TechSpot

Malware ral and Safe mode problem

By rmarcante
May 22, 2008
Topic Status:
Not open for further replies.
  1. Hi to everybody,

    I'm Riccardo and this is my first post here, so I apologize in advance should this not be the right forum to post this message.

    In order to solve the problem I'm having since 3 days with google slowing down probably redirecting elsewhere, I'm following the preliminary removal instructions I've found here.
    But a problems never goes alone: when I came to point 13 I've found out that I can't boot on safe mode, no matter how I try (and you can bet I've tried hard).

    Can I solve this? Or could it be another consequence of a malware? I've heard about worm Bagle (or something similar) but I didn't seen any of the folders typical for it.

    If I can't solve this, could I run in normal mode through the end of the removal process or I'll waste my time?

    Additional info: I use a Dell Latitude 630 with Windows XP SP3 (but no recovery cd).

    Thank you in advance for your attention

    Riccardo
  2. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Do what you can, however you can. Then get us the logs. If you were able to run Combofix then it should show if safe mode has been disabled or corrupted. We can then reinstall safe mode.
  3. rmarcante

    rmarcante Newcomer, in training Topic Starter

    Hi BD and thank you for your quick reply,

    yesterday I've tried for third consecutive night to get rid off this problem and I've followed all steps included in V/S/M preliminary removal instructions.
    At the end, for the very first time, none of the tools I've used warned me about problems, which I consider a good point.
    Anyway, since I don't wanna get too happy, here are my logs together with a couple of info since the no-safe mode problem had forced me to a kind of workaround:

    1) on step 2: mcAfee Virus Scan Enterprise 8.5.0 is resident on my PC so I have not downloaded AVG nor Avast antivirus. After this bad experience, in your opinion, would it be safe to change my AV?

    2) still on step 2: regarding firewall, I'm using Windows Firewall. Again, would it be better to use ZoneAlarm?

    3) on step 10: I could not run SmFraudfix on safe mode. On normal mode, none of the three tools have found anything.

    4) on step 13: as I told you, no safe mode allowed on my PC. As a workaround, I've used a BART PE environment. Once started on BART PE, I've run Sophos Antivirus (from command prompt): Sav32Cli -f -remove which, I suppose, has performed a full scan and removal. No viruses found though.

    5) on step 14: same thing: no safe mode. In normal mode, nor SS&D and AdAware had something bad to say.

    Ok, that's it.
    Here attached you'll find HJT and Combofix logs. I hope you can give me good news.

    Thank you again

    Riccardo
  4. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    I will work up some further instructions for you but in the mean time.

    1) I recommend Avira Antivir, it is just as good as paid programs but uses a lot less resources and its free. It also has a resident protection and excellent detection rates, but this is up to you.

    If you decide to remove Mcafee please do it this way.
    Remove Mcafee products
    1. Click Start, Settings, Control Panel.
    2. Double-click Add or Remove Programs.
    3. Select the McAfee SecurityCenter product.
    4. Click Remove and follow the steps provided.
    5. Download the Mcafee removal tool from http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
    6. Click Save and save the file to your desktop
    7. Make sure all McAfee windows are closed.
    8. Double-click MCPR.exe to run the removal tool. (Vista users need right click and run as administrator)
    9. Restart your computer after receiving the message CleanUp Successful.


    2) Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
    Comodo (Vista Compatible)
    Kerio
    Online Armor
    Zonealarm (Vista Compatible)


    3) I see some cracks / keygens in the logs this is more than likely where you picked up this problem. P2P programs and torrents are also well known to spread infection.
  5. rmarcante

    rmarcante Newcomer, in training Topic Starter

    Thank you BD.

    Waiting for your final advice:

    1) I'll download Avira, no doubt about that (although I thought you'd suggest AVG)

    2) I've already downloaded ZA, tonight I'll update my PC

    3) as a matter of facts, I've downloaded one or two keygens 10/15 days ago to run a very known CD burner (probably the most famous one) and I had immediately some doubts about them. Unfortunately it was too late. I have just one (silly?) question about this: is there any tool able to warn me just in case it happens again (I mean using keygens)? Or the only thing I can do is run any SS&D or SAS after the damage is done?

