Hi guys
After a long night and day running scans and stuff, I'm back to update you before preparing for another round of scans and tasks.
The malware may have deleted the SafeBoot registry keys.
Here are some options to restore them:
http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/
Or - Download & run this tool > SafeBootKeyRepair-CF http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe
Stevens' solution worked great here and
finally I got Safe Mode recovered. Thanks a bunch, DavidR.
Hi, DavidR has you off on the right foot. The safe mode fix I usually use is the one by sUBs, no particular reason.
I'd like to make a note about the second link as I tried it -
sUBs SafeBootKeyRepair-CF.exe...
the link is not valid. I searched there for another link, but all references to that file pointed to that same invalid link (guess they didn't redirect to the new location).
----
Once I had Safe Mode back, I stuck with the previous suggestions.
- You did NOT uninstall Norton completely and that can give problems
- Remove NAV completely
- Remove Kaspersky completely
I did run the Norton Removal Tool (saw it on some other topic here and thought it was a good thing to do) 2 days ago. It downloaded ok, ran ok and said in the end it was removed. But I suppose something didn't work that well, as I could see remnants of NIS on my system in the logs I posted previously. Following your advice, I downloaded it again and ran it again, getting the same result.
I found the Kaspersky Removal Tool (http://support.kaspersky.com/faq/?qid=193239279) and its instructions ask to run it in SAFE MODE. So what I'm gonna do is run Norton again, but in Safe Mode, as I will do with Kaspersky.
.: Well, I proceeded like I said above, but it seems
it didn't work, at least for Kaspersky. The KIS directory is still there. I guess Norton didn't work either.
Any suggestions?
You could try downloading and running a full scan with cureit.
...run msconfig and select "safeboot" on the "boot.ini" tab.
... run HijackThis that would be good.
Cureit was downloaded and I will run it in Safe Mode. Next thing on my to-do list.
.: I proceeded like Tarq57 suggested.
I did a fast scan at first and then a complete one. However, I made a silly mistake when running the complete one... I didn't set the options right and the log I got from it was 36M in size, as it covered all scan actions and files.
Infected or suspicious files were all moved to quarantine. Attached are the fast scan log and the HijackThis log (20080413 1437). NOTE: It's not the first scan I've done that picked up files from fixing tools like ComboFix and DSS, considering them either infected or suspicious. All files detected by all tools were moved to quarantine or the chest. Should I get them out of there? Are they really infected or are they safe?
......
.: I found another thread where it was suggested to download and run the
Symantec Fix Tool for Beagle MO (FxBgleMO.exe), which I had previously downloaded, and I then decided to run it as I had already found some variations of Beagle on previous scans (wouldn't hurt to try).
The tool ran ok and the result was negative. The log is attached.
......
From another thread I got suggestions from Tech, as follows:
1. Disable System Restore and re-enable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.
.: I started to follow them and
so far I have performed steps 1 to 3. Avast logs are attached plus another HijackThis log (20080414 0030).
.: I noticed some files which were not caught on previous scans (even manual ones for a specific folder or file) were flagged as infected on those recent scans I performed. I don't understand how the same file can be scanned many times and the infection not be detected.
Example: The file I have suspected to be the bad guy since the start (the key for KIS) was scanned several times, and only at the last boot-time Avast scan did it get detected as a rootkit.
I wonder how many more scans I will have to do till I bust them all and feel safe enough to get a backup done without fearing I'll carry infected files into the backup which were not detected after more than 1 week of effort and hard work.
......
Well, that's it for now. By morning I'm gonna check over here again and then will go on from step 4.
I don't know if I'm doing the right things here or not. If any of you have something to add or say about the procedures done so far and to be done ahead, please feel free to post. All help and feedback are welcome and quite needed.
Thank you all again for your attention and efforts in trying to help, as well as for your patience.
Have a great week, all.
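The SafeBoot registry keys mentioned earlier in the thread are what Safe Mode depends on, so before (or after) applying the .reg-file repair it helps to confirm whether they are actually present. The script below is an added example, not something posted in this thread or shipped with either repair tool; the registry paths are the standard Windows locations, and the "fewer than 10 entries" threshold is an assumed rough heuristic for a partly deleted profile.

```powershell
# Added example: report the state of the SafeBoot registry keys that Safe Mode
# needs, so you can tell whether a repair is required or has worked.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

if (-not (Test-Path $safeBoot)) {
    Write-Output "MISSING: $safeBoot (Safe Mode cannot start; restore the keys)"
    return
}

# 'Minimal' drives plain Safe Mode, 'Network' drives Safe Mode with Networking.
foreach ($mode in 'Minimal', 'Network') {
    $path = "$safeBoot\$mode"
    if (Test-Path $path) {
        $count = (Get-ChildItem -Path $path).Count
        Write-Output ("OK: {0} has {1} entries" -f $path, $count)
        # Assumed heuristic: a healthy profile lists many drivers and classes,
        # so a very short list suggests the keys were only partly deleted.
        if ($count -lt 10) {
            Write-Output "  WARNING: unusually few entries; profile may be incomplete"
        }
    } else {
        Write-Output "MISSING: $path (this Safe Mode variant will not boot)"
    }
}

# AlternateShell is the program started by "Safe Mode with Command Prompt";
# it should normally be cmd.exe, so anything else is worth a closer look.
$item  = Get-ItemProperty -Path $safeBoot -Name AlternateShell -ErrorAction SilentlyContinue
$shell = if ($item) { $item.AlternateShell } else { '<not set>' }
Write-Output ("AlternateShell = {0}" -f $shell)
```

Run it from an elevated PowerShell prompt once before the repair and once after, and compare the two reports.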