Followed procedure this time...

Discussion in 'Malware Help (A Specialist Will Reply)' started by mlydell, Jun 10, 2006.

  1. mlydell

    mlydell Private First Class

    something weird is going on - need help

    I've tried to follow all the procedures you ask for, but my laptop isn't letting me get through all of them.

    About two weeks ago I got a virus - not sure which one, but my AVG kept finding one, even when I would send it to the vault. (It came in an email, from what looked to be a trusted source, but when I clicked on a link in the email, it downloaded the virus...)

    Then my computer started slowing down, REALLY slow. I was also getting the blue screen of death on a regular basis.

    I found your forums, and I downloaded all the programs and started to run them. Whenever I would try to run the Microsoft Malicious Software Removal Tool it would bring up the blue screen. Windows Defender would run, but it wouldn't let me update the definitions.

    I was able to get Spybot and Ad-Aware to run, and it seemed to take care of everything.

    Also - my computer kept telling me I had no firewall, even though I have ZoneAlarm and it was on. It also keeps telling me I have no virus program running, even though AVG is running.

    But it gets better. While all this was going on, I saw a TV commercial for StopSign. I thought if they had an ad on CNN, they could be trusted...well once I downloaded that my problems got worse. No internet access. More blue screens. I finally got through to someone at eAcceleration and got the removal tool. By using their tool, Spybot and Ad-Aware I removed it - I hope...

    So here is my HJT log. Please let me know if there is anything you see.

    Thanks!

    Now my system is still slow, and when I came home tonight after being out for a few hours, my computer had the blue screen again.

    So, I ran HijackThis, hoping there is something in the log that will help.

    It's a fairly new computer - few months old (Dell) and I have it covered by them, but I need to make sure it isn't a software issue, since none of my problems seemed to start when I got the virus on the machine.
     

    Attached Files:

  2. AbbySue

    AbbySue MajorGeeks Administrator

    Re: something weird is going on - need help

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
    • Bitdefender
    • Panda Scan
    It looks like you did the scans per your HJT log but we need to see the results so please attach them. Based on a quick look at your log you have many issues that will need to be dealt with so please be patient, someone will help you ASAP! :)

    Additional Note: As you have already indicated you had issues with Windows Defender, please refer back to that step and try the alternative, CounterSpy.
     
  3. mlydell

    mlydell Private First Class

    Re: something weird is going on - need help

    Thanks for the help. I'll run them tonight and post the logs. Hopefully it will let me run them without giving me the blue screen....

    But I will post what I am able to run.

    thanks!
     
  4. mlydell

    mlydell Private First Class

    OK, I went back through and did the procedure step by step.

    I had a previous post at http://forums.majorgeeks.com/showthread.php?t=94171

    This may be long but i wanted to get it all in.

    NOTE: I had disabled System Restore a while ago on my computer at the recommendation of a friend, and I haven't turned it back on yet. Let me know if you recommend that I enable it.

    Here are my notes, and the correct logs are attached. If there are other files/logs needed, please let me know. The post would only let me upload three, but I think that's all you needed.

    Thank you for your help!

    Problems still noted:

    Windows says there is no anti-virus program. I have AVG and it was always able to detect it before.

    Firewall – Unable to activate the Windows Firewall. I have the free ZoneAlarm running. Windows Security Center says it sees ZoneAlarm “but its status is unknown.”

    System is running VERY SLOW, and I’m not able to use my network printer.

    I still get the Blue Screen...seems to happen randomly, but I notice it if I leave the computer on for a while with nothing happening. When I come back, the blue screen is there.


    Question: My desktop now seems to be having issues. Is the problem on this laptop one that could have spread over the network?


    Here are the steps I followed.(I cut and pasted from the READ ME thread)

    Empty any quarantine folders for antivirus and antispyware applications.
    AVG – nothing in vault.

    Empty your Recycle Bin.
    Done

    Programs:

    CCleaner. - Install only, then exit. Done
    Ad-Aware SE…..Updated.
    SpyBot - Search & Destroy. Updated.

