
Windows Safe Mode Virus

 
0
 

Hello,
Earlier today my laptop was taken out by a virus, possibly a parasite. There had been a few errors throughout the day; my laptop is well maintained, but I didn't think anything of the messages and I am usually capable of fixing a problem.
The browser crashed, and I shut the machine off; when it re-booted it went to safe mode. A window marked 'Windows Safe Mode' popped up after the log-in screen, and it proclaimed that my hard drive had failed and there was massive data loss, etc.
I figured this was a ploy, so I tried the usual tricks to circumnavigate the screen, but everything else has been disabled.

On doing some research there are a few people affected by this, and no one seems to have an answer.

People are generally not reading the problem and just suggesting futile pieces of software to install, BUT only this virus screen can be seen. No task manager, no obvious way around; this is in and out of safe mode, with and without network access.
I can get to the command prompt via safe mode, but I haven't used DOS for well over a decade, and don't want to risk messing.
I have looked at the settings in the 'safe mode' where it has options like "don't activate on start up", but that didn't work, though I didn't expect it to. If you close the window, it just goes through the "must scan defective hdd" nonsense again.

I have considered an OS re-installation, but I am on Vista, and don't have a CD as they seem to have stopped issuing them. And I am doubtful that will work, short of a full format.

Does anyone have any ideal solutions please? (That doesn't involve installing something.)

 
0
 

Does anyone have any ideal solutions please? (That doesn't involve installing something.)

Hi T.o.d.d,

See if you are able to do this on a working compy:

Create the Ubuntu Live CD as per the instructions in the link.
See if your illcompy will boot it (choose the Try Ubuntu option).
If it boots, let us know.

That's just a "first step" to assess what we may be able to do - there are a number of options to try, but I want to establish a "baseline," as it were.

-- Do you have a Thumb drive to use to transfer/run programs?

I'll be back Saturday evening EST.

Let us know how you fare.

Cheers :)
PP

 
0
 

Hello all,

This appears to be a recent virus as I have also run into it.

So far you can do quite a bit. In the CMD Prompt Safe Mode, I ran the CMD to re-instate task manager:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Next I ran explorer.exe from the CMD Prompt, and this gave me access to all my regular files in safe mode, WITHOUT it initializing the "Windows Safemode" virus.

My next step was to delete some of the suspicious files which resided in Application Data. This then allowed me to run an ESET virus scan (The virus blocks the use of a virus scanner before you have deleted some of the files associated with it). I did so and it appeared to work.

HOWEVER, the next time I ran the computer in normal mode, it lasted 15 minutes before the virus reappeared and crashed me. I assume there was some sort of downloader left that redownloaded the virus.

This is as far as I'm able to go so far.

 
0
 

A quick update, the file that will not let you open your virus scanner (including other programs it seems such as firefox, etc) is a .dll file residing in C:\Documents and Settings\All Users\Application Data.

It can only be removed once you have deleted the other files around it (various .exe's) and have restarted AGAIN in windows safe mode with command prompt.

 
0
 

It can only be removed once you have deleted the other files around it (various .exe's) and have restarted AGAIN in windows safe mode with command prompt.

Hey, Sam,

Thanks for the detailed info - much appreciated :)

-- Did you try running a tool such as Combofix?
It can be run via command prompt from a flash drive, if need be...

That may be harder for the malware to block - Of course, you need to have a good understanding of what you are working with when using such a tool....

PP:)

 
0
 

Hi PhilliePhan, I regret to inform that I've never used ComboFix before. I'll give it a shot though. Is there anything I should specifically be targeting when using it?

 
0
 

I ran SmitFraud and ComboFix.

This is the combofix log.

ComboFix 11-03-05.01 - Sam Chinnery 06/03/2011 8:34.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.1014.593 [GMT 0:00]
Gestart vanuit: E:\ComboFix.exe
AV: ESET Smart Security 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Sam Chinnery\Application Data\igxpgd32.dat
c:\documents and settings\Sam Chinnery\Menu Start\Programma's\Opstarten\igfxtray.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\twunk_32.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2011-02-06 to 2011-03-06 ))))))))))))))))))))))))))))))
.
.
2011-03-05 10:43 . 2011-03-05 10:43 -------- d-----w- c:\documents and settings\Sam Chinnery\Application Data\SUPERAntiSpyware.com
2011-03-05 10:43 . 2011-03-05 10:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-05 10:42 . 2011-03-05 10:43 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-03 16:49 . 2011-03-03 16:49 -------- d-----w- c:\documents and settings\Administrator
2011-02-22 14:08 . 2011-02-24 11:27 -------- d-----w- c:\program files\Lx_cats
2011-02-22 14:06 . 2011-02-22 14:06 -------- d-----w- C:\Lexmark
2011-02-22 13:53 . 2011-02-22 13:53 -------- d-----w- c:\program files\Lexmark 510 Series
2011-02-22 13:53 . 2004-02-26 08:58 73728 ----a-w- c:\windows\system32\lxbzpwr.dll
2011-02-22 13:53 . 2004-02-26 08:58 80896 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LXBZPP5C.DLL
2011-02-22 13:53 . 2004-02-26 08:55 174592 ----a-w- c:\windows\system32\LEXPPS.EXE
2011-02-22 13:53 . 2004-02-26 08:55 201216 ----a-w- c:\windows\system32\LEXP2P32.DLL
2011-02-22 13:53 . 2004-02-26 08:55 307200 ----a-w- c:\windows\system32\LEXBCES.EXE
2011-02-22 13:53 . 2004-02-26 08:55 147456 ----a-w- c:\windows\system32\LEXBCE.DLL
2011-02-22 13:53 . 2004-02-26 08:55 197120 ----a-w- c:\windows\system32\LEX2KUSB.DLL
2011-02-22 13:53 . 2004-02-26 08:26 200192 ----a-w- c:\windows\system32\lexlmpm.dll
2011-02-22 13:52 . 1997-04-08 20:08 299520 ----a-w- c:\windows\uninst.exe
2011-02-22 13:52 . 2011-02-22 13:52 -------- d-----w- c:\documents and settings\Sam Chinnery\WINDOWS
2011-02-16 08:00 . 2011-02-16 08:00 -------- d-----w- c:\windows\system32\XPSViewer
2011-02-16 08:00 . 2011-02-16 08:00 -------- d-----w- c:\program files\MSBuild
2011-02-16 08:00 . 2011-02-16 08:00 -------- d-----w- c:\program files\Reference Assemblies
2011-02-16 08:00 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-02-16 07:59 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-02-16 07:59 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-02-16 07:59 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-02-16 07:59 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-02-16 07:59 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-02-16 07:59 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-02-16 07:59 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-02-16 07:59 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-02-15 11:20 . 2011-02-15 11:20 -------- d-----w- c:\documents and settings\NetworkService\Mijn documenten
2011-02-15 11:18 . 2011-02-15 11:18 -------- d-----w- c:\documents and settings\Sam Chinnery\Application Data\WindSolutions
2011-02-15 11:18 . 2011-02-15 11:18 -------- d-----w- c:\documents and settings\All Users\Application Data\WindSolutions
2011-02-15 11:05 . 2011-02-15 11:05 -------- d-----w- c:\program files\Common Files\eSellerate
2011-02-15 11:01 . 2011-02-15 11:01 -------- d-----w- c:\documents and settings\Sam Chinnery\Application Data\Xilisoft
2011-02-15 10:39 . 2011-02-15 11:02 -------- d-----w- c:\program files\Xilisoft
2011-02-15 10:31 . 2001-09-06 20:27 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-02-15 10:31 . 2011-02-15 10:31 -------- d-----w- c:\documents and settings\Sam Chinnery\Local Settings\Application Data\tcbackup
2011-02-15 10:31 . 2008-04-14 21:32 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-02-15 10:31 . 2008-04-13 23:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-02-15 10:31 . 2008-04-13 23:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2009-02-12 22:50 441344 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2009-02-12 22:49 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 14:04 . 2009-02-12 22:50 1855104 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2009-02-12 22:50 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 22:15 . 2009-02-12 22:50 670208 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 22:15 . 2009-02-12 22:50 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-12-20 22:15 . 2009-02-12 22:50 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 22:13 . 2009-02-12 22:50 371712 ----a-w- c:\windows\system32\html.iec
2010-12-20 17:25 . 2009-02-12 22:50 735232 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-09 15:15 . 2009-02-12 22:50 739328 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 15:14 . 2008-04-14 22:11 2031616 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-12-09 15:14 . 2009-02-12 22:50 2153472 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 14:30 . 2009-02-12 22:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Sam Chinnery\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Sam Chinnery\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Sam Chinnery\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2009-01-30 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-18 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-20 659456]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-14 151552]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"LXCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCDtime.dll" [2005-07-11 69632]
"lxcdmon.exe"="c:\program files\Lexmark 6300 Series\lxcdmon.exe" [2005-06-24 200704]
"EzPrint"="c:\program files\Lexmark 6300 Series\ezprint.exe" [2005-07-05 94208]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
.
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-9-17 580200]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Documents and Settings\\Sam Chinnery\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14/05/2009 13:47 107256]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 18:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 18:41 67656]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [12/02/2009 15:18 4300]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14/05/2009 13:47 731840]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [14/01/2008 18:01 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [12/02/2009 15:22 238464]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Inhoud van de 'Gedeelde Taken' map
.
2011-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 09:50]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SMSN&bmod=SMSN
uInternet Settings,ProxyOverride = *.local
IE: Verzenden naar &Bluetooth-apparaat... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Verzenden naar Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Sam Chinnery\Application Data\Mozilla\Firefox\Profiles\u4jfo0ih.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Adobe DLM (powered by getPlus(R)): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS VERWIJDERD - - - -
.
HKLM-Run-ISW - c:\program files\CheckPoint\ZAForceField\ForceField.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-06 08:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
.
- - - - - - - > 'winlogon.exe'(1100)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Voltooingstijd: 2011-03-06 08:43:59
ComboFix-quarantined-files.txt 2011-03-06 08:43
.
Pre-Run: 17,355,395,072 bytes beschikbaar
Post-Run: 17,542,107,136 bytes beschikbaar
.
WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 01D07B7E7E4E0B1A24705F10A9D712A0

 
0
 

Hi PhilliePhan, I regret to inform that I've never used ComboFix before. I'll give it a shot though. Is there anything I should specifically be targeting when using it?

Nah - Just curious if you had considered trying that.

-- Are you able to update your Super Anti-spyware and run a scan in Normal Windows Boot?
If not, try MBAM

How are things running now? Are you still experiencing problems?

PP:)

 
0
 

Nah - Just curious if you had considered trying that.

-- Are you able to update your Super Anti-spyware and run a scan in Normal Windows Boot?
If not, try MBAM

How are things running now? Are you still experiencing problems?

PP:)

Hey again, the problem was fixed after I ran a variety of different programs.

My method was as follows and will require a USB stick with the following programs on it (dl'd on other computer or something like that):

Spybot Search and Destroy
ComboFix
SmitFraud
MalwareBytes Anti-Malware
---
- F8 on restart to get to boot mode selection
- Boot Windows Safe Mode with Command Prompt
- Enable Task manager using the following command:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

- Run explorer.exe by using the following command:

explorer.exe

- I did the following, however you might be able to skip this black chunk:
- C: drive, Documents and Settings, All Users, Application Data - delete all files that were created on the day of the virus (suspicious .exe's that share the same look as the windowssafemode icon)
- Restart the whole process, except now go back into Application Data and delete the .dll file that was also created on the same day and could not be deleted previously (in my case it began with a caps N)

- Clean out Temp files etc. by following daniweb's tutorial for doing so
- Run all of the virus scanners above

After I had successfully done all of that, the virus was gone. I may have gone a little overkill (especially considering the post above mine did it in one fell swoop). But at least it killed the virus :p.

Thanks for the tips Phillie, ComboFix was the main thing that worked I believe.
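The triage both Sam's posts describe (look through the ComboFix "files created" listing and the Application Data / Startup folders for executables that appeared on the day the fake "Windows Safe Mode" screen turned up) can be done by a script instead of by eye. The following is an added example written for this thread; it is not ComboFix's code nor anything a poster ran. It parses lines in the ComboFix "Bestanden Gemaakt" format shown in the log above and reports, without deleting anything, entries created on a given day under a profile data folder or a Startup folder. The sample log is constructed: only the `Opstarten\igfxtray.exe` and `lxbzpwr.dll` paths come from the thread's log, and the file names `Nxyzabc.dll`, `kjhgf.exe`, the `WindowsSafeMode` directory, the timestamps and `INFECTION_DAY` are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

# Constructed sample in the ComboFix "files created" layout seen in the thread:
#   created-stamp . modified-stamp  size-or-dashes  attrs  path
# Header and "." lines are included so the parser is shown skipping them.
SAMPLE_LOG = r"""
(((((((((((((((((((( Bestanden Gemaakt van 2011-02-06 to 2011-03-06 ))))))))))))))))))))))))))))))
.
2011-03-05 10:43 . 2011-03-05 10:43 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-05 09:12 . 2011-03-05 09:12 147456 ----a-w- c:\documents and settings\All Users\Application Data\Nxyzabc.dll
2011-03-05 09:11 . 2011-03-05 09:11 360448 ----a-w- c:\documents and settings\All Users\Application Data\kjhgf.exe
2011-02-22 13:53 . 2004-02-26 08:58 73728 ----a-w- c:\windows\system32\lxbzpwr.dll
2011-03-05 09:10 . 2011-03-05 09:10 -------- d-----w- c:\documents and settings\All Users\Application Data\WindowsSafeMode
2011-03-05 09:13 . 2011-03-05 09:13 360448 ----a-w- c:\documents and settings\Sam Chinnery\Menu Start\Programma's\Opstarten\igfxtray.exe
"""
INFECTION_DAY = date(2011, 3, 5)  # assumed: the day the fake "Windows Safe Mode" window first appeared

# One listing line. The first stamp is the creation time, the second the last
# modification time; size is an integer or "--------" for a directory; attrs is
# the 8-character attribute string (d-----w-, ----a-w-, -c----w-, ...).
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\S+)\s+(?P<attrs>\S{8})\s+(?P<path>.+?)\s*$"
)

# Folders the thread treats as the malware's home and its autorun location.
# The log is Dutch-localised, so both "Opstarten" and "Startup" are recognised.
PROFILE_DATA_DIRS = ("\\application data\\", "\\local settings\\")
STARTUP_DIRS = ("\\opstarten\\", "\\startup\\")
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".sys")


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one listing line; headers, '.' separators and other text give None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(
        created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
        modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
        size=size, attrs=m["attrs"], path=m["path"],
    )


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def suspect_reasons(e: Entry, infection_day: date) -> List[str]:
    """Why an entry deserves a manual look; an empty list means nothing notable."""
    reasons: List[str] = []
    if e.created.date() != infection_day:
        return reasons
    low = e.path.lower()
    name = low.rsplit("\\", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    in_startup = any(d in low for d in STARTUP_DIRS)
    in_profile = any(d in low for d in PROFILE_DATA_DIRS)
    if in_startup:
        reasons.append("placed in a Startup folder (runs at every logon)")
    if in_profile and not e.is_dir and ext in PE_EXTENSIONS:
        reasons.append(f"{ext} dropped under a profile data folder")
    if in_profile and e.is_dir:
        reasons.append("new directory under a profile data folder")
    return reasons


def triage(text: str, infection_day: date) -> List[Tuple[str, List[str]]]:
    """(path, reasons) for every entry worth reviewing, oldest creation first."""
    hits = []
    for e in sorted(parse_log(text), key=lambda x: x.created):
        r = suspect_reasons(e, infection_day)
        if r:
            hits.append((e.path, r))
    return hits


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG, INFECTION_DAY):
        print(path)
        for r in reasons:
            print("   -", r)
```

The script only lists candidates; as the thread shows, a file that cannot be deleted in one boot (the .dll guarded by the running .exe's) and a downloader that re-fetches the payload are why the final word belongs to the scanners, not to a date filter. Running it against the real log would mean pasting the "Bestanden Gemaakt" section into `SAMPLE_LOG` and setting `INFECTION_DAY`.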

 
0
 

I've just tried the solution suggested by Corplusea and had no joy. When I press Ctrl/Alt/Delete I only have the options Lock this Computer / Switch User / Log off / or Change Password. Where do I find Task Manager?

 
0
 

I've just tried the solution suggested by Corplusea and had no joy. When I press Ctrl/Alt/Delete I only have the options Lock this Computer / Switch User / Log off / or Change Password. Where do I find Task Manager?

Richard, please begin your own thread rather than post in another's. That is the only way you can receive assistance: beginning your own thread.

 
0
 

So sorry! I am a bit new and naive about this forum stuff. I thought that the thread was 'Windows Safe Mode Software Virus' So who's toes did I step on?

 
0
 

Not necessarily stepped on toes; it is just too confusing for the poster and the helper to work with more than one person and computer on a single thread. Persons may have the same problem on their computer that another does, but you have to remember that no two computers are identical. An infection can cause one type of problem on one computer but show itself in another way on another computer. This is why you should start your own thread; that way you can receive individual assistance. Even the same infection may require a different removal process on one computer than those taken on another.

Right above the thread listing area you will see Click Here To Start A New Thread, click that, create your thread, give it a definitive name to separate it from another person's thread. State your problem, give full information about your computer, os, av program and any other security programs, steps you may have taken, etc. Then somebody will be most happy to assist you personally. We are very short handed here so be patient.

 
0
 

Hi all,

I get the same problem, how do you get command prompted up when that virus is in the way? Thanks


Blake

 
0
 

Hi all,

I get the same problem, how do you get command prompted up when that virus is in the way? Thanks


Blake

Blakeman, you need to create your own thread instead of posting within another person's thread. It becomes too confusing to the original poster, the helper working with the poster and any others reading the thread to help more than one person in a thread.
Create your own thread, stating your problems and some body will be most happy to assist you personally with your computer.

 
0
 

For anybody that does not want to go through 'tweaking it up', just do a system restore to the day before the virus struck. Sorted.

 
0
 

For anybody that does not want to go through 'tweaking it up', just do a system restore to the day before the virus struck. Sorted.

Very bad advice.
System Restore will NOT uninstall a program and this includes an infection. You have to look at an infection as a bad program. It won't remove it, it may only remove the footprints you need to FIND the infection. In Addition, there is absolutely no way to know for sure WHEN the infection entered the computer. You may experience symptoms of the infection and believe that is the moment the infection came onto your computer but in reality sometime in the past days, weeks or even a month may have been when that very first "crumb" of the infection came onto the computer just to wait. System Restore does not fix your system and it was not meant to fix it.

 
0
 

This thread is now closed - If the original poster requires it re-opened, please PM me.

To all others:
Please start a new thread for assistance with your infection. Each problem is unique with differing degrees of severity and accompanying malware. It is much easier for the few volunteers to work "one on one" with you.

Thanks for your patience :)
PP
