Trying to get rid of trojan and can't get into safe mode


17 replies to this topic

#1 jjng

jjng

  • Members
  • 17 posts

Posted 27 August 2009 - 02:41 AM

New to this forum (also fairly new to trying to fix technical problems like this) and this is my first post. My problem is very similar to the one posted in this topic: http://www.bleepingcomputer.com/forums/t/251838/got-some-new-virus-or-trojan/

I know it's recommended not to follow advice given to others, but the description was almost identical, so I've already done what's been suggested in that thread. Computer seems to be running ok now, but I still can't get into safe mode, so I suspect there is still a problem. Here are more details.

Machine is an IBM Thinkpad T43 running Windows XP. Problem started with a change in my desktop wallpaper to a blue background with a black box with the following message "YOUR SYSTEM IS INFECTED! System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use the computer before all spyware removed." I was also getting popup windows and popup 'bubbles' from a red X icon in the taskbar tray.

Ran an AVG scan which identified trojan horse SHeur2.AYIK, and supposedly 'healed' it, but the wallpaper and popups didn't go away. Did a Google search and found a recommendation for SmitfraudFix, which I tried. It was recommended to run that in Safe Mode, but I couldn't get in, so ran it in Normal Mode. That stopped the popups and took away the black box with warning message on the wallpaper, but the blue background stayed, and I still couldn't change the desktop. Also noticed that my clock had been changed to a 24 hr clock.

Did another search and finally found this site, and the thread noted above. So I ran MBAM which fixed all the obvious problems. Then I downloaded ATF and SUPER as recommended in the other thread, but ran into the same problem of still not being able to get into Safe Mode.

When I use F8 while booting and select Safe Mode, it gives me a blue screen with the message "A problem has been detected and Windows has been shut down to prevent damage to your computer..." followed by recommendations to restart, check for viruses, remove any newly installed hard drives, check the hard drive, run CHKDSK /F to check for hard drive corruption, etc. and ending with "Technical information: ***STOP: 0x0000007B (0xF8A6A528, 0xC0000034, 0x00000000, 0x00000000)"

This blue screen flashes by very quickly, and it goes to a black screen with the text "We apologize for the inconvenience, but Windows did not start successfully...." and options to start into Safe Mode, Safe Mode with Networking, Safe Mode with Command Prompt, Last Known good Configuration, or Start Windows Normally. None of the safe mode options work, and just repeat the sequence with the blue screen.

The laptop having this problem is a refurbished one I have only had for a couple weeks. So I do not have much on it yet and would be fine with needing to reformat and reinstall windows. However, it did not come with a Windows XP disc, and before I found this forum, I actually tried reinstalling Windows off the hard drive (using the winnt32). It started, but couldn't complete the process - can't remember the exact error, but I think I got a message saying there were files it couldn't access. Also tried System Restore, but it said there were no restore points available. I also ran Vipre as recommended in the referenced thread, then updated and rescanned with MBAM (which didn't find any infected files). Still can't get into Safe Mode.

Need help on where to go from here. I can post logs from MBAM and Vipre if needed. Will also browse the rest of the forum to see how to prevent this from happening again. I was running both AVG and ZoneAlarm (free versions) when this happened. Thanks!



#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts

Posted 27 August 2009 - 06:48 PM

Please post the MBAM log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 jjng

jjng
  • Topic Starter

  • Members
  • 17 posts

Posted 27 August 2009 - 07:17 PM

This is the first one.

Malwarebytes' Anti-Malware 1.40
Database version: 2692
Windows 5.1.2600 Service Pack 3

8/25/2009 01:00:11 AM
mbam-log-2009-08-25 (01-00-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 130216
Time elapsed: 55 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Jennifer Ng\Local Settings\Temp\kbiwkmrowfyfuxpl.tmp (Trojan.TDSS) -> Delete on reboot.
C:\Documents and Settings\Jennifer Ng\Local Settings\Temporary Internet Files\Content.IE5\WHAN8HYR\load[1].php (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\logon.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl2D.tmp.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl2E.tmp.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
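
The registry-data section of this log shows the two Winlogon values the infection had altered (Userinit pointing at sdra64.exe, Shell set to "Explorer.exe logon.exe") and two files MBAM could only schedule for deletion at reboot. The following Python parser for this log layout, an added example that is not from the thread or from Malwarebytes, pulls those two facts out; the sample log inside it is constructed to mirror the entries above, not copied from the poster's log.

```python
# Constructed sample in the MBAM 1.40 log layout used in this thread; the value
# names mirror the Winlogon entries it reported (this is not the poster's log).
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\logon.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Winlogon values malware appends itself to so it is launched at every logon.
WINLOGON_VALUES = {"Userinit", "Shell"}

def parse_mbam_log(text):
    """One dict per detection line: section, target, family, detail, action."""
    findings, section = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith(" Infected:"):       # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        parts = line.split(" -> ")            # target (Family) -> [detail ->] action
        if section is None or len(parts) < 2:
            continue                          # blank lines and "(No malicious items detected)"
        target, _, family = parts[0].rpartition(" (")
        findings.append({"section": section, "target": target,
                         "family": family.rstrip(")"),
                         "detail": " -> ".join(parts[1:-1]),  # "Data: ..." or "Bad: (..) Good: (..)"
                         "action": parts[-1].rstrip(".")})
    return findings

def winlogon_hijacks(findings):
    """Map each hijacked Winlogon value name to what MBAM found stored in it."""
    hits = {}
    for f in findings:
        key, _, name = f["target"].rpartition("\\")
        if key.endswith("\\Winlogon") and name in WINLOGON_VALUES:
            hits[name] = f["detail"]
    return hits

def pending_on_reboot(findings):
    """Files MBAM could only schedule for deletion: still on disk until restart."""
    return [f["target"] for f in findings if f["action"].startswith("Delete on reboot")]

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for name, seen in winlogon_hijacks(found).items():
        print(f"Winlogon\\{name} was hijacked: {seen}")
    for path in pending_on_reboot(found):
        print(f"not yet removed, reboot required: {path}")
```

Run against a full MBAM log, a non-empty list from pending_on_reboot explains why a follow-up scan before restarting can still look clean while the file is present.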

#4 jjng

jjng
  • Topic Starter

  • Members
  • 17 posts

Posted 27 August 2009 - 07:18 PM

And the most recent one.

Malwarebytes' Anti-Malware 1.40
Database version: 2697
Windows 5.1.2600 Service Pack 3

8/25/2009 11:49:50 PM
mbam-log-2009-08-25 (23-49-50).txt

Scan type: Full Scan (C:\|)
Objects scanned: 130247
Time elapsed: 55 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts

Posted 27 August 2009 - 07:20 PM

Run a scan with SAS in Normal Mode and post that log.

#6 jjng

jjng
  • Topic Starter

  • Members
  • 17 posts

Posted 27 August 2009 - 07:20 PM

Sorry, actually this is the latest one. The other one was run sometime in between. But still no infected files detected.

Malwarebytes' Anti-Malware 1.40
Database version: 2702
Windows 5.1.2600 Service Pack 3

8/27/2009 2:11:02 AM
mbam-log-2009-08-27 (02-11-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 130462
Time elapsed: 54 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 jjng

jjng
  • Topic Starter

  • Members
  • 17 posts

Posted 27 August 2009 - 07:26 PM

I take it SAS is SUPERAntiSpyware? Just making sure. Thanks!

#8 Straythe

Straythe

  • Members
  • 124 posts

Posted 27 August 2009 - 08:00 PM

I take it SAS is SUPERAntiSpyware? Just making sure. Thanks!


Yep, it is. Here's a description of how to run it (by Budapest):

http://www.bleepingcomputer.com/forums/ind...t&p=1401125

Good luck - Straythe (not a staff member)
***"When you surround an enemy, leave an outlet free [...] to make him believe there is a road to safety, and thus prevent his fighting with the courage of despair." Sun Tzu ***

#9 jjng

jjng
  • Topic Starter

  • Members
  • 17 posts

Posted 27 August 2009 - 08:16 PM

Thanks! Running SAS now. Will post the log when it's done.

#10 jjng

jjng
  • Topic Starter

  • Members
  • 17 posts

Posted 27 August 2009 - 09:35 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/27/2009 at 10:14 PM

Application Version : 4.27.1002

Core Rules Database Version : 4073
Trace Rules Database Version: 2013

Scan type : Complete Scan
Total Scan Time : 01:37:45

Memory items scanned : 459
Memory threats detected : 0
Registry items scanned : 4089
Registry threats detected : 0
File items scanned : 46093
File threats detected : 35

Adware.Tracking Cookie
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@www.stopzilla[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@a1.interclick[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@stopzilla[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@zedo[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@interclick[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@doubleclick[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@247realmedia[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@atdmt[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@mediaplex[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@serving-sys[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@adbrite[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@msnportal.112.2o7[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@specificclick[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@ads.pointroll[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@trafficmp[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@tribalfusion[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@casalemedia[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@ads.bridgetrack[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@oasn04.247realmedia[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@ads.addynamix[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@bs.serving-sys[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@revsci[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@websponsors[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@apmebf[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@collective-media[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@cdn4.specificclick[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@specificmedia[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@ad.yieldmanager[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@advertising[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@realmedia[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@fastclick[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@avgtechnologies.112.2o7[1].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@media6degrees[2].txt
C:\Documents and Settings\Jennifer Ng\Cookies\jennifer ng@click[1].txt

Trojan.Agent/Gen
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\KPQ7496B\DARKSIDE[1].EXE

#11 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts

Posted 27 August 2009 - 10:04 PM

Can you now get into Safe Mode?

#12 jjng

jjng
  • Topic Starter

  • Members
  • 17 posts

Posted 27 August 2009 - 10:13 PM

No, still can't get into Safe Mode - same blue screen error.

#13 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts

Posted 27 August 2009 - 10:19 PM

Right click on the C drive in Explorer and go Properties > Tools > Check Now (under Error Checking). Check both boxes then click "Start Now". A message will pop up saying that Error Checking will run after you restart the computer. Restart the computer and Error Checking will run automatically after the restart. After it's finished it will restart into Windows automatically.

Then try Safe Mode again.

If that doesn't work try the System File Checker:

How to Use SFC.EXE to Repair System Files

#14 jjng

jjng
  • Topic Starter

  • Members
  • 17 posts

Posted 27 August 2009 - 10:46 PM

Tried to run error checking... I checked the 2 boxes, then clicked "Start" and it immediately popped up with a window which said "Windows was unable to complete the disk check." Nothing about running after restart. There is just an OK button in that window. Looking at your link for SFC now...

#15 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts

Posted 27 August 2009 - 10:49 PM

You can also run error checking like this:

Go Start > Run and type: "chkdsk /r"