    Microsoft Windows Defender 1051 (Beta 2) – I already had it installed, but when I tried to update it, I got the blue screen and had to reboot.

    CounterSpy. Since I was shut down with Defender, I downloaded this program.
    Hijack This! – Downloaded.

    -------------
    Rebooted into safe mode: When I rebooted and chose Safe Mode, the next screen listed Windows Professional twice, making it look like I had two different copies installed.

    Ran CCleaner with the default options to clean out temporary files. DONE

    Ran Microsoft Windows Malicious Software Removal Tool: BLUE SCREEN OF DEATH WHEN I RAN FILE.

    Ran Ad-Aware SE – found two critical objects:

    Data : mark@tribalfusion[1].txt
    Value : Cookie:mark@tribalfusion.com/

    Data : mark@perf.overture[1].txt
    Value : Cookie:mark@perf.overture.com/


    Ran Spybot Search & Destroy: Nothing found. Immunized.

    Run Microsoft Windows Defender: Wasn’t able to update – GAVE ME BLUE SCREEN OF DEATH but when I rebooted I was able to run it with the old definitions. 136 days out of date.

    CounterSpy: Not able to install in safe mode.

    Online Virus And Trojan Scanning

    Rebooted into safe mode with networking.

    Bitdefender No problems found. Exported report, and log attached.

    Panda ActiveScan would not run in safe mode with networking, so rebooted into normal mode, and scanned computer. Log attached

    Ran CounterSpy:

    CounterSpy Results:
    Spyware Scan Details
    Start Date: 6/10/2006 11:20:11 PM
    End Date: 6/11/2006 12:00:31 AM
    Total Time: 40 mins 20 secs

    Detected spyware
    No spyware were found during this scan.
    After running all the tools and fixing what they find, reboot in normal mode. Done


    HijackThis Log attached
     

    Attached Files:

  5. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Merged threads.
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You are strongly advised to do the following immediately:

    1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

    2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

    3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

    Make sure you have done the following:
    - How to view hidden, system files & folders!
    - Running Hoster

    Read and Understand the following:
    - Searching for Hidden Files on WinXP

    Download
    - Pocket Killbox

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the files listed below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Next, using the Search function in the Start Menu, search for ibm0000?.*; delete every occurrence.

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Follow the directions for Running WinPfind by OldTimer.

    Post WinPFind.txt and a fresh HijackThis log.
     
    Last edited: Jun 12, 2006
  7. mlydell

    mlydell Private First Class

    Wow. I'll do that ASAP. Where do I find the reference to the bug you found - is that in the HJT log?

    Do I need to do anything to my desktop to see if its infected with it as well?

    I'll look at this forum from another computer - this is the last post. I'll disconnect from the internet now.
     
  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    This is the Keylogger:
    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

    If you think that your desktop may be infected then follow the procedures in our Read ME First.

    I'll be here when you are ready.
     
  9. mlydell

    mlydell Private First Class

    Thanks for the info. I followed your procedures, and am back online now.

    In the middle of the WinPFind scan, I got an error window - I did a print screen and attached the box. What does this mean?

    Attached are the logs you asked for. Please let me know if the computer looks clean.

    Can I use this one to change my passwords, etc?

    I'll contact my banks, etc. and take care of the other info tomorrow. Now that I ran your procedures, is this

    It's still somewhat slow, and tells me that it can't find any virus software, even though I have AVG running. It also says it sees ZoneAlarm, but it isn't configured right - not sure what else I need to do to ZoneAlarm.

    While I was typing this I got a ZoneAlarm notice that said "Your computer is trying to contact IP address 192.168.1.104" The only thing
    Does this mean there is something still on my computer?
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since this is so important, I don't want to wait for Shadow to return. He already stated the below:
    This is still the case.
     
