Problems with Computer, no longer runs in normal start up mode

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Freetimes, Jun 14, 2010.

  1. Freetimes

    Freetimes Private E-2

    Hey, so I've gone through the "read & run me first" and the "vista cleaning procedure" threads but am still unable to boot up windows normally. I'm worried I may have terminated an essential operating system process, though I have also been infected with some viruses (and/or other problems?). I've attached below the logs from each of the anti-malware programs specified. RootRepeal failed to run, causing some error messages. I'll attach those messages to my next post as well. The second attached error message was given several times before the program exited. You can skip the rest if you are busy; just going to add some details about what happened.

    So I just moved apartments and got new internet service only to discover that my McAfee subscription had run out. Rather than dealing with this, though, I just decided to continue using my internet as usual. Anyway, a few days later, my CPU usage started quickly alternating between 0 and 100%, so I shut it off. When I rebooted, all my desktop icons were overlaid with and partially obscured by an image of a pink computer monitor, and my PC ran slowly. In a frenzy, I downloaded several free antivirus programs and firewalls. I updated my Java and Flash players and installed all the Windows updates I could. There's one Windows update I couldn't install - I'll leave a note about it at the end. Then I ran all the antivirus programs and left the scans to run all at once. (I now realize this was a bad idea.) Eventually I found these forums, stopped the scans, got rid of all but one antivirus program and firewall (except for Windows Security Essentials, which I have been unable to uninstall in safe mode) and downloaded all 5 required programs.

    Before I canceled the avira antivirus scan, the scanner and guard popped up with two alerts. One was TR\Crypt.XPack.Gen, which was found several times and located under C:\Windows\Temp\_avast5_\unp#########. The other was GEN/pwdZIP, which was located under C:\ProgramData\Spybot - Search & Destroy\Recovery\WinAgentws1.zip. This was found three times before it was successfully quarantined. I believe I deleted both of these threats from the quarantine.

    At some point before my computer stopped working, I terminated lsass.exe from the task manager. My computer immediately shut down, but continued to work after I restarted it.

    Later, my computer stopped functioning in normal start up mode. Since then, I have set it to start in safe mode. I scanned again with Avira. It found TR/Spy.25088.36 and I deleted this threat. Afterward, I followed the procedures listed on this website. Unfortunately, I have been unable to run any of the anti-malware scans (or other programs) in normal start up mode.

    As you can tell, I am completely lost when it comes to computers and will be eternally grateful if someone who knows what they are doing could help me. Really, you guys are awesome.

    Note - When I purchased my computer, I didn't order a copy of office suite with it. Instead, I used an old copy of Microsoft XP office my dad had around from several years ago. Since I've gone off to school, I no longer have the installation disc for Office with me. When I tried to install Windows Updates, XP service pack 3 required that I use the installation disc. I uninstalled a copy of Windows Photoshop Viewer on my computer (which couldn't be updated) since I don't currently need it. However, I am somewhat reluctant to get rid of Microsoft Office (if this is even necessary). Considering I am unable to update to service pack 3, is it necessary to uninstall office, or otherwise do anything?

    Thanks a ton in advance, and sorry for the lengthy post.
     

    Attached Files:

    Last edited: Jun 14, 2010
  2. Freetimes

    Freetimes Private E-2

    RootRepeal error messages. The second error message was given several times, each slightly varied. I tried to run the program again after it failed the first time. I left it to run, and when I returned to my computer, only the desktop was displayed. I don't know what happened to the program, but it neither appeared to finish running nor caused any further error messages.
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am not seeing any signs of malware in your logs, although we can deal with some miscellaneous items before I refer you to the software forum for further assistance as to why you can only boot in safe mode.

    Once you do get into normal mode, you will have to figure out whether you wish to keep Avira or MSSE.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Driver::
    Viewpoint Manager Service
    
    Folder::
    c:\program files\Viewpoint
    c:\programdata\Norton
    c:\programdata\Symantec
    c:\programdata\NortonInstaller
    c:\programdata\McAfee
    C:\ProgramData\Alwil Software
    C:\Program Files\Alwil Software
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Viewpoint Manager Service]
    
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="YMP.Media"
    [HKEY_USERS\S-1-5-21-1506168599-1336243981-2645369500-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{81B03A20-DCE6-AAA5-FC95-DAD7AC662948}*]
    "oahilkihknnemabibeamapopmkiclf"=hex:69,61,6d,6c,69,61,66,6a,6c,6f,63,64,63,61,
       70,6e,6b,70,00,00
    "nabibljflobecpidknhpafkgooli"=hex:69,61,69,6c,65,64,67,70,63,68,6c,70,6b,6f,
       66,66,6d,66,00,00
    "oalndlebknkhhmenjoecnbeomeaong"=hex:64,61,61,6d,69,64,6f,69,00,ff
    [HKEY_USERS\S-1-5-21-1506168599-1336243981-2645369500-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:61,c3,23,5a,58,fc,d4,92,72,a8,c5,36,0c,6b,04,39,c3,40,fc,22,e1,8c,41,
       f4,08,17,0f,69,b6,e5,b4,35,b7,62,4d,f8,e7,d5,8f,83,86,9b,4b,bd,ba,59,fe,15,\
    "??"=hex:7a,48,b1,aa,15,03,19,e1,5b,aa,fa,05,dc,9d,fc,aa
    [HKEY_USERS\S-1-5-21-1506168599-1336243981-2645369500-1001\Software\SecuROM\License information*]
    @Allowed: (Read) (RestrictedCode)
    "datasecu"=hex:bf,38,0f,94,5b,94,e7,43,08,59,95,92,93,01,98,e4,17,e9,93,c7,c3,
       16,df,fd,de,bc,57,a9,ff,72,d1,14,9e,91,06,93,a0,ef,78,e2,0b,ef,55,07,b3,06,\
    "rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now you can post in the software forum and return here once you can boot normally if you like so that I can check new logs and either deal with any malware that shows or give you final steps if I still see no signs of malware.
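The text above is a ComboFix CFScript. As an added check, not part of the original post and not ComboFix's own code, the Python below parses such a script and summarises what each section asks ComboFix to do, using the meaning Kestrel13! gives later in the thread (Driver:: removes the listed service, Folder:: deletes the listed folders, [-key] entries under Registry:: delete keys, RegLock:: opens locked keys). The protected-root list, the function names and the abbreviated sample script (copied from the post above) are this example's own assumptions; ComboFix's full directive set is not documented on this page, so the parser recognises only the sections that appear in the script and reports anything else as unknown.

```python
import re
from dataclasses import dataclass, field

# A CFScript directive header is a bare "Name::" line (e.g. "Folder::").
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")

# Sections that appear in the script posted above; anything else is reported as unknown.
KNOWN_SECTIONS = {"KILLALL", "Driver", "Folder", "Registry", "RegLock"}

# Assumed rule of thumb for this example (not a ComboFix rule): a Folder:: entry
# naming one of these whole roots would wipe far more than leftover vendor data.
PROTECTED_ROOTS = {
    "c:", "c:\\windows", "c:\\windows\\system32",
    "c:\\program files", "c:\\programdata", "c:\\users",
}


@dataclass
class CFScriptSummary:
    kill_all: bool = False
    drivers: list = field(default_factory=list)           # services/drivers to remove
    folders: list = field(default_factory=list)           # folders to delete
    registry_deletes: list = field(default_factory=list)  # "[-key]" entries
    registry_edits: list = field(default_factory=list)    # "[key]" entries with values
    reglock_keys: list = field(default_factory=list)      # locked keys to open
    unknown_sections: list = field(default_factory=list)


def parse_cfscript(text: str) -> CFScriptSummary:
    """Walk the script line by line, tracking the current section header."""
    summary = CFScriptSummary()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            if section == "KILLALL":
                summary.kill_all = True
            elif section not in KNOWN_SECTIONS:
                summary.unknown_sections.append(section)
            continue
        if section == "Driver":
            summary.drivers.append(line)
        elif section == "Folder":
            summary.folders.append(line)
        elif section == "Registry":
            # "[-key]" deletes the key; "[key]" introduces values to set on it.
            if line.startswith("[-") and line.endswith("]"):
                summary.registry_deletes.append(line[2:-1])
            elif line.startswith("[") and line.endswith("]"):
                summary.registry_edits.append(line[1:-1])
        elif section == "RegLock":
            # Only the bracketed key lines are actions; the @Denied/@Allowed and
            # value lines under each key are ComboFix's report of what it found.
            if line.startswith("[") and line.endswith("]"):
                summary.reglock_keys.append(line[1:-1])
    return summary


def risky_folders(summary: CFScriptSummary) -> list:
    """Return Folder:: entries that name a protected root (case-insensitive)."""
    return [f for f in summary.folders if f.rstrip("\\").lower() in PROTECTED_ROOTS]


def describe(summary: CFScriptSummary) -> list:
    """One line per requested action, for a human to review before running the script."""
    lines = []
    if summary.kill_all:
        lines.append("KILLALL:: directive present")
    lines += [f"remove service/driver: {d}" for d in summary.drivers]
    lines += [f"delete folder: {f}" for f in summary.folders]
    lines += [f"delete registry key: {k}" for k in summary.registry_deletes]
    lines += [f"edit registry key: {k}" for k in summary.registry_edits]
    lines += [f"unlock registry key: {k}" for k in summary.reglock_keys]
    lines += [f"UNKNOWN section (check before running): {s}" for s in summary.unknown_sections]
    return lines


# Abbreviated copy of the script posted above, used as sample input.
SAMPLE_CFSCRIPT = r"""
KILLALL::

Driver::
Viewpoint Manager Service

Folder::
c:\program files\Viewpoint
c:\programdata\Norton
c:\programdata\Symantec
c:\programdata\NortonInstaller
c:\programdata\McAfee
C:\ProgramData\Alwil Software
C:\Program Files\Alwil Software

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\Viewpoint Manager Service]

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\S-1-5-21-1506168599-1336243981-2645369500-1001\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7
"""

if __name__ == "__main__":
    summary = parse_cfscript(SAMPLE_CFSCRIPT)
    for action in describe(summary):
        print(action)
    for bad in risky_folders(summary):
        print("WARNING: protected root listed for deletion:", bad)
```

Run it over any CFScript you are about to drag onto ComboFix.exe: every folder, service and key it will touch is listed in plain words, and a Folder:: line that names a whole system root shows up as a warning instead of being discovered after the fact.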
     
  4. Freetimes

    Freetimes Private E-2

    Hey,

    I don't have time to run this right now, but I will do it tomorrow. Out of curiosity, what will this do? Thanks again.
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It will delete a left over service from Viewpoint, old folders from various protection software, and open a lot of locked reg keys, which sometimes ComboFix reports but there is no need to make a fuss of, I just thought I would include it in my script anyway.
     
  6. Freetimes

    Freetimes Private E-2

    Ok, thanks very much. The scan is currently running on my computer (currently using my brother's) and I will post and update with the attached log in 10 minutes or so. The copy of TR/Spy.25088.36 that avira found was located in a Warcraft III folder. I used to play Warcraft III years ago, but uninstalled it awhile ago. When I came to university, one of my friends wanted to play DotA, and so installed a copy of Warcraft III on my computer. Now there is a Warcraft III folder on my desktop, but the program doesn't show up in the Control Panel. I can't actually remember having the folder there, but I guess it must have been there for awhile. So I had a couple questions. Can I and should I delete this folder? Also, is it possible that when my friend gave me a copy of Warcraft III, it came with a virus and then sat latent on my computer until my firewall protection expired? Thanks again, I'll post an update soon.
     
  7. Freetimes

    Freetimes Private E-2

    Ok, so I did as you requested. Combofix ran. It performed the scan then deleted the specified files before continuing to run. Either in the middle of deleting the folders, or immediately thereafter, it produced an error message saying catchme had failed to run or something. When I hit ok, the computer immediately shut down. Now that it's restarted, it looks like combofix is preparing a report that I'll attach below.

    I saved the log to my hard drive and also to a flash drive I am using to transfer files between computers. I've previously scanned the flash drive for viruses but none were found. When I tried to "Safely Remove..." the flash drive from my computer, windows popped up with an error message stating:

    "C:\Windows\system32\rundll32.exe

    Illegal operation attempted on a registry key that has been marked for deletion."

    Cheers for the help.
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Well you said yourself that you don't play WOW any more, and considering avira found a threat in there, I would delete it yes!

    So now, as there is nothing more to be done here in malware, do post in software if you have not already done so and then come back here to do a final check once you are in normal mode again. :)
     
  9. Freetimes

    Freetimes Private E-2

    Ok, so I'm back from the software forums. Apparently I just needed to disable some startup programs. Now I'm only running WinPatrol, Avira, and ZoneAlarm on start up. Seems to be taking longer than expected to boot up, but I guess this is caused by the above programs. So now do I rescan my computer?

    Thanks again for the help and patience.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am not expecting to find any malware but you just never know; now that you are back in normal mode, feel free to run scans again. If everything seems ok, and you don't think there's any need, or you are not experiencing any malware-like behaviour with your machine, then I can give you final steps. Let me know what you would like to do. :)
     
  11. Freetimes

    Freetimes Private E-2

    Here are the combofix and mgtools logs. Root Repeal failed to run again, and the other two found nothing. Thanks.
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  13. Freetimes

    Freetimes Private E-2

    Ok, thank you.
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome. :)
     
