Please Help with Malware, virus, or whatever

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by docfxit, Sep 21, 2011.

  1. docfxit

    docfxit Private E-2

    Hi,

    Could someone please help me.

    I'm getting a BSOD once in a while: Stop 0x0000008E 0xC0000005

    This PC won't shut down when I select Start, Shut Down, Restart.
    In Windows Task Manager it doesn't have the Shut Down pull-down tab.

    If there is anything else I can do to help find the problem please let me know.

    Thank you,

    Docfxit

    PS: I did run SuperAntiSpyware from a bootable CD. I can't find the log.
     


  2. thisisu

    thisisu Malware Consultant

    Hi, docfxit

    The version of MBAM you ran is outdated. Can you update MBAM, run a full scan and attach its new log?

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under this icon.
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)
     
  3. docfxit

    docfxit Private E-2

    Mine updated yesterday. I have updated today and will send you the results tomorrow.

    I have run TDSSKiller and attached the results.

    I'm having trouble downloading MBRCheck. My router is not allowing that web site. I have turned off my virus checker. I found MBRCheck someplace else and after I downloaded it there are zero bytes. Do you have any suggestions on how I can download it?

    Thank you,

    Docfxit
     


  4. thisisu

    thisisu Malware Consultant

    Go into more detail.
    • Why do you think it's your router that won't allow you?
    • Are you getting redirected to another site when you attempt to search/download?

    I prepared a fix for you; do this and then retry MBRCheck. If something here does not work, continue to the next step, but make a detailed note of what happened when you tried to perform any step that didn't go as planned.

    Also, don't forget to attach your new MBAM log using mbam v1.51.2.1300

    Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.
    • See the download links under this icon.
    • Double-click MessengerDisable.exe
    • Place a check-mark in Uninstall Windows Messenger
    • Click Apply
    • Click Exit

    Run C:\MGtools\analyse.exe by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Shut down your protection software now to avoid possible conflicts.
    Note: This is actually Trend Micro HiJackThis - v2.0.4
    Choose Do a system scan only and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:
    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    DDS::
    uInternet Connection Wizard,ShellNext = yes
    uInternet Connection Wizard,ShellNext = 0a000000
    uInternet Connection Wizard,ShellNext = yes
    uInternet Connection Wizard,ShellNext = 01000000
    uInternet Connection Wizard,ShellNext = yes
    uInternet Connection Wizard,ShellNext = 1a000000
    uInternet Connection Wizard,ShellNext = 1a000000
    uInternet Connection Wizard,ShellNext = Microsoft Corporation
    uInternet Connection Wizard,ShellNext = MICROSO
    uInternet Connection Wizard,ShellNext = 5.50.4134.100
    uInternet Connection Wizard,ShellNext = no
    uInternet Connection Wizard,ShellNext = yes
    uInternet Connection Wizard,ShellNext = yes
    uInternet Connection Wizard,ShellNext = \0
    uInternet Connection Wizard,ShellNext = about:NoAdd-ons
    uInternet Connection Wizard,ShellNext = about:SecurityRisk
    uInternet Connection Wizard,ShellNext = 1 (0x1)
    uInternet Connection Wizard,ShellNext = 300 (0x12c)
    uInternet Connection Wizard,ShellNext = 0 (0x0)
    uInternet Connection Wizard,ShellNext = 0 (0x0)
    uInternet Connection Wizard,ShellNext = 4000 (0xfa0)
    uInternet Connection Wizard,ShellNext = yes
    uInternet Connection Wizard,ShellNext = 1 (0x1)
    uInternet Connection Wizard,ShellNext = yes
    uInternet Connection Wizard,ShellNext = yes
    uInternet Connection Wizard,ShellNext = yes
    uInternet Connection Wizard,ShellNext = 1 (0x1)
    uInternet Connection Wizard,ShellNext = yes
    uInternet Connection Wizard,ShellNext = yes
    uInternet Connection Wizard,ShellNext = no
    uInternet Connection Wizard,ShellNext = 1 (0x1)
    uInternet Connection Wizard,ShellNext = 1 (0x1)
    uInternet Connection Wizard,ShellNext = 0 (0x0)
    uInternet Connection Wizard,ShellNext = yes
    uInternet Connection Wizard,ShellNext = 1 (0x1)
    uInternet Connection Wizard,ShellNext = 1 (0x1)
    uInternet Connection Wizard,ShellNext = 0 (0x0)
    uInternet Connection Wizard,ShellNext = 0 (0x0)
    uInternet Connection Wizard,ShellNext = 0 (0x0)
    uInternet Connection Wizard,ShellNext = 0 (0x0)
    uInternet Connection Wizard,ShellNext = 1 (0x1)
    uInternet Connection Wizard,ShellNext = 1 (0x1)
    uInternet Connection Wizard,ShellNext = 1 (0x1)
    uInternet Connection Wizard,ShellNext = 1 (0x1)
    uInternet Connection Wizard,ShellNext = 0 (0x0)
    uInternet Connection Wizard,ShellNext = 60000 (0xea60)
    uInternet Connection Wizard,ShellNext = 0 (0x0)
    uInternet Settings,ProxyServer = 127.0.0.1:8080
    DirLook::
    C:\Dnload
    c:\qb71
    C:\ANG0
    C:\ANG1
    File::
    C:\Delete.log
    C:\Win-Files.txt
    C:\WINDOWS\Temp\fb_3480.lck
    C:\WINDOWS\Temp\ZLT011e8.TMP
    FileLook::
    C:\AUTOCHK.EXE
    C:\WINDOWS\system32\T.COM
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
    "Licence0"="04F0D21-79D8-7A25-D702-433F"
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{0EEA5558-3D1F-4077-976F-EF2F4ECE89C3}]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{250DB406-BC7D-4209-B3DC-8B44D1C7A457}]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{30ECAD80-1BF9-4942-B34F-08F80B882B76}]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{5E571071-CA30-45BB-8F79-C45D742FD3FA}]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{7084C14A-C055-4B77-B74E-52C57C1D665D}]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{846860C5-9C1C-4966-B4D9-2A67F74C82BA}]
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B3F3ED5D-F192-4913-9E8E-DFC35EACD207}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover that none of your programs will open because you receive the error "Illegal operation attempted on a registry key that has been marked for deletion", reboot your computer; this normally fixes the problem.
    • Attach this log to your next message. (How to attach items to your post)


    Are you aware of these .bat files on your system? Are they something you created?
    • c:\windows\system32\TempWmicBatchFile.bat
    • c:\windows\CwbRmDir.bat

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
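The last Registry:: entry in the ComboFix script above writes BootExecute back as a hex(7) (REG_MULTI_SZ) value. The decoder below is an example added here, not code from the thread, from ComboFix or from MajorGeeks: it parses that exact line, splits the byte blob into its strings and compares the result with the stock Windows value "autocheck autochk *", so a responder reading a .reg export or a CFScript can tell at a glance whether anything besides autochk is scheduled to run by the Session Manager at boot. It goes beyond the page in also handling the UTF-16LE encoding that "Windows Registry Editor Version 5.00" exports use; the function names, encode_reg_multi_sz and the tampered sample value in the usage comment are this example's own constructions.

```python
import re

# Copied from the CFScript in the post above: .reg "hex(7)" encoding of a REG_MULTI_SZ.
BOOTEXECUTE_LINE = (
    '"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,'
    '61,75,74,6f,63,68,6b,20,2a,00,00'
)

# Stock value on a Windows install: run the boot-time chkdsk component on all volumes.
DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]

# "Name"=hex(7):xx,xx,...  (data may contain '\' line continuations and whitespace)
_HEX7 = re.compile(r'^"(?P<name>[^"]+)"=hex\(7\):(?P<data>[0-9A-Fa-f,\\\s]*)$')


def decode_multi_sz(data: bytes) -> list[str]:
    """Split a REG_MULTI_SZ byte blob (double-NUL terminated) into its strings."""
    # REGEDIT4-style scripts such as the CFScript above store one byte per character;
    # "Version 5.00" exports store UTF-16LE. Heuristic (ASCII-only): every odd byte is zero.
    utf16 = len(data) >= 2 and len(data) % 2 == 0 and all(b == 0 for b in data[1::2])
    text = data.decode("utf-16-le" if utf16 else "cp1252")
    text = text.rstrip("\0")  # drop the list terminator (and the last entry's own NUL)
    return text.split("\0") if text else []


def parse_reg_multi_sz(line: str) -> tuple[str, list[str]]:
    """Parse one .reg value line of the form "Name"=hex(7):xx,xx,... into (name, entries)."""
    m = _HEX7.match(line.strip())
    if not m:
        raise ValueError(f"not a hex(7) value line: {line!r}")
    raw = re.sub(r"[\\\s]", "", m.group("data"))  # strip wrap markers and whitespace
    data = bytes(int(b, 16) for b in raw.split(",") if b)
    return m.group("name"), decode_multi_sz(data)


def encode_reg_multi_sz(name: str, entries: list[str], utf16: bool = False) -> str:
    """Inverse of parse_reg_multi_sz; used here only to build constructed fixtures."""
    blob = "".join(e + "\0" for e in entries) + "\0"
    data = blob.encode("utf-16-le" if utf16 else "cp1252")
    return f'"{name}"=hex(7):' + ",".join(f"{b:02x}" for b in data)


def unexpected_bootexecute_entries(entries: list[str]) -> list[str]:
    """Every BootExecute entry that is not the stock autochk line. Anything listed here
    is started by the Session Manager before most protection software is up, so each
    extra entry deserves a look; it is not automatically malicious."""
    normal = {d.lower() for d in DEFAULT_BOOTEXECUTE}
    return [e for e in entries if e.strip().lower() not in normal]


def bootexecute_is_default(entries: list[str]) -> bool:
    """True only when the value is exactly the stock list (nothing added, autochk not removed)."""
    return [e.strip().lower() for e in entries] == [d.lower() for d in DEFAULT_BOOTEXECUTE]


if __name__ == "__main__":
    name, entries = parse_reg_multi_sz(BOOTEXECUTE_LINE)
    print(name, entries, "default" if bootexecute_is_default(entries) else "MODIFIED")
    # Constructed tampered value (hypothetical_x.exe does not exist; illustration only):
    tampered = encode_reg_multi_sz("BootExecute", ["autocheck autochk *", "hypothetical_x.exe"], utf16=True)
    print(unexpected_bootexecute_entries(parse_reg_multi_sz(tampered)[1]))
```

The value the script restores decodes to the single stock entry, which is why the consultant can write it back verbatim; any further entry returned by unexpected_bootexecute_entries is what to examine in the logs that follow.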
     
  5. docfxit

    docfxit Private E-2

    When I download MBRCheck.exe from your link I get zero bytes. Both from the Authors site and from Majorgeeks site. When I try to download it from:
    http://ad13.geekstogo.com/MBRCheck.exe
    I get a message:
    [screenshot]

    Thank you for preparing a fix. I don't see the fix. Where would I find the fix?

    I have attached it.

    I have attached it.

    I have seen the first one. It was putting a new file in that folder multiple times a day. I think I stopped it. I have not seen the second one.


    I have attached it.

    I received an error from HijackThis:
    [screenshot]

    I am still getting the Stop BSOD.

    Thank you very much for your time and help.

    Docfxit
     


  6. thisisu

    thisisu Malware Consultant

    I meant after running newlogs.bat. Don't worry about it now, try the below:

    Please download RKill by Grinler to your desktop.
    RKill is an easy to use tool that kills known processes that stop the use of our normal anti-malware applications. Simple as that. Nothing fancy. Just kill known malware processes so that anti-malware programs can do their job.

    RKill can be downloaded from the following locations. Please note that the other filenames below are RKill as well, just renamed so that it can still run when certain malware blocks it.
    Note: You only need to get one of them to run, not all of them.

    RKill.com Download Link
    RKill.exe Download Link
    RKill.scr Download Link
    eXplorer.exe Download Link - This renamed copy may trigger an alert from MBAM. It can be ignored and is safe.
    iExplore.exe Download Link
    WiNlOgOn.exe Download Link
    uSeRiNiT.exe Download Link

    Attach c:\rkill.log afterwards. (How to attach items to your post)

    Please download aswMBR by Avast! to your desktop.
    • Double-click aswMBR.exe to run it (Vista and Win7 right-click and select Run as Administrator)
    • Select No when asked Would you like to download latest Avast! virus definitions?
    • Click the [Scan] button.
      Note: This scan should only take a few seconds to complete.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach items to your post)

    Please download OTL by Old Timer to your desktop.
    • See the download links under this icon.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • Under the Extra Registry section, check Use SafeList.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      %systemdrive%\*.exe
      /md5start
      atapi.sys
      csrss.exe
      explorer.exe
      ipnat.sys
      ipsec.sys
      regedit.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemroot%\*. /mp /s
      %windir%\assembly\tmp\U /s
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      hklm\software\clients\startmenuinternet|command /rs
      hklm\software\clients\startmenuinternet|command /64 /rs
      
    • Now click the Run Scan button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)
     
  7. thisisu

    thisisu Malware Consultant

    I'm not familiar with this software:
    • SonicWALL Global VPN Client

    Can you either disable or temporarily uninstall it so you can download the requested tools, in case any of them are blocked by it in the future?
     
  8. docfxit

    docfxit Private E-2

    Thank you very much for looking into this problem for me.

    I have attached the files you requested.

    Please let me know what to do next.

    Thanks,

    Docfxit
     


  9. thisisu

    thisisu Malware Consultant

    Not finding much obvious malware; let me double-check. Also, there is a lot of leftover cache from previous anti-virus programs and firewalls you've had. The .bat file below should help clear this up:

    Copy the bold text below to Notepad. Save it as fixme.bat to your desktop. Be sure the "Save as" type is set to "All files". Once you have saved it, double-click it; upon completion, it will reboot the computer in 5 seconds. Don't panic.


    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    DirLook::
    c:\windows\minidump
    FileLook::
    C:\WINDOWS\System32\KGyGaAvL.sys
    c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
    c:\documents and settings\All Users\Application Data\B21765FADC.sys
    C:\Documents and Settings\All Users\Application Data\587E447A25.sys
    C:\Documents and Settings\All Users\Application Data\1617EC5C27.sys
    C:\Documents and Settings\All Users\Application Data\51B05C58E0.sys
    C:\Documents and Settings\All Users\Application Data\215AFABA7D.sys
    C:\Documents and Settings\All Users\Application Data\D09F512B2C.sys
    C:\Documents and Settings\All Users\Application Data\ECB69BB7BF.sys
    C:\Documents and Settings\Gary\Application Data\lakerda1967.sys
    C:\WINDOWS\System32\fi60fex0419.dll
    C:\WINDOWS\System32\fi5110ex0419.dll
    C:\WINDOWS\System32\fi5750ex0419.dll
    C:\WINDOWS\System32\fi55302ex0C0A.dll
    C:\WINDOWS\System32\fi6750ex0419.dll
    C:\WINDOWS\System32\fi6230Tex0411.dll
    C:\WINDOWS\System32\fi6230Tex0409.dll
    C:\WINDOWS\System32\fi6140ex0412.dll
    C:\WINDOWS\System32\Lfkodak.dll
    C:\WINDOWS\System32\Lffpx7.dll
    C:\Program Files\Stunnel\stunnel.exe
    C:\Program Files\WinKeyPlus\WinKeyPlus.exe
    C:\Program Files\WinKey\WinKey.exe
    Folder::
    C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    C:\Documents and Settings\Gary\Application Data\61C00DCB-9BB6-49DA-8E37-023A6E268584
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover that none of your programs will open because you receive the error "Illegal operation attempted on a registry key that has been marked for deletion", reboot your computer; this normally fixes the problem.
    • Attach this log to your next message. (How to attach items to your post)

    Please download OTL by Old Timer to your desktop.
    • See the download links under this icon.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • Under the Extra Registry section, check Use SafeList.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      %systemdrive%\*.exe
      /md5start
      atapi.sys
      csrss.exe
      explorer.exe
      ipnat.sys
      ipsec.sys
      regedit.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemroot%\*. /mp /s
      %windir%\assembly\tmp\L /s
      %windir%\assembly\tmp\U /s
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      hklm\software\clients\startmenuinternet|command /rs
      hklm\software\clients\startmenuinternet|command /64 /rs
      
    • Now click the Run Scan button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.
     
  10. docfxit

    docfxit Private E-2

    Thank you for helping me to find bad stuff on my computer.

    During the fixes I received this error:

    [screenshot]

    Thank you,

    Docfxit
     


  11. thisisu

    thisisu Malware Consultant

    Once again, not seeing anything malicious in your logs. Going to have you run one more very thorough scan just to see what it detects.

    Download Virus Removal Tool from Here to your desktop

    Run the program you have just downloaded to your desktop (it will be randomly named).

    First we will run a virus scan

    • Click the cog in the upper right


    • Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan


    • Allow Virus Removal Tool to delete all infections found
    • Once it has finished select report tab (last tab)
    • Select Detected threats report from the left and press the Save button
    • Save it to your desktop and attach to your next post. (How to attach items to your post)

    Please attach the .dmp files inside c:\windows\minidump
    These are the logs created when you get a BSOD. I'll try my best to analyze them for you to see if we can find out what caused you to receive a BSOD.

    I'll give you some instructions on how to .zip these up if you do not know how:

    Start > Run > cmd
    Now paste in the following:
    Press ENTER
    This log can be found at C:\collect.zip
    Attach collect.zip to your next message. (How to attach items to your post)

    The error you received may be from a conflict with .NET framework. There are quite a few event log errors pointing to .NET framework in your Extras.txt.
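The post above asks for the .dmp files in c:\windows\minidump to be zipped into C:\collect.zip, but the cmd one-liner itself did not survive on this page. The script below is an example added here, not the consultant's command: it packs the newest valid minidumps into one archive, checking the 8-byte PAGEDUMP / PAGEDU64 header that Windows kernel crash dumps start with so that zero-byte or stray files are left out, and demo() builds a constructed Minidump folder in a temporary directory so the whole thing runs anywhere. DEFAULT_MINIDUMP_DIR, the fixture file names and the helper names are this example's own assumptions.

```python
import tempfile
import zipfile
from pathlib import Path

# Folder named in the post above (assumed location of the BSOD minidumps on the affected XP machine).
DEFAULT_MINIDUMP_DIR = Path(r"C:\WINDOWS\Minidump")

# Windows kernel crash dumps (full, kernel and mini) begin with one of these signatures.
DUMP_SIGNATURES = (b"PAGEDUMP", b"PAGEDU64")


def is_kernel_dump(path: Path) -> bool:
    """True if the file carries a Windows kernel-dump header; rejects empty or truncated files."""
    try:
        with open(path, "rb") as f:
            return f.read(8) in DUMP_SIGNATURES
    except OSError:
        return False


def collect_minidumps(src_dir, out_zip, max_files: int = 20) -> list[str]:
    """Zip the newest valid *.dmp files from src_dir into out_zip; returns the names packed."""
    src = Path(src_dir)
    dumps = [p for p in src.glob("*.dmp") if is_kernel_dump(p)]
    dumps.sort(key=lambda p: p.stat().st_mtime, reverse=True)  # most recent crashes first
    dumps = dumps[:max_files]
    with zipfile.ZipFile(out_zip, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for p in dumps:
            zf.write(p, arcname=p.name)  # flat archive, file names only
    return [p.name for p in dumps]


def zipped_names(out_zip) -> list[str]:
    """Sorted member names of the archive, for checking what actually got packed."""
    with zipfile.ZipFile(out_zip) as zf:
        return sorted(zf.namelist())


def demo() -> tuple[list[str], list[str]]:
    """Constructed fixture: a fake Minidump folder holding two valid dumps, one zero-byte
    dump and a stray text file. Returns (names collected, names found in the zip)."""
    root = Path(tempfile.mkdtemp())
    dump_dir = root / "Minidump"
    dump_dir.mkdir()
    (dump_dir / "Mini092111-01.dmp").write_bytes(b"PAGEDUMP" + b"\0" * 64)  # constructed, 32-bit header
    (dump_dir / "Mini092211-01.dmp").write_bytes(b"PAGEDU64" + b"\0" * 64)  # constructed, 64-bit header
    (dump_dir / "Mini092311-01.dmp").write_bytes(b"")                        # zero-byte file, skipped
    (dump_dir / "notes.txt").write_text("not a dump")                         # wrong extension, skipped
    out = root / "collect.zip"
    return collect_minidumps(dump_dir, out), zipped_names(out)


if __name__ == "__main__":
    # On the affected machine the real call would be (assumes the default folder exists):
    #   collect_minidumps(DEFAULT_MINIDUMP_DIR, Path(r"C:\collect.zip"))
    print(demo())
```

The header check matters for exactly the situation in this thread: the poster has already hit zero-byte downloads, and an empty or half-written .dmp would only waste the analyst's time, so the archive contains only files a debugger can open.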
     
