Can only boot in safe mode

Discussion in 'Malware Help (A Specialist Will Reply)' started by scrimm, Dec 9, 2007.

  1. scrimm

    scrimm Private E-2

    This all started with Outpost and Virtumonde. I went through all of the computer maintenance and cleaning procedures and think I got rid of the Vundo trojan, but not sure about the rest. The computer will not boot up in normal startup mode. I can only get it to boot up in safe mode (with networking). I have attached all the logs. Please help!

    Thanks, scrimm
     

    Attached Files:

    Last edited: Dec 9, 2007
  2. abri

    abri MajorGeek

    Hi scrimm!
    Welcome to Major Geeks!

    Please go to safe mode and do the following:
    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.


    After you've done this, please try to get the MGTools.exe file onto your computer. If you have Safe Mode with Networking, try to connect to the internet and download from this address: http://forums.majorgeeks.com/showthread.php?t=139313
    The MGTools.exe download link is in the list with Combofix, AVG Antispyware and Spybot. If you don't have Safe Mode with Networking, please try to download this onto a CD or flash drive using another computer and then install it into the root drive (usually C) where your operating system is located. Double click on it to run it and it will produce a set of logs called MGLogs.zip. Post these to us as an attachment. You may have to use a second computer with internet access to post to us. The infections are still there and the logs will help us a lot to see how best to proceed.

    Thanks.
    abri
     
  3. scrimm

    scrimm Private E-2

    Thanks Abri,

    I added the reg fix and here is the MGLog.zip. Thanks so much for your help!!

    Scrimm
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi scrimm!

    Can you get into normal boot mode yet? If not, please do as much of the following as possible.


    1) You need to uninstall the following:

    - Java(TM) 6 Update 2

    2) After uninstalling the above, reboot your computer!

    3) Install the current version of Sun Java from: Sun Java Runtime Environment

    4) Run HijackThis and select Do a system scan only. Select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {0554E528-E447-41AF-B0F4-1F1D000BE7D8} - (no file)
    O2 - BHO: (no name) - {14c67b65-8333-48aa-b740-2e0ea6720d04} - (no file)
    O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
    O2 - BHO: (no name) - {BBEA5FA4-09D9-4DC5-BF12-CD96C90D97A4} - \
    O2 - BHO: 0 - {C230AD8E-F8EC-4E9A-1A8D-FF5E74ED4E27} - (no file)
    O2 - BHO: (no name) - {D6EA7A51-A393-4273-AC09-AFB45BC17C25} - \
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\SC\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
    O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)
    O21 - SSODL: lwNoFEKdkBT - {CC1D9986-66B7-332C-D5FE-FBECAFA4CF95} - (no file)
    O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)


    After clicking Fix, exit HJT.


    5) Run this Disable/Remove Windows Messenger tool to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    7) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    8) Please post a fresh MGlogs.zip and let me know how things are running now.

    abri
     
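    The HijackThis lines above follow a fixed "Oxx - Type: name - {CLSID} - path" layout, which is what lets a helper spot orphaned load points at a glance. The script below is an added example (not from this thread, not part of HijackThis or MGTools) that parses that layout and flags the entry types abri picks out in posts 4 and 18: entries whose file is "(no file)" or "(file missing)", BHOs with no proper name, and Run values that launch a batch file from the drive root under a random-looking name. The sample lines are constructed from the two posts plus one benign ctfmon entry; the two O4 heuristics are assumptions of this example, not HijackThis rules.

```python
import re

# Constructed sample: HijackThis lines abri asked scrimm to fix (posts 4 and 18) plus a benign ctfmon entry.
SAMPLE_HJT = """\
O2 - BHO: (no name) - {0554E528-E447-41AF-B0F4-1F1D000BE7D8} - (no file)
O2 - BHO: 0 - {C230AD8E-F8EC-4E9A-1A8D-FF5E74ED4E27} - (no file)
O4 - HKLM\\..\\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\\..\\Run: [fglsjnrx] C:\\rycltafx.bat
O4 - HKLM\\..\\Run: [ctfmon] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
"""

LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^[^:]+: \[(?P<name>[^\]]*)\] (?P<target>.+)$")

def parse_hjt_line(line):
    """Split one HijackThis line into {section, name, target}; None if it is not an Oxx line."""
    if not (m := LINE_RE.match(line.strip())):
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4":  # "HKLM\..\Run: [valuename] target" or "Global Startup: file"
        r = RUN_RE.match(body)
        name, target = (r.group("name"), r.group("target")) if r else (None, body.partition(": ")[2])
        return {"section": section, "name": name, "target": target}
    # O2/O9/O20/O21 bodies read "Type: name - {CLSID} - path"; the file part comes last.
    parts = [p.strip() for p in body.split(" - ")]
    return {"section": section, "name": parts[0].partition(": ")[2], "target": parts[-1]}

def triage_entry(entry):
    """Return the reasons this entry deserves a look (empty list = looks normal)."""
    reasons = []
    sec, name, target = entry["section"], entry["name"], entry["target"]
    if target.endswith("(no file)") or target.endswith("(file missing)"):
        # O20 Winlogon Notify and O21 SSODL load inside winlogon/explorer, so residue there ranks higher.
        prio = "high-priority " if sec in ("O20", "O21") else ""
        reasons.append(prio + "dangling entry: referenced file is absent")
    if sec == "O2" and (name == "(no name)" or name.isdigit()):
        reasons.append("BHO without a proper name")
    if sec == "O4" and name:
        # Heuristics (assumptions, not HJT rules): .bat/.cmd run straight from the drive root; vowel-free 6+ letter name.
        if re.match(r"^[a-z]:\\[^\\]+\.(bat|cmd)$", target.lower()):
            reasons.append("batch script launched from drive root")
        if len(name) >= 6 and name.isalpha() and not re.search(r"[aeiou]", name.lower()):
            reasons.append("random-looking value name")
    return reasons

def triage_hjt_log(text):
    """Return [(line, reasons)] for every Oxx line that produced at least one reason."""
    flagged = []
    for line in text.splitlines():
        entry = parse_hjt_line(line)
        if entry and (reasons := triage_entry(entry)):
            flagged.append((line.strip(), reasons))
    return flagged
```

    Run `triage_hjt_log(SAMPLE_HJT)` to see which of the sample lines are flagged and why; the AlcxMonitor and ctfmon entries pass because they reference present files under ordinary names.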
  5. scrimm

    scrimm Private E-2

    Hi Abri,

    I could not remove the Java 2 update. It would not work in safe mode, and I still cannot boot up in safe mode, although it almost did today! When I booted up in normal mode it went through a check disk and clicked through all of the start up screens, but finally got stuck on updating personal settings before it could finish booting.
    I did update the Sun Java runtime environment though.
    I could not run HijackThis because I do not have that program and couldn't find it. I know it is a variation of MG Tools, but I don't have the ability to input the text into the program with MG Tools like we could with HijackThis, or can with Avenger.
    I did run ATF Cleaner and have attached a new MGLogs zip file.
    Thanks for your input; it has really helped so far.
    Scrimm
     
  6. scrimm

    scrimm Private E-2

    I forgot to attach the MGLogs zip file.
    Thanks
    Scrimm
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi scrimm,
    Everything that I had you fix in post number 4 is still in your MGlogs. I'm not positive, but I think the MGlogs may be the same ones as before. Please do the following.

    1) Open the C:\MGTools folder and look for the program called analyse.exe, which is HijackThis with a different name. Please make a folder under Program Files called HJT and copy analyse.exe into that folder. You can do this by holding down the ctrl key while you're moving it.

    2) Double click on analyse.exe in its new location to run it and have it produce a log.

    3) Then rerun the MGTools.exe which is directly under C:\ and it will produce a new set of logs which should be stored over the previous ones. This set of logs, called MGlogs.zip, will be located in the MGTools folder and you should be able to check them and make sure by the date and time that they are the newest ones. There shouldn't be any others, because they are designed to overwrite the previous one which is what we want.

    Either the logs are not updating or your fixes aren't working and it's important before we continue to find this out. By running analyse.exe separately, I'll be able to compare the two.

    4) After you get the log for analyse.exe, which will be called hijackthis.log (it should be in the HJT folder that you created, where analyse.exe is located), please attach both the hijackthis.log and the MGlogs.zip with your next post.

    Thanks.
    abri
     
  8. scrimm

    scrimm Private E-2

    Hi Abri,

    Ok, I got both of the logs and have attached them. I double checked that the MGLogs is for today. I'm not sure if it was me or my system that was the problem before, but this one has today's date.

    Thanks,
    Scrimm
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi scrimm,

    Nothing I asked you to remove in post number 4 is gone according to your logs. This means that something is probably blocking the fix. Please go back and redo the instructions for post number 4, only before you start them, disconnect your computer from the internet (physically) and then disable your antivirus and any other spyware programs you may have running. Then try the instructions again.

    After you've finished them, please start up your antivirus again, then reconnect your computer to the internet and run MGTools.exe again for a fresh set of logs - MGLogs.zip.

    Thanks.
    abri
     
  10. scrimm

    scrimm Private E-2

    Hi Abri,
    I still couldn't uninstall the Java update. I attached a screen shot of the denial. I was able to use HijackThis to fix the things you requested. I had already run the messenger deleting software and since I didn't have internet access have not done it again so far. The last time I was successful in fixing the script in Avenger that you gave me, but this time it wouldn't work. I can only assume it worked correctly before and so this time was not there to fix? I tried to boot normally again, but it still won't work. It gets to the desktop and then stalls saying it is updating the desktop.

    Thanks Abri!

    scrimm
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi scrimm!

    I think the Avenger problem might have been mine. The files got deleted anyway, so that's okay.

    Please go to add/remove programs and try to uninstall Outpost Firewall Service. If it doesn't allow you to do this, tell me.

    At which point did it occur that you were no longer able to boot into normal mode? Was that after trying to fix Vundo or was the problem already there before? And why did you think that Outpost (mentioned in the 1st post) is part of the problem?

    abri
     
  12. scrimm

    scrimm Private E-2

    Hi Abri,

    I'm still booting in safe mode with networking and still can't uninstall things with the add/remove in the control panel. I did however find the uninstall for Outpost with Windows Explorer and was able to uninstall it. What I was really talking about in my first post was Outerbound, not Outpost. The problems with this computer began sometime in May or June this year. It started with this Outerbound software giving me popup ads all of the time, and I couldn't exit off of them. I was forced to go to the site and check out the merchandise. Then somehow I got the Vundo. Both of these things could not just be uninstalled. In researching how to get rid of all of this I came across MajorGeeks and tried some of the suggestions at that time. One of them was getting Outpost Firewall to protect my computer. It also suggested Panda and Kranminsky SP? scanner and a few others, which I downloaded and used, but could never get rid of the problems. I would say it was around June, after I had tried quite a few of the different scanners, etc., that my computer got so slow it couldn't even boot up in normal mode. It would hang at the desktop and freeze up. Today I tried to boot up in normal mode and actually got it to boot, although it took many hours just to get it to come up: 1 hour to complete booting, slowly moving the mouse and then waiting for the pointer to move and then waiting for 15 to 20 minutes for it to react after clicking a button. There was a DOS screen with Avenger running some scripts that it said were not working and the task manager was up the whole time. I hope this background helps. Oh, PS: I did delete the Java 2 runtime update from Windows Explorer since I couldn't get the uninstaller to work. Then I tried to install the Java update you gave me from MajorGeeks, but it would not allow me to install either. It said the network administrator did not allow me to do that. However, I am signed on as the administrator.
    Also, before we used (I think it was) Avenger, maybe one of the other things we did, I could install and uninstall, no problem. Also, something has happened to Word. Everything else in MS Office is there, but Word has disappeared. Not sure if that is relevant or not, but thought I should mention it. Ok, so much for the long-winded post. Thanks again for all of your help.
    Scrimm
     
  13. abri

    abri MajorGeek

    Hi Scrimm,
    I wanted to ask you about what you said here:
    What did you fix? The reason I'm asking is because you're the second person this week who had trouble running Avenger, and this could be due to it not being installed correctly, but it might have some other reason and I would like to try and find this out.

    I think you are referring to OuterInfo, which is common enough that it should be gone through the normal cleaning procedures. Nothing we are doing is working in any normal kind of way and I would like to ask for a second opinion about how you should proceed. I'll get back to you.

    abri
     
  14. abri

    abri MajorGeek

    Hi scrimm!

    I would like to add this post to my previous one. I'm not sure one of the scans in your MGTools is giving us all the information we usually use. I'm missing all the dll files. In any case, there are several files that need to be removed, if we can get to them. Since you are having trouble running Avenger, please try the following:

    Next, download a tool we will need: Pocket KillBox

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    I don't know if you will have more success with this, but if these files are deleted, it might help us to get further.
    abri
     
  15. scrimm

    scrimm Private E-2

    Hi Abri,

    I did run Killbox. I did not get any error message - all went smoothly. I mentioned Avenger working properly the first time; I said that because it took the scripts and acted like it was doing what we asked it to do. The second time it couldn't run them - I think it said it was because it couldn't find them. Should I be running another set of logs now?

    Thanks,
    Scrimm
     
  16. scrimm

    scrimm Private E-2

    Update:

    Hey Abri, I have just booted up normally, although it is still selective startup! Next I'll set it to normal mode and try that. Since I wasn't in safe mode, I removed the Java 2 update from the control panel! It worked! I'll go ahead and get the Java update now before I re-boot. Thanks!
     
  17. scrimm

    scrimm Private E-2

    Wonderful news: I changed the startup back to normal, and it booted right up! Everything seems to be running well. Thank you so much for all of your help! Is there anything I should do now to ensure all is ok and/or to finish the cleanup?

    Thanks again Abri,
    Scrimm
     
  18. abri

    abri MajorGeek

    Hi scrimm!
    That's the best news!

    I would like for you to do the following, then post one more set of MGlogs and then I will give you the final clean-up instructions to remove all the stuff we've been using here.

    1) Run HijackThis and select Do a system scan only. Select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [fglsjnrx] C:\rycltafx.bat
    O4 - Global Startup: ymetray.lnk.disabled

    After clicking Fix, exit HJT.

    2) Copy the contents of the below Quote Box including the word REGEDIT4 to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    3) Now, please run CCleaner again.


    4) Please post a fresh MGlogs.zip and let me know how things are running now.

    abri
     
  19. scrimm

    scrimm Private E-2

    Hi Abri,

    Yes, it is good news! All thanks to you and MajorGeeks' help! I have posted a fresh set of MGLogs. The computer seems to be running pretty well as far as I can tell and pretty quick. I was wondering, how did you get into this? It seems like a really cool way to give back.

    Thanks,
    Scrimm
     

    Attached Files:

  20. scrimm

    scrimm Private E-2

    I forgot to mention I couldn't find this to fix:

    O4 - HKLM\..\Run: [fglsjnrx] C:\rycltafx.bat

    But did fix the other one.

    Thanks,

    Scrimm
     
  21. abri

    abri MajorGeek

    I got a virus. :D

    Please do the following cleaning instructions. I don't think you need a firewall, because I think your Norton Internet Security includes one.
    abri
     
