BleepingComputer.com: Blue Screen! Please help!!

Hi,

I have been helped with the "HijackThis" section for help with malware found on my system.

I was recommended now to come here to possibly found a solution.

To see that post:
INFECTED - with trojan or more?

The only other possiblitity apparently is to reformat and reload your computer.

Which as you can imagine is not something I'd like to do!!!!

Please help!

This post has been edited by beack08: 26 June 2009 - 09:55 AM

Do you have any information from the BSOD that you can post on here to help us help you with it possibly?

Thanks,

ok I am not very knowledgable with all this... so bare with me.
I understand that the error should list a driver with a .sys in the file name.
How can I found out the name? what do I do for that?


Just before the system crach I was told:


--------------------------------------
Hi beack08,

You need to disable your Avira AntiVir Antivirus before running ComboFix, as it will prevent it from running.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

CODE
File::
c:\windows\95382hazktool59a.exe
c:\windows\z079backdoor5729.bin
c:\windows\system32\256czteal859.bin
c:\windows\359fsp9ware3z5.dll
c:\windows\system32\51959teaz23165.exe
c:\windows\system32\669cspywzre3565.dll
c:\windows\3z41d5wnloader24409.bin
c:\windows\system32\460z9pywa5e387.dll
c:\windows\system32\z6217t95j1d7.dll
c:\windows\748zpam9ot525.dll
c:\windows\system32\188spar9ez554.exe
c:\windows\79eevzr5539.bin
c:\windows\system32\395a9ir1450z.exe
c:\windows\11095wor57ez.dll
c:\windows\system32\26724v5rusz439.dll
c:\windows\system32\3957downloaderz231.dll
c:\windows\15726spz179.exe
c:\windows\system32\zc47spy9are1517.bin
c:\windows\25d1bzckdo5r9616.bin
c:\windows\17995iruz14f.bin
c:\windows\system32\20e9addwzre5662.bin
c:\windows\system32\3917spy5are1999z.bin
c:\windows\system32\29609s5y50ez.exe
c:\windows\system32\5799zparse1827.exe
c:\windows\1752zhi9f1155.bin
c:\windows\zd595hief299.exe
c:\windows\46a695arse62z.bin
c:\windows\6951do5nload9z536.dll
c:\windows\system32\2e9cs5arsz526.exe
c:\windows\3dz5spars59159.dll
c:\windows\system32\16809n9t-a-v5rus77bz.bin
c:\windows\1cf3zddw5re19509.dll
c:\windows\system32\1917z5oj6b6.exe
c:\windows\system32\6e45vzr4219.dll
c:\windows\20575spambot696z.bin
c:\windows\system32\30115v5rus59z.dll
c:\windows\system32\5142downloade9251z.exe
c:\windows\1930spars5z527.bin
c:\windows\system32\242z9v5rus192.bin
c:\windows\system32\57377tr9j6d6z.exe
c:\windows\system32\4247not-a95irus4bz.exe
c:\windows\549z5hre9t559.dll
c:\windows\system32\5bd3b5ckdzor28559.exe
c:\windows\z815troj5339.dll
c:\windows\130dthi5f1219z.dll
c:\windows\system32\1e7bz5yware9116.dll
c:\windows\system32\52063wo9m27z.bin
c:\windows\4501h9ckt5oz7b9.bin
c:\windows\system32\3e08backdoo590z4.bin
c:\windows\7936sp95z5.exe
c:\windows\system32\569tzoj129.exe
c:\windows\51599spz470.bin
c:\windows\system32\zfff5hreat26439.bin
c:\windows\system32\58fez5wnl9ader1167.bin
c:\windows\25695s9zmbot649.dll
c:\windows\system32\310a59zef541.bin
c:\windows\system32\411a5aczdoor3095.exe
c:\windows\6a25tzal2189.exe
c:\windows\system32\16783vi5us5z9.bin
c:\windows\system32\311139i5uzd9.bin
c:\windows\5541spazbo96c.dll
c:\windows\system32\1195ot-a-viru9777z.exe
c:\windows\381espar5e990z.dll
c:\windows\2918zteal3175.exe
c:\windows\1563down9oaderz174.bin
c:\windows\system32\59879troz3859.exe
c:\windows\9c6addware5z89.dll
c:\windows\12335n5t-a-virus9z3.exe
c:\windows\583bad9waz5684.bin
c:\windows\11z63spy3955.dll
c:\windows\12008s5yz98.dll
c:\windows\system32\55919py58az.bin
c:\windows\5935tzoj17d9.exe
c:\windows\7e9aste5l12z5.exe
c:\windows\system32\27449not5z-v9rus648.exe
c:\windows\90511nzt-a-virus77a.exe
c:\windows\794esparse572z.dll
c:\windows\43z9sparse5313.bin
c:\windows\29ze5hreat99691.dll
c:\windows\7z985ack9oor1218.exe
c:\windows\9831spy4z05.dll
c:\windows\5392steal18z0.exe
c:\windows\system32\19fc5pywarez86.bin
c:\windows\system32\29902n9t-5zvirus11c.bin
c:\windows\system32\10209zirus509.dll
c:\windows\5zedsparse1993.bin
c:\windows\73d895dwarz1589.exe
c:\windows\system32\25e5addwa9ez70.exe
c:\windows\715cz9eal506.bin
c:\windows\system32\5951not-azvirus3d59.bin
c:\windows\system32\9aczspyware5630.dll
c:\windows\6248s9yzare529.exe
c:\windows\6z539roj1ea.bin
c:\windows\5b5ez9r2664.dll
c:\windows\6bb0dow9lzader2245.exe
c:\windows\5308z9cktoolc6.bin
c:\windows\system32\localspl.dll
c:\windows\2z118v95us6db.exe
c:\windows\7415downl9adzr984.exe
c:\windows\system32\7e11stezl5934.exe
c:\windows\20170szam9o534a.exe
c:\windows\system32\57czthre9t52500.dll
c:\windows\54az9ddwar52824.bin
c:\windows\28229tr5z64e.exe
c:\windows\system32\125z0spambot98b5.dll
c:\windows\247z2sp5519.dll
c:\windows\system32\32791tzoj52b5.bin
c:\windows\19d3thzef955.bin
c:\windows\29806not5a-virus5z2.bin
c:\windows\98z5hie91935.bin
c:\windows\system32\win32k.sys
c:\windows\system32\z374sp91e85.exe
c:\windows\system32\7b585z91607.dll
c:\windows\system32\284zbac9door995.exe
c:\windows\25913spambot595z.bin
c:\windows\7bdet5rzat25139.exe
c:\windows\system32\rpcrt4.dll
c:\windows\system32\58896hacktzol6f5.exe
c:\windows\system32\2169zwo5m5c7.bin
c:\windows\system32\ezsidmv.dat
c:\windows\2239znot-a-v5rus35f.exe
c:\windows\4z59py55.dll
c:\windows\11684ha9ktool5z.bin
c:\windows\14779h5cktoo9z.dll
c:\windows\5a8cth5ef9z7.dll
c:\windows\system32\3568threa58z99.bin
c:\windows\65bdownz5ader989.exe
c:\windows\system32\58d8szyware25359.exe

Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

------------------------------



The only .sys listed up there is c:\windows\system32\win32k.sys.
Could this be the one???
SifuMike, the person helping me, maybe didn't think about that. he just told me that it's a wild card to guess what .sys is caucing the problem.

Are you aware that your HJT log thread is still open ?

http://www.bleepingcomputer.com/forums/ind...=233570&hl=

I do not see on that thread your HJT Helper ask you to start a new topic..so you ought really continue on that thread .

well the post that told me to come to you as been deleted and more steps have been given

So I am not sure what happenned. I posted my message here following instruction of SifuMike.

I have asked the Staff to check this out for you ; you may wish to return TO the HJT thread and stay on that one to avoid any confusion

I was just told again to come back here


Here the message:

Hi,

QUOTE
When typing cd erdnt\subs
I get: - the system connaot find the file or directory specified.
So the I tried batch erdnt.con
I still get: - the system connaot find the file or directory specified.
I then typed exit and it retarted and again same blue screen.

If it cant find the files then that means a backup was not made before it crashed.

QUOTE
In the steps you gave me prior to the systeme crashiug the only .sys listed was

c:\windows\system32\win32k.sys.
Could this be the one?

Yes, that may be the one.

It looks like you my have to reformat and reload your computer. Read here for instructions how to format and reinstall Windows:
http://web.mit.edu/ist/products/winxp/adva...all-format.html


Since this is drastic step and the last resort, I suggest you to go our Windows experts at the Windows XP Home and Professional forum. Perhaps they can suggest a better solution.

Let them know that you have been to this forum and that malware was found and removed. IMHO, a driver is causing your problem.

When posting to any other forum, do not post a HijackThis log or DDS log, or the post will simply be moved back to this forum for infection analysis. That is what HijackThis is used for and that is what we specialize in here in this forum.

Also, when posting in any other forum for assistance, give as much detail as possible regarding any issues that are occurring. The more information they have, the better the Windows techs can analyze the issue and make any recommendations for resolving it.



--------------------

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

SIFUMIKE has request them to post elswhere...

Quote

Quote

boopme: I don't understand what you mean. I am in the right place, right?

You might try the following procedures, Help Diagnosing BSODs And Crashes (BC) - http://www.bleepingcomputer.com/forums/topic176011.html

The system files...such as win32K.sys...are not necessarily the problem, just the point where the problem disconcerts XP. If you follow the procedures above, that may provide more data that can be used to try to help you.

FWIW: Anytime you get a BSOD error message...you should write it down, in entirely. The message is Windows trying to tell users what is wrong and/or where whatever went wrong occurred.

Does your system boot into XP at this moment?

Louis

Yes you belong here beack08

Hi Louis,

No right now it doesn't load either in safe mode or last known config. I get the same blue screen with message:

--------
STOP: c000021a {Fatal System Error}
The session Manager Initialization system process terminated unexpectedly with a status of 0xc000026c (0x000000000 0x00000000)
The syetem has been shutdown

---------

So I can't follow the steps you recommend as i can get windows to load.

This post has been edited by beack08: 26 June 2009 - 01:21 PM

With the help of SifuMike I was able to fix the issue I was having.

Could you please close this tread?

We are so sorry for causing them unnecessary work.

Thank you again so much for your support.

Soooo...how did you "fix" whatever was wrong?

Louis

Look here Louis from post 31...

Thanks all ...I am closing this thread..