String of BSOD Errors, Possible Malware

Hi, I have been experiencing the following problems as described in this thread, http://forums.majorgeeks.com/showthread.php?t=250064
DavidGP suggested that I may have a malware problem and went through the Malware Removal Guide. The only problem I experienced while going through it was, I was unable to install the most recent Sun Java. I was given the following message, "The system administrator has set policies to prevent this installation." I have been running in Safe Mode due to the crashes I've been experiencing while trying to run a normal start up. I would really appreciate anyone's help on this as this has really put a hinder on my work these past few weeks. Thanks!

 

...and MGtools logs

 

Here you are.

 

Okay, so I was able to run everything as asked and am now able to run in normal mode. The only thing I noticed is, when logging in, the loading up of the desktop and everything seemed really slow. Then, when I went to open Firefox, it was running extremely slow for a while. I took a look at my processes and my CPU was running at 100% the two processes that were taking up the most were:

McScript_InUse.exe
mcshield.exe

Both were a little over 40%. I know that mcshield.exe is McAfee, which I know to slow things up a little bit during startup, but only for a minute max. But, the other one I haven't seen before. I forgot to check what it was associated with. I had to leave for a little bit before running GetLogs.bat so I logged off and closed my laptop. When I came back I opened it up and the following window popped up:

"The instruction at "0x03e0622a" referenced memory at "0x00000014". The memory could not be "read". Click on OK to terminate the program"

I went ahead and clicked ok and logged in again, and this time I didn't have the slow start up as before and everything seemed to be running at normal speed. The other thing I noticed was a Windows Security message saying my Virus Protection "McAfee VirusScan Enterprise" was out-of-date. That seemed odd and I considered uninstalling, then reinstalling it because of the out-of-date and it appearing to be the main cause before of everything running so slow. But, I didn't want to do anything with that until you gave me the okay.
For the item you asked me to take action on with TDSSKiller the only option I was given was to copy to quarantine, so I did that.
Then, here are all my logs...

 

Here are the new logs. I think after running TDSSkiller I clicked to quarantine all the items by mistake instead of just the one.

 

How exactly do I restore those files in that folder? Reboot and everything else appears to be running fine now.

 

Looking back at my log I saw that I didn't actually quarantine the other items haha, so my mistake. The only thing in the quarantine folder were two more folders titled tdlfs0000 & tdlfs0001, both with to sets of files titled tsk000(1-8) with file extensions .ini and .dta

 

It looks like I have one restore point before that TDSSkiller scan which is:
1/11/12 12:06:42 AM System Checkpoint. That is the earliest point showing up for January. Go ahead and restore to this point?

 

From what Kestrel13! said, it didn't look like anything was quarantined when I ran the scan on the 10th. It wasn't until the scan on the 11th that things appeared to be quarantined, so that's why I just posted the restore point on that date. You're right that I do have several other restore points before than in December and in November. Most recent being Dec 23rd:

11:16:11 PM Installed Java(TM) 6 Update 30
11:03:02 PM Removed Java(TM) 6 Update 22
3:15:35 PM Installed Rapport

and then Dec 22nd:

8:38:26 PM System Checkpoint

Please let me know the best action to take.

 

I was unable to restore back to the 11th. I've had 6 new BSOD's; three on the 15th and three today. Five of them were just new/different then before and all occurred randomly while browsing in Mozilla Firefox and the sixth was the same as before with my screen going whacky then freezing. The sixth happened when streaming a hockey game and everything was fine after restart.

 

Hi dutchluck13,

Can you zip up and attach any .dmp files in this folder: C:\WINDOWS\Minidump

I would like to analyze your BSOD logs.

 

Here you go, I knew I forgot to attach something to my prev. post.

 

Most of these crashes, at least from 2012 are related to the Intel(R) PRO/1000 PCI Express Network Connection Driver.

However, there was one from 2012 that was related to your NVIDIA Graphics card.

