Can't start Windows in normal mode - Malware problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by swanbird, Nov 26, 2011.

  1. swanbird

    swanbird Private E-2

    I am running Windows Vista. I started having a problem last night. Some program called System Fix popped up, but it wasn't able to fix the problems it was reporting. I did not want to pay for the upgrade so I went online and found out that System Fix was malware. I was able to log into Windows under my boyfriend's account with no problems (no System Fix), but my account (the administrator account) seemed to be infected. I read somewhere online to start Windows in safe mode and do a system restore. I tried that (I chose the older restore point, which was 11/24). I tried to restart in normal mode after that (by changing the settings in msconfig to normal mode), but that did not work. I tried to do system restore again to a later date (I think it was 11/25), but I still was not able to restart in normal mode. I also tried to restart in normal mode by pressing F8 during startup and selecting normal mode, but that did not work. I came across this forum and followed the instructions for removing malware. I had to run the programs in safe mode, since I could not get into normal mode. The logs are attached.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, swanbird!

    I want you to read and follow these instructions: TDSSKiller - How to run


    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach that file to your next message. (How to attach)
     
  3. swanbird

    swanbird Private E-2

    Thanks for your quick reply. I ran both and they did not seem to find anything. The logs are attached.
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    Can you zip and upload the .dmp files in: C:\Windows\Minidump to your next post for analysis?
     
  5. swanbird

    swanbird Private E-2

    Here you go.
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    Download SystemLook from one of the links below and save it to your desktop.
    Download Mirror #1
    Download Mirror #2

    If you have a 64-bit system, please download the 64 bit version from here:
    SystemLook (64-bit)

    • Double-click SystemLook.exe to run it.
    • Copy and Paste the content of the following code box into the main text-field:
    Code:
    :filefind
    ataport.sys
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
    • Attach that file to your next message. (How to attach)
     
  7. swanbird

    swanbird Private E-2

    Here are the results.
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Boot into Safe Mode with Command Prompt

    At the command prompt window, type the following command and then press ENTER:
    • sfc /scannow
    Let this scan finish and then retry booting into Normal Mode.
     
  9. swanbird

    swanbird Private E-2

    OK, I did that, but unfortunately, it did not work. I tried restarting in normal mode after the scan but it still would not start in normal mode. I attached the log that was mentioned at the end of the scan.
     

    Attached Files:

    • CBS.zip (140.7 KB)
  10. thisisu

    thisisu Malware Consultant

    Do you have your Vista DVD?

    If you do not, you can download this: Windows Vista 64-Bit (x64) Recovery Environment

    Create a bootable CD for the Windows Vista Recovery Environment from the ISO image. You can use ImgBurn to do this.

    Boot into the Recovery Console using this CD/DVD and first try Startup Repair

    Let me know if it detects any Startup issues, if it does, select "Repair and Restart".

    If it says something like "Startup Repair cannot repair this computer automatically", then proceed to the next step:

    Click Command Prompt
    From here, type in the following command, pressing ENTER afterwards:
    • bootrec /fixboot

    Let me know the results
     
  11. swanbird

    swanbird Private E-2

    I ran startup repair and got the message "Startup repair could not detect a problem". I restarted the machine, it went into safe mode automatically, so I ejected the disk and restarted again, pressing F8 and selecting normal mode. The computer just started in safe mode again. Thanks
     
  12. thisisu

    thisisu Malware Consultant

    What happens if at the F8 Advanced Boot Menu you choose:
    • Enable low-resolution video (640x480)

    Another thing to try:

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      atapi.sys
      ataport.sys
      csrss.exe
      explorer.exe
      regedit.exe
      services.exe
      svchost.exe
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)
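The SystemLook `:filefind` request in post 6 and the `/md5start` list in post 12 both do the same thing: locate every copy of a handful of critical system files (storage drivers such as ataport.sys and atapi.sys, and the core Windows processes) and hash them, because a driver patched by a rootkit will differ from the untouched copy kept elsewhere on the disk. The Python script below is an added example, not code from the thread, from SystemLook or from OTL; it walks a directory tree for the same file names, records size and SHA-256 of every copy, and flags names whose copies do not all share one hash. The `build_sample_tree` function creates a constructed miniature of a Windows tree in a temporary directory so the check runs offline; the file contents are placeholder bytes, not real binaries.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# File names taken from the thread: the SystemLook :filefind target and the
# OTL /md5start list. Every copy of these found on disk is recorded.
WATCHED = {
    "atapi.sys", "ataport.sys", "csrss.exe", "explorer.exe", "regedit.exe",
    "services.exe", "svchost.exe", "userinit.exe", "winlogon.exe",
}


def sha256_of(path):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(roots, names=WATCHED):
    """Walk each root and return {name: [(path, size, sha256), ...]}."""
    found = defaultdict(list)
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                if fn.lower() in names:
                    p = Path(dirpath) / fn
                    found[fn.lower()].append((str(p), p.stat().st_size, sha256_of(p)))
    return dict(found)


def inconsistent_copies(found):
    """Names whose copies do not all share one hash. The in-use copy under
    system32 differing from its WinSxS counterpart is the kind of lead a
    driver-patching rootkit leaves behind."""
    return {name: copies for name, copies in found.items()
            if len({c[2] for c in copies}) > 1}


def build_sample_tree(base):
    """Constructed miniature of a Windows tree (placeholder bytes, not real
    binaries): atapi.sys under system32\\drivers has been altered, the copy
    under winsxs has not; ataport.sys copies agree."""
    layout = {
        "Windows/System32/drivers/ataport.sys": b"ATAPORT-ORIGINAL",
        "Windows/winsxs/x86_ataport/ataport.sys": b"ATAPORT-ORIGINAL",
        "Windows/System32/drivers/atapi.sys": b"ATAPI-PATCHED",
        "Windows/winsxs/x86_atapi/atapi.sys": b"ATAPI-ORIGINAL",
        "Windows/System32/svchost.exe": b"SVCHOST-ORIGINAL",
        "Windows/System32/readme.txt": b"not a watched name",
    }
    for rel, data in layout.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Run the check over the constructed tree; returns the flagged names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted(inconsistent_copies(find_copies([tmp])))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = find_copies([tmp])
        for name, copies in sorted(found.items()):
            for path, size, digest in copies:
                print(f"{name:12} {size:6} {digest[:16]}  {path}")
        print("hash mismatch:", sorted(inconsistent_copies(found)))
```

On a real machine you would pass `[r"C:\Windows"]` as the root list from an elevated prompt. A mismatch between two copies is a lead, not proof of tampering: WinSxS legitimately keeps older versions after updates, so the next step is to check the file version and Authenticode signature of the copy in system32 (Sysinternals sigcheck does this) before treating it as patched.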
     
  13. swanbird

    swanbird Private E-2

    OK, I restarted and enabled low level video resolution. Everything seems the same, just bigger. The logs from OTL are attached. You are great to spend so much time on this. Thanks
     

    Attached Files:

  14. thisisu

    thisisu Malware Consultant

    Ok, good.

    The problem may just be with the resolution you are trying to use while in Normal Mode being too high.

    Do the following...
    First boot back into "Enable low-resolution video (640x480)" mode. (NOT Safe Mode with Networking!)
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      desk.cpl

    A "Display Settings" windows should have opened.
    If there's more than 1 display device listed, let me know.
    Adjust the resolution by moving the pointer on the spectrum / slider bar to 800x600 pixels and press the Apply button.
    You may be asked "Do you want to keep these display settings?" -- Select Yes and then press the OK button to exit the Display Settings Window.
    Now attempt to restart your computer in Normal Mode.
    Items on the desktop will be bigger since it is a lower resolution, but first let me know if you were able to get into Normal Mode this time.

    As a side note:
    I'd recommend having about 15% space free. Just something to look into in the future but I do not think this is your immediate problem.
     
  15. swanbird

    swanbird Private E-2

    I did what you suggested and booted in enable low resolution video mode. I changed the resolution. Only 1 monitor listed. I still was not able to get into normal mode. I just rebooted in safe mode with networking in order to respond to this post. Thanks
     
  16. thisisu

    thisisu Malware Consultant

    Let's do the below as it may just be McAfee drivers that have not been fully removed. This will also remove the remaining traces of malware that I see as well as some startup items.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    CHR - Extension: Entanglement = C:\Users\Shari\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.1.1_0\
    CHR - Extension: AT_KateSpade = C:\Users\Shari\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhpfdkiglaphjhmhojbofcplejkjkoc\3_0\
    CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Users\Shari\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.0_0\
    CHR - Extension: Poppit = C:\Users\Shari\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\
    O2:64bit: - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll File not found
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll File not found
    O3 - HKU\S-1-5-21-84446627-2298488937-739879425-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [Dell Webcam Central] C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe (Creative Technology Ltd)
    O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
    O4 - HKLM..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe (PureEdge Solutions Inc.)
    O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [Secure Online Account Numbers] C:\Program Files (x86)\Discover\SOAN\DiscoverSOAN.exe (Orbiscom Ltd. All rights reserved.)
    O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
    O4 - HKLM..\Run: [UpdReg] C:\Windows\Updreg.EXE (Creative Technology Ltd.)
    O15 - HKU\S-1-5-21-84446627-2298488937-739879425-1000\..Trusted Domains: nasdaq.com ([]https in Trusted sites)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
    O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
    [2011/11/25 22:03:38 | 000,000,456 | ---- | M] () -- C:\ProgramData\NtF7WRmjFFEJvE
    [2011/11/25 22:02:25 | 000,000,312 | ---- | M] () -- C:\ProgramData\~NtF7WRmjFFEJvE
    [2011/11/25 22:02:25 | 000,000,216 | ---- | M] () -- C:\ProgramData\~NtF7WRmjFFEJvEr
    [2011/11/24 19:03:02 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2011/11/24 18:54:04 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-84446627-2298488937-739879425-1000UA.job
    [2011/11/24 13:54:03 | 000,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-84446627-2298488937-739879425-1000Core.job
    [2011/11/24 05:03:02 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2011/10/28 19:32:23 | 000,000,933 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Squeezebox Server Tray Tool.lnk
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    @Alternate Data Stream - 179 bytes -> C:\ProgramData\TEMP:66633281
    @Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:0888F409
    :services
    mfehidk
    mfeavfk
    mfesmfk
    mferkdk
    mfebopk
    :files
    C:\Program Files (x86)\AVG
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "TranscodingService"=-
    "swg"=-
    "ehTray.exe"=-
    "TivoServer"=-
    "TivoTransfer"=-
    "TivoNotify"=-
    "uTorrent"=-
    "MusicManager"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "StartCCC"=-
    "VolPanel"=-
    "UpdReg"=-
    "Microsoft Default Manager"=-
    "PDVDDXSrv"=-
    "Dell Webcam Central"=-
    "Google Quick Search Box"=-
    "Adobe Reader Speed Launcher"=-
    "Adobe ARM"=-
    "HP Software Update"=-
    "AppleSyncNotifier"=-
    "masqform.exe"=-
    "Secure Online Account Numbers"=-
    "SunJavaUpdateSched"=-
    "APSDaemon"=-
    "iTunesHelper"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]
    "AvgUninstallURL"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\RunOnce]
    "AvgUninstallURL"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "StartCCC"=-
    "VolPanel"=-
    "UpdReg"=-
    "Microsoft Default Manager"=-
    "PDVDDXSrv"=-
    "Dell Webcam Central"=-
    "Google Quick Search Box"=-
    "Adobe Reader Speed Launcher"=-
    "Adobe ARM"=-
    "HP Software Update"=-
    "AppleSyncNotifier"=-
    "masqform.exe"=-
    "Secure Online Account Numbers"=-
    "SunJavaUpdateSched"=-
    "APSDaemon"=-
    "iTunesHelper"=-
    [HKEY_USERS\S-1-5-21-84446627-2298488937-739879425-1000\Software\Microsoft\Windows\CurrentVersion\run]
    "TivoServer"=-
    "TivoTransfer"=-
    "TivoNotify"=-
    "uTorrent"=-
    :commands
    [purity]
    [emptytemp]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  17. swanbird

    swanbird Private E-2

    Logs attached. When I ran OTL, I was prompted to reboot, but the program did not continue running after reboot. I did find the log though. Thanks
     

    Attached Files:

  18. thisisu

    thisisu Malware Consultant

    These logs are clean.

    Can you go back into the Windows Vista Recovery Console using the CD/DVD and enter both of these commands at the Command Prompt pressing ENTER after each one:
    • bootrec /fixmbr
    • bootrec /fixboot
    • exit

    Then attempt to reboot your computer in Normal Mode. Another thing you may want to try is uninstalling your ATI video drivers from Low-resolution mode. I would not reinstall them until you are in Normal Mode. All of these things really aren't the scope of this specific forum. You can get more help here: Software or Drivers

    Some information you want to share:
    Studio 1737
    http://www.dell.com/support/drivers/us/en/19
    ATI Mobility Radeon HD 3650 (atikmdag.sys) >> Download

    As I am not seeing any other malware problems in your logs, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  19. swanbird

    swanbird Private E-2

    OK, good news. I was able to get back into normal mode. First I ran the commands you suggested at the command prompt and attempted to restart in normal mode. Same problem - still in safe mode. Then I uninstalled ATI Catalyst Control Center in add/remove programs. I now realize this is probably not what you meant when you said uninstall ATI Radeon Graphics drivers (I was just confused). Tried to restart in normal mode but it still did not work. So I went back into msconfig and unchecked "safe boot" under Boot Options in the Boot tab. In an act of desperation and willing to try anything, I also checked the box labeled make all boot settings permanent. I restarted and voila! I'm now back in normal mode. I'm sure it was not just this last thing that did it -- probably one of the things you made me do in one of your posts. Everything seems to be fine. I will follow your instructions to clean up. I really appreciate all your help and support. This has been so draining for me, but I had a vested interest in getting it resolved! You have no such interest and yet you helped me through the night. I really appreciate that.
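The msconfig "Safe boot" checkbox that the poster unchecked writes a `safeboot` element into the boot entry in the BCD store, and while that element is present the entry starts in safe mode on every boot, whichever option is picked at the F8 menu, which is why Startup Repair, sfc and the bootrec commands found nothing to fix. The Python script below is an added diagnostic, not part of the thread or of any tool used in it: it parses the text that `bcdedit /enum` prints (a constructed sample is embedded so it runs offline), reports every entry carrying the flag, and returns the documented `bcdedit /deletevalue` command that clears it rather than running anything itself.

```python
import re
import subprocess

# Constructed sample of `bcdedit /enum` output (not captured from the thread's
# machine). The {current} loader entry carries "safeboot Minimal", which is the
# BCD element msconfig's "Safe boot / Minimal" checkbox writes.
SAMPLE_BCD = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
description             Windows Boot Manager
locale                  en-US
default                 {current}
displayorder            {current}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Microsoft Windows Vista
locale                  en-US
osdevice                partition=C:
systemroot              \\Windows
nx                      OptIn
safeboot                Minimal
"""


def parse_bcd(text):
    """Split bcdedit output into entries: one dict per block, keyed by the
    lower-cased element name ("identifier", "safeboot", ...)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 2 or not lines[1].startswith("---"):
            continue  # not an entry block (no dashed underline)
        entry = {"type": lines[0].strip()}
        for line in lines[2:]:
            m = re.match(r"^(\S+)\s+(.*?)\s*$", line)
            if m:
                entry[m.group(1).lower()] = m.group(2)
        entries.append(entry)
    return entries


def safeboot_entries(entries):
    """(identifier, mode) for every entry that will start in safe mode."""
    return [(e.get("identifier", "?"), e["safeboot"])
            for e in entries if "safeboot" in e]


def remediation(entries):
    """The documented bcdedit commands that clear the flag, returned as text
    and not executed; run them from an elevated prompt once the entry is
    confirmed. safebootalternateshell is the companion element that selects
    'Safe Mode with Command Prompt'."""
    cmds = []
    for e in entries:
        ident = e.get("identifier", "?")
        if "safeboot" in e:
            cmds.append(f"bcdedit /deletevalue {ident} safeboot")
        if "safebootalternateshell" in e:
            cmds.append(f"bcdedit /deletevalue {ident} safebootalternateshell")
    return cmds


def read_live_bcd():
    """On Windows, from an elevated prompt, this returns the real store; on
    other systems or without rights it returns None so the caller can fall
    back to saved output."""
    try:
        out = subprocess.run(["bcdedit", "/enum"], capture_output=True,
                             text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout


if __name__ == "__main__":
    entries = parse_bcd(read_live_bcd() or SAMPLE_BCD)
    flagged = safeboot_entries(entries)
    if not flagged:
        print("no boot entry carries a safeboot element")
    for ident, mode in flagged:
        print(f"{ident} starts in safe mode ({mode}) on every boot")
    for cmd in remediation(entries):
        print("to clear:", cmd)
```

On the affected machine this is the check to run before reaching for bootrec: a `safeboot` element on the default loader entry explains a box that lands in safe mode no matter what is chosen at F8, and it is cleared either by unchecking Safe boot in msconfig, as the poster did, or with the printed `bcdedit /deletevalue` command.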
     
  20. thisisu

    thisisu Malware Consultant

    That's great news!

    You're welcome. Surf safely!
     
