MajorGeeks Support Forums

Go Back   MajorGeeks Support Forums > ----------= PC, Desktop and Laptop Support =---------- > Malware Removal
Register FAQ Members List Calendar Casino Mark Forums Read

Malware Removal Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.


Reply
 
Thread Tools Display Modes
  #1  
Old 04-22-10, 01:21
d8122 d8122 is offline
Private E-2
 
Join Date: Apr 2010
Posts: 4
Thanks: 2
Thanked 0 Times in 0 Posts
Default Nasty infection - causing BSOD intermittently

this is my cousin's computer. He had a particularly nasty version of Internet Explorer Super Anti-virus that disabled .exe files amungst other things that I have been trying to clean since 9AM this morning. I have run AVG Free 9.0 (it reports no problems now), SAS (it cleared a ton of stuff), edited the registry to allow .exe files to run, fought for three hours to get MBAM to run (it finally did run), ran Spybot and have just finished ComboFix which reported rootkit issues as well. Until this point, I got the BSOD and a memory error 0x00000008 whenever I tried to boot to windows XP in normal mode. Safe mode with networking ran ok, but with warnings. I'm attaching the logs I can find and would appreciate any assistance or direction in other actions I should take to clear things for him. I REALLY do not want to have to reload XP if I can avoid it, espcially since he can't find the CD's and I don't have a copy of Media Center which is the version he's been running. thanks in advance
Attached Files
File Type: txt mbam-error.txt (109 Bytes, 1 views)
File Type: txt ComboFix.txt (20.3 KB, 1 views)
File Type: txt avgrep.txt (6.3 KB, 1 views)
File Type: txt VundoFix.txt (160 Bytes, 1 views)
Reply With Quote
Sponsored links
  #2  
Old 04-22-10, 09:55
Kestrel13!'s Avatar
Kestrel13! Kestrel13! is offline
Super Malware Fighter - Major Dilemma
 
Join Date: Apr 2007
Location: cloud cuckoo land
Posts: 28,388
Thanks: 908
Thanked 3,578 Times in 3,493 Posts
Default Re: Nasty infection - causing BSOD intermittently

I still need to see the C:\Mglogs.zip from running C:\MGTools.exe. Run that if you haven't already per the instructions in the R&R and attach the log it creates into your next reply and then I can get on with giving you a fix.
__________________
Have we been helpful? Did our services here at MajorGeeks save you a whole lot of cash? If you would like to bequest a small amount as a token of your appreciation, please look out for the yellow 'Donate' button on the top right of any page. Thanks!
Reply With Quote
  #3  
Old 04-22-10, 12:23
d8122 d8122 is offline
Private E-2
 
Join Date: Apr 2010
Posts: 4
Thanks: 2
Thanked 0 Times in 0 Posts
Default Re: Nasty infection - causing BSOD intermittently

Thank you! I've attached the log from MGTools as well as a MBAM log I was able to run this morning. No more BSOD so far today, but would appreciate your insight as to anything else I can do to clean up the mess.
Attached Files
File Type: zip MGlogs.zip (102.1 KB, 1 views)
File Type: txt mbam-log-2010-04-22 (12-53-04).txt (3.7 KB, 2 views)
Reply With Quote
  #4  
Old 04-22-10, 18:22
Kestrel13!'s Avatar
Kestrel13! Kestrel13! is offline
Super Malware Fighter - Major Dilemma
 
Join Date: Apr 2007
Location: cloud cuckoo land
Posts: 28,388
Thanks: 908
Thanked 3,578 Times in 3,493 Posts
Default Re: Nasty infection - causing BSOD intermittently

Quote:
but would appreciate your insight as to anything else I can do to clean up the mess.
And what a mess it is. Let's get started on clean up!

1. Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode

2. You have two different anti virus installed. This is never a good idea due to many reasons, so please uninstall one of the two before we continue:
  • Trend Micro PC-cillin Internet Security 12
  • AVG Free 9.0

3. Please go to Add/Remove programs and uninstall the following software:
  • J2SE Runtime Environment 5.0 Update 6

4. If you do not use Windows Messenger Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

5. Did you set the below? If not then include it in our fixables:

Quote:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by MySpace
6. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

Quote:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by MySpace
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.186,93.188.166.131
After clicking Fix exit HJT.

