96A415245B}-C:\windows\system32\zckmib.dll
O21-SSODL:PrxRam-{439e5852-9e59-4240-84c8-fe09995e25c8}-C:windows\Installer\\{439e5852-9e59-4240-84c8-fe09995e25c8}\PrxRam.dd
O21-SSODL:AlrtAlrt-{8bb3b421-ce22-4132-9140-a1fdefbfdo29}-C:\windows\Resources\AlrtAlrt.dll
O21-SSODL:zip-{da053baf-f7e9-4f4f-b41d-a5139124b1a2}-C:\windows\Installer\{da053baf-f7e9-4f4f-b41d-a5139124b1a2}\zip.dll
O22-Sharedtaskscheduler:jhsf8d984jief8dsfus98jkefn-{C5AF49A2-94F3-42BD-F434-Z604812C8970}-C:\window\system32\jfiehayd.dll
O23-Service: Apple Mobile Device-Apple, Inc.-C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23-Service :Bonjour Service-Apple Inc.-C:\Program Files\Bonjour\mdNSRejponder.exe
O23-Service : Command Service (cmdservice) –unknown owner- C:\windows\IA\command.exe
O23-Service :FC1 (fci)-unknown owner-C:\windows\system32\svchost.exe:ext.exe
O23-Service:Google Online Services-Unknown owner-C:\Documents and settings\Adriana\ie_updates3r.exe
O23-Service: iPod service-Apple Inc.-C:\Program Files\ipod\bin\ipodservice.exe
O23-Service:Network Monitor-unknown owner-C:\Program Files\Network Monitor\netmon.exe
O23-Service:task scheduler (schedule)-unknown owner-C:\windows\system32\drivers\spools.exe

--
End of File – 8463 bytes
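A small triage helper for logs like the one above, added here as an example and not part of this thread or of HijackThis: it flags O4 autostart entries whose filename imitates a Windows process name (spools.exe for spoolsv.exe, cftmon.exe for ctfmon.exe, winlogan.exe for winlogon.exe), autostarts launched from Temp or a user profile, and O17 nameserver entries that are not the resolvers you expect. The sample lines are constructed from the posted log, and the expected-resolver set (192.168.1.1) is an assumption.

```python
import difflib
import re

# Legitimate process names that entries in the posted log imitate (spools.exe, cftmon.exe, winlogan.exe).
SYSTEM_NAMES = ["ctfmon.exe", "spoolsv.exe", "winlogon.exe", "csrss.exe", "svchost.exe", "lsass.exe"]
# Directories from which a Run entry rarely has a legitimate reason to start a program.
SUSPECT_DIRS = ("\\temp\\", "\\documents and settings\\")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
EXE_RE = re.compile(r'([^\\/"\s]+\.exe)', re.I)

# Constructed sample, modelled on the log posted above (O17 written with the real HijackThis prefix).
SAMPLE_LINES = [
    r"O4-HKLM\..\Run:[ntuser]C:\windows\system32\drivers\spools.exe",
    r"O4-HKCU\..\Run:[autoload]c:\Documents and settings\adriana\cftmon.exe",
    r"O4-HKLM\..\Run:[jdgf894jrghoiistd]C:\windows\Temp\winlogan.exe",
    r"O4-HKCU\..\Run:[ctfmon.exe]C:\Windows\system32\ctfmon.exe",
    r"O17-HKLM\System\CCS\Services\Tcpip\..\{7345DF05-A119-4931-90E6-666CF5AEA1DA}: NameServer = 85.255.116.168,85.255.112.209",
    r"O23-Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
]

def lookalike(exe_name):
    """Return the system process name that exe_name imitates, or None if it is exact or unrelated."""
    exe_name = exe_name.lower()
    if exe_name in SYSTEM_NAMES:
        return None
    best = max(SYSTEM_NAMES, key=lambda s: difflib.SequenceMatcher(None, exe_name, s).ratio())
    return best if difflib.SequenceMatcher(None, exe_name, best).ratio() >= 0.85 else None

def triage(lines, expected_dns):
    """Return [(line, reason), ...] for every HijackThis-style line that deserves a closer look."""
    findings = []
    for line in lines:
        if line.upper().startswith("O4-"):
            command = line.split("]", 1)[-1].strip()  # text after the [name] is the command line
            match = EXE_RE.search(command)
            exe = match.group(1) if match else ""
            legit = lookalike(exe)
            if legit:
                findings.append((line, f"{exe} imitates {legit}"))
            if any(d in command.lower() for d in SUSPECT_DIRS):
                findings.append((line, "autostart from a temp or user-profile directory"))
        elif line.upper().startswith("O17-"):
            rogue = [ip for ip in IP_RE.findall(line) if ip not in expected_dns]
            if rogue:
                findings.append((line, "nameserver changed to " + ", ".join(rogue)))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LINES, {"192.168.1.1"}):  # assumed LAN resolver
        print(f"{reason}: {line}")
```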
