HELP! I ran SAS and am blue screening during boot

Welcome to Major Geeks!

What program did you try to install (was it legal)? Have you uninstalled it? If not then uninstall it now.

You can do the below in safe boot mode.

Please see the instructions in the READ & RUN ME for Spybot Teatimer. You must disable it immediately. Then reboot and continue with the below.

Now jump to the part of the cleaning instructions for MGtools. Download it and save it to c:\MGtools.exe as requested. Then double click on it to run it. Do not bother attaching the MGlogs.zip file yet. We are going to do some quick partial fixes first. I say partial because that is all I can do without all of the required logs. It may be enough to help us get further.


Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {3569F196-6D0F-4E83-89F5-E73F50B3D051} - C:\WINDOWS\system32\cbXQiFwv.dll (file missing)
O2 - BHO: (no name) - {60A5A034-3572-474D-8E2D-47F424777CC1} - C:\WINDOWS\system32\yayvVNgG.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AF6F25CD-4DE9-4D72-8BC1-B4CD84C1B526} - C:\WINDOWS\system32\ssqNExVm.dll (file missing)
O2 - BHO: (no name) - {D6258CA6-2028-4CDD-B496-CACC18721A60} - C:\WINDOWS\system32\iifecddc.dll
O2 - BHO: (no name) - {E5AD347D-E191-4394-B291-D35DD2B3FF09} - C:\WINDOWS\system32\efcBqOIc.dll (file missing)
O3 - Toolbar: vrmdtneg - {778DC3F7-1699-4A2F-8D32-143C0D00854C} - C:\WINDOWS\vrmdtneg.dll (file missing)
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe] "C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe" /autorun
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - Winlogon Notify: iifecddc - C:\WINDOWS\SYSTEM32\iifecddc.dll
O21 - SSODL: xvorfwbd - {1C607259-E497-4A9E-9C03-3BF55BF8AEC7} - C:\WINDOWS\xvorfwbd.dll (file missing)
O21 - SSODL: wpvmqosg - {DA93FC0A-AFE5-4916-A720-FF2FA13506DA} - C:\WINDOWS\wpvmqosg.dll (file missing)

After clicking Fix, exit HJT.

Now reboot into safe mode.

While in safe mode, see if you can find and delete the below
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited <-- the whole folder
C:\WINDOWS\system32\iifecddc.dll <-- the file. It may not delete or be found. Just continue on.

Now see if you can boot in normal mode. If not, just go back to safe mode to continue.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.


Then attach the below log:

• C:\MGlogs.zip

Now try to run the other steps from the READ ME that were not run. That is specifically Malwarebytes Anti-Malware and ComboFix. Attach the requested los from them.

 

Okay but now you need to run Malwarebytes and ComboFix as requested and attach those logs. Then we will be able to work up a complete fix.

 

You're welcome.


Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {BA659A2D-98E5-4786-84D7-1025237D3C4D} - C:\WINDOWS\system32\qoMfedcy.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

After clicking Fix, exit HJT.

Now we need to use ComboFix.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!