Help Needed

clewis18 · Jun 16, 2007

In need of help i cant access my computer in normal startup only from safe mode, if i try to start up in safe mode i either get a blue screen then it restarts or it loads and i get a message saying system shutdown iniated on NTAuthority, it gives me a countdown then reboots.

I have done the read me first as best i can i cannot use internet explorer to do the online scans, this causes the blue screen to appear and it to reboot, i can also not install counterspy as windows installer will not work.

I have done all these scans from safe mode, i hope the logs are still useful this way.

TimW · Jun 16, 2007

Your initial message is unclear ...you can't run in normal mode ...or you can only run in safe mode?

1. Download this file - ComboFix
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Attach this log to your next reply

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000000
Click to expand...

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O17 - HKLM\System\CCS\Services\Tcpip\..\{1A40201C-50BD-4F6A-AC60-3438D6AC19ED}: NameServer = 192.168.1.1
Click to expand...

Now attach new logs for:
ComboFix
GetRun
Shownew
HJT

clewis18 · Jun 17, 2007

yea sorry im mean it doesnt run in normal mode, that link for combo fix doesnt work and when searching on google for it loads of websites are saying its been withdrawn for causing damage.

Is there something else i can use? and shall i still create the notepad file and do the hijack this scan

clewis18 · Jun 17, 2007

ignore my previous message i dug a little deeper found combo fix and ran it also did the other things here are my results

clewis18 · Jun 17, 2007

and one more

TimW · Jun 17, 2007

Please use add/remove programs to uninstall:
J2SE Runtime Environment 5.0 Update 6

Please download and run CWShredder

Run HijackThis and select the following lines(if they still show) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
Click to expand...

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pe386]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pe386\Security]
Click to expand...

Now download and run AVGAnti-rootkit.

Attach new logs for:
HJT
ShowNew
GetRun

clewis18 · Jun 17, 2007

qqqq

clewis18 · Jun 17, 2007

Hi ive posted them but im now having to type from a different computer because after i uninstalled the Java the keys on my laptop have now gone out they were fine before but now if i type an m i get a 0 and that's the same for lots of other keys i get random characters for letters

TimW · Jun 18, 2007

Removing the old java did not cause the problem....you have a pe386 rootkit!
I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htmIMPORTANT: Do NOT run any other options until you are asked to do so!
Click to expand...

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.
Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

How are things working now?

clewis18 · Jun 18, 2007

yea seems fine starts up great and no crashes. Thankyou very much youve been brilliant.

Thanks

Chris

TimW · Jun 19, 2007

Before I give you instructions for the final clean up...
please attach new logs for:
HJT
ShowNew
GetRun

Log in or Sign up

Help Needed

clewis18 Private E-2

Attached Files:

runkeys.txt

newfiles.txt

hijackthis.log

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

clewis18 Private E-2

clewis18 Private E-2

Attached Files:

runkeys.txt

newfiles.txt

log.txt

clewis18 Private E-2

Attached Files:

hijackthis.log

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

clewis18 Private E-2

Attached Files:

newfiles.txt

runkeys.txt

clewis18 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

clewis18 Private E-2

Attached Files:

rapport.txt

rapport1.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member