
Malware, Spyware - Can't Restart In Safe Mode


  • This topic is locked

#1 spacegirl

  • Members

Posted 26 January 2008 - 03:43 AM

Hi,

I can't restart in safe mode. I know that I have malware/spyware. It appears as 3 icons on my desktop: Error Cleaner, Privacy Protector and Spyware Protection - all with the url /shandler.php?id=502&aid=138&pn=5&sand=0&sg=2.

Does anyone know what files I must specifically look for in the registry to remove this trojan?

Thanks in advance.


#2 quietman7

    Bleepin' Janitor

  • Global Moderator

Posted 26 January 2008 - 11:11 AM

Some types of malware can delete or alter the safeboot key in the registry resulting in the inability to reboot into safe mode.

Go to Start > Run and type: regedit
  • Click OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to File > Export
    • Make sure in that window there is a tick next to "All" under Export Branch.
    • Leave the "Save As Type" as "Registration Files".
    • Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click save and then go to File > Exit.
Download SafeBootKeyRepair.exe by sUBs and save to your desktop.
  • Double-click on it and follow the instructions.
  • When finished, reboot and see if you can access safe mode.
Then, if you're using Win XP or 2000, do this:

Please print out and follow the generic instructions for using "SmitfraudFix". Make sure you scroll down to Clean and perform the steps where you reboot in "Safe Mode" and run option #2.
-- If you have downloaded SmitfraudFix previously, please delete that version and download it again as the tool is frequently updated!
-- If the tool fails to launch from the Desktop, please move smitfraudFix.exe to the root of the system drive (usually C:\), and run it from there.

If you still cannot use safe mode, then run the tool in normal mode.

Please download RogueRemover and save to your Desktop. (compatible with Windows 2000, NT, XP, Vista)
  • Double-click on rr-free-setup.exe to install in C:\Program Files\RogueRemover and follow the prompts.
  • During installation an icon will automatically be created on your Desktop.
  • If the program does not open after installation, double-click on the RogueRemover icon to launch.
  • Select "Check for Updates" and click Download if any are found.
  • Wait for the updates to finish downloading, then Close the update window.
  • Select "Scan" and follow the onscreen directions to remove anything found.
  • If nothing is found, exit RogueRemover.
  • If RogueRemover finds something, it will present a list of detected items.
  • Click on Save log, then Ok at the prompt.
  • Click "Remove selected", then Yes at the prompt.
  • Wait for the removal to complete and then close RogueRemover.
  • A file will be created and saved at C:\Program Files\RogueRemover\RRLog******.txt
  • Post the contents of the RRLog file in your next reply.
If using Windows Vista, be sure to Run As Administrator.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

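An added example, not part of the original post and not the code of SafeBootKeyRepair: a read-only PowerShell check for the damage described in the reply above, which backs up the SafeBoot key and then reports whether its safe-mode subkeys are still present. It assumes a Windows system with PowerShell, an elevated prompt, the standard key location `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot`, and a backup file name chosen here for illustration.

```powershell
# Added example: back up and inspect the SafeBoot key. Nothing is modified.
$safeBootPs  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'   # PowerShell provider path
$safeBootReg = 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot'    # reg.exe path
$backupFile  = Join-Path $env:TEMP 'SafeBoot-backup.reg'           # hypothetical file name

function Test-SafeBootKey {
    param([string]$Root)

    # If the whole key is gone, safe mode has nothing to load from.
    if (-not (Test-Path $Root)) {
        return ,@("MISSING: $Root")
    }

    $findings = @()
    # Minimal = plain safe mode, Network = safe mode with networking.
    foreach ($mode in 'Minimal', 'Network') {
        $path = Join-Path $Root $mode
        if (-not (Test-Path $path)) {
            $findings += "MISSING: $path"
            continue
        }
        # Each subkey normally lists the drivers and services allowed to load.
        $count = @(Get-ChildItem -Path $path -ErrorAction SilentlyContinue).Count
        if ($count -eq 0) {
            $findings += "EMPTY: $path has no driver or service entries"
        } else {
            $findings += "OK: $path ($count entries)"
        }
    }

    # AlternateShell is the shell used by "Safe Mode with Command Prompt";
    # the stock value is cmd.exe, so anything else deserves a look.
    $prop = Get-ItemProperty -Path $Root -Name AlternateShell -ErrorAction SilentlyContinue
    if ($prop -and $prop.AlternateShell -ne 'cmd.exe') {
        $findings += "REVIEW: AlternateShell is '$($prop.AlternateShell)'"
    }
    return $findings
}

# Export the key before any repair tool touches it.
if (Test-Path $safeBootPs) {
    & reg.exe export $safeBootReg $backupFile /y | Out-Null
    Write-Output "Backup written to $backupFile"
}
Test-SafeBootKey -Root $safeBootPs
```

A `MISSING` or `EMPTY` line matches the symptom in this thread; the exported `.reg` file is a narrower backup than the full-registry export in the steps above.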

#3 spacegirl


Posted 26 January 2008 - 11:57 AM

Thanks. It works.

I initially did a scan with Norton in safe mode and I found the IEDefender virus and found some ad-ware, which it cleaned up. There are still 3 unknown icons on my desktop. A message of a virus alert pops up and my pc freezes within 2 minutes in normal mode, no matter what I'm so I can't even go on the web. The names of the icons are Error Cleaner, Privacy Protector and Spyware and Protection. When I check their properties I get the following web address - /shander.php?id=502&aid=318&pn=5&sand=0&sg=2 ? I am following the general procedures and am currently running the Stinger on that PC.

#4 quietman7


Posted 26 January 2008 - 02:16 PM

Norton, stinger and general scanning tools will not be effective. You need to use SmitFraudFix which was created specifically to deal with this kind of infection. If safe mode is working again, then please follow the instructions I provided above.

#5 spacegirl


Posted 26 January 2008 - 03:06 PM

I have run SmitfraudFix in safe mode. But when I start it up normally again those same 3 icons appear. No popups appear though. Must I run the Rogue-Remover?

I don't seem to see a file attachment link so can I just paste and post my Rapport.txt findings from SmitfraudFix and my HijackThis Log?

#6 quietman7


Posted 26 January 2008 - 03:08 PM

Post your hijackthis log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#7 spacegirl


Posted 26 January 2008 - 03:32 PM

thank you :thumbsup:

#8 quietman7


Posted 26 January 2008 - 05:38 PM

You're welcome.

Your hijackthis log is posted here.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Thanks for your cooperation and good luck with your log.