See the below for details:

Mini011512-01.dmp // Jan 15th 2012

Code:

STACK_TEXT:  
b84d3d98 b7cae821 40000080 8ae91418 8a25cda0 nt!KeBugCheckEx+0x1b
b84d3df8 b5f901f8 8ae91418 b84d3e5c 00000001 NDIS!ethFilterDprIndicateReceivePacket+0x5fe
WARNING: Stack unwind information not available. Following frames may be wrong.
b84d3e14 b5f9a35c 8ac08008 b84d3e5c 00000001 e1e5132+0x21f8 [COLOR="Red"]<--- Intel(R) PRO/1000 PCI Express Network Connection Driver[/COLOR]
b84d3e34 b5f9ca7d 8aea0038 00000000 b84d3e5c e1e5132+0xc35c [COLOR="Red"]<--- Intel(R) PRO/1000 PCI Express Network Connection Driver[/COLOR]
b84d3f6c b5f96341 014a7000 00000001 00000000 e1e5132+0xea7d [COLOR="Red"]<--- Intel(R) PRO/1000 PCI Express Network Connection Driver[/COLOR]
b84d3fa8 b5f8f371 004a7000 b84d3fcc b7ca3e99 e1e5132+0x8341 [COLOR="Red"]<--- Intel(R) PRO/1000 PCI Express Network Connection Driver[/COLOR]
b84d3fb4 b7ca3e99 8ac08008 8ac53008 ffdff9c0 e1e5132+0x1371 [COLOR="Red"]<--- Intel(R) PRO/1000 PCI Express Network Connection Driver[/COLOR]
b84d3fcc 80545eef 8a4a7ac8 8a4a7ab4 00000000 NDIS!ndisMDpcX+0x21
b84d3ff4 80545a5b b72f6534 00000000 00000000 nt!KiRetireDpcList+0x61
b84d3ff8 b72f6534 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2b
80545a5b 00000000 00000009 0081850f bb830000 0xb72f6534

Mini011512-03.dmp // Jan 15th 2012

Code:

DEFAULT_BUCKET_ID:  GRAPHICS_DRIVER_FAULT

STACK_TEXT:  
aa6277e8 00000000 e24ef018 e24ef018 e24ef018 nv4_disp+0x29852 [COLOR="Red"]<--- Related to a NVIDIA Graphics card[/COLOR]

Are you using an addon card (PCI-E) for internet or are you using the built in ethernet adapter on your motherboard?

I realize the logs say PCI-Express but it could still be either or.

 

I've been using the built in ethernet adapter on my motherboard

 

For troubleshooting purposes you may want to completely uninstall your network adapter drivers from the Device Manager and then install these: Intel: PROSet Network Adapter Driver Set 16.4

Download them first so you have them handy

The below could also be used. These are the older versions though.
These are the default drivers that came with your laptop: ThinkPad T61 (6459-CTO)

• Readme http://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/7kra26ww.txt
• Direct Download Link http://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/7kra26ww.exe

 

I went ahead and tried to uninstall the current drivers, however on restart the drivers are reinstalling themselves from somewhere. So, when I try to install the new Intel driver set it doesn't allow for it to happen and I get the following message. "The installed version of Intel PROset is not supported for upgrades. You must uninstall it before installing this version"

 

Download and install Revo Uninstaller from here.

Now open Revo Uninstaller and look for any of the below:

• Intel PROSet Wireless
• Intel(R) PRO Network Connections Drivers
• Intel(R) PROSet/Wireless WiFi Software

Choose to uninstall each and everyone of these if present.

If requested to restart for the changes to take effect, go ahead and reboot.

If a hardware installation wizard pops upon reboot. Choose Cancel and proceed to attempt to install the Intel: PROSet Network Adapter Driver Set 16.4 file you downloaded earlier.

 

I went ahead and uninstalled as you asked. Now, when I go to run the installer it starts off by going through an extracting process. At this point I can see in my toolbar various pop-ups for new Intel hardware found. But, after it finishes the extraction process and switches to the installation wizard I am still getting the same message as before and am unable to finish the install. After this I went to the Device Manager and the all the Intel drivers are there as if they have been installed.

 

Let's do this so I can try to see what files/drivers are present now:

Now download the latest MGtools.exe to the root of your c: drive.

• Replace your existing MGtools.exe with this one.
• Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
• When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)

Also let me know if you are still experiencing BSODs or not.

 

Here you go

 

You ran a much older version of TDSSKiller before:

I want you to read and follow these instructions: TDSSKiller - How to run

Please download Disable/Remove Windows Messenger to your desktop.

• Double-click MessengerDisable.exe to run it.
• Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
• Click Apply
• Click Exit

Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the text-field.

