Computer will only boot in safe mode - virus redirect
Posted 23 February 2010 - 06:51 PM
As of this morning, installed a program and got Paladin Infection. Ran MBAM but renamed exe file would not work. Google redirected. No link to a virus or virus forum will work, from my browser. Error message says can not find server - even for this site. (Friend at friends office typing this in for me via dictation over the phone). Tried updating, reinstalling, renaming, etc. the following: Malwarebytes, Spybot, ComboFix, Adaware, HighJackThis, RootRepeal and Eset. RootKill did nothing.
Computer worked while trying to find updates and fixes for about 3 hours. Then crashed. Now will only boot in safe mode with a tiny screen. When trying to boot in normal mode, it almost gets to the point where you can see the desktop, before the Blue Screen of Death Flashes for a second and the computer restarts, over and over again.
Please if anyone can help, I thank you.
Friend will check forum often and relay any messages.
BC AdBot (Login to Remove)
Posted 23 February 2010 - 08:47 PM
Remove Paladin Antivirus (Uninstall Guide)
Posted by Grinler on February 7, 2010
Please follow the steps in the above removal guide.
Reply back with the results of the Malwarebytes' scan (copy/paste the entire content of the scan log into your next reply), and state what, if any, symptoms you are still experiencing.
We are likely to end up where we are headed.
Posted 24 February 2010 - 02:48 PM
I appreciate the direct to the advice listings for common issues on bleepingcomputer.com. However, I had already found and tried almost all of these *please note information in original post*
Let me provide more detailed information as to the current state of the computer and steps I have taken.
Computer will boot in safe mode only, with and without networking. Attempts to reboot in normal mode result in a loop of rebooting after the blue-screen-of-death flashes right before the desktop would appear. Weirdly, I was able to get it into a normal mode, briefly, but a pop up box prevented further action on the desktop until it was dealt with. The box read "you have used the System Configuration Utility to change the way Windows starts." I tried clicking the box to accept this setting and not clicking the box but both resulted in an immediate flash of the blue screen followed by the reboot cycle until I F8'd into safe mode.
Several programs are affected - not updating, not installing - with error messages talking about administrator policy changes. I've absolutely no idea what this is, certainly did not manually make such changes an have no idea how to access anything to put it back the way it was. Error messages have included something about preventing registry changes, "cannot be uninstalled due to administrator settings" (Superspyware, upon attempt to uninstall/install), cannot be installed due to safe mode or admin settings (Windows C++ update attempt).
Now for the programs I've tried...
Malwarebytes. I love this program and understand that it is usually the start of virus solutions on the bleepingcomputer forum answers. As stated in the original posting, the exe file was deleted and the renamed files corrupted so wouldn't work either. I was able to get a friend to email me a renamed exe file but that didn't work either. This morning I uninstalled then used the MBAM clean program, downloaded the MBAM install and renamed exe files to a jump drive and, after several attempts was FINALLY (WooHoo) able to get MBAM to run - was in safe mode without networking so didn't update - clicked full scan and... watched as three seconds went by, the red ticker said 3 objects found (can't see anything else due to the tiny safe mode screen), 0 files scanned then... blue screen of death flashed and computer started the reboot cycle. Arrrrgh! Same result when tried again but clicking quick scan. Tried safe mode with networking next but update attempt failed immediately. Error messages I received during the course of my MBAM adventure were: 703 (0, 453); 707 (3, 0); 732 (12007, 0). I looked for these on this forum, googled them and followed all of the advice and links from those replies to additional troubleshooting options to no avail. I love Malwarebytes. It seems to be the main line of breaking the Paladin mess (if that's all I have) according to the many answers I've read on MBAM's forums and here. With the partial success, if you can call it that, of at least getting the MBAM window open, I have tried uninstalling, MBAM clean, rKill, installing, rebooting, rebooting, installing, uninstalling, rkill, clean, safe mode with networking, safe mode without networking, renaming the renamed file, re-downloading the install and renamed file program from the "common answer" forum for MBAM issues and from MBAM... I kinda think I need some other solution at this point.
So, other program attempts (not in chronological order since I don't recall it anymore after 10+ hours of working on this mess):
Java - I read Paladin took advantage of an out of date Java. Dunno if mine was but I tried updating, then uninstalling and reinstalling but got error that admin settings prevented it. I was logged on in safe mode as Admin.
Spybot - wouldn't run, uninstalled, manually deleted folder, downloaded install files to jump drive (friend's Mac), copied to laptop (the leperous infected one), installed with apparent success then... clicking the exe file resulted in... nothing. The app didn't open, processes list showed several instances of SpyBot but nothing in the Apps portion of Task Manager.
Combofix - I know it's too powerful to use without supervision but was desperate enough to at least scan with it. Nada. Same problem, same attempts at solutions as with Spybot. Clicking the file does nothing but open processes of Combofix with nothing showing on Apps.
SuperAntiSpyware - already had this, error message when tried to run, tried to uninstall but got error that it has to close unexpectedly. Gave up after several attempts.
AdAware (Lavasoft) - Had this but uninstalled a while ago. Downloaded install file but got error that MS Visual C++ Runtime 9.0 Service Pack not installed, which directed me to Microsoft updates. Got that file. Tried to install it but was told it couldn't be installed due to safe mode or another issue.