    Thank you again

    R
  6. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Well the obvious answer would be not to use keygens ;) But I will suggest some software once you are clean to help keep you that way. Please be patient as I work up your next set of instructions I am at work at my real job so it may take a bit.
  7. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    I didn't get to see your SUPERantispyware log either please attach it for me.

    Can you explain this also before we proceed

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.mirabilandia.it
    O17 - HKLM\Software\..\Telephony: DomainName = ad.mirabilandia.it
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.mirabilandia.it
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.mirabilandia.it
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ad.mirabilandia.it
  8. rmarcante

    rmarcante Newcomer, in training Topic Starter

    Hi BD,

    please find here attached my last SAS log.
    Furthermore, mirabilandia is the company where I work.
    I suppose those parameters are requested to log into the domain.

    If they may bother, I could ask IT dept. whether they can remove them.

    Thank you again

    Riccardo
  9. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Those entries are fine as long as it is somewhere you trust.

    Run Kaspersky Online AV Scanner

    Order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  10. rmarcante

    rmarcante Newcomer, in training Topic Starter

    hi BD,

    please find here attached Kaspersky log.

    I've read through it and I've noticed, beside all those locked files, three locations where it seems to find something bad:

    - the recycler bin: these are rots from previous operations. I've emptied the bin after this log;
    - nero trials versions, which I've downloaded from official site. I've googled to find something about AdTool.Win32.MyWebSearch.bm and I've seen that it's related to some toolbar (I can't remember which one) Nero suggests to install with it;
    - smitfraudfix, but I think this is the virus it uses to test my resident AV.

    In any case, I wait for your reply (also about Safe Mode, if you can).

    Thank you again

    Riccardo
  11. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Everything in your log looks ok. Aside from the keygens like I said earlier

    Let's check a few things now before we clean up:

    First:
    Go to Start -> Run -> type msconfig -> go to boot.ini -> check the boxes for safeboot and minimal -> then restart when it asks.

    see if it boots into safe mode if yes come let me know, if no continue to next option

    -----------------------------------------------------------

    Next:
    Download to your Desktop this self-extracting ZIP archive FixPolicies.exe

    • Double-click FixPolicies.exe
    • Click the Install button on the bottom toolbar of the box that will open.
    • The program will create a new Folder called FixPolicies
    • Double-click to Open the new Folder, and then double-click the file named Fix_Policies.cmd
    • A black box will briefly appear and then close. This will enable your Control Panel, Task Manager and stop any Administrative warnings.

    Afterwards attempt restarting to safe mode, if it works let me know if not continue

    ---------------------------------------------------------------------------

    If that doesn't work:
    I had an option to reinstall safe mode for XP SP2 but you have SP3 so I am not sure that it will work, I will look into it further
     
  12. rmarcante

    rmarcante Newcomer, in training Topic Starter

    I've tried first 2 tools:

    msconfig:

    1st try:- after reboot, it didn't stop at black screen with blinking white line on left upper corner, but it showed me windows splash screen and then nothing else: the screen has remained black without getting the usual login page;
    2nd try: I've pressed F8 to try with safe mode at prompt: no way: usual black screen immediately;
    3rd try: last good configuration: before getting into Windows it said that volume was corrupted and went through a scandisk (or something similar); on the next automatic reboot, we were back to situation 1 (splash screen only)
    4th try: after a BartPE to restore boot.ini, I went through a normal boot and everything was fine. So i tried second option

    fixpolicies.exe
    no way: usual black screen

    safeboot.zip
    I didn't register those changes because I've seen they're related to SP2. Now, I've SP3 installed. May I go through it as well or not?

    All and all, the thing which is concerning me the most is the corruption of the volume right after 1st try.

    Thank you very much for your comprehension

    Riccardo
  13. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    I am going to ask one of the other helpers that is better at this side of it to step in, then I will go through the clean up process with you.

    Most of my tools are for sp2, so be patient while I send the link to them.
  14. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    This concerns me a lot, because if any Virus/Trojan/Malware has infected your Windows system files (and then later removed the infected file) It is possible that Windows will require a repair (using the correct Operating System disc)
    You can also contact Dell and purchase your missing recovery CD at a significantly reduced cost.

