Inactive System infected: system password always rejected, but in Safe mode

Status
Not open for further replies.

Puntazo

Good morning.
I am reaching out to you for support in removing infections in my system. My understanding after reading through multiple posts in this Forum is that the clean up process cannot be effective unless I interact with a technician on your side, who is skilled at reading system scan logs. Hence I opened this new thread and I hope it is not redundant.
I am running Windows 7 Pro on a Dell Latitude E4310 with Avast Antivirus free version.
It is quite some time (months) now that AVS regularly detects the iLivid threat. At the beginning the only anomaly I noticed was that my web browsers (mainly IE, but also Chrome) were redirected from Google to ask.com. I took specific action to restore my original Internet options and the issue appeared mitigated. However it was never completely fixed. Recently I also experienced sluggishness and in Task Manager I noticed some suspicious processes running in the background and taking up memory. A couple of days ago I started reading random troubleshooting instructions, installed and ran a scan with Malwarebytes, which found a number of infections.
Now I no longer seem to be able to log in to Windows normally using my usual password; however, the same password works fine if I access it through Safe mode.
Would it be possible to interact with one of your technicians and go through all the necessary steps to remove current infections, set up my system with an adequate set of anti-threat tools, and be instructed on how often I need to perform system scans in order to maximize my protection level?
Sorry for this lengthy message and thank you very much for your support!
 
Welcome aboard

Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

===============================

Download RogueKiller from one of the following links and save it to your Desktop:

Link 1
Link 2

  • Close all the running programs
  • Windows Vista/7/8 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

Create new restore point before proceeding with the next step....
How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

Download Malwarebytes Anti-Rootkit (MBAR) from HERE
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
 
As for Malwarebytes Anti-Rootkit, the scan was successfully completed, no infections were found, no clean up required, hence there are no log files available.
I will be able to follow up debugging for the next half hour, then, if necessary, I will be able to resume troubleshooting on 5/26 AM CET.
Thank you for your support so far and best regards.
 
Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    If the connection is still not there, use the restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
  • NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
 
Hello Broni,
Thanks for confirming.

I still experience the following two issues:

1. System login password continues to be rejected in Normal mode, while successfully accepted in Safe mode (just retested). So, let me reiterate that all the infection scans I ran were performed in Safe mode. I am not sure if this affects the overall final success of the clean up process (?)

2. I now experience the following issue: both IE and Chrome, when first launched (with default Home page: http://www.google.com), prompt me to proceed to update a version/component. I did not go ahead with the updates. If I enter different URLs, however, the browsers work fine.
Here are the error messages that I get:

IE:
Outdated Browser Detected
You are currently using - Mozilla (not Firefox) 0 - which is now outdated
Please Update The Latest Version Of Internet Explorer (Recommended)

Chrome:
Chrome: Warning! Your Flash Player may be out of date. Please update to continue.

Any ideas? Thanks!
 
2. We'll see about those.

1. Can you change login password in safe mode and see if the new one will work in normal mode?
Do you have to use login password for whatever reason?
 
This topic is marked as abandoned and closed due to inactivity.

This member will NOT be eligible to receive any more help in malware removal forum.
 
In reply to comment # 15:

2. It seems I managed to resolve this by deleting related Temp files, no longer an issue.
1. Tried to change pw in Safe mode, but it does not go through. It seems I have to relay this to corporate. And yes, the pw refers to my corp account. Regarding this, I would appreciate if you could help me remove from this thread my posts # 2,3,4,5,6,8, or let me know how to edit them, since I realized they show some references to the account owner, etc...
I would like to clarify that for the last weeks this laptop ran exclusively outside the corporate network.
To address point 1 I also ran the full suite of Dell Diagnostics Tools to exclude any hardware failures that may prevent me from successfully logging on to my corp account.
I would appreciate any advice you may have to resolve the password issue, so that I can then re-run the full set of anti-infection tools, but this time in Normal mode.

Thank you very much!
 
Yes, I did. My ticket is in a queue list and will be addressed ASAP.
Any chance you can take a look at my request in point 1 above, please. Thank you.
 
It started as a system security issue, since my laptop got infected. As a direct consequence of the system cleanup process my system account got corrupted and I can no longer log on to it in Normal mode. Based on this forum's guidelines for infection troubleshooting I understand that all tools need to run in Normal mode. My objective is to regain access to my system in Normal mode (and for this I am awaiting corp help), run in Normal mode the same sequence of tools that I had previously successfully utilized in Safe mode, and when I get a green flag from you on the resulting log files declare this issue resolved. So, thank you again for your support in all these stages.

Can I meanwhile kindly get assistance with this, please:
"could help me remove from this thread my posts # 2,3,4,5,6,8, or let me know how to edit them, since I realized they show some references to the account owner, etc..."
 
Most of those tools can be run in safe mode as well but I'd prefer you gain access to normal mode first so we know it's not malware related.

Logs hidden from public view.
 