Can't boot in normal mode - Malware removal Safe Mode?

[Aroma]

I'm new to this forum and not a very sophisticated user, but help would be appreciated. I am running Windows XP (Build 2600.xpsp_sp2_gdr.080814-1233: Service Pack2). My computer froze and I had to hold power button to shut down. Shortly before I froze a window popped open to tell me that windows security firewall had been changed to off. I switched it back to on, but then the computer froze up a few minutes later. When I try to boot in normal mode I can log-in, but about 3 seconds after I see my desktop the screen goes black and I need to hold the power button down to turn off. I am only able to boot in safe mode. I have run spybot and adaware in safe mode and they find 'Virtumonde'. Spybot also finds 'MicrosoftWindowsSecurityCenter_disabled'. I correct/fix these problems in the software, but when I reboot nothing has changed and when I run them again (in safe mode) they find the exact same problems.

I tried following the directions on 'Read and Run me First', but don't get far because I can only boot in safe mode... I can't use the program uninstall that is part of the control panel to get rid of the Java updates of which I have a few - this seems to be because I am in safe mode. Also, it sounds like steps 2 and 3 also require to be booted in normal mode. Is it possible to complete 'read and run me first' in safe mode?

Any advice on how to proceed from here would be appreciated. thank you.

[Aroma]

I decided to finish running the scans that were suggested in Safe Mode with the exception of Super AntiSpyware which I could not install in safe mode. After completing, I was able to boot in normal mode and so far it is working. I have attached the logs for you to look at and let me know if there are any other fixes I should undertake. Thanks for a great site!

[chaslang]

Welcome to Major Geeks!

Quote:

Originally Posted by Aroma

I decided to finish running the scans that were suggested in Safe Mode with the exception of Super AntiSpyware which I could not install in safe mode. After completing, I was able to boot in normal mode and so far it is working. I have attached the logs for you to look at and let me know if there are any other fixes I should undertake.

Yes now that you can boot in normal mode, you need to install SUPERAntiSpyware and run it as requested. Then attach the log from it.

Also do the below.

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Spybot - Search & Destroy 1.4


Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

Quote:

KILLALL::

Driver::
dimvbiow
File::
C:\WINDOWS\system32\kkbbyu.dll
c:\windows\system32\drivers\rymrxbsj.sys
c:\windows\Tasks\ctsvflra.job

DirLooK::
C:\BEES40e

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• the SUPERAntiSpyware log
• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[Aroma]

I have completed the steps you outlined and attached the logs. Please note that the only difference is that before I got your response I had already removed Java updates and Spybot 1.4 and installed recommended current version of JAVA, so I did not repeat this step. System seems to be working fine after a few hours on it. Let me know if there is anything else I should follow up on. Thank you!

[chaslang]

You're welcome.

According to your new logs, a couple of things did not get completely fixed. Let's try the below procedure.


Now we need to use ComboFix again.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

Quote:

KILLALL::
Driver::
rymrxbsj
dimvbiow

File::
c:\windows\system32\drivers\rymrxbsj.sys
c:\windows\dimvbiow

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[Aroma]

See attached logs. System seems to be working normally. Again, thanks for your help.

[chaslang]

You're logs are clean.


If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /u
     • Notes: The space between the combofix" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
   • Delete the C:\combofix folder from combofix (if it exists)
3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
5. Go to add/remove programs and uninstall HijackThis.
6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
7. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
8. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!