7. Now we need to use ComboFix
  • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
  • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
  • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
Code:
KILLALL::

RenV::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Dell\Media Experience\dmxlauncher .exe
c:\program files\Dell Support\dsagnt .exe
c:\program files\Google\Google Desktop Search\googledesktop .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\Yahoo!\Messenger\yahoomessenger .exe
c:\program files\Yahoo!\Search Protection\searchprotection .exe
c:\windows\ehome\ehtray .exe
c:\windows\system32\DLA\dlactrlw .exe
c:\docume~1\ed\locals~1\temp\chc         .exe

FileLook::
c:\windows\system32\FFD313F53E.sys

DirLook::
C:\WINDOWS\8C503S8BZ13JLG57

File::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Dell\Media Experience\dmxlauncher .exe
c:\program files\Dell Support\dsagnt .exe
c:\program files\Google\Google Desktop Search\googledesktop .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\Yahoo!\Messenger\yahoomessenger .exe
c:\program files\Yahoo!\Search Protection\searchprotection .exe
c:\windows\ehome\ehtray .exe
c:\windows\system32\DLA\dlactrlw .exe
c:\program files\76156.dat
C:\Documents and Settings\LocalService\Local Settings\Application Data\63RDu2gJKQ
C:\Documents and Settings\NetworkService\Local Settings\Application Data\63RDu2gJKQ
C:\Documents and Settings\ed\Local Settings\Application Data\22k5paIc
c:\docume~1\ed\locals~1\temp\chc         .exe
C:\Documents and Settings\ed\Local Settings\Application Data\3007464621
C:\Documents and Settings\ed\Local Settings\Application Data\30074646213035940529
C:\Documents and Settings\ed\Local Settings\Application Data\30074646213289215207
C:\Documents and Settings\ed\Local Settings\Application Data\300746462163RDu2gJKQ
C:\Documents and Settings\ed\Local Settings\Application Data\30074646217Alp65jw
C:\Documents and Settings\ed\Local Settings\Application Data\3007464621812392749
C:\Documents and Settings\All Users\Application Data\22k5paIc
C:\Documents and Settings\All Users\Application Data\3007464621
C:\Documents and Settings\All Users\Application Data\3035940529
C:\Documents and Settings\All Users\Application Data\3289215207
C:\Documents and Settings\All Users\Application Data\63RDu2gJKQ
C:\Documents and Settings\All Users\Application Data\7Alp65jw
C:\Documents and Settings\All Users\Application Data\812392749
C:\Documents and Settings\ed\Templates\22k5paIc
C:\Documents and Settings\ed\Templates\3007464621
C:\Documents and Settings\ed\Templates\3035940529
C:\Documents and Settings\ed\Templates\3289215207
C:\Documents and Settings\ed\Templates\63RDu2gJKQ
C:\Documents and Settings\ed\Templates\7Alp65jw
C:\Documents and Settings\ed\Templates\812392749
C:\WINDOWS\system32\wahoneza.dll 
c:\docume~1\ed\LOCALS~1\Temp\geurge.exe
c:\docume~1\ed\LOCALS~1\Temp\nvsvc32.exe

Folder::
c:\documents and settings\ed\Local Settings\Application Data\cxbkaolui

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\befifufobi]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ewrgetuj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf87efjhdsf87f3jfsdi7fhsujfd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YVIBBBHA8C]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer]

RegLock::
[HKEY_USERS\S-1-5-21-2897835390-3875079946-978270905-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,49,73,fa,c4,4c,ca,93,4c,8d,e4,4c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,49,73,fa,c4,4c,ca,93,4c,8d,e4,4c,\
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe



  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


8. Reboot your machine and install the most current and up to date version of Java available here at the below link:

Java Runtime 6

9. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

10. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
__________________
Have we been helpful? Did our services here at MajorGeeks save you a whole lot of cash? If you would like to bequest a small amount as a token of your appreciation, please look out for the yellow 'Donate' button on the top right of any page. Thanks!

