After Login, Windows Won't Start Correctly.



#1 bmkiss67


Posted 14 February 2008 - 01:13 PM

Hi all. My wife was using my PC and clicked the No box on one of those 'You need to upgrade' popups 2 days ago and Windows won't start anymore. When you turn on the PC it starts normally and gets to the XP logon screen. When you log in, XP goes through the motions of starting by putting up the background, popping up the icons, putting the taskbar out, and then it starts to put the tray icons out and that's when it freaks out. It will get a couple of tray icons out and then everything disappears, except the background, from the monitor. About 30 seconds later the icons and taskbar show back up and it starts to load the tray icons and then it repeats the cycle of not showing anything. This cycle will keep up till you turn off the PC. I am thinking this is a virus, but I'm not sure. I've run a TrendMicro HouseCall and it removed a few things, but had a problem with one, I don't remember the name of it, but it didn't fix the situation. Any ideas on what I should try now? Is it possible that I have that Vundo virus?

Thanks


#2 graeme22


Posted 14 February 2008 - 05:37 PM

Hi, on boot-up press F8 to get into Safe Mode and try to remove the file that way... or run TrendMicro in Safe Mode.

#3 bmkiss67


Posted 14 February 2008 - 07:02 PM

What file should I remove?

#4 Orange Blossom

  • Moderator

Posted 14 February 2008 - 11:41 PM

Hello bmkiss67 and welcome to BC :flowers:

Are you able to get into Safe Mode?

I've run a TrendMicro HouseCall and it removed a few things, but had a problem with one, I don't remember the name of it, but it didn't fix the situation.


Do you remember what it did remove? Perchance, did you save a log of the scan? If so, please post it as a reply.

Orange Blossom :thumbsup:

Edited by Orange Blossom, 15 February 2008 - 12:08 AM.

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 bmkiss67


Posted 15 February 2008 - 12:03 AM

Hi Orange,

I am able to get to the link, but I'm surfing here on my wife's laptop, and I am not sure what that link has to do with my problem. As for the HouseCall issue, there is no log and I don't remember what it cleaned up. I do remember this: the one thing it couldn't fix was brought back up and the system told me I should handle it manually. When I clicked the manual button it showed me a reg key, I think that's what it was, and there was a dll in there. It was byxxuuv.dll; the only reason I remember that is because it still shows up in my Google search. Does not having that log file make this a lost cause?

#6 Orange Blossom

  • Moderator

Posted 15 February 2008 - 12:13 AM

Oops. :thumbsup: I pasted in the wrong link - doing too much copying and pasting. I have edited the above post to show the correct link which provides directions for getting into Safe Mode.

So, can you get into Safe Mode?

Having the log would have made things easier, but it's certainly not a lost cause without it. Thanks for posting the file name that came back. That is very helpful.

According to my research, that file is indeed associated with Vundo. At this point I'm going to turn this thread over to someone with more experience than I.

Orange Blossom :flowers:

#7 bmkiss67


Posted 15 February 2008 - 09:04 AM

LOL, no biggie on the link. As easy as cut and paste is, it can really mess things up. At any rate, yes, I can get into Safe Mode, but my PC has the same problem in Safe Mode.


Thanks for everything
BMK

#8 boopme

  • Global Moderator

Posted 15 February 2008 - 09:59 AM

Hello and welcome.

NOTE: all blue wording are links to instructions or tools
First you will need to follow the instructions in our Tutorial
How To Remove Vundo/Winfixer Infection

Now download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program.
DO NOT run yet.

Now reboot into Safe Mode:
Safe Mode Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or the Opera browser click on that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.


Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post logs and let us know how your PC is running now.

Edited by boopme, 15 February 2008 - 10:00 AM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 bmkiss67


Posted 16 February 2008 - 10:10 PM

{MOD EDIT: cut away HJT log to prevent post from being moved as HJ log wasn't requested or needed at the time..boopme}
Here is the Super log
------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/16/2008 at 01:29 AM

Application Version : 3.9.1008

Core Rules Database Version : 3404
Trace Rules Database Version: 1396

Scan type : Complete Scan
Total Scan Time : 01:57:04

Memory items scanned : 197
Memory threats detected : 0
Registry items scanned : 6572
Registry threats detected : 19
File items scanned : 98363
File threats detected : 3

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{371110C9-303A-454A-B9B2-572E42B4ACEB}
HKCR\CLSID\{371110C9-303A-454A-B9B2-572E42B4ACEB}
HKCR\CLSID\{371110C9-303A-454A-B9B2-572E42B4ACEB}\InprocServer32
HKCR\CLSID\{371110C9-303A-454A-B9B2-572E42B4ACEB}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MLJGH.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{371110C9-303A-454A-B9B2-572E42B4ACEB}

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#BPTV
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#Data
HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#PID
HKLM\SOFTWARE\Microsoft\MSSMGR#Rid

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#zip [ {330b5426-dcc9-4839-9f42-f4ba0531abd1} ]

Keylogger.Actual Spy
C:\WINDOWS\system\actualspystart.lnk
C:\TEST\KEYLOGGER\ACTUALSPY.EXE


My PC seems to be running fine now. I must thank you for all the help.

Thank you

Edited by boopme, 16 February 2008 - 10:55 PM.
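The scan log above records the two places this Vundo variant hooked itself into the shell: a Browser Helper Object CLSID whose InprocServer32 pointed at a randomly named DLL in SYSTEM32 (MLJGH.DLL), and a ShellServiceObjectDelayLoad value ("zip") holding another CLSID. Both locations are loaded by Explorer and Internet Explorer at logon, which matches the desktop-cycling symptom in the first post. As an added example, not from the thread or from any of the tools it names, the PowerShell script below enumerates those two registry locations on a Windows machine, resolves each CLSID to the DLL registered under its InprocServer32 key, and reports entries whose DLL is missing or not Authenticode-signed so they can be triaged. The function names are my own; the fallback that resolves a bare file name against System32 is an assumption for display purposes (the real loader uses the DLL search path).

```powershell
# Added example (not from the thread): enumerate the two autostart locations the
# SUPERAntiSpyware log shows Vundo using (Browser Helper Objects and
# ShellServiceObjectDelayLoad), resolve each CLSID to its InprocServer32 DLL,
# and flag DLLs that are missing or not Authenticode-signed for triage.
# Run from an elevated PowerShell prompt on the suspect machine.

# Property names PowerShell adds to every registry item; skip them when
# iterating the values of a key.
$PsNoiseProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ClsidServerPath {
    # Resolve a CLSID to the DLL registered under its InprocServer32 key.
    param([Parameter(Mandatory)][string]$Clsid)
    $roots = 'Registry::HKEY_CLASSES_ROOT\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID'
    foreach ($root in $roots) {
        $key = "$root\$Clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
        if (-not $raw) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
        # Assumption for display: a bare file name is shown as if it lived in
        # System32; the actual loader applies the full DLL search order.
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot "System32\$path"
        }
        return $path
    }
    return $null
}

function Get-ShellLoadPoint {
    # Emit one record per BHO CLSID and per ShellServiceObjectDelayLoad value.
    $bhoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $ssodlKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'

    if (Test-Path -LiteralPath $bhoKey) {
        # Each subkey name is the CLSID of a BHO loaded into Internet Explorer.
        foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
            [pscustomobject]@{
                Source = 'BHO'
                Clsid  = $sub.PSChildName
                Dll    = Get-ClsidServerPath -Clsid $sub.PSChildName
            }
        }
    }
    if (Test-Path -LiteralPath $ssodlKey) {
        $props = Get-ItemProperty -LiteralPath $ssodlKey
        foreach ($p in $props.PSObject.Properties) {
            if ($PsNoiseProps -contains $p.Name) { continue }
            # The value name is arbitrary (the log shows "zip"); the data is the CLSID.
            $clsid = [string]$p.Value
            if ([string]::IsNullOrWhiteSpace($clsid)) { continue }
            [pscustomobject]@{
                Source = "SSODL:$($p.Name)"
                Clsid  = $clsid
                Dll    = Get-ClsidServerPath -Clsid $clsid
            }
        }
    }
}

function Test-ShellLoadPoint {
    # Classify each load point: orphaned CLSID, missing DLL, unsigned, or signed.
    foreach ($e in Get-ShellLoadPoint) {
        $status = 'signed'
        $signer = ''
        if (-not $e.Dll) {
            $status = 'ORPHANED: no InprocServer32'
        } elseif (-not (Test-Path -LiteralPath $e.Dll)) {
            $status = 'MISSING: DLL not on disk'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $e.Dll
            if ($sig.Status -ne 'Valid') {
                $status = "UNSIGNED: $($sig.Status)"
            } elseif ($sig.SignerCertificate) {
                $signer = $sig.SignerCertificate.Subject
            }
        }
        [pscustomobject]@{
            Source = $e.Source
            Clsid  = $e.Clsid
            Dll    = $e.Dll
            Status = $status
            Signer = $signer
        }
    }
}

Test-ShellLoadPoint | Sort-Object Status | Format-Table -AutoSize -Wrap
```

Anything reported as MISSING, ORPHANED or UNSIGNED is a lead, not a verdict: a DLL that an earlier scan already quarantined shows up as MISSING with its CLSID still registered (the orphaned-CLSID pattern the log records after cleanup), while on older Windows versions some legitimate Microsoft DLLs are catalog-signed rather than embedded-signed and can be reported as NotSigned. Compare the signer and path of each flagged entry against a known-good machine before deciding it is hostile.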


#10 boopme

  • Global Moderator

Posted 16 February 2008 - 11:03 PM

Hi, I am glad it is working well now. Were you aware there was a keylogger installed? Please read the details here about Actual Spy and the risks you were exposed to.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