    This won't matter.
    Running tools meant for SP2 (likely the original version of your Windows) will help your system not hurt it (used under fault condition)

    Presently (through using BartPE disc) you are able to get to Normal mode, is that correct?
    Also you are still not able to get to Safe mode, whatever you try?

    If so

    In Normal mode go to Add/Remove programs and remove Windows Service Pack 3.
    This will take your computer back to the original SP2 (and shouldn't ask for any CD)
    Once Windows Service Pack 2 is back, restart your computer back to Normal mode.

    At this stage reply back
  15. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    So what do you think about merging a new safe boot into the registry? Don't follow this without the ok from kimsland, but this was going to be my 3rd suggestion

    Download the ZIP file, extract the SafeBoot-for-Windows-XP-SP2.reg file and merge it into the registry by double-clicking it:
    SafeBoot.zip

    Click YES on the following screen
    [​IMG]
  16. rmarcante

    rmarcante Newcomer, in training Topic Starter

    I'm sorry but I'm getting a little confused now.
    Let me recap.

    1) It seems that I'm almost clean, since BD told me my logs were ok, isn't it? If this is correct, I suppose having eliminated all malwares I had

    2) I'm having no problems booting on normal mode, using Windows as it's meant to be used. I needed BartPE because I was stuck, having changed my boot.ini with /safemode /minimal parameters. Once restored my old boot.ini I had no problems with normal mode, but still no safe mode

    3) I've followed BD suggestions about fixpolicies.exe but nothing has changed.
    Now I was ready to apply safeboot.zip but I'm a little concerned since it's intended for SP2.

    I don't want to be insolent, but I understand that kimisland solution (downgrade to SP2) was intended to restore normal mode, which should not be the main issue.

    Correct if I'm wrong: should I apply safeboot.zip on SP3, which is the worst thing that could happen? I think at worst I won't boot on safe mode. Or could it get worse?

    By the way, I've read yesterday a couple of threads where this "SP3 no safe mode" problem was discussed. Although the symptoms are not exactely the same, I've seen that Microsoft itself had something to say about graphics board interferences.
    Furthermore, someone's suggesting Safe Mode Fixer by MoonValleySoft.com:
    http://www.techspot.com/vb/topic15202.html

    Thank you again

    Riccardo
  17. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Yes that's right. I know. Don't worry I'll question you if I don't know.

    @Blind Dragon

    Good find, actually it is slightly different for SP3.

    Your SafeBoot Reg file is missing the following, for SP3 (Disregard the spaces, just being the limit of allowed characters)

    As I happen to have the SP3 reg file, I'll attach it. (done :) )


    @rmarcante, forget about uninstalling SP3 (ok we all learn new things)

    Please download the attachment SafeBoot-SP3.zip Extract and double click on SafeBoot-SP3.reg file, then select Yes

    Restart your computer, and repeatively press F8 key, then go to Safe Mode

    If you can now do this, please reply back

    By the way, don't purchase anything just yet

    Attached Files:

  18. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Thanks kimsland, would you mind if I download and re-use this as well?
  19. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Actually it's from my system, there is the smallest of possibilities (less than a percentage) that it's not the absolute clean default
    (ie I would need to install Xp clean, then SP3 to absolutely confirm)

    But I'm 99.99999% sure it's ok (anyway mine works)
    So yes, take whatever you like with attachments/downloads on a public forum
  20. rmarcante

    rmarcante Newcomer, in training Topic Starter

    I'm sorry guys but it still doesn't work.
    The last driver I could read on the bottom of my screen was mup.sys, so I've googled a little and I've found out that I'm not alone (and I feel better, I must confess).
    But still I see a lot of different opinions about it: someone says mup.sys is not the failing point but simply the last one being called by boot procedure, someone else says that I should disconnect all my USB devices (but I only have mouse connected, should I really disconnect it?), someone else says that's a SP3 bug and we should wait for a patch by MS.

