
Tidserv!inf and BSOD 0x0000008E


13 replies to this topic

#1 FLeonard

FLeonard

  • Members
  • 6 posts
  • Local time:10:24 PM

Posted 03 January 2009 - 07:54 AM

Good morning,

I am not sure where to go with this. Looks like I have been infected with Tidserv!inf and possibly something else. At this point I can boot in safe mode and run forever but the PC will BSOD with error code 0x0000008E after XP is done populating the system tray. What I saw:

1. SAV CE found Tidserv!inf in seneka3ca4.tmp in Local Settings/Temp and asked for a reboot to clean it
2. I found MSLN.EXE and MSICONF.EXE in system32 and deleted them
3. There are 4 files called seneka*.* freshly created in system32
4. I went through the 8 steps in safe mode but I am unable to uninstall SAV CE as I can only run in safe mode
5. I ran Kaspersky web scan overnight
6. This PC dual boots 2 copies of XP; the other one works fine and can access the damaged one

Thank you in advance for your help

#2 Guest_Jay-P VIP_*

Guest_Jay-P VIP_*

  • Guests

Posted 03 January 2009 - 09:09 AM

Please download Malwarebytes' Anti-Malware to your desktop.

* 2X-click mbam-setup.exe and install the program.
* At the end, checkmark:
  o Update Malwarebytes' Anti-Malware
  o Launch Malwarebytes' Anti-Malware
* Then click Finish.
* As soon as it loads, select quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

#3 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 03 January 2009 - 09:11 AM

Hello.

Just wanted to add to Jay-P VIP's advice.

Use "Full Scan" instead of quick. Otherwise, it will not scan the WINDOWS of the infected installation.

With Regards,
The Panda

EDIT: Typo.

Edited by PropagandaPanda, 03 January 2009 - 09:12 AM.


#4 FLeonard

FLeonard
  • Topic Starter

  • Members
  • 6 posts
  • Local time:11:24 PM

Posted 03 January 2009 - 09:57 AM

Jay, Panda, thanks for your reply.

Here is the Mbam log run in safe mode. Are you saying I should try to run Mbam in normal mode and try to beat the BSOD?

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

01/02/09 21:40:26
mbam-log-2009-01-02 (21-40-26).txt

Scan type: Quick Scan
Objects scanned: 67979
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
F:\Program Files\Live_TV (Adware.Agent) -> Quarantined and deleted successfully.
F:\Documents and Settings\Steven\Application Data\NetPumper (Adware.NetPumper) -> Quarantined and deleted successfully.
F:\Documents and Settings\Kidz\Application Data\NetPumper (Adware.NetPumper) -> Quarantined and deleted successfully.
F:\Documents and Settings\FLeonard\Application Data\NetPumper (Adware.NetPumper) -> Quarantined and deleted successfully.

Files Infected:
F:\Program Files\Live_TV\INSTALL.LOG (Adware.Agent) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\iaxcfg32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
F:\Documents and Settings\All Users\Desktop\Best BDSM P0rn.url (Rogue.Link) -> Quarantined and deleted successfully.
F:\Documents and Settings\All Users\Desktop\Gay Fetish Sex.url (Rogue.Link) -> Quarantined and deleted successfully.

Thanks again

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:24 PM

Posted 03 January 2009 - 10:10 AM

Scanning with MBAM in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a Direct Disk Access (DDA) driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails.

Your MBAM log indicates you are using an outdated database. Please update it through the program's interface (preferable way) or manually download the updates and just double-click on mbam-rules.exe to install. Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#6 FLeonard

FLeonard
  • Topic Starter

  • Members
  • 6 posts
  • Local time:11:24 PM

Posted 03 January 2009 - 11:55 AM

Scanning with MBAM in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it.


So I guess we need to figure out the BSOD 0x0000008E to run MBAM in normal mode. Here is the MBAM log with current definitions:

Malwarebytes' Anti-Malware 1.31
Database version: 1602
Windows 5.1.2600 Service Pack 3

01/03/09 11:52:48
mbam-log-2009-01-03 (11-52-33).txt

Scan type: Full Scan (F:\|)
Objects scanned: 228783
Time elapsed: 42 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
F:\Program Files\mIRC\backup\mirc.exe (Backdoor.Bot) -> No action taken.
F:\WINDOWS\system32\senekaplgppkdh.dll (Trojan.Agent) -> No action taken.
F:\WINDOWS\system32\senekawrscfufg.dll (Trojan.Agent) -> No action taken.
F:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> No action taken.
F:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> No action taken.
F:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> No action taken.
F:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> No action taken.
F:\WINDOWS\system32\drivers\senekavvvksdlx.sys (Trojan.Agent) -> No action taken.

Thanks for your help. I do appreciate it.

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:10:24 PM

Posted 03 January 2009 - 12:18 PM

Hello.

Re-run scan with MalwareBytes Anti-Malware
Your MBAM log shows "No action taken". This usually occurs if you forget to click "Remove Selected" and instead only clicked "Save Logfile". Please rerun the scan and remove the items. Post back the resulting log file.
---
There is a slight chance that your other Windows will lock up booting because MBAM ripped out the bad driver files, but is unable to read the other Windows' registry to delete the driver. If this is the case, we can dequarantine the items MBAM took out.

Do not remove the quarantined items.

With Regards,
The Panda

Edited by PropagandaPanda, 03 January 2009 - 12:19 PM.
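An added example (not from this thread or from Malwarebytes) that parses an MBAM 1.x text log in the layout posted above, flags the "No action taken" entries Panda refers to, and lists any kernel driver files among the findings. The sample log is constructed from the thread's log layout; the regexes and function names are this example's own assumptions.

```python
import re

# Constructed sample in the layout of the MBAM 1.x logs posted in this thread (abridged).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1602
Scan type: Full Scan (F:\|)
Registry Keys Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Files Infected:
F:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> No action taken.
F:\WINDOWS\system32\iaxcfg32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Split an MBAM 1.x text log into header metadata and per-item findings."""
    meta, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items detected)"):
            continue
        header = HEADER_RE.match(line)
        if header:                      # e.g. "Files Infected:" opens a detail section
            section = header.group(1)
            continue
        item = ITEM_RE.match(line)
        if item and section:            # "<path> (<detection>) -> <action>."
            items.append({"section": section, **item.groupdict()})
        elif section is None and ": " in line:
            key, _, value = line.partition(": ")
            meta[key] = value           # "Database version: 1602", summary counts, etc.
    return meta, items


def unresolved_items(items):
    """Findings that were only logged, not removed: the 'No action taken' case in this thread."""
    return [i for i in items if not i["action"].startswith("Quarantined")]


def driver_components(items):
    """Kernel driver (.sys) files among the findings; these stay loaded until the reboot MBAM asks for."""
    return [i["path"] for i in items if i["section"] == "Files Infected" and i["path"].lower().endswith(".sys")]
```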


#8 FLeonard

FLeonard
  • Topic Starter

  • Members
  • 6 posts
  • Local time:11:24 PM

Posted 03 January 2009 - 12:32 PM

To all who helped me out, thanks a lot!

It looks like it worked. I posted the wrong log. I did have MBAM remove all it found. The "bad" XP started up fine and I am running MBAM in normal mode. I will post the log as soon as done. Will also try to boot the other XP as soon as MBAM is done.

A quick question if I may. What would you recommend for good protection? I confirmed today that Symantec SAV CE is not very good and also discovered MBAM.

Thanks again for your help. It is good to have guys like you helping fight the dark side.

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:10:24 PM

Posted 03 January 2009 - 02:12 PM

Hello.

If you have a paid version, it's probably better than any free version.

If you are looking for another paid version, I would go with Kaspersky.

With Regards,
The Panda

#10 FLeonard

FLeonard
  • Topic Starter

  • Members
  • 6 posts
  • Local time:11:24 PM

Posted 03 January 2009 - 03:00 PM

Updated log:

Malwarebytes' Anti-Malware 1.31
Database version: 1602
Windows 5.1.2600 Service Pack 3

01/03/09 14:58:02
mbam-log-2009-01-03 (14-58-02).txt

Scan type: Full Scan (F:\|)
Objects scanned: 231170
Time elapsed: 1 hour(s), 11 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:10:24 PM

Posted 03 January 2009 - 03:30 PM

Hello.

Will also try to boot the other XP as soon as MBAM is done.

Can the infected installation boot? Safe mode/normal mode?

With Regards,
The Panda

#12 Guest_Jay-P VIP_*

Guest_Jay-P VIP_*

  • Guests

Posted 03 January 2009 - 04:22 PM

At this point I can boot in safe mode and run forever but the PC will BSOD with error code 0x0000008E after XP is done populating the system tray.


Whilst the others are helping with MBAM, I will help with your Windows error.

I am going to copy some info below, but you will need to read each page step by step. Follow #1 first, and then #2.

Support Article 1 - Microsoft.com
Support Article 2 - Microsoft.com


Possible causes of this error may include the following:

* Hard disk damage
* General hardware configuration problems with the BIOS, the memory, the hard disk, or with other devices
* Incompatible device driver
* Incompatible software



All of such issues CAN be related to the infection that the computer you described may have. This does not mean, however, that you are prevented from trying any solutions that are included in these Microsoft error and solution articles.

#13 FLeonard

FLeonard
  • Topic Starter

  • Members
  • 6 posts
  • Local time:11:24 PM

Posted 03 January 2009 - 05:34 PM

Panda, Jay,

Both XP's (infected and backup) boot OK (safe or normal mode). The BSOD is gone. I will run MBAM once more to make sure the last 2 registry keys are gone for good.

Thanks for your help

#14 Guest_Jay-P VIP_*

Guest_Jay-P VIP_*

  • Guests

Posted 03 January 2009 - 09:21 PM

You are welcome. If you have any more issues please post them as soon as possible so that one of us may help you.



