Stuck in safe mode and can't resolve security host names.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by 4boys, Nov 11, 2008.

  1. 4boys

    4boys Private E-2

    Hi and thanks for looking at this.
    I have a WinXP system running the latest updates and SP3. When I got the system it was infected with various malware;
    I don't have all the names, but here are some:
    Virantix
    Fraud.XPAntivirus
    Delf.Spool.CN
    Agent,AAC2
    Troj/FakeAV-CE [Sophos]

    Symptoms: The system would of course produce offers to purchase XP Anti virus software. The system would redirect any browser searches to the malware's own site, using wording culled from the search to make you think you were getting the software you searched for. I could not download a new version of Spybot because of the redirect. I could not update the old version because something has hosed the hosts table. I could not run Spybot because something would not let it or AdAware run. I was able to change the name of the executable in Spybot to get it to run. I used a USB key to bring AdAware and Spybot to the system with updates. I got Spybot to install and it cleaned a few things but wanted a reboot; since then I have not been able to boot to normal mode (I think the items added to the boot sequence to remove the infected files are keeping the system from booting). I manually deleted the files it thought were infected (those are still listed in the HijackThis log). AdAware will not install due to the error "Sys admin has set policies to prevent this install" and I can't run the suggested gpedit.msc to fix the problem. The system has AVG 7.5 but it's out of date and the redirect of hosts does not allow updates.

    So I removed the HD from the system, connected it to another and ran Norton AV 2008. It finished the cleaning process but I can't get the drive to boot to normal mode and the hosts table is still jacked. Oh, and I did check the hosts file and it is clean; the only listing is for "127.0.0.1 localhost". So can you tell me how this host resolution can be so jacked up?? I can connect to all the benign web sites, but as soon as I try to go to a security site like Majorgeeks.com or support.microsoft.com I get a failure to connect. No, it's not just in the browsers: I can't even ping these sites and I can't update the installed security software. Basically the domain name is not being resolved and is pointed back to 127.0.0.1 localhost. I can get to the security sites by putting the IP address directly into the address bar, but links on the page won't work because they use the domain name.

    Ran CCleaner
    Could not run SuperAntiSpyware because I'm stuck in safe mode
    Ran Spybot
    Ran Malwarebytes Anti-Malware but it wants to reboot to finish cleaning (only works in normal mode)
    Combofix appeared to do nothing (sat in the task manager for a few minutes)
    Ran MGtools, log included.

    Any more ideas would be appreciated.

    I think that is about it, here are the logs I was able to run.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You didn't attach any logs. :(
     
  3. 4boys

    4boys Private E-2

    I guess I didn't click something when attaching, let's try this... I see I didn't click the "upload" button....
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ok...time to go to work.

    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after the reboot.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\%username%\Local Settings\Temp

    Now download and install:
    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  5. 4boys

    4boys Private E-2

    Tim W.
    Thanks for getting back to me on this. OK, as for how it worked: well, I was good all the way to the Java Runtime 6. I get this error after double clicking on the downloaded file: "The Sys admin has set Policies to prevent this install".

    The system still only boots to safe mode and there are no issues in Device Manager. The domain resolution problem is still there. Once again I can surf to most sites but can't connect to any security related sites. I can get to Microsoft.com, intel.com and support.intel.com but not support.microsoft.com or Majorgeeks.com; I can connect with the IP addresses. I get the same results with ping at the command prompt, so this does not appear to be a browser issue. It feels to me like something has messed with the network software so that the system is looking at a hosts file that is not named Hosts and is not searchable through Explorer.

    I attached the logs; please note that the MGtools log is without the Java install.

    Thanks.
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you running through a router? If so, try resetting to factory settings.

    Please try running ComboFix again...once done then Download Blacklight Beta.

    * Download blbeta.exe and save it to the Desktop.
    * Once saved... double click blbeta.exe to install the program.
    * Click accept agreement and Click scan
    This app too may fire off a warning from antivirus. Let the driver load.
    Wait for it to finish.
    * If it displays any items...don't do anything with them yet. Just hit exit (close)
    * It will drop a log on Desktop that starts with fsbl....big number

    Please post contents of the BlackLight log.
     
  7. 4boys

    4boys Private E-2

    Tim,
    I'm a bit slow to reply; the video card on the system I connect to majorgeeks with failed. Old card, but not unexpected: it's the second of two ATI cards that I bought to fail.

    Anyway, back to the system that had the problems I can't solve. I understand what you're thinking regarding the router, but it's a real simple one and any restrictions would affect all connected systems, not just the one. Also, these same resolution problems existed when I picked up the system, on a different router/different ISP. Besides, I can tell that the failed pings and DNS requests are not getting out of the box. If I were a tech support guy and someone had the problems I'm having with host name resolution, I would think the fix is easy: wipe the hosts file and go home. But that's not the case; the hosts file is clean. As far as I can tell the resolution is happening on the system.... unless it is somehow spoofing me and sending all DNS requests to some bogus homebrew DNS with all the security related sites stripped out. IPconfig shows that all unresolved requests are being thrown at the default gateway (the router's local IP address).

    FYI (I download all the fix files to a non-affected system and throw them across the network, then bring the log files back and send them in my posts).

    ComboFix did nothing again; it showed up in Task Manager for about 10 min then closed on its own.

    Blacklight did not run in safe mode.

    Thanks
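    The post above describes the diagnostic reasoning that separates a hosts-file override from a hijack deeper in the resolver chain. This added example (not from the thread or any MajorGeeks tool) makes that triage explicit: it parses a hosts file and compares the answer the system resolver gives with the answer a direct query to an external DNS server gives; the observed answers and IPs below are constructed sample data, and in practice they would come from socket.gethostbyname and an nslookup against an outside server.

```python
import ipaddress

def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring comments and blank lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping

def classify(host, hosts_map, system_answer, direct_answer):
    """Explain where a bogus answer for `host` comes from.

    system_answer : IP the OS resolver returned
    direct_answer : IP from an external DNS server queried directly (None if blocked)
    """
    host = host.lower()
    loopback = ipaddress.ip_address(system_answer).is_loopback
    if hosts_map.get(host) == system_answer:
        return "hosts-file override"          # the easy case: wipe hosts and go home
    if direct_answer is None:
        return "direct DNS blocked"           # outbound port 53 is being filtered
    if system_answer == direct_answer:
        return "upstream DNS poisoned" if loopback else "ok"
    if loopback:
        return "resolver-layer hijack (hosts clean, upstream differs)"
    return "answer mismatch: system != upstream"

# Constructed sample: a clean hosts file, as reported in the thread.
HOSTS_TEXT = "# constructed sample hosts file\n127.0.0.1\tlocalhost\n"

# Constructed observations: (system resolver answer, direct external DNS answer).
# 192.0.2.0/24 is the documentation range; these are not real addresses.
OBSERVED = {
    "www.example.com":       ("192.0.2.10", "192.0.2.10"),  # benign site resolves fine
    "majorgeeks.com":        ("127.0.0.1",  "192.0.2.20"),  # security site sent to loopback
    "support.microsoft.com": ("127.0.0.1",  "192.0.2.30"),
}

def triage(hosts_text=HOSTS_TEXT, observed=OBSERVED):
    hosts_map = parse_hosts(hosts_text)
    return {h: classify(h, hosts_map, sys_ip, up_ip)
            for h, (sys_ip, up_ip) in observed.items()}

if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{host:24s} {verdict}")
```

    A "resolver-layer hijack" verdict with a clean hosts file points at the name-resolution path itself (Winsock/LSP entries, a DNS-filtering driver or a changed DNS server), which is why the hosts file alone could not explain the symptom in this thread.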
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please tell me exactly what happens if you boot to normal mode.

    I would like you to go to start / run / type "msconfig" without quotes and open the boot.ini tab....either get me a screen shot of it or copy and paste it into your next reply.
     
    Last edited: Nov 18, 2008
  9. 4boys

    4boys Private E-2

    Tim
    Thanks for getting back to me. During boot the system POSTs fine and I can get into the BIOS; everything seems fine there. Also the system seems to find all the peripherals as in a normal boot. Next comes the Windows loading screen, the one with the chasing blue cubes. That screen stays on for 7 passes of the blue cubes, then the screen blinks and it goes back to the Dell BIOS screen and wants to boot to safe mode.

    Here is the Boot.ini
    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    I remember we used to fix some really funky network problems by reinstalling Winsock in older versions of Windows. Do you think there is anything in Winsock or in the network stack that could produce these types of network problems?

    Thanks
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    And none of the boxes are checked?

    If none are checked, then click the box to check all boot paths.

    Tell me what happens.
     
  11. 4boys

    4boys Private E-2

    None were checked. Clicking "check all boot paths" reports:

    This line in the boot.ini file does not refer to a valid operating system:

    "C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons"

    Would you like to remove it from the boot.ini?

    I have not even tried the console, but I installed it as part of the troubleshooting prior to posting in the forum.....
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If the general tab in msconfig is set to normal startup....

    Then let's remove it: "C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons".....click Start > Control Panel > System > Advanced Tab > Settings (under Startup and Recovery) > Edit. Now remove that portion of the path...Now save the boot.ini file, close it and exit out of the system settings.

    Can you boot to normal mode now?
     
  13. 4boys

    4boys Private E-2

    Removed the boot-to-console option from the .ini file; the system booted the same. It feels almost like a video driver issue, but the system uses integrated video and there is nothing noted as wrong in Device Manager.

    The reason I say it feels like a video driver issue is because the system seems to be loading all necessary operating system files and then fails at the end, just as you would expect a resolution change and the login screen to appear.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    After removing the console path..did you go back to msconfig and check the path again? Did it give you an error?
     
  15. 4boys

    4boys Private E-2

    I had MSConfig check the boot path and it reports that all lines in the boot.ini appear OK.
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go to C:\Boot.ini...open it and get a copy of the file either by copy and paste or by making a back up and renaming it to boot.txt so it can be attached.
     
  17. 4boys

    4boys Private E-2

    That's pretty much what I did before. It's easier to copy from the text file than to copy anything from msconfig. But here is the INI file renamed to .txt.

    Thanks again....
     

    Attached Files: boot.txt (212 bytes)
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It may be necessary to send you to the Software Forum to debug this, but let's try something.

    Run msconfig and select Diagnostic Startup. Then click Apply, OK, and reboot your PC. See if it will come up in normal boot mode. If it does, you will not be able to do very much in this mode; no internet access either. Then you can try using Selective Startup with msconfig and eliminate the loading of various items to see if you can locate anything that may be preventing normal startup. It is a trial and error process of elimination.
     
  19. 4boys

    4boys Private E-2

    Changed boot to Diagnostic Startup but the system would not come up in normal mode. Seems that something critical got removed or corrupted when I cleaned out the malware. I have always felt that XP could be fixed when there are problems, but it seems that a reinstall may be in order here. I would really love to know what has caused the network issue; that's got me concerned about the future of malware. If it can happen to this system it will happen to others.

    Let me know what you think.... Thanks for helping!!!
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The only suggestion we have at this point is to do this:

    Go to Run, type "sfc /scannow" without quotes and note the space...have your XP CD handy. Run it twice.

    If this does not work then possibly a repair install is in order. I would suggest that you post in the software forum to continue with this problem.

    We need to clean up the scan leftovers before you go:

     
  21. 4boys

    4boys Private E-2

    TimW,
    Thanks for working with me on this. It became a bit of a challenge for me to try to resolve; I hope not to run into something like this again. I still would like to know what happened to the network DNS resolution. The SFC System File Checker did not work, most likely because I'm in safe mode. I got the error:
    "Windows File Protection could not initate a scan of protected system files."

    I'll go through the clean up and then do a reinstall of Windows on this box. Should have it up in just a few hours....

    thanks again.
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are welcome...sorry we could not resolve this for you. :(
     
