Removed Malware | Now Have Blue Screen

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Jokerkun890, May 20, 2012.

  1. Jokerkun890

    Jokerkun890 Private E-2

    Hey there. First to explain my situation:

    About a week ago my home media server / ps3 media server stopped working. They were acting up for awhile (about a month or more,) but would not work at all anymore.

    I was also getting the notice "This program may not have installed correctly," almost every time I installed or uninstalled something - but the program was installed correctly. I may still be getting this; not sure.

    Then about 3 days ago I tried to install a game, which could not install because it said it couldn't communicate with Windows Firewall. I opened WF and there was a notice that WF was turned off. No matter what I clicked (restore defaults, turn it on, update settings, etc.) I got the following message each time:

    At first I ignored it because I was busy, but yesterday realized it must be malware, because the Firewall screen was NOT how it was supposed to look, and I assumed it probably had to do with my media server trouble.

    After some Google searches, I made my way here and came across this site. I followed the instructions on the following page up to Step 4:

    http://forums.majorgeeks.com/showthread.php?t=139681

    A couple of strange things:

    1. ComboFix kept saying it could sense the antivirus software (McAfee); I terminated it through Task Manager and also stopped all services. I finally went ahead with the ComboFix (this could be a reason for my current problem?)

    2. During Combo Fix, I would get a security warning about some file cannot be found in regards to Windows Restore; please look for the file and try again. I can't remember the name, but it started with N and was all caps. It appeared 3 times before stage 1, and then throughout all stages except 1, 14, 18, 24, and 27, as well as a couple times after. I hit okay each time, and CF successfully finished.

    3. Nothing to do with Combo Fix, but I still have no warning in my tray about UAC being turned off.

    I followed all instructions under heading 3 the site mentioned above, except for Root Repeal as it said it needed a 32-bit system (I am running a 64.)

    After completing all steps, things appeared to be working again. My media server is showing up on my PS3 and Xbox, and the firewall screen is now this:

    http://img705.imageshack.us/img705/782/firewallv.jpg

    Note: none of the options in bold (upper left) can be clicked. I assume this is just because the McAfee firewall is handling it, but I didn't want to change any settings for you guys to see. I was also able to install my game without issue.

    I thought everything was fixed, and was about to move on to step 5, until my computer randomly blue screened. I couldn't read all of it, but it said something along the lines of:

    When the computer rebooted, I got the following info through a Windows shutdown notice:

    This first happened about 2-3 hours after completing the malware removal. It happened again about 4-6 hours later. After this I uninstalled MalwareBytes and SAS. It happened again while I was at work (at least another 5 hours later.)

    It should also be noted: I had already installed MalwareBytes prior to finding this website. It removed three files, and I will attach that log as well. This will be log: mbam-log-2012-05-18 (19-14-30)

    Anyway, I am hoping to fix this blue screen problem and will appreciate any help.
     

    Attached Files:

  2. Jokerkun890

    Jokerkun890 Private E-2

    I have attached the last log to this post. A couple final points about the initial malware:

    I have a few roommates, so there is a good chance some porn has been watched on it through streaming; I usually keep close tabs on my PC and download any porn I watch, lol.

    I just recently uninstalled uTorrent and installed BitTorrent.

    The copy of MalwareBytes I installed first was an illegal one with a keygen. After reading the forum post here, and the blue screen, I uninstalled it.

    I followed these steps as well:
    http://forums.majorgeeks.com/showthread.php?t=35407
     
  3. thisisu

    thisisu Malware Consultant

    Welcome to Major Geeks, Jokerkun890 :)

    I want you to read and follow these instructions: TDSSKiller - How to run


    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

    MGlogs.zip wasn't attached.

    - Scan with MGtools and/or attach MGlogs.zip
     
  4. Jokerkun890

    Jokerkun890 Private E-2

    Thanks for the welcome and the assistance.

    I realized after I posted I forgot to attach the MG log and couldn't find an edit button; I didn't want to post again because the forum states no bumping.

    Anyway, here's the other 3 logs you requested.

    Also, it could be my imagination but it seems to be doing it more. I blue screened after about 3 hours last night, and right after boot up today. Same crash report as posted in post #1.

    Thanks again.
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Your logs are really clean.

    Just delete this one file: C:\Users\JoelandIsma\AppData\Roaming\Microsoft\Windows\Templates\lof0n8u5xjhh

    Run this scan too:

    Please download MiniToolBox and save it to your desktop and run it.

    Checkmark the following checkboxes:

    • List Devices -> All
    • List last 10 Event Viewer log
    • List Minidump Files
    Press Go and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.
     
  6. Jokerkun890

    Jokerkun890 Private E-2

    Deleted the file and attached the log for MTB.
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    Does this file exist? C:\Windows\MEMORY.DMP052112-16177-01

    Code:
    Error: (05/21/2012 03:50:12 PM) (Source: BugCheck) (User: )
    Description: 0x000000d1 (0x0000000000000028, 0x0000000000000002, 0x0000000000000000, 0xfffff88001761b2d)C:\Windows\MEMORY.DMP052112-16177-01
    
    Error: (05/21/2012 03:50:09 PM) (Source: EventLog) (User: )
    Description: The previous system shutdown at 3:48:27 PM on ?21/?05/?2012 was unexpected.
    
    Error: (05/21/2012 03:44:08 PM) (Source: VDS Basic Provider) (User: )
    Description: Unexpected failure. Error code: D@01010004
    
    Error: (05/21/2012 03:44:08 PM) (Source: VDS Basic Provider) (User: )
    Description: Unexpected failure. Error code: D@01010004
    
    Error: (05/21/2012 03:44:07 PM) (Source: VDS Basic Provider) (User: )
    Description: Unexpected failure. Error code: D@01010004

    http://www.sevenforums.com/software/20376-vds-basic-provider-error-code-490-01010004-a.html - read this.

    Dell DataSafe Local Backup - this application could be the culprit too: http://en.community.dell.com/owners-club/alienware/f/3746/t/19375646.aspx?PageIndex=4
     
    Last edited: May 21, 2012
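    Added example (not from this thread or from MiniToolBox): a small Python parser for MiniToolBox event lines like the ones quoted above. It pulls out each event's source and description and, for a BugCheck event, decodes the stop-code parameters of 0xD1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL) using the meanings Microsoft documents for that code, which is how one tells a read from a write fault and spots a near-NULL address such as the 0x28 seen here. The sample input is a trimmed copy of this post's log excerpt.

```python
import re

# Constructed sample: a trimmed copy of the MiniToolBox excerpt quoted in this post.
SAMPLE = r"""
Error: (05/21/2012 03:50:12 PM) (Source: BugCheck) (User: )
Description: 0x000000d1 (0x0000000000000028, 0x0000000000000002, 0x0000000000000000, 0xfffff88001761b2d)C:\Windows\MEMORY.DMP052112-16177-01

Error: (05/21/2012 03:50:09 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 3:48:27 PM on 21/05/2012 was unexpected.

Error: (05/21/2012 03:44:08 PM) (Source: VDS Basic Provider) (User: )
Description: Unexpected failure. Error code: D@01010004
"""

# One MiniToolBox event = an "Error:" header line followed by a "Description:" line.
EVENT_RE = re.compile(
    r"Error: \((?P<ts>[^)]+)\) \(Source: (?P<src>[^)]+)\) \(User: [^)]*\)\s*"
    r"Description: (?P<desc>[^\n]*)"
)
HEX_RE = re.compile(r"0x([0-9a-fA-F]+)")

def decode_d1(params):
    """Decode the four parameters of bugcheck 0xD1 per Microsoft's documented meanings."""
    addr, irql, op, pc = params
    return {
        "name": "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
        "referenced_address": addr,   # memory the driver touched at too-high IRQL
        "irql": irql,                 # IRQL at the time (2 = DISPATCH_LEVEL)
        "operation": {0: "read", 1: "write", 8: "execute"}.get(op, "unknown"),
        "faulting_instruction": pc,   # address to map to a driver module in the minidump
        "near_null": addr < 0x1000,   # tiny address: likely a NULL-structure dereference
    }

def parse_events(text):
    """Return a list of event dicts; BugCheck events also carry code, params and a decode."""
    events = []
    for m in EVENT_RE.finditer(text):
        ev = {"timestamp": m["ts"], "source": m["src"], "description": m["desc"]}
        if m["src"] == "BugCheck":
            nums = [int(h, 16) for h in HEX_RE.findall(m["desc"])]
            ev["bugcheck"], ev["params"] = nums[0], nums[1:5]
            if nums[0] == 0xD1 and len(nums) >= 5:
                ev["decoded"] = decode_d1(nums[1:5])
        events.append(ev)
    return events

if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(ev["timestamp"], ev["source"], ev.get("decoded", ev["description"]))
```

    The decoded faulting_instruction is the value to resolve against the loaded-module list in the minidump to name the driver, which is what points at a virtual-drive filter driver in a case like this one.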
  8. Jokerkun890

    Jokerkun890 Private E-2

    No, just one called MEMORY.DMP .
     
  9. Jokerkun890

    Jokerkun890 Private E-2

    Is the error mentioned in both threads the one I get in my unexpected shutdown report, or did you find it in the log?

    Either way, they (the threads) both mention Virtual CloneDrive as a problem, specifically in regards to Windows 7. I just recently installed that, so I guess I should go ahead and uninstall it?

    Edit: I installed it right after the first set of Malware checks, as I uninstalled Daemon for the checks.
     
  10. thisisu

    thisisu Malware Consultant

    It's in your logs too.

    Yes try that. Remove Daemon Tools completely too if it's still present.
     
  11. Jokerkun890

    Jokerkun890 Private E-2

    I just uninstalled them.

    Also, windows just gave me this report to send off to solve the problem (which I did.)

     
  12. thisisu

    thisisu Malware Consultant

    Alright, keep me updated.
     
  13. Jokerkun890

    Jokerkun890 Private E-2

    There hasn't been a blue screen since I uninstalled the virtual drive. Thanks again.
     
  14. thisisu

    thisisu Malware Consultant

    You're welcome ;)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