Last edited by Kestrel13!; 04-22-10 at 18:47.. Reason: typo
Reply With Quote
  #5  
Old 04-22-10, 22:09
d8122 d8122 is offline
Private E-2
 
Join Date: Apr 2010
Posts: 4
Thanks: 2
Thanked 0 Times in 0 Posts
Default Re: Nasty infection - causing BSOD intermittently

I tried to follow your instructions to the letter .. with one exception. I uninstalled AVG earlier today before your message and installed MS Security Essentials (in the hope idiot would at least let that update), but I cannot get PC-Cillin to uninstall. If I try to uninstall under CP, a fatal error occurs. There's nothing under Program files, and task manager doesn't show pccmon* process running, but ComboFix insists it is there. I even tried downloading a fresh install in hopes it would over-write and fill in any blanks, but that didn't work either. I ran Combofix anyway. the only messages that popped up said windows was missing critical files and to insert the XP Profession CD 2. I didn't (and can't should I need to in the future as this machine is running Media Center and the only disc i have is for XP Pro). All else went smoothly and I have not experienced any BSOD's today as I surfed, added a new user account and found a great recipe for Arroz Con Pollo,
The logs for ComboFix and MGTools are attached.

PS - if any marginal "fluff" stuff would best be uninstalled, please let me know. It hasn't helped him get a date anyway

You're a champ!
Attached Files
File Type: txt combofixlog.txt (21.4 KB, 2 views)
File Type: zip MGlogs.zip (103.9 KB, 2 views)
Reply With Quote
Sponsored links
  #6  
Old 04-23-10, 05:28
Kestrel13!'s Avatar
Kestrel13! Kestrel13! is offline
Super Malware Fighter - Major Dilemma
 
Join Date: Apr 2007
Location: cloud cuckoo land
Posts: 28,388
Thanks: 908
Thanked 3,578 Times in 3,493 Posts
Default Re: Nasty infection - causing BSOD intermittently

Both AVG and Trend Micro require removal tools. Let's see what we can do to clear up from the old anti virus and also have another go at deleting some files that are being stubborn.

Official AVG Removal Tool

PCCTool from Trend Micro

Now Run Ccleaner. (Not on the registry section though)

Please go to Jotti's malware scan

(If more than one file needs scanned they must be done separately and logs posted for each one)
  • Copy the file path in the below Code box:
    Code:
    c:\windows\system32\FFD313F53E.sys
  • At the upload site, click the browse button.
  • Next click Submit file
  • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
  • This will perform a scan across multiple different virus scanning engines.
  • Important: Wait for all of the scanning engines to complete.
  • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

Could you please get this: FFD313F53E.sys into a zipped file and attach it for me in your next post? To do this, see the below:

Please go to start > Run and paste in the following:
Quote:
%systemdrive%\MGTools\zip "%systemdrive%\collect.zip" c:\windows\system32\FFD313F53E.sys
log retrievable @ C:\collect.zip

Now we need to use ComboFix
  • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
  • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
  • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
Code:
KILLALL::

Folder::
c:\windows\8C503S8BZ13JLG57
C:\Documents and Settings\ed\Local Settings\Application Data\avg
c:\program files\AVG
c:\documents and settings\NetworkService\Local Settings\Application Data\avG
c:\documents and settings\All Users\Application Data\avG

File::
C:\Documents and Settings\ed\Local Settings\Application Data\3035940529
C:\Documents and Settings\ed\Local Settings\Application Data\3289215207
C:\Documents and Settings\ed\Local Settings\Application Data\63RDu2gJKQ
C:\Documents and Settings\ed\Local Settings\Application Data\7Alp65jw
C:\Documents and Settings\ed\Local Settings\Application Data\812392749
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe



  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

Quote:
C:\WINDOWS\temp
C:\Documents and Settings\ed\Local Settings\temp
Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
__________________
Have we been helpful? Did our services here at MajorGeeks save you a whole lot of cash? If you would like to bequest a small amount as a token of your appreciation, please look out for the yellow 'Donate' button on the top right of any page. Thanks!
Reply With Quote
The Following User Says Thank You to Kestrel13! For This Useful Post:
d8122 (04-23-10)
  #7  
Old 04-23-10, 08:52
d8122 d8122 is offline
Private E-2
 