Code:

[COLOR="DarkRed"]:files[/COLOR]
C:\Documents and Settings\Admin Tyler\Local Settings\Application Data\2509137411
C:\Documents and Settings\Admin Tyler\Local Settings\Application Data\3469191438
C:\Documents and Settings\Admin Tyler\Local Settings\Application Data\3jOBub6
C:\Documents and Settings\Admin Tyler\Local Settings\Application Data\50vGiJ1FW7x2
C:\Documents and Settings\Admin Tyler\Local Settings\Application Data\8MuP2
C:\Documents and Settings\Admin Tyler\Local Settings\Application Data\G2MJ
C:\Documents and Settings\Admin Tyler\Local Settings\Application Data\MF62
C:\Documents and Settings\Admin Tyler\Y¯Y¯
C:\Documents and Settings\Admin Tyler\Y9Y9
C:\Documents and Settings\Admin Tyler\Local Settings\Application Data\avG
C:\Documents and Settings\Admin Tyler\Local Settings\Application Data\jfpies
C:\Documents and Settings\Admin Tyler\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
xcopy %temp%\smtmp\1 "%allusersprofile%\start menu" /s /i /h /y /c
xcopy %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /s /i /h /y /c
xcopy %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
xcopy %temp%\smtmp\4 "%allusersprofile%\desktop" /s /i /h /y /c
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\*.dat
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\*.dat
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows Media Player NSS\3.0\*.xml
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\9J2JWIGZ\*.xml
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\GV3D89DS\*.xml
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\NZFHW4JO\*.xml
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\SCXGZ397\*.xml
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\*.xml
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\*.xml
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows Media Player NSS\3.0\Icon Files\*.jpg
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows Media Player NSS\3.0\Icon Files\*.png
[COLOR="DarkRed"]:commands[/COLOR]
[purity]
[emptytemp]

Now click the button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)
Note: This file could be very large, in which case you should zip this file up and then attach it.

Put your computer back into Normal Startup Mode and reboot before proceeding to the next step. See >> Use MSconfig to setup for Normal Startup Mode

Please delete your old copy of ComboFix.
Now download a new copy of ComboFix.exe and run it. Attach the latest log when finished. (How to attach)

Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

Here are all the logs. In the time before running everything I had two more BSODs same as before; related to the connection driver. Then I got the same BSOD twice more while trying to run GetLogs.bat. I attached the BSOD log aswell.

 

BSOD log

 

Scan with TDSSKiller again
When you find: TDSS File System
Delete it!
Leave everything else detected alone (Skip)
Then attach the new TDSSKiller log.

Download and run Norton Removal Tool to remove the remaining traces of Norton.

Reboot afterwards.

Once you have rebooted...

Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the text-field.

Code:

[COLOR="DarkRed"]:processes[/COLOR]
killallprocesses
[COLOR="DarkRed"]:files[/COLOR]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\*.dat
C:\WINDOWS\System32\drivers\tcpip.sys|c:\windows\system32\dllcache\tcpip.sys /replace
C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job

Now click the button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

Now run C:\MGtools\GetLogs.bat by double-clicking it.
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

After you get done with the above, I would also like you to scan with the below:

Please download aswMBR to your desktop.

• Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
• Select No when asked "Would you like to download latest Avast! virus definitions?"
• Click the [Scan] button.
• On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

 

Here are all the new logs.

 

There is a problem with the MGlogs.zip you uploaded.

Please try again using these instructions:

Now download the latest MGtools.exe to the root of your c: drive.

• Replace your existing MGtools.exe with this one.
• Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
• When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)

 

I'd like to restore a clean Master Boot Record (MBR) to your system. I must ask, do you have your data backed up? Sometimes attempting to repair the MBR can cause boot issues. I'll work with you to resolve any potential booting issue if that does occur. It is quite rare though.

Let me know whenever you get a chance.

 

Here's the MGlogs. I'll have a go at MBR repair later tomorrow.

 

Back up your data first just incase:

Whenever you are ready to attempt to fix the MBR:

Open aswMBR again
Click the FixMBR button. Reboot.
Then scan with aswMBR again and attach its latest log.

Also attach any new .dmp files from c:\windows\minidump

 

I haven't had a chance to try and fix the MBR yet. But, I should get to it sometime at the beginning of this week.

 

No problem. Take your time.