Author Topic: Computer starts automatically only in safe mode, registry attack?  (Read 18713 times)

patio

  • Moderator


  • Genius
  • Maud' Dib
  • Thanked: 1769
    • Yes
  • Experience: Beginner
  • OS: Windows 7
" Anyone who goes to a psychiatrist should have his head examined. "

raygill

    Topic Starter


    Rookie

    • Experience: Experienced
    • OS: Windows 7
    Re: Computer starts automatically only in safe mode, registry attack?
    « Reply #16 on: May 25, 2013, 05:29:03 AM »
    My mistake.  I thought you meant this site's guidelines page.  But now I know you meant the CCleaner site (www.piriform.com); so I downloaded both the portable zip file and the installer and it seems to be working on the affected computer now.  I just did the first step, cleaning the temporary files. 

    patio

    • Moderator


    • Genius
    • Maud' Dib
    • Thanked: 1769
      • Yes
    • Experience: Beginner
    • OS: Windows 7
    Re: Computer starts automatically only in safe mode, registry attack?
    « Reply #17 on: May 25, 2013, 05:38:59 AM »
    Good deal...keep us posted.

    raygill

      Topic Starter


      Rookie

      • Experience: Experienced
      • OS: Windows 7
      Re: Computer starts automatically only in safe mode, registry attack?
      « Reply #18 on: May 25, 2013, 05:49:52 AM »
      Question:  the CCleaner ran successfully and deleted a lot of temporary files and cookies.  It did not indicate any problems.  Before it ran, I got the message that it could not connect to the internet and therefore could not access the www.piriform.com website which I assume was necessary in order to run the cleaner.  Per the error message, I restarted my router by disconnecting and reconnecting the power cord.  That allowed the cleaner to run.  Now I am at stage two which calls for downloading another clean up application, AdwCleaner, from Xplode.  As I apparently connected to the internet on the affected computer in order to be able to run CCleaner, I thought I should be able to download the next cleaner, AdwCleaner, directly onto the affected computer.  No such luck.  Neither Google Chrome nor Internet Explorer work, even after disconnect/reconnect.  Anybody know why this is happening?  CCleaner would not have cleaned unless it was connected to the internet, right? 

      Any response will be greatly appreciated.

      patio

      • Moderator


      • Genius
      • Maud' Dib
      • Thanked: 1769
        • Yes
      • Experience: Beginner
      • OS: Windows 7
      Re: Computer starts automatically only in safe mode, registry attack?
      « Reply #19 on: May 25, 2013, 06:22:04 AM »
      It doesn't need to connect to the web to run...that was to update it...
      If you want to run ADwcleaner you may have to DLoad it on the other PC the same way...
      Have you re-booted the PC though yet to see if everything is fine ? ?

      raygill

        Topic Starter


        Rookie

        • Experience: Experienced
        • OS: Windows 7
        Re: Computer starts automatically only in safe mode, registry attack?
        « Reply #20 on: May 25, 2013, 10:13:37 AM »
        Shouldn't I complete all the steps before I try to re-start the computer?

        patio

        • Moderator


        • Genius
        • Maud' Dib
        • Thanked: 1769
          • Yes
        • Experience: Beginner
        • OS: Windows 7
        Re: Computer starts automatically only in safe mode, registry attack?
        « Reply #21 on: May 25, 2013, 11:15:26 AM »
        The way I see it, I'd run one tool at a time...then re-boot and see if the issue is resolved...
        But that's just me.

        raygill

          Topic Starter


          Rookie

          • Experience: Experienced
          • OS: Windows 7
          Re: Computer starts automatically only in safe mode, registry attack?
          « Reply #22 on: May 25, 2013, 12:07:18 PM »
          I re-booted.  Same result.  Goes automatically to safe mode and I cannot get on the internet.  I read the guidelines again.  They say I should create 3 logs from the clean up steps they recommend.  I actually don't know how to create a log of what I've done.  Can somebody help me out?  Thank you again for your kind assistance.

          patio

          • Moderator


          • Genius
          • Maud' Dib
          • Thanked: 1769
            • Yes
          • Experience: Beginner
          • OS: Windows 7
          Re: Computer starts automatically only in safe mode, registry attack?
          « Reply #23 on: May 25, 2013, 12:13:42 PM »
          When you boot the next time go to Control Panel/System/Advanced...uncheck "auto-restart on errors"...save changes and Exit.
          Re-boot.

          raygill

            Topic Starter


            Rookie

            • Experience: Experienced
            • OS: Windows 7
            Re: Computer starts automatically only in safe mode, registry attack?
            « Reply #24 on: May 25, 2013, 02:10:56 PM »
            Same result.  Automatic safe mode.  Cannot access internet or change to regular mode.

            So the status of my troubleshooting so far:

            Per the guides, I have successfully downloaded and run CCleaner, AdwCleaner, and Malwarebytes.  The first two found nothing out of the ordinary.  Malwarebytes found 4 malicious programs, trojan horses, rootkit malware, etc., and removed all of them.  I then tried the last stage, by downloading DDS.  I put it on my flash drive and transferred that to the affected computer.  Unlike the previous applications, DDS would not run because apparently it needs to access the Internet in order to do so.

            I rebooted after the Malwarebytes cleaning but got the same result:  automatically into Safe Mode and no internet access.

            I include below the two logs that I did generate, i.e. from the AdwCleaner and Malwarebytes scans.  Is it possible that all I need to do now is adjust the affected computer so it knows that I want to access the internet in the normal mode?

            Here are the logs:

            # AdwCleaner v2.301 - Logfile created 05/25/2013 at 15:34:00
            # Updated 16/05/2013 by Xplode
            # Operating system : Windows 7 Professional Service Pack 1 (64 bits)
            # User : Ramond - RAMOND-PC
            # Boot Mode : Safe mode
            # Running from : I:\adwcleaner.exe
            # Option [Search]


            ***** [Services] *****


            ***** [Files / Folders] *****


            ***** [Registry] *****


            ***** [Internet Browsers] *****

            -\\ Internet Explorer v9.0.8112.16470

            [OK] Registry is clean.

            -\\ Mozilla Firefox v [Unable to get version]

            File : C:\Users\Ramond\AppData\Roaming\Mozilla\Firefox\Profiles\5916rq97.default\prefs.js

            [OK] File is clean.

            -\\ Google Chrome v25.0.1364.172

            File : C:\Users\Ramond\AppData\Local\Google\Chrome\User Data\Default\Preferences

            [OK] File is clean.

            *************************

            AdwCleaner[R1].txt - [808 octets] - [25/05/2013 15:34:00]

            ########## EOF - C:\AdwCleaner[R1].txt - [867 octets] ##########

            ------------------

            Malwarebytes Anti-Malware 1.75.0.1300
            www.malwarebytes.org

            Database version: v2013.04.04.07

            Windows 7 Service Pack 1 x64 NTFS (Safe Mode)
            Internet Explorer 9.0.8112.16421
            Ramond :: RAMOND-PC [administrator]

            5/25/2013 4:11:44 PM
            mbam-log-2013-05-25 (16-11-44).txt

            Scan type: Quick scan
            Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
            Scan options disabled: P2P
            Objects scanned: 232613
            Time elapsed: 1 minute(s), 45 second(s)

            Memory Processes Detected: 1
            C:\Windows\svchost.exe (Trojan.Agent) -> 900 -> Delete on reboot.

            Memory Modules Detected: 0
            (No malicious items detected)

            Registry Keys Detected: 0
            (No malicious items detected)

            Registry Values Detected: 0
            (No malicious items detected)

            Registry Data Items Detected: 0
            (No malicious items detected)

            Folders Detected: 0
            (No malicious items detected)

            Files Detected: 3
            C:\Users\Ramond\AppData\Roaming\InstallShield\InstallShield\lfbegkzq.dll (Trojan.Happili.XGen) -> Quarantined and deleted successfully.
            C:\Windows\Installer\{e1a7a147-9811-f771-6555-c4ccee02b023}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
            C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

            (end)

            I greatly appreciate your continued assistance.
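The Malwarebytes log above says more than "four items removed". The legitimate svchost.exe lives only in C:\Windows\System32 (and SysWOW64), so one sitting directly in C:\Windows is a lookalike, and the `C:\Windows\Installer\{GUID}\U\80000032.@` path is the layout ZeroAccess (Malwarebytes' Rootkit.0Access) used for its payload. The PowerShell script below is an added example, not code from this thread, from Malwarebytes or from AdwCleaner. It re-checks those two indicators read-only and also reads the BCD entry that makes Windows start in Safe Mode on every boot. The function names are mine, and the idea that a `safeboot` BCD element explains this particular machine's symptom is my assumption; the thread never establishes the cause.

```powershell
# Added read-only triage script (example code; not from the thread or from any tool named in it).
# Run it in an elevated 64-bit PowerShell on the affected machine. It is written for PowerShell 2.0,
# which is what Windows 7 ships with. Nothing it reports is proof either way: a kernel-mode
# rootkit such as Rootkit.0Access can hide files and registry data from any scan run inside the
# infected Windows, which is exactly why the thread later recommends a rebuild.

function Get-Sha256 {
    # Get-FileHash needs PowerShell 4+, so hash with .NET directly.
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Find-RogueSvchost {
    # Windows keeps svchost.exe only in System32 and SysWOW64 (plus component-store copies
    # under WinSxS). The log above found one directly in C:\Windows, the classic spot for a
    # lookalike. Report every other copy with its size, hash match and signature.
    $legit   = @("$env:SystemRoot\System32\svchost.exe", "$env:SystemRoot\SysWOW64\svchost.exe")
    $refHash = Get-Sha256 $legit[0]
    $roots   = @($env:SystemRoot, $env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter 'svchost.exe' -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { ($legit -notcontains $_.FullName) -and ($_.FullName -notmatch '\\WinSxS\\') } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                New-Object PSObject -Property @{
                    Path           = $_.FullName
                    SizeBytes      = $_.Length
                    SameAsSystem32 = ((Get-Sha256 $_.FullName) -eq $refHash)
                    # On Windows 7 this cmdlet ignores catalog signatures, so even the genuine
                    # svchost.exe reports NotSigned there. A "Valid" signature from a non-Microsoft
                    # signer, or SameAsSystem32 = False, is what deserves attention.
                    SigStatus      = $sig.Status
                    Signer         = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
                }
            }
    }
}

function Find-ZeroAccessDirs {
    # ZeroAccess stored its modules in C:\Windows\Installer\{GUID}\U\ (and \L\) with names such
    # as 80000032.@, which is the file quarantined in the log above; later variants used
    # C:\$Recycle.Bin\<SID>\$<hex>\ the same way. Genuine Windows Installer folders are also
    # GUID-named but have no "U" subfolder, so that plus any "*.@" file is the signal.
    $installer = Join-Path $env:SystemRoot 'Installer'
    $recycle   = $env:SystemDrive + '\$Recycle.Bin'
    $guidDirs  = @(Get-ChildItem -Path $installer -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-f-]{36}\}$' -and (Test-Path (Join-Path $_.FullName 'U')) } |
        ForEach-Object { $_.FullName })
    $atFiles   = @(Get-ChildItem -Path $installer, $recycle -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match '\.@$' } |
        ForEach-Object { $_.FullName })
    New-Object PSObject -Property @{ GuidDirsWithU = $guidDirs; AtFiles = $atFiles }
}

function Get-SafebootSetting {
    # Windows boots into Safe Mode every time when the current BCD entry carries a "safeboot"
    # element (the msconfig Boot tab's "Safe boot" checkbox sets the same thing).
    # Assumption for this example: that this is worth checking; the thread never says it is the cause.
    $out = & "$env:SystemRoot\System32\bcdedit.exe" /enum '{current}' 2>&1
    foreach ($line in $out) {
        if ($line -match '^\s*safeboot\s+(\S+)') { return $Matches[1] }   # 'Minimal' or 'Network'
    }
    return $null   # element not present: normal boot
}

Find-RogueSvchost   | Format-List
Find-ZeroAccessDirs | Format-List
'safeboot element: ' + (Get-SafebootSetting)
```

If Get-SafebootSetting returns Minimal or Network, `bcdedit /deletevalue {current} safeboot` removes the element. In a case like this one that is best left until the cleanup or rebuild is finished: a machine that boots only into Safe Mode without networking is at least not reaching the rest of the home network.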

            raygill

              Topic Starter


              Rookie

              • Experience: Experienced
              • OS: Windows 7
              Re: Computer starts automatically only in safe mode, registry attack?
              « Reply #25 on: May 26, 2013, 10:49:15 AM »
              Does anybody know if I can transfer this whole thread to the "computer viruses and spyware" category? If that's possible, how do I do it?  Thank you.

              patio

              • Moderator


              • Genius
              • Maud' Dib
              • Thanked: 1769
                • Yes
              • Experience: Beginner
              • OS: Windows 7
              Re: Computer starts automatically only in safe mode, registry attack?
              « Reply #26 on: May 26, 2013, 04:59:39 PM »
              Consider it handled...

              raygill

                Topic Starter


                Rookie

                • Experience: Experienced
                • OS: Windows 7
                Re: Computer starts automatically only in safe mode, registry attack?
                « Reply #27 on: May 27, 2013, 07:04:18 AM »
                Thank you, Patio.  Given my next to last post, any thoughts on how I can run the last stage on the affected computer?

                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: Computer starts automatically only in safe mode, registry attack?
                « Reply #28 on: May 27, 2013, 12:54:05 PM »
                Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

                1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
                2. The fixes are specific to your problem and should only be used for this issue on this machine.
                3. If you don't know or understand something, please don't hesitate to ask.
                4. Please DO NOT run any other tools or scans while I am helping you.
                5. It is important that you reply to this thread. Do not start a new topic.
                6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
                7. Absence of symptoms does not mean that everything is clear.

                If you can't access the internet with your infected computer you will have to download any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
                ****************************************************
                Remove the Adware:
                • Please close all open programs and internet browsers.
                • Double click on adwcleaner.exe to run the tool.
                • Click on Delete.
                • Confirm each time with OK
                • Your computer will be rebooted automatically. A text file will open after the restart.
                • Please post the content of that logfile in your reply.
                • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
                *****************************************
                It appears your system is infected with a rootkit. A rootkit is a powerful piece of malware, that allows hackers full control over your computer for means of sending attacks over the Internet, or using your computer to generate revenue.

                Malware experts have recommended that we make it clear that with the system under control of a hacker, your computer might become impossible to clean 100%.

                Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your antivirus and security tools to prevent detection and removal. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

                 What danger is presented by rootkits?
                 Rootkits and how to combat them
                 r00tkit Analysis: What Is A Rootkit

                If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:
                How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
                What Should I Do If I've Become A Victim Of Identity Theft?
                 Identity Theft Victims Guide - What to do
                It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
                When should I re-format? How should I reinstall?
                Help: I Got Hacked. Now What Do I Do?
                Help: I Got Hacked. Now What Do I Do? Part II
                Where to draw the line? When to recommend a format and reinstall?

                Guides for format and reinstall:

                how-to-reformat-and-reinstall-your-operating-system-the-easy-way

                However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
                If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

                Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.
                Windows 8 and Windows 10 dual boot with two SSD's
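The shift-key advice above is the manual form of what the NoDriveTypeAutoRun policy does permanently. The PowerShell script below is an added example, not code from this thread or from any tool named in it: on the machine being used to ferry tools and logs (the "good" computer here) it reports whether AutoRun is already disabled for every drive type, lists any autorun.inf on removable, network or optical drives together with the command line it would launch and any hidden executables beside it, and optionally applies the policy. The function names are mine. One caveat the thread does not mention: Windows 7 with update KB971029 (pushed through Windows Update in February 2011) already ignores autorun.inf on USB mass storage, so the policy mostly matters for CD/DVD media and for older or unpatched systems; the shift-key trick and this check are a second layer, not the first.

```powershell
# Added example (not from the thread). Reports the AutoRun policy and any autorun.inf on
# removable/network/optical drives; written for PowerShell 2.0. Only Disable-AutoRun changes
# anything, and it needs an elevated prompt because it writes the HKLM key.

$PolicyKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
                'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer')

function Get-AutoRunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is suppressed;
    # 0xFF covers every type. The HKLM value takes precedence over HKCU. Anything other
    # than 0xFF, or no value at all, means some drive types still autorun.
    foreach ($k in $PolicyKeys) {
        $v    = $null
        $item = Get-ItemProperty -Path $k -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($item) { $v = $item.NoDriveTypeAutoRun }
        New-Object PSObject -Property @{
            Key                = $k
            NoDriveTypeAutoRun = $(if ($v -ne $null) { '0x{0:X2}' -f [int]$v } else { '(not set)' })
            AllDisabled        = ($v -eq 0xFF)
        }
    }
}

function Find-AutorunInf {
    # Win32_LogicalDisk DriveType: 2 = removable, 4 = network, 5 = CD/DVD.
    Get-WmiObject -Class Win32_LogicalDisk |
        Where-Object { @(2, 4, 5) -contains $_.DriveType } |
        ForEach-Object {
            $root   = $_.DeviceID + '\'
            $inf    = $root + 'autorun.inf'
            $launch = $null
            if (Test-Path -LiteralPath $inf) {
                # The [autorun] section's open= or shellexecute= line names what would be run.
                $launch = (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                           Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }) -join '; '
            }
            # Hidden executables or shortcuts in the drive root are the usual companions
            # of a malicious autorun.inf; a legitimate installer CD rarely hides its files.
            $hidden = @(Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
                        Where-Object { (-not $_.PSIsContainer) -and
                                       ($_.Attributes -band [System.IO.FileAttributes]::Hidden) -and
                                       ($_.Extension -match '^\.(exe|lnk|scr|vbs|bat|cmd|pif)$') } |
                        ForEach-Object { $_.Name })
            New-Object PSObject -Property @{
                Drive       = $_.DeviceID
                DriveType   = $_.DriveType
                HasAutorun  = (Test-Path -LiteralPath $inf)
                Launches    = $launch
                HiddenExecs = $hidden
            }
        }
}

function Disable-AutoRun {
    # Sets the machine-wide policy; Explorer reads it at next logon.
    param([string]$Key = $PolicyKeys[0])
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name NoDriveTypeAutoRun -Value 0xFF -PropertyType DWord -Force | Out-Null
    Get-AutoRunPolicy
}

Get-AutoRunPolicy | Format-Table -AutoSize
Find-AutorunInf   | Format-List
# Disable-AutoRun   # uncomment on the clean machine, from an elevated prompt
```

Run Find-AutorunInf with the flash drive that was used to carry AdwCleaner and Malwarebytes plugged in; a drive that shows HasAutorun = True with a hidden .exe in its root should not go back into a clean machine without the shift key held, and better not at all.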

                raygill

                  Topic Starter


                  Rookie

                  • Experience: Experienced
                  • OS: Windows 7
                  Re: Computer starts automatically only in safe mode, registry attack?
                  « Reply #29 on: May 28, 2013, 03:26:41 PM »
                  Thank you SuperDave.  What you describe is scary.  I need to erase and reinstall because I use the computer for my business.  I do not store third-party financial information or passwords or anything like that but I am connected to networks that have somewhat sensitive legal information.  I am also, of course, connected to my personal bank accounts and financial information utilizing various passwords and usernames.  I had been automatically backing up with an external hard drive on a weekly basis before the crash happened.  I had to transfer the data from that drive to my laptop as the latter did not have all the information that my desktop had.  I am mostly concerned now about possible infection of the laptop via the backup and also the use of a USB flash drive in the previous clean up steps, as well as our home network.  Please advise regarding this latter issue.  I attach a copy of the AdwCleaner log:

                  # AdwCleaner v2.301 - Logfile created 05/28/2013 at 16:44:41
                  # Updated 16/05/2013 by Xplode
                  # Operating system : Windows 7 Professional Service Pack 1 (64 bits)
                  # User : Ramond - RAMOND-PC
                  # Boot Mode : Safe mode
                  # Running from : I:\adwcleaner.exe
                  # Option [Delete]


                  ***** [Services] *****


                  ***** [Files / Folders] *****


                  ***** [Registry] *****


                  ***** [Internet Browsers] *****

                  -\\ Internet Explorer v9.0.8112.16470

                  [OK] Registry is clean.

                  -\\ Mozilla Firefox v [Unable to get version]

                  File : C:\Users\Ramond\AppData\Roaming\Mozilla\Firefox\Profiles\5916rq97.default\prefs.js

                  [OK] File is clean.

                  -\\ Google Chrome v25.0.1364.172

                  File : C:\Users\Ramond\AppData\Local\Google\Chrome\User Data\Default\Preferences

                  [OK] File is clean.

                  *************************

                  AdwCleaner[R1].txt - [935 octets] - [25/05/2013 15:34:00]
                  AdwCleaner[S1].txt - [867 octets] - [28/05/2013 16:44:41]

                  ########## EOF - C:\AdwCleaner[S1].txt - [926 octets] ##########