
Author Topic: Computer starts automatically only in safe mode, registry attack?  (Read 18714 times)


raygill

    Topic Starter


    Rookie

    • Experience: Experienced
    • OS: Windows 7
    Desktop with Windows 7 service pack 1, Intel I-5-2500 CPU @ 3.30 GHz, 16.0 GB memory, 64 bit OS, crashed one month ago.  Self-help unsuccessful.  Using laptop in the meantime.  Tried desktop again today.  Always starts automatically in safe mode.  Scan in SM showed no errors.  Cannot access internet.  Someone suggested it might be root kit virus.  Any suggestions on how to proceed?

    Allan

    • Moderator

    • Mastermind
    • Thanked: 1260
    • Experience: Guru
    • OS: Windows 10
    Re: Computer starts automatically only in safe mode, registry attack?
    « Reply #1 on: May 21, 2013, 07:43:42 AM »
    1) Define "crash" please.

    2) If you suspect malware, please follow the instructions in the following link and post your logs in the thread you create (NOT in this thread):
    http://www.computerhope.com/forum/index.php/topic,46313.0.html

    raygill

      « Reply #2 on: May 21, 2013, 12:22:15 PM »
      It started with a runtime error for a paperport.exe scanning application which I have been using for over a year without any problem.  The message was 'this application has requested the Runtime to terminate it in an unusual way. Please contact etc.'  I tried to recover the system from 3 weeks earlier right before a critical update.  In the process, another message popped up:  'do you want to allow Microsoft to perform changes' i.e. search for malware.  I said no.  The computer restarted.  After restart, I got the same message but said yes this time.  The computer did its business, restarted and sounded terrible, a repetitive grumbling, grinding sound, not loud, but persistent.  Then it sounded like it was shuffling through files, then the same error message came on for just a couple of seconds ('do you want to allow MS to make changes etc').  Next error message, 'too many 16 bit programs, get rid of some....' and then it went into a repetitive cycle of shutting down, restarting, shutting down, restarting again. 

      I went to the link for the malware clean up.  I think it assumes an ability to download files from the internet onto the affected computer.  I cannot do that on my affected desktop.  I am trapped in safe mode with no access to the internet.  Where can I go from here?

      Thank you for your interest.

      Computer_Commando



        Hacker
      • Thanked: 494
      • Certifications: List
      • Computer: Specs
      • Experience: Expert
      • OS: Windows 10
      Re: Computer starts automatically only in safe mode, registry attack?
      « Reply #3 on: May 21, 2013, 05:09:20 PM »
      Quote
      ...The computer did its business, restarted and sounded terrible, a repetitive grumbling, grinding sound, not loud, but persistent...

      Could be hard drive is going bad, test it with drive manufacturer's software.
      http://www.tacktech.com/display.cfm?ttid=287

      raygill

        « Reply #4 on: May 22, 2013, 06:49:25 AM »
        Thank you.  I downloaded the Western Digital Data LifeGuard Diagnostics - DLGDIAG for Windows v. 1.24 utility and ran the Quick Test which the hard drive passed.  Do you think I should run the extended test which could take several hours?  Thanks again for your help.

        patio

        • Moderator


        • Genius
        • Maud' Dib
        • Thanked: 1769
          • Yes
        • Experience: Beginner
        • OS: Windows 7
        Re: Computer starts automatically only in safe mode, registry attack?
        « Reply #5 on: May 22, 2013, 08:14:30 AM »
        Yes.
        The long test is the definitive one...
        " Anyone who goes to a psychiatrist should have his head examined. "

        raygill

          « Reply #6 on: May 23, 2013, 04:48:52 AM »
          I did the extended test and the hard drive passed.  What do you suggest I try now?  Thank you.

          patio

          « Reply #7 on: May 23, 2013, 05:18:47 AM »
          Have you tried un-installing and re-installing the HP printer and its software ? ?
          As to the noise it could also be one of the fans...

          raygill

            « Reply #8 on: May 23, 2013, 06:35:59 PM »
            I think the noise was a red herring.  After the initial crash, we were able to start in safe mode intentionally and access the internet.  We even downloaded a couple of different anti-malware applications to try to correct the problem.  But the computer was consistently acting like there was a virus, or Trojan, or something deviously thwarting every attempt to get at the essential problem. I think I need some help with isolating the malware and dealing with it. 

            patio

            « Reply #9 on: May 23, 2013, 07:01:06 PM »
            I would suggest visiting Here...

            And Post your logs for the Experts to have a looksee...

            raygill

              « Reply #10 on: May 24, 2013, 11:43:42 AM »
              As you know, I cannot download directly to the affected computer because I cannot get on the internet.  So I downloaded the CCleaner application per the instructions and saved it to a flash drive.  I then transferred the flash drive to the affected computer and tried to run it.  I get the error message:  "C:\Program Files\CCleaner\CCleaner64.exe  The specified path does not exist." When I try to change the path to the flash drive (drive "I:\"  in this case) I get the same error message but with the new drive.  I imagine this is pretty elementary stuff and I apologize but I do not know how to run CCleaner in these circumstances.  Would you kindly tell me what to do?  Thank you very much.

              patio

              « Reply #11 on: May 24, 2013, 11:55:16 AM »
              Is your version of Win7 64Bit ? ?
              If not DLoad the 32 bit CCleaner and try it...

              Computer_Commando



              « Reply #12 on: May 24, 2013, 12:21:22 PM »
              CCleaner System Requirements:
              Runs on Microsoft Windows 8, 7, Vista and XP. Including both 32-bit and 64-bit versions.

              patio

              « Reply #13 on: May 24, 2013, 03:08:00 PM »
              Thanx for the heads up...
              Was not aware the 1 version runs on both.
              Also at the bottom of the page is the ver. that will run from a flash drive...perhaps he should try that one.

              raygill

                « Reply #14 on: May 25, 2013, 05:01:59 AM »
                I don't see anything about opening CCleaner from a flash drive at the bottom of the page.

                patio


                raygill

                  « Reply #16 on: May 25, 2013, 05:29:03 AM »
                  My mistake.  I thought you meant this site's guidelines page.  But now I know you meant the CCleaner site (www.piriform.com); so I downloaded both the portable zip file and the installer and it seems to be working on the affected computer now.  I just did the first step, cleaning the temporary files.

                  patio

                  « Reply #17 on: May 25, 2013, 05:38:59 AM »
                  Good deal...keep us posted.

                  raygill

                    « Reply #18 on: May 25, 2013, 05:49:52 AM »
                    Question:  the CCleaner ran successfully and deleted a lot of temporary files and cookies.  It did not indicate any problems.  Before it ran, I got the message that it could not connect to the internet and therefore could not access the www.piriform.com website which I assume was necessary in order to run the cleaner.  Per the error message, I restarted my router by disconnecting and reconnecting the power cord.  That allowed the cleaner to run.  Now I am at stage two which calls for downloading another clean up application, AdwCleaner, from Xplode.  As I apparently connected to the internet on the affected computer in order to be able to run CCleaner, I thought I should be able to download the next cleaner, AdwCleaner, directly onto the affected computer.  No such luck.  Neither Google Chrome nor Internet Explorer work, even after disconnect/reconnect.  Anybody know why this is happening?  CCleaner would not have cleaned unless it was connected to the internet, right? 

                    Any response will be greatly appreciated.

                    patio

                    « Reply #19 on: May 25, 2013, 06:22:04 AM »
                    It doesn't need to connect to the web to run...that was to update it...
                    If you want to run ADwcleaner you may have to DLoad it on the other PC the same way...
                    Have you re-booted the PC though yet to see if everything is fine ? ?

                    raygill

                      « Reply #20 on: May 25, 2013, 10:13:37 AM »
                      Shouldn't I complete all the steps before I try to re-start the computer?

                      patio

                      « Reply #21 on: May 25, 2013, 11:15:26 AM »
                      The way I see it I'd run 1 tool at a time...then re-boot and see if the issue is resolved...
                      But that's just me.

                      raygill

                        « Reply #22 on: May 25, 2013, 12:07:18 PM »
                        I re-booted.  Same result.  Goes automatically to safe mode and I cannot get on the internet.  I read the guidelines again.  They say I should create 3 logs from the clean up steps they recommend.  I actually don't know how to create a log of what I've done.  Can somebody help me out?  Thank you again for your kind assistance.

                        patio

                        « Reply #23 on: May 25, 2013, 12:13:42 PM »
                        When you boot the next time go to Control Panel/System/Advanced...uncheck "auto-restart on errors"...save changes and Exit.
                        Re-boot.

                        raygill

                          « Reply #24 on: May 25, 2013, 02:10:56 PM »
                          Same result.  Automatic safe mode.  Cannot access internet or change to regular mode.

                          So the status of my troubleshooting so far:

                          Per the guides, I have successfully downloaded and run CCleaner, Adwcleaner, and Malwarebytes.  The first two found nothing out of the ordinary.  Malwarebytes found 4 malicious programs, trojan horses, root kit malware, etc., and removed all of them.  I then tried the last stage, by downloading DDS.  I put it on my flash drive and transferred that to the affected computer.  Unlike the previous applications, DDS would not run because apparently it needs to access the Internet in order to do so.

                          I rebooted after the Malwarebytes cleaning but got the same result:  automatically into Safe Mode and no internet access.

                          I include below the two logs that I did generate, i.e. from the Adwclean and Malwarebytes scans.  Is it possible that all I need to do now is adjust the affected computer so it knows that I want to access the internet in the normal mode?

                          Here are the logs:

                          # AdwCleaner v2.301 - Logfile created 05/25/2013 at 15:34:00
                          # Updated 16/05/2013 by Xplode
                          # Operating system : Windows 7 Professional Service Pack 1 (64 bits)
                          # User : Ramond - RAMOND-PC
                          # Boot Mode : Safe mode
                          # Running from : I:\adwcleaner.exe
                          # Option [Search]


                          ***** [Services] *****


                          ***** [Files / Folders] *****


                          ***** [Registry] *****


                          ***** [Internet Browsers] *****

                          -\\ Internet Explorer v9.0.8112.16470

                          [OK] Registry is clean.

                          -\\ Mozilla Firefox v [Unable to get version]

                          File : C:\Users\Ramond\AppData\Roaming\Mozilla\Firefox\Profiles\5916rq97.default\prefs.js

                          [OK] File is clean.

                          -\\ Google Chrome v25.0.1364.172

                          File : C:\Users\Ramond\AppData\Local\Google\Chrome\User Data\Default\Preferences

                          [OK] File is clean.

                          *************************

                          AdwCleaner[R1].txt - [808 octets] - [25/05/2013 15:34:00]

                          ########## EOF - C:\AdwCleaner[R1].txt - [867 octets] ##########

                          ------------------

                          Malwarebytes Anti-Malware 1.75.0.1300
                          www.malwarebytes.org

                          Database version: v2013.04.04.07

                          Windows 7 Service Pack 1 x64 NTFS (Safe Mode)
                          Internet Explorer 9.0.8112.16421
                          Ramond :: RAMOND-PC [administrator]

                          5/25/2013 4:11:44 PM
                          mbam-log-2013-05-25 (16-11-44).txt

                          Scan type: Quick scan
                          Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
                          Scan options disabled: P2P
                          Objects scanned: 232613
                          Time elapsed: 1 minute(s), 45 second(s)

                          Memory Processes Detected: 1
                          C:\Windows\svchost.exe (Trojan.Agent) -> 900 -> Delete on reboot.

                          Memory Modules Detected: 0
                          (No malicious items detected)

                          Registry Keys Detected: 0
                          (No malicious items detected)

                          Registry Values Detected: 0
                          (No malicious items detected)

                          Registry Data Items Detected: 0
                          (No malicious items detected)

                          Folders Detected: 0
                          (No malicious items detected)

                          Files Detected: 3
                          C:\Users\Ramond\AppData\Roaming\InstallShield\InstallShield\lfbegkzq.dll (Trojan.Happili.XGen) -> Quarantined and deleted successfully.
                          C:\Windows\Installer\{e1a7a147-9811-f771-6555-c4ccee02b023}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
                          C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

                          (end)

                          I greatly appreciated your continued assistance.
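
As an added example (not part of the original posts and not Malwarebytes' own code): a Python triage of the Malwarebytes log above that lists items still marked "Delete on reboot", flags a system binary name found outside its standard directory, and measures how old the signature database was at scan time. The function names, the `SYSTEM_BINARY_DIRS` table and the default `C:\Windows` install path are assumptions of this example.

```python
import re
from datetime import date
from pathlib import PureWindowsPath  # parses Windows paths on any OS

# Constructed sample: header and detection lines taken from the log posted above.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.75.0.1300
Database version: v2013.04.04.07
Windows 7 Service Pack 1 x64 NTFS (Safe Mode)
5/25/2013 4:11:44 PM
Scan type: Quick scan

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 900 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Ramond\AppData\Roaming\InstallShield\InstallShield\lfbegkzq.dll (Trojan.Happili.XGen) -> Quarantined and deleted successfully.
C:\Windows\Installer\{e1a7a147-9811-f771-6555-c4ccee02b023}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)
"""

DB_RE = re.compile(r"^Database version: v(\d{4})\.(\d{2})\.(\d{2})\.\d+$")
SCAN_RE = re.compile(r"^(\d{1,2})/(\d{1,2})/(\d{4}) \d{1,2}:\d{2}:\d{2} [AP]M$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Detected: \d+$")
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> "
    r"(?:(?P<pid>\d+) -> )?(?P<action>.+?)\.?$"
)

# Assumption: default install in C:\Windows. These names belong only in the
# listed directories; the same name anywhere else suggests masquerading.
SYSTEM_BINARY_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
}


def parse_log(text):
    """Return (metadata, detections) from a Malwarebytes 1.x text log."""
    meta = {"db_date": None, "scan_date": None, "safe_mode": False}
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()  # forum pastes are often indented
        if m := DB_RE.match(line):
            meta["db_date"] = date(*map(int, m.groups()))
        elif m := SCAN_RE.match(line):
            month, day, year = map(int, m.groups())
            meta["scan_date"] = date(year, month, day)
        elif "(Safe Mode)" in line:
            meta["safe_mode"] = True
        elif m := SECTION_RE.match(line):
            section = m["name"]
        elif m := DETECTION_RE.match(line):
            detections.append({
                "section": section,
                "path": m["path"],
                "name": m["name"],
                "pid": int(m["pid"]) if m["pid"] else None,
                "action": m["action"],
            })
    return meta, detections


def triage(text):
    """Summarise what a responder should follow up on before trusting the scan."""
    meta, detections = parse_log(text)
    pending, misplaced = set(), set()
    for det in detections:
        path = PureWindowsPath(det["path"])
        # "Delete on reboot" means the object was still present when the log was written.
        if "reboot" in det["action"].lower():
            pending.add(det["path"])
        allowed = SYSTEM_BINARY_DIRS.get(path.name.lower())
        if allowed and str(path.parent).lower() not in allowed:
            misplaced.add(det["path"])
    age = None
    if meta["db_date"] and meta["scan_date"]:
        age = (meta["scan_date"] - meta["db_date"]).days
    return {
        "detections": detections,
        "pending_removal": sorted(pending),
        "misplaced_system_names": sorted(misplaced),
        "db_age_days": age,
        "safe_mode": meta["safe_mode"],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Paths listed under `pending_removal` need a follow-up scan after the next boot to confirm they are gone, and a large `db_age_days` means the scan ran with out-of-date signatures.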

                          raygill

                            « Reply #25 on: May 26, 2013, 10:49:15 AM »
                            Does anybody know if I can transfer this whole thread to the "computer viruses and spyware" category? If that's possible, how do I do it?  Thank you.

                            patio

                            « Reply #26 on: May 26, 2013, 04:59:39 PM »
                            Consider it handled...

                            raygill

                              « Reply #27 on: May 27, 2013, 07:04:18 AM »
                              Thank you, Patio.  Given my next to last post, any thoughts on how I can run the last stage on the affected computer?

                              SuperDave

                              • Malware Removal Specialist
                              • Moderator


                              • Genius
                              • Thanked: 1020
                              • Certifications: List
                              • Experience: Expert
                              • OS: Windows 10
                              Re: Computer starts automatically only in safe mode, registry attack?
                              « Reply #28 on: May 27, 2013, 12:54:05 PM »
                              Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

                              1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
                              2. The fixes are specific to your problem and should only be used for this issue on this machine.
                              3. If you don't know or understand something, please don't hesitate to ask.
                              4. Please DO NOT run any other tools or scans while I am helping you.
                              5. It is important that you reply to this thread. Do not start a new topic.
                              6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
                              7. Absence of symptoms does not mean that everything is clear.

                              If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
                              ****************************************************
                              Remove the Adware:
                              • Please close all open programs and internet browsers.
                              • Double click on adwcleaner.exe to run the tool.
                              • Click on Delete.
                              • Confirm each time with OK
                              • Your computer will be rebooted automatically. A text file will open after the restart.
                              • Please post the content of that logfile in your reply.
                              • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
                              *****************************************
                              It appears your system is infected with a rootkit. A rootkit is a powerful piece of malware, that allows hackers full control over your computer for means of sending attacks over the Internet, or using your computer to generate revenue.

                              Malware experts have recommended that we make it clear that with the system under control of a hacker, your computer might become impossible to clean 100%.

                              Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your antivirus and security tools to prevent detection and removal. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

                               What danger is presented by rootkits?
                               Rootkits and how to combat them
                               r00tkit Analysis: What Is A Rootkit

                              If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:
                              How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
                              What Should I Do If I've Become A Victim Of Identity Theft?
                               Identity Theft Victims Guide - What to do
                              It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
                              When should I re-format? How should I reinstall?
                              Help: I Got Hacked. Now What Do I Do?
                              Help: I Got Hacked. Now What Do I Do? Part II
                              Where to draw the line? When to recommend a format and reinstall?

                              Guides for format and reinstall:

                              how-to-reformat-and-reinstall-your-operating-system-the-easy-way

                              However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
                              If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

                              Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.
                              Windows 8 and Windows 10 dual boot with two SSD's

                              raygill

                                « Reply #29 on: May 28, 2013, 03:26:41 PM »
                                Thank you SuperDave.  What you describe is scary.  I need to erase and reinstall because I use the computer for my business.  I do not store 3d party financial information or passwords or anything like that but I am connected to networks that have somewhat sensitive legal information.  I am also, of course, connected to my personal bank accounts and financial information utilizing various passwords and usernames.  I had been automatically backing up the with an external hard drive on a weekly basis before the crash happened.  I had to transfer the data from that drive to my laptop as the latter did not have all the information that my desktop had.  I am mostly concerned now about possible infection of the laptop via the backup and also the use of a USB flash drive in the previous clean up steps, as well as our home network.  Please advise regarding this latter issue.  I attach a copy of the

                                # AdwCleaner v2.301 - Logfile created 05/28/2013 at 16:44:41
                                # Updated 16/05/2013 by Xplode
                                # Operating system : Windows 7 Professional Service Pack 1 (64 bits)
                                # User : Ramond - RAMOND-PC
                                # Boot Mode : Safe mode
                                # Running from : I:\adwcleaner.exe
                                # Option [Delete]


                                ***** [Services] *****


                                ***** [Files / Folders] *****


                                ***** [Registry] *****


                                ***** [Internet Browsers] *****

                                -\\ Internet Explorer v9.0.8112.16470

                                [OK] Registry is clean.

                                -\\ Mozilla Firefox v [Unable to get version]

                                File : C:\Users\Ramond\AppData\Roaming\Mozilla\Firefox\Profiles\5916rq97.default\prefs.js

                                [OK] File is clean.

                                -\\ Google Chrome v25.0.1364.172

                                File : C:\Users\Ramond\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                [OK] File is clean.

                                *************************

                                AdwCleaner[R1].txt - [935 octets] - [25/05/2013 15:34:00]
                                AdwCleaner[S1].txt - [867 octets] - [28/05/2013 16:44:41]

                                ########## EOF - C:\AdwCleaner[S1].txt - [926 octets] ##########

                                SuperDave

                                • Malware Removal Specialist
                                • Moderator


                                • Genius
                                • Thanked: 1020
                                • Certifications: List
                                • Experience: Expert
                                • OS: Windows 10
                                Re: Computer starts automatically only in safe mode, registry attack?
                                « Reply #30 on: May 28, 2013, 03:33:49 PM »
                                Quote
                                I am mostly concerned now about possible infection of the laptop via the backup and also the use of a USB flash drive in the previous clean up steps, as well as our home network.
                                If your laptop became infected, you would soon know it. Run your AV scan on it and also on your flash drive.
                                Windows 8 and Windows 10 dual boot with two SSD's

                                raygill

                                  Topic Starter


                                  Rookie

                                  • Experience: Experienced
                                  • OS: Windows 7
                                  Re: Computer starts automatically only in safe mode, registry attack?
                                  « Reply #31 on: May 28, 2013, 05:43:07 PM »
                                  I scanned the hard drive and the flash drive and they are both okay.

                                  SuperDave

                                  • Malware Removal Specialist
                                  • Moderator


                                  • Genius
                                  • Thanked: 1020
                                  • Certifications: List
                                  • Experience: Expert
                                  • OS: Windows 10
                                  Re: Computer starts automatically only in safe mode, registry attack?
                                  « Reply #32 on: May 29, 2013, 12:27:18 PM »
                                  Just to be on the safe side, run another scan with this scanner. No need to post the logs.

                                  Please download and run Microsoft Safety Scanner. This will take about 20 minutes to run and will produce a log if your computer was infected. Please post the log. This scanner only has a shelf life of 10 days so you will need to download a new one if you want to run a scan after the trial period has expired.
                                  Windows 8 and Windows 10 dual boot with two SSD's

                                  raygill

                                    Topic Starter


                                    Rookie

                                    • Experience: Experienced
                                    • OS: Windows 7
                                    Re: Computer starts automatically only in safe mode, registry attack?
                                    « Reply #33 on: May 29, 2013, 03:34:12 PM »
                                    I ran the quick scan and it found no infections.  I originally started the full scan but at 28 minutes it was barely a quarter finished so I quit and did the quickie instead which took about the 20 minutes that you had estimated.  Thank you.  What next?

                                    SuperDave

                                    • Malware Removal Specialist
                                    • Moderator


                                    • Genius
                                    • Thanked: 1020
                                    • Certifications: List
                                    • Experience: Expert
                                    • OS: Windows 10
                                    Re: Computer starts automatically only in safe mode, registry attack?
                                    « Reply #34 on: May 29, 2013, 03:45:21 PM »
                                    Quote
                                    I ran the quick scan and it found no infections.  I originally started the full scan but at 28 minutes it was barely a quarter finished so I quit and did the quickie instead which took about the 20 minutes that you had estimated.  Thank you.  What next?
                                    That's it unless you've changed your mind about reformatting your hard drive.
                                    Windows 8 and Windows 10 dual boot with two SSD's

                                    raygill

                                      Topic Starter


                                      Rookie

                                      • Experience: Experienced
                                      • OS: Windows 7
                                      Re: Computer starts automatically only in safe mode, registry attack?
                                      « Reply #35 on: May 29, 2013, 08:00:14 PM »
                                      Well, even though the news has been bad, I want to thank you and everybody at this site in helping me to learn more about the mess I have gotten myself into and hopefully how to avoid it happening again.  This is really an excellent resource for someone like me with a modest amount of knowledge about computers, just enough to get myself into trouble, but a desire to learn more without really knowing how to go about it.  This forum seems like a good learning tool.  Thanks again and  :)  :) :).

                                      SuperDave

                                      • Malware Removal Specialist
                                      • Moderator


                                      • Genius
                                      • Thanked: 1020
                                      • Certifications: List
                                      • Experience: Expert
                                      • OS: Windows 10
                                      Re: Computer starts automatically only in safe mode, registry attack?
                                      « Reply #36 on: May 30, 2013, 01:05:23 PM »
                                      You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.

                                      Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.
                                      Windows 8 and Windows 10 dual boot with two SSD's