Rootkit.zeroaccess infection - I think

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by housailorr, Mar 23, 2012.

  1. housailorr

    housailorr Private E-2

    After years of malware free computers (thanks to MajorGeeks) I carelessly opened an exe file and now I appear to have the rootkit.zeroaccess infection on my Win XP machine. I use Norton Security Suite, MBAM, SAS.

    Although some malware removal programs have improved the situation, I have telltale signs that concern me: MalwareBytes keeps notifying me that it has “successfully blocked access to a potentially malicious website: ...”. This message pops up every minute or so, and the referenced URL is one of the same two each time.

    When rebooting, I often get a BSOD during the shutdown sequence, resulting in one of these messages:
    Bad_Pool_Header, Stop: 0x00000019
    Page_Fault_In_NonPaged_Area, Stop: 0x00000050
    Driver_Corrupted_nmpool Stop: 0x000000D0

    The discovery event:
    On 3/14 when I opened the suspect file Norton popped up a message “An intrusion attempt by 174.118.90.110 requiring manual removal detected.” I then locked down the firewall, disconnected the lan cable, and received the following additional Norton notices before I was able to perform the manual removal:
    “atinevxx.dll contained threat Trojan.Zeroaccess!inf. Resolved-NO Action Required.”
    “qwavedrv.dll contained threat Trojan.Zeroaccess!inf. Resolved-NO Action Required.”

    Removal attempts:
    1. I followed the Norton recommended manual removal process – running the Trojan.Zeroaccess Removal Tool.

    Upon restart, Malwarebytes began showing messages: “successfully blocked access to a potentially malicious website: ...”.

    2. Deleted the file I suspected of causing the problem.

    3. Ran the series of XP Malware removal programs. ComboFix produced a warning message similar to: “Rootkit.ZeroAccess inserted itself into TCP/IP stack. This is a particularly difficult...” ComboFix then rebooted the computer and resumed thru all 50 stages. When it tried to reboot again I got a BSOD: Bad_Pool_Header, Stop: 0x00000019 – this was the first such instance of the BSOD.

    4. I have run ComboFix and Mgtools a couple of times but received no additional alerts and no change in behavior.

    5. Ran TDSSKiller.exe – no noticeable change in behavior.

    Thanks in advance for any help with this.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hello housailorr,

    I want you to read and follow these instructions (UPDATED): TDSSKiller - How to run


    Scan with: yorkyt.exe by Panda Security

    • Download it to your desktop and run it.

    (screenshot)
    • Yes, restart
    (screenshot)
    • Let it restart again.
    (screenshot)
    • Be patient as the tool is working after the 2nd reboot.
    (screenshot)
    • When you see the above, test to see if browser redirects to Abnow are present or not.
    • Attach the Yorkyt.exe.log to your next message (it should be on your desktop). (How to attach)

    __

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      ipsec.sys
      netbt.sys
      svchost.exe
      tcpip.sys
      /md5stop
      %windir%\$ntuninstallkb*. /30
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      %systemdrive%\mgtools\*.*
      
    • Now click the scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  3. housailorr

    housailorr Private E-2

    Good morning, thisisu:

    Thank you for your help! I ran the programs you requested. You should know that I have run TDSSKiller and yorkyt.exe recently and have logs from the first instances also. I have included the first logs and the recent logs here so you can see if anything may have been fixed in an earlier scan.

    You should also know I ran RootRepeal and AntiZeroAccess a few days ago. After running AntiZeroAccess I noticed MalwareBytes AM reports of blocked URL access were reduced from 3 URLs to 2 URLs.

    In addition, I have blocked my computer from all Internet traffic at the router firewall, so there may be some errors from services trying to access the Internet. I access via Ethernet cable, and as far as I know I have not experienced any problems accessing the Internet.

    I have attached the TDSSKiller logs and the yorkyt.exe here and will attach the OTL logs on another post.
     

    Attached Files:

  4. housailorr

    housailorr Private E-2

    thisisu,

    Here are the OTL logs.
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    Please update TDSSKiller before scanning.
    Download the updated version here
    Attach the log when you have used the latest version. (How to attach)
     
  6. thisisu

    thisisu Malware Consultant

    Code:
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 
    .
    CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
    device: opened successfully
    user: error reading MBR 
    kernel: MBR read successfully
    user != kernel MBR !!! 
    Code:
          Size  Device Name          MBR Status
      --------------------------------------------
        232 GB  \\.\PhysicalDrive0   Unknown MBR code
                SHA1: 4F43A1F8C85AB60B1AECF0A4356AF8F36180AAE3
    Do you have your data backed up? Since you are experiencing BSODs and due to the above info in your logs, you most likely have an MBR infection.

    The vast majority of the time, restoring a clean MBR to a system goes without fail but just in case I am unable to restore your system to a booting state (if something does go wrong), you at least have your data handy.

    Let me know before we proceed.

    You should still scan with the new TDSSKiller though :)
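    The Gmer output quoted above rests on two simple checks: the MBR sector read through the ordinary file API must be byte-identical to the same sector read through a lower-level path (otherwise "user != kernel MBR"), and the SHA1 of the boot-code region is looked up against known-good digests (anything unrecorded is reported as "Unknown MBR code"). The following Python script is an added example written for this thread, not code from Gmer, the forum or either poster: it parses a 512-byte MBR image, hashes the boot code, classifies it against a baseline and compares two views of the same sector. All images, digests and the 232 GB partition layout are constructed in the script itself; the baseline table is a hypothetical one you would populate from trusted media, which is also why a third-party boot manager's MBR shows as "Unknown" until its digest has been recorded.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot code that Gmer hashes and classifies
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR image from boot code and up to four
    (status, type, lba_start, sector_count) tuples.  Constructed test data only;
    nothing here touches a real disk."""
    if len(boot_code) > BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("boot code too long or too many partition entries")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    table = b"".join(
        # CHS start/end are filled with the conventional 0xFE 0xFF 0xFF "use LBA" markers
        struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
        for status, ptype, lba, count in entries
    )
    return code + table.ljust(4 * 16, b"\x00") + BOOT_SIGNATURE


def boot_code_sha1(image: bytes) -> str:
    """SHA1 of the boot-code region only (the partition table is excluded)."""
    return hashlib.sha1(image[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_mbr(image: bytes) -> dict:
    """Validate the boot signature and decode the partition table."""
    if len(image) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if image[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack("<B3sB3sII", image[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count,
                           "size_gb": round(count * SECTOR_SIZE / 2**30)})
    return {"boot_code_sha1": boot_code_sha1(image), "partitions": partitions}


def classify_boot_code(image: bytes, baseline: dict) -> str:
    """Look the boot-code digest up in a table recorded from known-good media;
    anything not recorded is reported the way Gmer does, as 'Unknown MBR code'."""
    return baseline.get(boot_code_sha1(image), "Unknown MBR code")


def compare_views(user_view: bytes, kernel_view: bytes) -> dict:
    """Emulate the 'user != kernel MBR' check: the same sector read through the
    ordinary file API and through a lower-level path must be byte-identical.  A
    difference confined to the boot code, with the partition table intact, is the
    pattern that check flags."""
    u, k = parse_mbr(user_view), parse_mbr(kernel_view)
    return {
        "identical": user_view == kernel_view,
        "boot_code_differs": user_view[:BOOT_CODE_LEN] != kernel_view[:BOOT_CODE_LEN],
        "partition_table_differs": u["partitions"] != k["partitions"],
    }


# --- constructed sample images (not taken from any real machine) ------------------
# One active NTFS-type partition starting at LBA 63 with ~232 GB of sectors, as in the log.
SAMPLE_TABLE = [(0x80, 0x07, 63, 486_000_000)]
STOCK_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40, SAMPLE_TABLE)
BOOTMGR_MBR = build_mbr(b"\xfa\x31\xc0" + b"\xcc" * 200, SAMPLE_TABLE)  # stand-in for a boot manager's MBR
# The "kernel" view of a tampered disk: same partition table, different boot code.
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x00" * 100, SAMPLE_TABLE)

# Hypothetical baseline of digests you recorded from trusted media beforehand.
KNOWN_GOOD = {
    boot_code_sha1(STOCK_MBR): "stock-style MBR (constructed)",
    boot_code_sha1(BOOTMGR_MBR): "boot-manager MBR (constructed)",
}

if __name__ == "__main__":
    for name, img in (("stock", STOCK_MBR), ("bootmgr", BOOTMGR_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(img)
        print(f"{name:9} SHA1 {info['boot_code_sha1']}  {classify_boot_code(img, KNOWN_GOOD)}")
        print("          partitions:", info["partitions"])
    print("clean disk  :", compare_views(STOCK_MBR, STOCK_MBR))
    print("hooked read :", compare_views(STOCK_MBR, TAMPERED_MBR))
```

    Run stand-alone it prints the digest, classification and decoded partition table for each constructed image, then the comparison results. The design point is that the partition table is deliberately left out of the hash: a modified boot sector that keeps the partition table intact still boots the system normally, so comparing only the partition table would miss it, while hashing only the boot code lets you keep one baseline digest per boot loader regardless of how the disk is partitioned.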
     
  7. housailorr

    housailorr Private E-2

    thisisu,

    Sorry for the mistake. Here is the log from the latest version of TDSSKiller.
     

    Attached Files:

  8. housailorr

    housailorr Private E-2

    I have backups that are 2 weeks old, but I will create a new set and let you know when I am ready.

    I also use BootIT NG to manage partitions and disk imaging. This program works with a modified MBR and it may be interfering with the MBR scan.
     
  9. thisisu

    thisisu Malware Consultant

    Ok, the MBR most likely is not the issue then. Let's proceed cleaning what I could find and then let me know how the system is running.

    Go ahead and create your new backup set and then proceed with the below.

    __

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Driver Cleaner.NET
    • HijackThis 2.0.2
    • IE7Pro (for troubleshooting purposes / feel free to reinstall after malware removal is complete)
    • Napster
    • Norton Security Suite (for troubleshooting purposes / feel free to reinstall after malware removal is complete)
    • Spybot - Search & Destroy (for troubleshooting purposes / feel free to reinstall after malware removal is complete)
    • The Ultimate Troubleshooter
    • Uniblue DriverScanner 2009

    /!\ Now download and run: Norton_Removal_Tool.exe

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Run C:\MGtools\analyse.exe by double-clicking it (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Choose "Do a system scan only" and select the following lines but do not click fix until you exit all explorer windows and all browser sessions including the one you are reading in right now:
    • R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - (no file)
    • R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    • O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - (no file)
    • O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)

    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the text-field.
    Code:
    :processes
    killallprocesses
    :otl
    SRV - File not found [Disabled | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9)
    SRV - File not found [Disabled | Stopped] -- %systemroot%\system32\QWAVEDRV.dll -- (pinnaclemarvinusb)Suite\IDVaultSvc.exe -- (IDVaultSvc)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\VNUSB.sys -- (VNUSB)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ViaIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ultra)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (TosIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc8xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc810)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_u3)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_hi)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Sparrow)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Simbad)
    DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\RimUsb.sys -- (RimUsb)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1280)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1240)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql12160)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Ql10wnt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1080)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2hib)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (mraid35x)
    DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ini910u)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (i2omp)
    DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (hpn)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (dpti2o)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (dac960nt)
    DRV - File not found [Kernel | Disabled | Unknown] --  -- (dac2w2k)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Cpqarray)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (CmdIde)
    DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (cd20xrnt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\RAYMON~1\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Atdisk)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3550)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3350p)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (amsint)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (AliIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78u2)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Aha154x)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (adpu160m)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (abp480n5)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Abiosdsk)
    IE - HKU\S-1-5-21-2025429265-1292428093-725345543-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
    IE - HKU\S-1-5-21-2025429265-1292428093-725345543-1003\..\SearchScopes\{79B4F60A-D530-4DC8-82CE-D99A9A8E81DA}: "URL" = http://www.ask.com/web?q={searchTerms}&qsrc=0&o=0&l=dir
    IE - HKU\S-1-5-21-2025429265-1292428093-725345543-1003\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=100842&mntrId=f0512a4d00000000000000111159e252
    IE - HKU\S-1-5-21-2025429265-1292428093-725345543-1003\..\SearchScopes\{B6CC3541-2CAB-4982-AA87-21DC2EC30867}: "URL" = http://search.ebay.com/search/search.dll?satitle={searchTerms}
    FF - HKLM\Software\MozillaPlugins\@bittorrent.com/BitTorrentDNA: C:\Program Files\DNA\plugins\npbtdna.dll (BitTorrent, Inc.)
    FF - HKLM\Software\MozillaPlugins\@mcafee.com/MVT:  File not found
    [2011/03/17 12:52:00 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Documents and Settings\Raymond Orr\Application Data\Mozilla\Firefox\Profiles\c9rmjoir.RayOrr\extensions\engine@conduit.com
    [2008/09/03 19:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\mozilla firefox\plugins\npbittorrent.dll
    O2 - BHO: (IE7Pro BHO) - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\IEPro.dll (IE7Pro.com)
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
    ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
    NetSvcs: pinnaclemarvinusb - %systemroot%\system32\QWAVEDRV.dll File not found
    NetSvcs: AlteraByteBlaster -  File not found
    [2012/03/16 14:55:10 | 000,187,464 | ---- | C] (Webroot) -- C:\Documents and Settings\Raymond Orr\Desktop\antizeroaccess.exe
    [2012/03/14 21:57:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Raymond Orr\Application Data\FixZeroAccess
    [2012/03/14 21:55:06 | 001,805,736 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Raymond Orr\Desktop\FixZeroAccess.exe
    [2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2 C:\Documents and Settings\Raymond Orr\My Documents\*.tmp files -> C:\Documents and Settings\Raymond Orr\My Documents\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    @Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\ntbackup.exe:SummaryInformation
    :files
    rd /s/q C:\WINDOWS\$NtUninstallKB1780$ /c
    C:\WINDOWS\8v2yf5b7x4m4m5g
    C:\Program Files\Norton Security Suite
    C:\Program Files\IEPro
    C:\Program Files\Spybot - Search & Destroy
    rd /s/q C:\WINDOWS\$NtUninstallKB1780$ /c
    type "C:\Documents and Settings\Raymond Orr\Desktop\AntiZeroAccess_Log.txt" /c
    type "C:\Documents and Settings\Raymond Orr\Desktop\fss.txt" /c
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{79B4F60A-D530-4DC8-82CE-D99A9A8E81DA}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B6CC3541-2CAB-4982-AA87-21DC2EC30867}]
    :commands
    [emptyjava]
    [emptyflash]
    
    Now click the fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  10. housailorr

    housailorr Private E-2

    thisisu,

    Reboots after removal of some programs are going slowly... not sure why. But, I'm still plugging away. Get back to you soon.
     
  11. housailorr

    housailorr Private E-2

    thisisu,

    I ran OTL with the script, but it has hung up after the fourth line:
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\VNUSB.sys -- (VNUSB).

    It has been at this stage for over 30 minutes. The computer will not respond to any keyboard input.

    How should I proceed after I shut the computer down with the master switch?
     
  12. thisisu

    thisisu Malware Consultant

    Try the same fix while in Safe Mode. See: How to start your computer in Safe mode

    The OTL fix will want to reboot - Allow it to return to Normal Mode.
     
  13. housailorr

    housailorr Private E-2

    Ok, that was challenging!

    Gee, without my anti-malware stuff running I feel like I'm standing naked in the doorway hoping no one can see in! :-o

    OTL ran in safe mode so I completed the assignment. The logs are attached.
     

    Attached Files:

  14. thisisu

    thisisu Malware Consultant

    Let me know how the system is running whenever you get a chance to experiment with it for a bit.

    Latest logs look good.
     
  15. housailorr

    housailorr Private E-2

    The Malwarebytes AM warnings are still showing every minute or so, with the same two IP addresses.

    No change yet.
     
  16. thisisu

    thisisu Malware Consultant

    Update MBAM
    Run a Quick Scan with MBAM
    Attach the log from MBAM (How to attach)

    Update SAS
    Run a Quick Scan with SAS
    Attach the log from SAS (How to attach)

    Please download RogueKiller to your desktop.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    When it is finished, there will be a log on your desktop called: RKreport[1].txt
    Attach RKreport[1].txt to your next message. (How to attach)
     
  17. housailorr

    housailorr Private E-2

    Thanks, I'll have to do that in the morning as I have to get a video out this evening yet. It will be around noon before I can get to it.

    I'm also still getting the BSODs during shutdown when I reboot.

    Thanks for your help so far.
     
  18. housailorr

    housailorr Private E-2

    thisisu,

    Here are the logs you requested.

    When I ran SAS with the Quick Scan button checked, it performs a complete scan instead. The complete scan takes several hours, so I left it run while I was out. When I returned, it was still running (over 2x as long as a normal complete scan) so I stopped it.

    I again attempted the Quick Scan but it ran a complete scan which I left running and went to bed. This morning it was still running so I stopped it.

    I have SAS set to run a daily scan automatically and that scan completed, so I have included the log for the complete scan.

    Not sure why SAS is working that way, but will address it later.
     

    Attached Files:

  19. thisisu

    thisisu Malware Consultant

    Here are the next steps I'd like you to take. Let me know how the PC runs after you have completed them.

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\.tab\PersistentHandler]
    @DACL=(02 0000)
    @="{5e941d80-bf96-11cd-b579-08002b30bfeb}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\cfexefile\DefaultIcon]
    @DACL=(02 0000)
    @SACL=
    @="%1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\cfexefile\shell]
    @DACL=(02 0000)
    @SACL=
    .
    [HKEY_LOCAL_MACHINE\software\Classes\cfexefile\shellex]
    @DACL=(02 0000)
    @SACL=
    [HKEY_LOCAL_MACHINE\software\Classes\mapi\Shell]
    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0C0DD146-A2A6-BFA4-F4B84228CE730E88}\{718890A1-4FA8-4866-06B3B07592C0C36E}\{C0B10667-122D-45CB-48A7F7AE622314D0}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{11B5C8DC-3FEA-1682-D4F0355518481497}\{414E0745-768E-27E6-1A22BEEA50FFC306}\{0F77990A-A8C5-E83C-A2DEB9098A2A23DE}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20182402-24ED-DBEE-0C047CC941A92C12}\{18337038-91FA-1511-718667CAE01F35A0}\{7E9CBDE1-C583-B4C7-27A5326796C918BF}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{969D404C-EC53-A9AF-A02B8ED8C194B4B8}\{49CEC6C1-E90A-6C40-7DC9D5345834AD37}\{B3C560DA-C3C9-1298-A5CC78F93CD65657}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A3898AE7-11D1-364C-50B629D3BDD33730}\{75E2AEA1-D0D7-F395-00074BFE3B49B652}\{C6A3DC00-042F-33E6-17A49D873A8D73F7}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B3A3A58F-967E-A40A-C7DDFB524B0CDFB3}\{B28E8422-363F-1C4B-CC056478281B7FCE}\{569EFB20-10B3-C9F5-895B6A19B8852344}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
    RegNull::
    [HKEY_USERS\S-1-5-21-2025429265-1292428093-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{26FD9D71-8F27-8990-0A17-048347883521}*]
    Suspect::[137]
    c:\windows\system32\drivers\mf.sys
    c:\windows\system32\drivers\mtlstrm.sys
    c:\windows\system32\drivers\nwlnknb.sys
    c:\windows\system32\drivers\slnt7554.sys
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    (screenshot)
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  20. housailorr

    housailorr Private E-2

    Thisisu,

    I had to boot into Safe Mode to get CF to finish.

    When CF rebooted, prior to finishing the reports I got a message: CF needs to submit malware files for further analysis.

    I unblocked Internet access momentarily, then clicked the OK button and files were uploaded.

    Attached are the reports.
     

    Attached Files:

  21. thisisu

    thisisu Malware Consultant

    These were clean.

    Only during shutdown and reboot? Never while the computer is idle?

    At this point I would like to see the logs from the BSODs you received so I can try to figure out what is causing the crashes.
    These can be found in this folder: c:\Windows\Minidump
    Inside this folder there should be a few .dmp files
    Please zip all of these up and attach for review.
     
  22. housailorr

    housailorr Private E-2

    I can find no dmp files. Is there a configuration or set up that would prevent these from being generated?
     
  23. thisisu

    thisisu Malware Consultant

  24. housailorr

    housailorr Private E-2

    Thisisu,

    I have identified the culprit file that is causing MBAM to show the alerts.

    I have a program called "easydownloads.exe" that loads automatically at start up. If I kill the process, the alerts stop. If I restart the process, the alerts resume.

    I have no idea how this program got onto my computer. I certainly don't use it. I first noticed a splash screen that appeared during reboot recently - I seem to think it appeared sometime after the Norton alerts began, but I can't say for sure.

    I have changed the file extension so it should not restart (I hope). If you think I should send the file somewhere for analysis I will do so, if not I will remove it.

    I have configured the minidump and will reboot to get some data for you.
     
  25. thisisu

    thisisu Malware Consultant

    The file has been analyzed here.

    Please delete the file and attach a new MGlogs.zip
     
  26. housailorr

    housailorr Private E-2

    I have removed the file and attached a new MGlogs.

    I have rebooted several times, but I still do not get a minidump file. The same 3 BSOD error codes are showing up. :(
     

    Attached Files:

  27. thisisu

    thisisu Malware Consultant

    Click the Start button. -> Run -> Type in: msconfig and then click OK.
    • The System Configuration utility opens
    • Go to the startup tab and press the "Disable All" button.
    • Now go to the Services tab
    • Very important: Put a checkmark in "Hide all Microsoft services".
    • Now press the "Disable All" button.
    • Then press the "OK" button.
    • You may get a pop up that says you need to reboot in order for the changes to take effect.
    • Go ahead and do this now before proceeding with these next steps. IF the PC bluescreens, write down the error code you receive. Example: 0x000008e

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the text-field.
    Code:
    :files
    C:\Program Files\Easy Downloads
    dir C:\windows\minidump /c
    %windir%\system32\wevtutil.exe cl Application /c
    %windir%\system32\wevtutil.exe cl Security /c
    %windir%\system32\wevtutil.exe cl Setup /c
    %windir%\system32\wevtutil.exe cl System /c
    sc config Cdr4_xp start= disabled /c
    sc config IDVaultSvc start= disabled /c
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "EasyDownloads"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{79B4F60A-D530-4DC8-82CE-D99A9A8E81DA}]
    [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0C0DD146-A2A6-BFA4-F4B84228CE730E88}]
    [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{11B5C8DC-3FEA-1682-D4F0355518481497}]
    [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20182402-24ED-DBEE-0C047CC941A92C12}]
    [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{969D404C-EC53-A9AF-A02B8ED8C194B4B8}]
    [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A3898AE7-11D1-364C-50B629D3BDD33730}]
    [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B3A3A58F-967E-A40A-C7DDFB524B0CDFB3}]
    [-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}]
    :commands
    [clearallrestorepoints]
    [emptytemp]
    
    Now click the fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Please download Vino's Event Viewer to your desktop.
    • Double-click VEW.exe to run.
    • Under Select log to query, select:
      • Application
      • System
    • Under Select type to list, select:
      • Error
      • Warning
    • Click the radio button for Number of events
    • Type 20 in the 1 to 20 box.
    • Now click the Run button
    • When the program is finished, Notepad will open.
    • Close Notepad
    • Browse explorer to find C:\VEW.txt
    • This is where the log saved itself.
    • Attach VEW.txt to your next message. (How to attach)

    Are you making use of Comcast's ConstantGuard program? Let me know.

    I would also like you to update TDSSKiller. Make sure you do this whenever you are reading and following the directions below:

    I want you to read and follow these instructions: TDSSKiller - How to run

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  28. housailorr

    housailorr Private E-2

    Attached are the requested logs.

    I use Constant Guard mostly because it provides a dashboard from which I installed Norton Security Suite (which I removed and have yet to reinstall).

    I also use the online account feature to password protect access to my financial account web sites, and the online backup and share option for selected files.

    I do not use any other options.
     

    Attached Files:

  29. thisisu

    thisisu Malware Consultant

    • Are you still receiving the BSODs?
      • Is it only when you try to shut down or restart the PC?
    • How does the PC perform in general?
    I was seeing some errors from Comcast ConstantGuard, however, the latest errors are related to ACT! Scheduler.

    These BSODs may all be related to the software you have installed.

    Whenever you get your next BSOD, write down the technical information that is circled in red in this example picture:
    (screenshot)
     
  30. housailorr

    housailorr Private E-2

    The computer performance seems to be normal, a little faster, but I don't yet have all the security apps reinstalled.

    The BSOD only shows when I choose restart or shut down from the menu.

    The last BSOD message was:

    STOP: 0x00000050 (0xE14C5000, 0x00000000, 0x804D9A69, 0x00000001)
     
  31. thisisu

    thisisu Malware Consultant

    I do not believe this is malware related anymore.

    You may want to give this a try: User Profile Hive Cleanup Service
    Download and install: UPHClean-Setup.msi

    You should post in the Software forum for additional help.
    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  32. housailorr

    housailorr Private E-2

    Thank you so much for your patience and diligence. It is SO comforting to have someone to help guide me and you are great, as are all that help people like me on these forums.
     
  33. thisisu

    thisisu Malware Consultant

    You're welcome :)

    Thank you for the compliment :)
     
  34. housailorr

    housailorr Private E-2

    Thisisu,

    After going thru the cleanup exercises and installing UPHClean I am no longer getting the BSOD! I have rebooted several times and all seems to work.

    I'm very happy again!
     
  35. thisisu

    thisisu Malware Consultant

    That's great! Very glad to hear that :cool

    Take care :wave
     