Windows Defender - no idea what this does but clicked it and "failed to initialize properly (0x80000003)"
ESET - I'd been directed to use this before so had at least some of the program on my computer and was desperate for an online scan, anything that could at least start to clean this mess up. Could not access the site online (see initial post re google redirect and no virus sites and most virus forums, including this one, blocked with the error message "could not locate server" despite the rest of typed addresses coming up). However, I was able to get into some kind of deep link - I think - through opening a cached link. The program wouldn't update, started at 50% and went nowhere before giving a no-update error message. It doesn't appear to be able to be run without the auto update. I went to a troubleshooting site for it, could not get to the F5 advanced settings part since it hung up almost immediately. The troubleshooter then directed to make sure auto detect updates checked on internet options of control panel. Done. Make sure proxy server unchecked. K. Open "folder options" from the control panel - I can't find any "folder options" option at all in the control panel in the main window or in any control panel folder, nor can I switch to classic view from the start menu. No idea why.
Rkill - have used this frequently before installs and after reboots. Most of the time its log showed no stopped processes. However, once it showed a stop of something at locals~\temp\msinits. I've no idea what this is but recall the letters msinits from one of the Paladin discussions.
In sum, my computer is unusable from the safe mode state as the quarter-size window on a 14" screen is barely big enough to see to install files and such. It won't allow sufficient visibility to use hotmail for anything other than reading incoming mail. I'm terrified that being on the internet more will exacerbate the problem although passwords are probably irrevocably compromised. I don't have any money to take and am bankrupt so stealing identity or funds is probably not an issue. I need a computer to work at this new venture and have been up crying all night at the prospect of not having one - there's no money to replace it. To make matters more difficult, I live in a very rural area so have to drive an hour to access a friend's Macintosh computer at his office. I don't have access to another PC.
Is there any way to directly delete at least some of the infected files to compromise the ability of this virus stuff to stop MBAM from working?
Thank you so very much for any assistance you can provide.
Posted 24 February 2010 - 09:51 PM
I understand that all too well.
Your first post mentioned "RootKILL".
I looked up RootKILL, found a description of it on the cnet download.com website,
confirmed that it was NOT the same program as Rkill,
then provided the link to:
Remove Paladin Antivirus (Uninstall Guide)
Posted by Grinler on February 7, 2010
because the removal guide specifies the use of Rkill immediately prior to running Malwarebytes'.
I wasn't trying to give you a hard time, or purposely aggravate you.
I honestly didn't know you had already tried using Rkill, and in reading your 2nd post just now, I went and re-read your first post again, just to make sure I hadn't missed it.
Sometimes in life, (and especially in dealing with infected computers) there is no magic answer, and things don't always work out like we hope they will, or like we want them to.
The bleepingcomputer.com forum is dedicated to providing the best AND SAFEST help for people, because we all know that people come here (often in dire circumstances), to ask for help. What makes the bleepingcomputer.com forum superior is the fact that the advice given here has integrity, and the answers are not only accurate, they are carefully considered, reasonable and prudent.
This site does not advocate (or provide directions for) deleting files manually, because that is dangerous, and could cause MORE problems than you already have.
If you delete one wrong thing, your whole computer could be toast.
You mentioned a 732 error in Malwarebytes.
The post by quietman7 (Global Moderator) in the topic:
For those having trouble running Malwarebytes Anti-Malware
addresses a 732 error in Malwarebytes'.
Is there a public library available to you, that you could use their computer?
The public library here has computers for people to use (for free), and USB jump drives are allowed to be used in the library computers here.
We are likely to end up where we are headed.
Posted 25 February 2010 - 11:41 AM
I meant rKill, not rootkill...forgive my ignorance. I'd already found that post and tried it. I think my main issue now is trying to get the computer to boot and trying to get whatever (msinits?) is blocking MBAM from running. Is there someone with specific advice on what could possibly be deleted without further damaging my computer? I'm pretty sure I've exhausted all the "common issue" forum advice on Malwarebytes.org and here.
Posted 25 February 2010 - 03:47 PM
Posted 25 February 2010 - 06:12 PM
Posted 27 February 2010 - 03:40 PM
SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
- Double-click SUPERAntiSypware.exe and use the default settings for installation.
- An icon will be created on your desktop. Double-click that icon to launch the program.
- If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
- In the Main Menu, click the Preferences... button.
- Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
- Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
- Click the "Close" button to leave the control center screen and exit the program.
- Do not run a scan just yet.
Scan with SUPERAntiSpyware as follows:
- Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
- On the left, make sure you check C:\Fixed Drive.
- On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
- After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
- Make sure everything has a checkmark next to it and click "Next".
- A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
- If asked if you want to reboot, click "Yes" and reboot normally.
- To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
- Click Close to exit the program.
Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Scan with Dr.Web CureIt as follows:
- Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
- Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
- The Express scan will automatically begin.
(This is a short scan of files currently running in memory, boot sectors, and targeted folders).
- If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
- If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
- When complete, click Select All, then choose Cure > Move incurable.
(This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
- Now put a check next to Complete scan to scan all local disks and removable media.
- In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
- Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
- When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
- Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
- In the top menu, click file and choose save report list.
- Save the DrWeb.csv report to your desktop.
- Exit Dr.Web Cureit when done.
- Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
why won't my laptop work?
Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter
Posted 28 February 2010 - 04:17 PM
Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/299240/safe-mode-boot-only-otl-log-post-per-garmanma/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.
From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.
Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.
Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.
To avoid confusion, I am closing this topic. Good luck with your log. IMPORTANT: In is important to stick with the topic until you are declared clean. Just because symptoms are gone does not mean the infection is gone.
An ounce of prevention is worth a pound of cureSpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users