Stuck in Safe Mode

Discussion in 'Malware Help (A Specialist Will Reply)' started by marvinbarcelona, Jan 17, 2007.

  1. marvinbarcelona

    marvinbarcelona Private E-2

    A couple of days ago I restarted my PC and got this Blue Screen of Death:

    Bad Pool Caller

    Stop: 0x000000c2 (0x00000007, 0x00000cd4,0x15FFF87D, 0xB024B713)

    m_hook.sys - Address B024B713

    base at B02413000, date stamp 45a4e3d8

    This happened a couple of times, and each time the PC went into Windows normally, it lasted five minutes and then went into the above again.

    Since then, I've only been able to work in Safe Mode with networking.

    I've run all the tests for viruses, worms etc listed in some of the threads on this site, and everything is coming up clean.

    I'm on Windows XP Media with SP2

    Any help would be appreciated. Of course, if there's any more information you require, please let me know, but be aware, I really do have limited knowledge on pretty much anything to do with PCs (I acknowledge there is a thing called 'the registry', but don't know what it does or where it is.....that's how basic I am).
     
  2. theefool

    theefool Geekified

  3. Wavetar

    Wavetar Sergeant

    At first I was leaning towards a driver or hardware issue, as BSOD stop codes generally point to that, but if you search google for "m_hook.sys", all information leads to a virus/trojan/rootkit infection.

    You should try scanning with a specialized rootkit detector software, such as you can find here on Majorgeeks:

    http://www.majorgeeks.com/RootKit_Hook_Analyzer_d5021.html

    http://www.majorgeeks.com/Rootkit_Revealer_d4652.html

    Also, I've had great success with superantispyware for getting rid of tough malware that others have problems with:

    http://www.majorgeeks.com/SUPERAntiSpyware_d5116.html
     
  4. theefool

    theefool Geekified

    Odd, I thought I stated that this pointed to malware. ;)

    But, good posts. I'd rather let the malware geeks handle this one though. :)
     
  5. marvinbarcelona

    marvinbarcelona Private E-2

    Thanks guys.

    I did follow the Malware Removal guide, but came up with nothing. I'll do them again and post the logs. (as recommended etc)

    The software recommended in this thread won't load while I'm in Safe Mode.

    I'll post back when I've gone through the Malware Removal Guide again.

    Thanks once again.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    Yes, when you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
    • CounterSpy
    • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis


    Anything that you cannot do in safe mode, just use Normal Boot mode.

    Also please run this Sophos Anti-Rootkit and then attach a log from it too!
     
  7. marvinbarcelona

    marvinbarcelona Private E-2

    I've tried to find the answer, but I have to ask: what is normal boot mode and how do I get there? I'm already in Safe mode.

    Again, sorry to be thick.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is rather simple! Just don't boot in safe mode. That is normal boot mode.

    In addition, per the READ & RUN ME, make sure you are also not using MSconfig to disable any startups. This is called Normal Startup. Don't confuse it with Normal Boot mode. You could be in normal boot mode but not be in normal startup. See Step 0 of the READ ME where this is explained.

    Your infection is part of a Trojan.Rootserv
     
  9. marvinbarcelona

    marvinbarcelona Private E-2

    I don't think I was making myself clear (sorry), but when I say that I'm stuck in Safe Mode, I mean I cannot get into anything else but Safe Mode.

    I start up the pc, it gets to the "Windows XP" screen, tries to load, screen goes blank and it begins again, only this time it goes to the screen that offers me a choice of boot modes. If I again choose normal boot mode it tries to load, screen goes blank etc.

    The other modes work, including the ones that involve the command line (correct?).

    So, unless there is something that I've missed (and I went through the Read and Run Me sticky very carefully), some of the programs listed here advise that they only work in normal mode and not Safe mode.

    I hope this clears some things up. As I said, I really am an innocent when it comes to pc's and their workings.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that explains it better!

    Which scans from the Read & Run Me are you able to run?
    • did you run CCleaner?
    • did you run Spybot?
    • did you run CounterSpy or AVG Antispyware? If so can you attach the log or are you saying absolutely nothing was found?
    • did you run BitDefender? If so can you attach the log or are you saying absolutely nothing was found?
    • did you run PandaActiveScan? If so can you attach the log or are you saying absolutely nothing was found?
    • since you cannot boot in Normal Mode, it is okay to run GetRunKey, ShowNew, and HijackThis from safe mode. So do this and attach the 3 logs to your next message.
    • also please download and try to run the below procedure and attach the log from it:
     
  11. marvinbarcelona

    marvinbarcelona Private E-2

    Here's the reports that I have. Unfortunately Panda Scan doesn't like me and won't run.

    All the scans are showing the normal amount of spyware crap that you usually get, but nothing out of the ordinary. I've run everything recommended, well everything that would run.

    There is something called MySearch Assistant that won't budge from my PC, but I've checked and it appears relatively harmless.

    Guys, I really need to get this PC out of Safe Mode and back into normal. Your help is much appreciated.
     
  12. marvinbarcelona

    marvinbarcelona Private E-2

    Oh, and I've got this from somewhere too.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please give me the info I requested:

    1) The log from GetRunKey
    2) The log from ShowNew
    3) the log from Sophos AntiRootkit

    You have a rootkit problem! Normal scans are not going to show anything.

    You did not even install and rename HijackThis properly per the directions in the READ ME. Please follow those instructions so that we can help you.

    After you get HijackThis installed and renamed per step 7 of the READ ME, continue on to the below.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to VXYCQNVAC
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste VXYCQNVAC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - (no file)

    After clicking Fix, exit HJT.

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp\
    C:\Documents and Settings\Simon\Local Settings\Temp\
    Now run Ccleaner

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  14. marvinbarcelona

    marvinbarcelona Private E-2

    Here's the logs. I've followed your instructions to the letter. There are a couple of issues:

    1. I still cannot reboot into normal mode. The issues outlined previously still exist.

    2. Sophos AntiRootkit will not run as I get a message stating that it will not run in Safe Mode.

    I hope this helps, I really do....otherwise the pc goes out the window!

    Thanks for your help and patience.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if the below tool will run:

    AVG Anti-Rootkit

    Attach a log!

    Uninstall the below malware:
    MyWay Search Assistant
    PC MightyMax v9
    Viewpoint Media Player

    You have another malware service to stop, disable and delete!
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to LW
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste LW into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot when it tells you it needs to.
    Now attach the below new logs:
    • AVG Anti-rootkit log
    • ShowNew
    • HJT
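    The stop / disable / delete sequence that chaslang walks through with services.msc and HijackThis in posts 13 and 15, done from an elevated PowerShell prompt, as an added example that is not part of the thread or of any tool it names. It first saves the service's registry configuration (ImagePath, start and type values) to a text file so a record of what the service pointed at survives the deletion; the two service names are the ones quoted in the thread, the log path is an assumption.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Mirrors: stop service -> set Start-up Type Disabled -> Delete an NT Service.
function Remove-SuspectService {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        # Assumed location for the evidence record; change to taste.
        [string]$EvidenceLog = "$env:USERPROFILE\Desktop\service-evidence.txt"
    )

    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $regPath)) {
        Write-Warning "No service registry key for '$Name'; nothing to do."
        return
    }

    # 1. Preserve the service definition before touching it: the ImagePath is the
    #    file the analyst will want to look at later, and sc.exe delete removes this key.
    $cfg = Get-ItemProperty -Path $regPath
    @(
        "=== $(Get-Date -Format o) service '$Name' ===",
        "DisplayName : $($cfg.DisplayName)",
        "ImagePath   : $($cfg.ImagePath)",
        "Start       : $($cfg.Start)",
        "Type        : $($cfg.Type)"
    ) | Out-File -FilePath $EvidenceLog -Append -Encoding ascii

    # 2. Stop it if it is a running Win32 service. Kernel drivers do not appear in
    #    Get-Service and often refuse to stop anyway, so errors are not fatal here.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    }

    # 3. Disable it so it cannot load on the next boot even if deletion is refused.
    #    Set-Service only handles Win32 services; writing Start=4 (SERVICE_DISABLED)
    #    directly covers drivers too.
    Set-Service -Name $Name -StartupType Disabled -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $regPath -Name Start -Value 4

    # 4. Delete the service. Like HijackThis's "Delete an NT Service", this marks it
    #    for deletion; the key actually disappears after the reboot.
    & sc.exe delete $Name | Out-Null
    Write-Host "Service '$Name' stopped, disabled and marked for deletion; reboot to finish."
}

# The two service names chaslang identified in this thread.
foreach ($s in @('VXYCQNVAC', 'LW')) { Remove-SuspectService -Name $s }
```

    The evidence file matters more than it looks: once the service key is gone, the driver path it pointed at (the m_hook.sys-style file from the original BSOD) is the only lead left for finding what else the rootkit dropped.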
     
  16. marvinbarcelona

    marvinbarcelona Private E-2

    Very quick note;

    1. I've deleted LW as recommended
    2. AVG Anti-Rootkit won't run. It keeps telling me to re-start my pc first. I do this and the same message appears.
    3. MyWay Search Assistant won't delete, it says it can't in Safe Mode - the others I've removed.

    I'll post HJT and Shownew when I get home from work.

    Thanks for your help.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run this: Restoring SeDebugPrivilege then try again. If it still does not work, try the below!

    Download Blacklight Beta
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of the BlackLight log.


    Don't forget the HJT and Shownew logs.
     
  18. marvinbarcelona

    marvinbarcelona Private E-2

    I downloaded and ran SeDebug, and it advised I had been "granting SeDebug privilege to Administrators" and then advises me to reboot. I do and I can still only get into Safe mode.

    I also tried Blacklight Beta, but that told me it wouldn't run while I was in Safe Mode.

    I've attached the new reports from Shownew and HJT as requested.

    How long can I keep this pc in Safe Mode?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, but did you retry AVG Anti-Rootkit after doing this?

    Forever, but is that what you really meant to ask? Obviously you don't want to remain in safe mode. It's strange that you can only boot in Safe Mode. Normally this trojan does the opposite. It usually deletes a registry key that is needed in order to allow you to boot in safe mode. They do that to make it more difficult to fix the problem.



    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy the quoted bold print below and paste it in the box that opens from Avenger:
    Now click the 'Done' button.
    Click on the traffic light icon and OK the prompt.
    You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it.
    A log file from Avenger will be produced at C:\avenger.txt, please post that log here in your next reply.


    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
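    chaslang's remark above that this trojan family normally deletes the registry key Windows needs to boot into Safe Mode refers to the SafeBoot lists. A read-only PowerShell check of those lists, added here as an example that is not part of the thread (the fixME.reg contents chaslang posted are not reproduced on this page, so this does not restore anything): it confirms both lists exist, checks a few entries every Windows XP install carries (an assumed baseline), and prints the driver entries so they can be compared against what is expected.

```powershell
# Added example (not from the thread). Read-only: reports, never changes, the SafeBoot keys.
function Test-SafeBootKeys {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    # Assumed baseline: entries present under both Minimal and Network on a stock XP install.
    $expected = @('Base', 'Boot file system', 'File system', 'Primary disk')
    $result = [ordered]@{}

    foreach ($list in @('Minimal', 'Network')) {
        $path = Join-Path $base $list
        if (-not (Test-Path $path)) {
            # This is the state chaslang describes: list gone, Safe Mode boot fails.
            $result[$list] = 'MISSING - safe mode of this kind cannot boot'
            continue
        }
        $present = @(Get-ChildItem -Path $path | ForEach-Object { $_.PSChildName })
        $missing = @($expected | Where-Object { $present -notcontains $_ })
        if ($missing.Count -gt 0) {
            $result[$list] = "present, but lacks: $($missing -join ', ')"
        } else {
            $result[$list] = "present ($($present.Count) entries)"
        }
    }

    # Driver entries under Minimal are allowed to load even in Safe Mode, so a rootkit
    # that adds its own .sys here survives a Safe Mode boot. vga.sys and vgasave.sys
    # are normal; anything else deserves a look.
    $drivers = @(Get-ChildItem -Path (Join-Path $base 'Minimal') -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '\.sys$' } |
        ForEach-Object { $_.PSChildName })
    $result['DriverEntriesInMinimal'] = ($drivers -join ', ')
    return $result
}

Test-SafeBootKeys
```

    In this thread the symptom was the reverse (Safe Mode worked, normal boot did not), so the check would most likely report both lists present; its value is the driver listing, which is one of the few places a Safe-Mode-surviving driver can be seen without a rootkit scanner that refuses to run in Safe Mode.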
     
  20. marvinbarcelona

    marvinbarcelona Private E-2

    1. AVG Anti-Rootkit still won't run. It just keeps advising to reboot.

    2. I asked about running in Safe Mode because I was concerned it might cause problems running it for prolonged periods.

    3. Did the fixMe and The Avenger.

    4. Everything is still the same: the same start-up process, the same refusal to boot into normal mode.

    5. The programs you asked me to remove are still there and won't budge.

    6. I did manage to get Sophos to run. Well, sort of: it wouldn't run "Process Scan", and gave the following message - "Could not initialize kernal driver mem.sweep.sys. Can not run in Safe Mode."

    The other two scans completed (Reg Scan and Disk Scan), but advised nothing found. The program didn't offer the chance to save any logs.

    Question: Am I missing something that won't let me boot in normal mode? Is there some program or part of one that's missing?



    Here's the new logs.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What programs?


    I need the log from Avenger!


    Some additional new malware showed up. Let's see if we can fix it.
    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ahymerno] C:\ypftcjev.bat
    O4 - HKLM\..\Run: [nvaerhov] C:\wwhydtjj.bat

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\wwhydtjj.bat
    C:\ypftcjev.bat
    C:\zip.exe
    C:\WINDOWS\system32\drivers\fnxfdkjf.sys
    C:\WINDOWS\system32\drivers\spbuxqfl.sys
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!


    Do you have other user accounts on this PC?
    • If so, can you boot in normal mode on the other user accounts?
    • If not, create a new user account. Now see if you can boot in normal mode on this new account.
     
    Last edited: Jan 28, 2007
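    The two O4 lines chaslang singles out here, [ahymerno] and [nvaerhov], have the shape a reviewer of GetRunKey and HijackThis logs learns to look for: an eight-letter random value name launching a .bat dropped in the root of C:\. An added PowerShell audit of the Run keys that those logs report, not part of the thread or of either tool, flags entries with that shape and entries whose target file no longer exists. It is read-only; the name-based heuristic is an assumption, and the KernelFaultCheck and TkBellExe lines in the same post are examples of legitimate entries it should leave alone.

```powershell
# Added example (not from the thread). Lists suspect Run entries; it does not remove them.
function Get-SuspectRunEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider fields
            $cmd = [string]$p.Value

            # The executable is the quoted path, or the text up to the first space.
            if ($cmd -match '^\s*"([^"]+)"')   { $exe = $Matches[1] }
            elseif ($cmd -match '^\s*(\S+)')   { $exe = $Matches[1] }
            else                               { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $reasons = @()
            # Assumed heuristics, modelled on the two entries in this post.
            if ($exe -match '^[A-Za-z]:\\[^\\]+\.(bat|cmd|vbs)$') {
                $reasons += 'script in drive root'
            }
            if ($p.Name -match '^[a-z]{8}$') {
                $reasons += 'random-looking 8-letter value name'
            }
            # "dumprep 0 -k" has no extension; try the bare name and name.exe before
            # calling the target missing.
            if (-not (Test-Path -LiteralPath $exe) -and -not (Test-Path -LiteralPath "$exe.exe")) {
                $reasons += 'target file missing'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $cmd
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspectRunEntries | Format-List
```

    Against the four O4 lines quoted in this post, [ahymerno] and [nvaerhov] would be reported with both the drive-root and random-name reasons, while realsched.exe and dumprep would pass unless their files were actually absent.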
  22. marvinbarcelona

    marvinbarcelona Private E-2

    Chaslang, thanks for all your help on this issue. I know I can be a little annoying at times (on account of I generally don't know what the hell I'm doing). I've had to re-install Windows as I really needed my PC working properly.

    However, I have gone over this site and downloaded some of the recommended software that will hopefully keep my PC safe in future. I've also printed off some of the guides you have here on the site (mainly to remind me not to be an idiot with PC security).

    Again, thanks very much. We may not have solved my problem, but I have learnt an awful lot from going through it, an awful lot from yourself and other folks here.

    Thanks again.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