  11. mlydell

    mlydell Private First Class

    chaslang:

    Thanks - I'll use my desktop, but right now since I'm not sure that one is clean either I'm running your steps on that one also, so I won't be able to change any passwords, etc. until I get them both cleaned up. I'll need to wait until one of them gets the green light so I can go change that info.

    QUESTION: Since I have another computer, when I finish all the steps for malware, do I put that into a new post, or just add it to this one so I can keep working with Shadow?

    thanks!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For any financial institutions, credit cards, etc. You should not delay in calling them and checking for illegal activities. You should explain that you had this problem on your PC and wish to change all logins and passwords. For other online things (like logins to websites etc) you can change online when your PC is clean. Don't forget to change email accounts too.

    You should work that out with Shadow. There could be similar issues so you do want to work on both, but you do not want to get the two PCs confused by trying to work them in the same thread. It may be best to start another thread and work thru both PCs in separate threads.
     
  13. mlydell

    mlydell Private First Class

    Shadow:

    Two items:

    1. I'm running the procedure scans on my desktop and it looks like it found something in BitDefender. I'll post all those logs later. Do you want that in a separate post?

    2. I keep getting an alarm from Zone Alarm that "192.168.1.104" is trying to access my computer. Is that a local network address or something still resident on my machine?

    Thanks!!
     
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Separate threads for each computer.

    C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare I have no idea what program this folder belongs to. The name would imply that it is some type of shared service; but I have no idea what it is.

    The IP addresses shown by ZoneAlarm indicate you are connected to a router and have an internal network; wireless according to your HijackThis log. IP 192.168.1.1 should be the address of the router and 192.168.1.104 should be the address of your computer. If this is not the case then your computer is trying to connect to a private network.

    Your HijackThis log is clean. Since WinPFind will not run to completion; do the following:
    - Running Ewido Anti-Malware
    - Using GetRunKey

    Post the Ewido log and runkey.txt; when finished.
     
  15. mlydell

    mlydell Private First Class

    Here are the logs you asked for.

    Questions:

    1. Windows says it sees my ZoneAlarm but it isn't configured ... I've done the config through ZoneAlarm, and wonder if I'm missing a step.
    2. It also says it doesn't see any anti-virus. I have AVG installed, running and updated. Do I need to reinstall it so Windows detects it?
     

    Attached Files:

  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Windows Messenger is running in the background, and represents a security risk. Disable Windows Messenger by running Shoot The Messenger. If you are using this as your IM client then replace it with MSN Messenger. This is optional on your part. Windows Messenger is intended for use by Network Administrators and can be used to display messages on your computer.

    Post a fresh HijackThis log.
     
  17. mlydell

    mlydell Private First Class

    Fresh HJT log attached.

    Should I reinstall AVG - is that why Windows isn't recognizing it as running?

    Also - your thoughts on AZ free vs. AZ pro?
     

    Attached Files:

  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is clean.

    As far as Windows not properly recognizing AVG and ZA, run Windows Update and bring your computer Up2Date. May just need to be updated. If the problem is still there then uninstall AVG and ZA, reboot, then install both programs again. If that still doesn't fix the problem, then in Windows Security Center tell it you have a firewall and antivirus program and will monitor them yourself.

    I run AVG Free on several computers and I'm happy with its performance. If you want a retail application then by all means buy the Pro version. With the Pro version you get support, as the Free version is unsupported.
     
  19. mlydell

    mlydell Private First Class

    I did what you asked in the last post. Not sure if this is related, but now every time I reboot I get the blue screen. Won't let me restart for anything. I've tried several times now, and when Windows comes up, I get my desktop displaying, but no bottom bar, and then after that it goes to the blue screen.

    Any suggestions?
     
  20. mlydell

    mlydell Private First Class

    Not sure if my last post made it through. Now my laptop won't boot into Windows at all. Every time I try, it gives me the desktop for about 20-30 seconds and then gives me the blue screen. Sooner if I try to run anything. I'm trying to uninstall and reinstall AVG and ZoneAlarm to see if that will help.