Join Date: Apr 2010
Posts: 4
Thanks: 2
Thanked 0 Times in 0 Posts
Default Re: Nasty infection - causing BSOD intermittently

Once again .... THANK YOU! I think the old AVs are finally cleaned. Logs and file you requested are attached. According to Jotti's, the file was clean - wonder what it is from? Here is the URL:
http://virusscan.jotti.org/en/scanre...742eaff50b6859

How'd you learn to interpret the output files? I'd love to learn more myself
Attached Files
File Type: txt combofixlog.txt (18.0 KB, 4 views)
File Type: zip MGlogs.zip (103.4 KB, 1 views)
File Type: zip collect.zip (308 Bytes, 2 views)
Reply With Quote
  #8  
Old 04-23-10, 09:31
Kestrel13!'s Avatar
Kestrel13! Kestrel13! is offline
Super Malware Fighter - Major Dilemma
 
Join Date: Apr 2007
Location: cloud cuckoo land
Posts: 28,388
Thanks: 908
Thanked 3,578 Times in 3,493 Posts
Default Re: Nasty infection - causing BSOD intermittently

Quote:
How'd you learn to interpret the output files? I'd love to learn more myself
Was taught by Chaslang and another online malware removal school.

Anyway, your logs are clean!

If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
  2. If we used Pocket Killbox during your cleanup, do the below
    • Run Pocket Killbox and select File, Cleanup, Delete All Backups
  3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
    • "%userprofile%\Desktop\combofix" /uninstall
      • Notes: The space between the combofix" and the /uninstall, it must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
  6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  7. Go to add/remove programs and uninstall HijackThis.
  8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
  9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  10. After doing the above, you should work thru the below link:
__________________
Have we been helpful? Did our services here at MajorGeeks save you a whole lot of cash? If you would like to bequest a small amount as a token of your appreciation, please look out for the yellow 'Donate' button on the top right of any page. Thanks!
Reply With Quote
The Following User Says Thank You to Kestrel13! For This Useful Post:
d8122 (04-23-10)
  #9  
Old 04-23-10, 14:08
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,326
Thanks: 61
Thanked 7,645 Times in 4,118 Posts
Default Re: Nasty infection - causing BSOD intermittently

Quote:
Originally Posted by d8122 View Post
O According to Jotti's, the file was clean - wonder what it is from?
It is just from using DivX.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
  #10  
Old 04-23-10, 18:40
Kestrel13!'s Avatar
Kestrel13! Kestrel13! is offline
Super Malware Fighter - Major Dilemma
 
Join Date: Apr 2007
Location: cloud cuckoo land
Posts: 28,388
Thanks: 908
Thanked 3,578 Times in 3,493 Posts
Default Re: Nasty infection - causing BSOD intermittently

Quote:
Originally Posted by chaslang View Post
It is just from using DivX.
Thanks Chas
__________________
Have we been helpful? Did our services here at MajorGeeks save you a whole lot of cash? If you would like to bequest a small amount as a token of your appreciation, please look out for the yellow 'Donate' button on the top right of any page. Thanks!
Reply With Quote
Sponsored links
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
nasty infection kdogg Malware Removal 14 11-21-09 22:35
nasty infection - please help bigpampers Malware Removal 5 02-19-09 17:34
Help with nasty little infection... jourdo Malware Removal 7 03-31-08 12:13
Please Help Me out with nasty infection. Tyler_durden81 Malware Removal 5 07-12-06 00:59
Please Help Me out with nasty infection. Tyler_durden81 Malware Removal 2 07-11-06 00:24


All times are GMT -5. The time now is 11:00.

MajorGeeks.Com Menu

MajorGeeks.Com \ All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ NEW! PC Games \ System Tools \ Macintosh \ Demonews.Com \ Top Downloads

MajorGeeks.Com \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds


All content Copyright MajorGeeks.com source code Powered by vBulletin® Version 3.8.4
Copyright © 2009 vBulletin Solutions, Inc. All rights reserved.
Ad Management by RedTyger