Solved

How do I remove spyware if the machine cannot be started in safe mode?  The machine just reboots.

Posted on 2009-07-06
Last Modified: 2013-11-22
I have a Windows XP desktop that appears to have LOTS of spyware infections.  The machine has a bunch of erroneous entries in msconfig under the startup tab that literally had like 100 copies of the same file that resided in the local user's temp files.  I've tried unchecking them all but it adds a few more upon reboot.  The infection shows one of the malicious Anti-Virus Pro 2009 messages alerting you of infections; however, unlike most of these that I have seen, it tries to open this .exe file that is in msconfig about a hundred times, and within about a minute of booting to the desktop Windows becomes unusable as too many windows end up open.

It also appears to have hijacked the browser, as trying to go to anti-virus/spyware websites ends up in a re-direct going to another site.  I did manage to get Super-antispyware downloaded as well as MBAM.  However, MBAM kept giving run-time errors when you tried to run it.  Super Anti-Spyware ran and I did the quick scan, which found over 1000 threats, but even though it said it removed them all, the same thing happened upon reboot.  I'm thinking of trying combofix next if I can get the machine stable enough.

The problem is, I cannot boot to safe mode.  If I try from the F8 menu, it starts showing the files it's loading and then it just restarts the machine.  It never makes it to the desktop.  I've tried safe mode with networking and plain safe mode, same thing.  This is what makes it difficult to run combofix or some type of software, as the machine just restarts itself in safe mode and normal mode has tons of infections.

The machine just became unstable over the weekend.  On Friday, it was usable.
Question by:Jsmply

39 Comments
 
LVL 38

Expert Comment

by:younghv
ID: 24789784
One starting point would be to remove the HDD and either 'slave' it off another computer or use an IDE/SATA USB connector.

Either way, connect the HDD to another computer and use that AV to scan it.
There are also a variety of on-line scanning tools - or download something like "MalwareBytes" to scan it with.
 
LVL 13

Expert Comment

by:JeremySBrown
ID: 24789785
Hi Jsmply,

You take the hard drive out of the computer and put it into another computer as slave...and then run your scan that way...
 
LVL 38

Expert Comment

by:younghv
ID: 24789801
You could also use one of the various 'Boot Disks' that are available such as DrWebCureit (http://www.freedrweb.com/cureit/) which will actually boot your system and do a good scan for you.
 

Author Comment

by:Jsmply
ID: 24789810
Are the programs such as DrWebCureIt as up to date as programs like MBAM, SAS, and Combofix are about removing spyware?  

Also, the reason I can't get into safe mode, can that be caused by the infection?
 
LVL 13

Expert Comment

by:JeremySBrown
ID: 24789830
You can use as well...SuperAntiSpyware...or Combofix...
http://www.superantispyware.com/
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

You can use Ultimate Boot CD (UBCD)...you can download and burn the .iso and boot from cd...and run some of the anti-virus and malware tools from here...
http://www.ultimatebootcd.com/
 
LVL 10

Expert Comment

by:dnilson
ID: 24789843
Yes, DrWebCureIt is kept up to date.

If it's spy/malware I'd try this too, instead of a virus checker, FIRST.

Combofix

Download from here (ONLY)
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

Author Comment

by:Jsmply
ID: 24789864
Combofix is great and I'd love to use it, but how can I if I can't boot into safe mode and normal mode won't let it run because of all the windows it opens?
 
LVL 13

Expert Comment

by:JeremySBrown
ID: 24789875
 
LVL 13

Expert Comment

by:JeremySBrown
ID: 24789898
Two methods...from myself...and younghv...mentioned already...in ID: 24789784 and 24789785...the two first comments...
 
LVL 38

Assisted Solution

by:younghv
younghv earned 100 total points
ID: 24790065
Jsmply - you are probably going to have to effect this repair in stages.

The cause of your system 'cycling' instead of booting could very well be due to various infections.

The first steps described SHOULD get you clean enough to at least boot into Safe Mode - but keep in mind that both MBAM and ComboFix are designed to run in Normal Mode.

If all you can get is Safe Mode, then run them in that. You should probably download both of those programs with the "Save As" function and rename them to something like "mb.exe" and "cf.exe". Many forms of malware will prevent the actual name of those programs from functioning on your computer.

If all you can do is run them in Safe Mode, then run them again in Normal Mode as soon as you can. MBAM should first be run in the 'Quick Scan' mode - rebooted - then run a 'Full Scan'.
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 400 total points
ID: 24790111
Does the pc run okay in normal mode? If so, then please run Combofix, as it should be run in normal mode anyway, as younghv already stated.

Sality and other nasties delete safeboot keys so that's why an infected pc can't boot in safe mode.

Supposing your Combofix is on your desktop you can run this command:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\combofix.exe" /killall
 

Author Comment

by:Jsmply
ID: 24790158
Normal mode boots up, but within one minute there are so many windows open that I literally can't do anything at all.  The machine is almost completely frozen.  

Challenge one is getting Combofix on the desktop; then I guess your command with /killall is to kill all processes?

Is that right and safe?
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 400 total points
ID: 24790171
/killall switch kills every process except critical system files (before CF proceeds); this switch is usually used when the pc is heavily infected.
OR: temporarily fix the safeboot keys so you can boot into safe mode:
Download SafeBootKeyRepair.exe:
http://www.geekstogo.com/forum/redirect.php?url=http%3A%2F%2Fdownload.bleepingcomputer.com%2FsUBs%2FSafeBootKeyRepair.exe
(it looks for a backup in the system and finds a suitable copy to use)


OR: download AVZ
http://z-oleg.com/avz4en.zip
Unzip it to a folder on your desktop
Double click on AVZ.exe
Click on the File tab and then click on "System Restore"
Put a checkmark next to "Restore SafeBoot registry keys"
Click on Execute selected operations

 
LVL 13

Expert Comment

by:JeremySBrown
ID: 24790180
Are you able to take out your hard drive and put it into another computer as slave...or do you have a IDE/SATA USB connector...mentioned by younghv?
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24790218
<<<"Is that right and safe?">>>

Yes, it is very safe.
/killall switch triggers Combofix to be very aggressive and kill process on everything as well as services except for system critical processes.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 24790234
Have you tried MalwareBytes - www.malwarebytes.org
You can download a free version which will deal with a lot of spyware, malware and nasties.  I use it all the time and it is a great piece of software.
If you cannot download the latest updates directly via the program, you can visit http://mbam.malwarebytes.org/database/mbam-rules.exe
 
LVL 38

Expert Comment

by:younghv
ID: 24790289
alanhardisty -
Please take the time to read through all of the prior suggestions before jumping in the middle of a string.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 24790450
Apologies for repeating what has been suggested, but hope the additional link might prove useful in case the nasties prevent MBAM from updating itself.
There is a free version of Avast that performs a boot-time scan and might intercept anything that would normally be removed if you were able to get into safe mode.
http://www.avast.com/eng/download-avast-home.html
 

Author Comment

by:Jsmply
ID: 24798805
Okay, this is proving difficult because immediately upon booting into normal mode, I get about 10 seconds before I'm bombarded with zjhufhdfe.exe - DLL Initialization Failed and I constantly get the error speaker noise as it tries to open this file hundreds of times.  =\  Any help?
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 24798851
Have you tried the suggestion in the very first post - install the HDD into another PC and scan it from there?
 

Expert Comment

by:kirret
ID: 24798930
Hi Jsmply.

My experience is that even if you do manage to get to Windows somehow and run tons of different anti-virus/spyware programs, you have a big chance that your PC will never be the same as it was last Friday. You can spend ages scanning your machine and still end up with things popping up on your screen. My recommendation would be to take your hard drive out, connect it to another PC as a slave (it was mentioned before too), get all your personal data off it, including IE favourites, emails from Outlook if any, a DRIVERS folder if existent in the C: drive, and then just make a clean XP install and start from fresh.
I'm not gonna add a link How to reinstall XP, if you need it just let me know.
 
LVL 38

Expert Comment

by:younghv
ID: 24799275
@Jsmply,
Even while all the junk is going on, can you open Task Manager (Ctrl-Alt-Del) - that should stay in the foreground of all applications.

If you can, do "File" "New Task (Run...)" and run the command that rpg gave you.

"%userprofile%\desktop\combofix.exe" /killall

@kirret - Everyone here understands that the final option is a "Format/Re-install", but we are posting suggestions about how to avoid doing that. And no, a properly cleaned machine will not have anything popping up on the screen.
 
LVL 38

Expert Comment

by:younghv
ID: 24799294
@Jsmply,
IF you can kill all those processes, my first choice would be to run the ComboFix function. The creator of CF is working on improvements constantly and it will be your best shot at killing most malware.
If you then post your CF log, rpg can write you a script to run that should remove any left over baddies.
 

Author Comment

by:Jsmply
ID: 24800150
Hi all, thanks!  I'm really trying to avoid a format here as it has LOTS of custom applications the user does not have. I found a way to boot up!  I went to msconfig before the windows started and I chose diagnostic startup. This boots without the problems but I have no internet or USB. Can I load combofix from a CD?  Will it run okay with diagnostic startup selected?
 

Expert Comment

by:Dommnic
ID: 24800223
hi,
  you can try to remove the following files manually:
Unregister Antivirus 2008 Pro DLL Files:
shlwapi.dll
wininet.dll

Stop Antivirus 2008 Pro Processes:
Antivirus 2008 Pro.lnk
Uninstall Antivirus.lnk
Antvrs.exe
Antivirus2008Pro.exe

Find and Delete these Antivirus 2008 Pro:
Antivirus2008Pro.exe
shlwapi.dll
wininet.dll
Antivirus 2008 Pro.lnk
Uninstall Antivirus 2008 Pro.lnk

Remove Antivirus 2008 Pro Registry Values:
HKEY_CURRENT_USER\Software\Antivirus
HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus = %ProgramFiles%\Antivirus 2008 Pro\Antvrs.exe


If that doesn't work, run SmitfraudFix in normal mode at least two times. It will work for sure.

Before attempting any above step don't forget to take registry backup and set restore point.
 

Author Comment

by:Jsmply
ID: 24800297
Okay, I'm running Combofix right now under the selective startup.  It's running very fast, I guess since no processes are running.  It's rebooting now.  

Under my MSCONFIG, I see zjhufhdfe.exe in the startup hundreds of times.  I googled it and Google says it's a root kit.  Can anyone shed any light on that?  I can attach the combofix log in a few minutes.  I'm hoping to fix this tonight.  Any experts online still?
 

Author Comment

by:Jsmply
ID: 24800301
Actually, that's assuming I can get the log off this computer.  Remember it won't read USB or the network connection in this selective startup mode.  
 

Author Comment

by:Jsmply
ID: 24800355
I got the log!  Okay, I ran Combofix in the diagnostic startup mode, let it do its thing, then I put it back to regular startup.  The machine starts up just fine and I don't have the 120012381 error messages anymore, BUT msconfig is still full of hundreds of copies of zjhufhdfe.exe which is in c:\documen~1\melvi\locals~1\temp\zjhufhdfe.exe

They are not opening anymore, I assume that's because Combofix or Super Anti-Spyware (which I ran before Combofix) deleted the file (even though it's not in the log).  However, I still have hundreds of them checked enabled in msconfig.  Can someone review this log file from Combofix PLEASE?  RPGGamerGirl I'd really appreciate it.  I REALLY need to make sure it's right before giving the user back the machine as they are VERY hard to deal with.

Thanks!
ComboFix.txt
 

Author Comment

by:Jsmply
ID: 24800714
Okay, the computer appears to be acting normal again!  I have run full scans with Combofix, MBAM, Super Anti-Spyware, and each one removed stuff.  Now I've run Combofix again (in normal mode) now that I assume the system is clean.  Here is a copy of the latest log!  Please let me know if you see anything alarming before I return the machine to the user!  

It shows no deletions, just a warning about proquote.exe being missing?  I also got safemode back up and running, thanks RPGGamergirl!
newlog.txt
 

Author Comment

by:Jsmply
ID: 24800718
Oh and I manually disabled all of the hundred copies of zjhufhdfe.exe in msconfig startup.  They are still on the list, but they are NOT re-enabling themselves upon restart.  
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 400 total points
ID: 24801212
Looks good, I see you are in a hurry to return the pc.
Just wondering if you could check what's inside these folders for my own curiosity, thanks.
C:\forms
c:\windows\System Volume Information


Those disabled random entries in msconfig, if you don't want them showing anymore, just delete them from the registry; they're located in these keys:

The disabled entries are present in these locations:
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\startupfolder

Before you return it you can uninstall Combofix.

To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /u
 
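As an added example (not posted by anyone in this thread), here is a read-only batch script that checks the two registry areas rpggamergirl names above: the SafeBoot keys whose removal stops safe mode from booting, and the msconfig startupreg keys where the disabled startup items live. It assumes Windows XP or later with reg.exe available; the key paths and the Temp-folder pattern come from the thread, the flagging logic is mine.

```batch
@echo off
setlocal EnableExtensions EnableDelayedExpansion
REM Read-only triage of the two registry areas discussed in this thread:
REM  1. SafeBoot keys, which some malware deletes so safe mode reboots
REM  2. the msconfig "startupreg" keys that hold disabled startup items
REM Assumes Windows XP or later with reg.exe. Reports only, changes nothing.

set "SAFEBOOT=HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
set "STARTUPREG=HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"

echo === SafeBoot keys ===
for %%K in (Minimal Network) do (
    reg query "%SAFEBOOT%\%%K" >nul 2>&1
    if errorlevel 1 (
        echo MISSING  %SAFEBOOT%\%%K   ^(safe mode cannot start^)
    ) else (
        REM A healthy install has dozens of subkeys here. Zero or only a
        REM handful means the key was gutted rather than removed outright.
        set /a SUBKEYS=0
        for /f "delims=" %%S in ('reg query "%SAFEBOOT%\%%K" ^| find /i "\SafeBoot\%%K\"') do set /a SUBKEYS+=1
        echo present  %SAFEBOOT%\%%K   ^(!SUBKEYS! subkeys^)
    )
)

echo.
echo === Startup items disabled through msconfig ===
set /a TOTAL=0
set /a TEMPHITS=0
for /f "delims=" %%S in ('reg query "%STARTUPREG%" 2^>nul ^| find /i "\startupreg\"') do (
    set /a TOTAL+=1
    REM Each subkey keeps the original Run-key command line in "command".
    set "CMD=?"
    for /f "tokens=2,*" %%A in ('reg query "%%S" /v command 2^>nul ^| find /i "REG_"') do set "CMD=%%B"
    REM Strip embedded quotes so the string comparison below cannot break.
    set "CMD=!CMD:"=!"
    set "STRIPPED=!CMD:\temp\=!"
    if not "!STRIPPED!"=="!CMD!" (
        REM An autostart under a Temp folder is the pattern from this thread:
        REM hundreds of copies of one .exe in Local Settings\Temp.
        set /a TEMPHITS+=1
        echo TEMP-PATH  %%~nxS  -^>  !CMD!
    )
)
echo !TOTAL! disabled entries, !TEMPHITS! of them launching from a Temp folder.
echo Review each flagged name before removing it with: reg delete "%STARTUPREG%\NAME" /f
endlocal
```

Run it from a normal command prompt after the cleanup; a SafeBoot key reported as MISSING or with very few subkeys is the reason for the reboot loop described in the question, and the SafeBoot repair tools mentioned above are what put it back.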
LVL 47

Expert Comment

by:rpggamergirl
ID: 24801359
c:\windows\system32\proquota.exe <-- if you can, you can also replace this file that the virus had deleted. It belongs to Profile Quota Manager which controls how much disc space is available to each specified user.
You can get replacement from these locations:
C:\Windows\$NtServicePackUninstall$
C:\Windows\ServicePackFiles\i386

Or from the Windows CD using command --> sfc /scannow

 

Author Comment

by:Jsmply
ID: 24803110
Hi Rpg, the forms folder has one word document. There is no windows/system volume information folder. Isn't that where restore points are kept?  I cleared those out yesterday. I enabled hidden files and folders and still don't see it. I wasn't totally sure if I just copy and paste proquote.ex_ from c:/i386 since you gave a slightly different path, so I didn't want to risk it so I left that alone. Does that matter?  Will it cause any errors the user will notice?  Thanks!
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24803420
Oh okay, so your i386 folder you put in your C:\?
You can still get the replacement from there, that should still be okay.
<<<"There is no windows/system volume information folder. Isn't that where restore points are kept?">>>

Yes, but that's not the default location of the System Volume Information. I've noticed that with this infection I also see that folder but no one replies back to me for the contents yet.....I'm still waiting for someone to give me back that info.

If you have time, can you let combofix do this please? Only if you have time thanks.

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
DirLook::
C:\forms
c:\windows\System Volume Information
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
 

Author Comment

by:Jsmply
ID: 24803531
RPG, I am so sorry. I already told the user they could start using the machine again :(  if I would have known I would have run 100 scripts for you while the machine was still at my desk. Do you think this folder you wanted to see or proquota is going to cause problems?  If so I can request the machine back. Better to do that than have it crash again and the user go nuts (she is very difficult).
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24803831
No, I shouldn't think so; like you said there was only a text file in the "forms" and the other one (System Volume Information) probably only has harmless files inside, otherwise Combofix would've picked it up if it housed some malicious .exes.

The proquota.exe replacement.
If she is very difficult she's not going to like  it when you take it back saying you forgot something...
IF she ever finds the file is missing one day, then she could just run her Windows CD.... I mean files can get corrupted or go missing (deleted by viruses) at any time and need to be replaced, that's normal. But it's up to you...
 

Author Comment

by:Jsmply
ID: 24804473
Thanks RPG, so what will not having proquote do?  Will it pop up and say it's missing at one point or cause any problems in windows, disable any features, etc?  Sorry again I couldn't get you that lost log. Please don't take it out on my next EE post for help :) if I would have gotten your post 30 mins earlier I would have been glad to!
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24805038
<<<"Please don't take it out on my next EE post for help :)">>>

Certainly not, I know you would have helped me if you could I understand, it's okay.
You've been really great and cooperative, you worked well with us. It will be a pleasure to join in your future questions. Next time I'm participating in your thread just shoot me an email so I'll reply quickly as I can be online but not always browsing at EE.

You may not realize but there are Askers that are not so nice, if you had read what an Asker had said in this thread(his comment was deleted), he arguably said NO to our requests for logs plus the "F" word as well, and wanted a quick fix to his problem, lol.
http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_24513305.html#a24751509
I can understand the frustrations an Asker has(with an infected pc and all), but I think he was a bit too much lol.


About the proquota.exe, I'm not really sure of its importance, when it's needed. It says somewhere that Disc Quota management can also be turned off.
You can try and experiment with yours, rename your proquota.exe(so like it's missing) and see how long it will take before you get an error or any windows alert about it being gone.

Here's what it says about proquota.exe
Proquota.exe, a utility that ships with Windows NT Service Pack 4, allows you to limit the hard disk space that user profiles can consume.
Check this out, it explains Profile quota manager quite well.
http://articles.techrepublic.com.com/5100-10878_11-5754321.html
 

Author Closing Comment

by:Jsmply
ID: 31600387
Thanks so much RPG!  You have been a life saver and I can't imagine how anyone could ever be so rude to you.  I'd be glad to take you up on your e-mail offer, which address is best to use?

I also awarded a few points to Younghv as he pointed me in the right direction.  Thanks everyone who helped!  The user has not complained since returning the machine, so I assume they are in good shape!