    When I boot into safe mode, there is no connection, so I can't download the file. But I'm concerned this may be a bigger and deeper issue. Any ideas on where to look?
     
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    What is the Error message on the blue screen, word for word?
     
  22. mlydell

    mlydell Private First Class

    Here is a pic of the screen. This is what it looks like every time. I don't know if the hex code under the "Technical Information" has always been the same. It looks like it is each time.

    I ran the Dell diagnostics CD, and it didn't find any hardware issues. I think I was hoping to find a hardware issue to explain it all.

    Can this be caused by a virus?

    I'll check back since I'm not able to access this email to see when you post a reply. I'm letting the other computers sit until I get this one figured out, since this is the most critical.
     

    Attached Files:

  23. mlydell

    mlydell Private First Class

    Shadow:

    This morning I went into safe mode and decided to see what is booting up at startup. I looked at startup in MSCONFIG and found a couple weird things. One was from StopSign that I thought was uninstalled. There was still an entry from eAcceleration. I also saw an entry for dumprep 0 -k. I was having some problems with Roxio so I unchecked any Roxio related items. There was also an entry that had characters instead of letters - just boxes. I unchecked those too. When I rebooted, same thing.

    Dont know if that helps or if there are any other processes I can stop to try and narrow this down.

    Can I run HJT in Safe Mode and will it help you? I can't get anything to run in regular mode. If my USB ports still work in safe mode I could transfer the HJT log to this computer to load. (But I hate to put any files from that computer onto another until I know what I'm dealing with.)

    Thanks for your help!!
     
  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Is that an 8 or a B in the STOP message? Either way it's hardware related and most likely being caused by a corrupt device driver.

    Save SystemReport.bat to your desktop and run it by double-clicking on the batch file.

    A DOS Window will appear and you may get “file not found” message(s). That’s OK – Just let it run. It may take 15 - 20 seconds to finish.

    A log should pop up in Notepad. Please attach it with your post as Report.txt. This script will look at other registry keys not looked at by GetRunKey. This script was written by an associate of mine and I have taken over development.
     
  25. mlydell

    mlydell Private First Class

    Shadow:

    It's an 8.

    Attached is the report you asked for.

    Let me know what you see! If it's a driver, how do I diagnose? If it's hardware, the laptop is still under warranty, so I can call Dell.

    Thanks!
     

    Attached Files:

  26. mlydell

    mlydell Private First Class

    Shadow:

    Log posted. Do I need to call Dell?
     
  27. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I apologize for taking so long to get back. That log didn't show anything of concern. 8e or Be; both are hardware related stop messages. Since you are able to get into Safe Mode, it could be your video drivers that are causing the problem. Uninstall your video drivers, reboot. When the new hardware wizard opens, close it and manually install the drivers for your video card then reboot. Let me know if that works.
     
  28. mlydell

    mlydell Private First Class

    Nope... I uninstalled the video drivers - it showed two video drivers, so I uninstalled them both. I was able to get the new driver file onto the desktop, but when I tried to run the program - it was a self-executing install file from Dell - I got the same stop message. Tried it twice with the same result.

    The third time I got the driver file to unzip and start the install process before I got a blue screen. Do I need to be rebooting back into safe mode to install the driver?

    Any other thoughts to try? (other than running it over in the driveway...)
     
  29. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If you are able to boot to Normal Mode when the drivers are uninstalled, and you get an error message when you try to install the drivers, then the drivers are not the correct ones for your card. Try the drivers that came with your computer or look again at Dell for video drivers for your computer.
     
  30. mlydell

    mlydell Private First Class

    I was using the drivers that came with the computer. I also looked at the website to make sure there weren't any newer drivers, etc.

    It didn't crash because of the program - it looks like there is something that makes it crash about 1 minute after Windows starts up.

    I tried to install the drivers in safe mode, and i got the blue screen also.

    What is the next step?
     
  31. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Then it's the Hardware. It's entirely possible that the Video Adapter is going bad.
     