    If you don't have any other ideas, I think I'll give up on this subject, waiting for any definitive solutions by MS. But, of course, should you have some ideas, I'll give it a shot.

    @kimisland
    thank you very much anyway

    @BD
    BD, before this "no safe boot" deviation, you were mentioning something about cleaning my PC...

    Thank you very much for your patience

    Riccardo
  21. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    someone says mup.sys is not the failing point but simply the last one being called by boot procedure
    Yes

    someone else says that I should disconnect all my USB devices (but I only have mouse connected, should I really disconnect it?),
    Yes that could work too

    someone else says that's a SP3 bug and we should wait for a patch by MS.
    No

    -------

    Just in case, can you go back to Safe Mode boot up, and just before the Mup.sys (I know it's quick, just around that area) repeatively press the ESC key on you keyboard.

    By the way, there are known fixes for Mup.sys issue.
  22. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Lets clean up what we have been doing and secure the work you have done already.

    Update your Java Runtime Environment
    • Click the following link
      Java Runtime Environment 6 Update 6
    • The 5th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected'at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_06 folder
    --------------------------------------------------------

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

    -----------------------------------------------------------------------
    Cleanup using OTMoveit2 by OldTimer
    Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

    Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

    1. Double click OTMoveIt2.exe to launch it.
    If using Vista Right-Click OTMoveIt and choose Run As Administrator
    2. Click on the CleanUp! button.
    3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
    4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

    * When finished exit out of OTMoveIt2

    ---------------------------------------------------------------------------

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Set correct settings for files
      • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View

        tab.
      • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
      • If unchecked please check Hide protected operating system files (Recommended)
      • If necessary check "Display content of system folders"
      • If necessary Uncheck Hide file extensions for known file types.
      • Click OK

      clear system restore points

      • This is a good time to clear your existing system restore points and establish a new clean restore point:
        • Go to Start > All Programs > Accessories > System Tools > System Restore
        • Select Create a restore point, and Ok it.
        • Next, go to Start > Run and type in cleanmgr
        • Select the More options tab
        • Choose the option to clean up system restore and OK it.
        This will remove all restore points except the new one you just created.

    2. Make your Internet Explorer more secure - This can be done by following these simple

      instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialize and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    3. Use an AntiVirus Software - It is very important that your computer has an anti-virus

      software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and

      Removal Resources


    4. Update your AntiVirus Software - It is imperitive that you update your Antivirus software

      at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to

      catch any of the new variants that may come out.

    5. Use a Firewall - I can not stress how important it is that you use a Firewall on your

      computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this

      and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your

      risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls



    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit

      http://www.windowsupdate.com regularly. This will ensure your

      computer has always the latest security updates available installed on your computer. If there are new updates to

      install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with

      its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus

      protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove

      Spyware , Malware, and Hijackers


    8. Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with

      program on a regular basis just as you would an antivirus software in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, &

      Hijackers from Your Computer


    9. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into

      your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer

      from Spyware and Malware


    10. Update all these programs regularly - Make sure you update all the programs I have listed

      regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    here are some additional utilities that will enhance your safety

    • IE/Spyad <=

      IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair

      attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you

      will still be able to connect to the sites.
    • MVPS Hosts file <= The

      MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents

      your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    • Google Toolbar <= Get the free

      google toolbar to help stop pop up windows.
    • Winpatrol <= Download and install

      the free version of Winpatrol. a tutorial for this product is located here:

      Using Winpatrol to protect your computer from malicious

      software
  23. rmarcante

    rmarcante Newcomer, in training Topic Starter

    All done!
    Thank you again for all your patience and the attention you paid to me!

    It's a wonderful site and I'd like to know whether I can contribute somehow.

    Thank you
    Ciao

    Riccardo

    PS: BD, I'm gonna PM you
  24. rmarcante

    rmarcante Newcomer, in training Topic Starter

    Now, it's time to keep on going with safe boot topic. I'll keep you posted.

    Thanks

    Riccardo
  25. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Absolutely let me know what comes of it.

    You can contribute when ever you like in this forum, especially when you find a solution to your problems and you see somebody come along with the same problem
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.