safe mode hijacked - tried everything in "read me first" - spyware/malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by siquedude, Dec 28, 2005.

  1. siquedude

    siquedude Private E-2

    I was infected with SpyAxe and usually I can do things myself as soon as I get into safe mode. However, this time, I'm unable to get into safe mode. I've downloaded the following programs:

    -Ad-Aware SE
    -CCleaner
    -Microsoft® Windows AntiSpyware. Install it and update it (this can only be used with Windows 2000/XP/2003)
    -Microsoft Windows Malicious Software Removal Tool (this can only be used with Windows 2000/XP/2003)
    -SpyBot - Search & Destroy
    -Hijack This!
    -CWShredder
    -Kill2me
    -SmitRem

    And I've also run BitDefender and PandaActiveScan, which took me almost 8 hours. At first, I had that little bubble in the bottom right-hand corner of the screen that tells me I'm infected. That's SpyAxe, I'm guessing, and now that I've run all of those programs, it's gone. However, my main page is still getting hijacked and I'm unable to send e-mails through Outlook. I'm running out of options. When I try to boot in safe mode, it gets to a certain file that it tries to load and then it reboots and does this infinitely. The two files that I believe it tries to load before rebooting are vax347h.sys and d347bus.sys.
    I've attached my activescan log and my hijackthis log and was wondering if you guys could assist me. Please advise. Thank you very much.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start by manually deleting all the files that you can that are listed in the ActiveScan log. Keep track of what deletes and what does not.

    Attach the BitDefender log and also smitfiles.txt from SmitRem!
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have indication of problems related to the SmitFraud family.


    D:\WINDOWS\system32\mssearchnet.exe
    D:\WINDOWS\system32\nvctrl.exe

    O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - D:\WINDOWS\system32\hp6D1D.tmp

    This is probably because you could not boot into safe mode to run the programs.
    Have you tried running sfc /scannow from a command prompt window? It will look for any missing/corrupted OS files and attempt to repair/replace them but you may need a Windows XP SP2 CD if some are missing.
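
The `O2 - BHO` line quoted in the post above follows HijackThis's fixed layout (name, CLSID, module path), so entries like it can be triaged mechanically. The following is an added example, not part of the original thread: the second sample entry is constructed, and the rule that a Browser Helper Object module should be a `.dll` is an assumption used here as a triage heuristic.

```python
import re
from pathlib import PureWindowsPath

# HijackThis O2 lines: O2 - BHO: <name> - {<CLSID>} - <module path>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)

# Assumption: BHOs are in-process COM servers, so the module is normally a DLL.
EXPECTED_EXT = {".dll"}

# First entry is the one quoted in the thread; the second is constructed.
SAMPLE_LOG = r"""
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - D:\WINDOWS\system32\hp6D1D.tmp
O2 - BHO: ExampleHelper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
"""

def parse_o2(line):
    """Return name/clsid/path for an O2 line, or None for any other line."""
    m = O2_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text):
    """Return (entry, reasons) for every O2 entry worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o2(line)
        if entry is None:
            continue
        path = PureWindowsPath(entry["path"])
        reasons = []
        if path.suffix.lower() not in EXPECTED_EXT:
            reasons.append(f"module extension {path.suffix!r} is not .dll")
        if entry["name"].strip() in ("", "(no name)"):
            reasons.append("BHO has no name")
        if reasons:
            findings.append((entry, reasons))
    return findings

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry["clsid"], entry["path"], "->", "; ".join(reasons))
```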
     
  4. siquedude

    siquedude Private E-2

    I'm actually running Windows from the D drive. On the ActiveScan log, should I just erase the D drive infected files or all of it? There are some files on there that don't have directories; I will skip them unless you tell me otherwise. Ex:

    Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Junk E-mail\Delivery Status Notification (Failure)\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]

    I will also get an XP disk and try the sfc /scannow and will get back to you as soon as I get hold of the CD. For the time being, thank you for your assistance.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is telling you where they are at. They are part of your email application. You need to either delete them from within your email application or you need to go to where your email application stores its files and delete these.
     
  6. siquedude

    siquedude Private E-2

    It's been about two weeks since I got back to you. I've finally got a copy of a Windows XP CD and tried that sfc /scannow from a command prompt. It loaded some stuff and I tried to reboot in safe mode again. However, the same problem occurs. I still can't get into safe mode and fix the problems. BTW, I've deleted all that stuff in my e-mail. For some odd reason now, I'm only able to surf the web for 20 mins. Then I have to reboot to use the internet again. It has nothing to do with my router b/c the other computers are working just fine. Any suggestions? Thanks!
     
  7. siquedude

    siquedude Private E-2

    Also, every time I right-click on any of my drives under My Computer, a blue screen appears for half a second and the computer restarts.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds to me like you have a software or hardware problem that is not malware (although your first log does show you did have a Smitfraud infection but I don't think it is the cause of the problems you describe with blue screens and boot in safe mode).

    Did you install DAEMON Tools Version: 3.47?
    I believe the vax347h.sys and d347bus.sys files you mention in your first message are from it or maybe another application. They seem to be related to PnP BIOS Extensions. I saw some info on bluescreen issues and this program in the below link:

    http://www.daemon-tools.cc/dtcc/archive/index.php/t-4619.html

    Maybe looking at some of the below search results would be of use
    http://www.google.com/search?q=d347bus.sys

    But this aspect of your problems is better discussed in the Software or Hardware Forums.

    As far as the SmitFraud problems which are malware, it could be difficult to remove if you cannot boot into safe mode. Do you have a bootable Windows XP SP2 CD?
     
    Last edited: Jan 12, 2006
