
Firefox & Chrome Being Redirected; Safe Mode Boot Results in Blue Screen


  • This topic is locked
72 replies to this topic

#1 Exoleti

Exoleti

  • Members
  • 68 posts
  • Gender:Male
  • Location:New England

Posted 07 December 2009 - 09:12 AM

Hello,

I am operating a Gateway GT5056 with Windows XP installed. I run AVG Anti-Virus, CC Cleaner, Ad-Aware & Spybot regularly. However, I recently obtained malware of some type that results in pop-up tabs in Firefox and Chrome (I never use IE). Most are seemingly harmless "Work at Home" variety or even www.viagra.com in Firefox, but Chrome is more suspicious. The address bar shows a very long string of characters and the pages always are blank. I suspect these pages are attempting to DL more malware. I have ZoneAlarm Firewall running now.

I have run scans with Malwarebytes, Trend-Micro Housecall, and my aforementioned regular scanning programs and removed or quarantined anything found and now results show no infections after multiple re-scans. However, the problem persists. I cannot boot in Safe Mode (blue screen) and suspect this is a result of the malware infection. I have run SafeBootKeyRepair at the advice of another forum discussion attempting to resolve the Safe Mode issue. As this is written, I am running Kaspersky Online Scanner.

RESULTS OF KASPERSKY:

Monday, December 7, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, December 07, 2009 10:33:27
Records in database: 3339747
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan statistics
Objects scanned 165027
Threats found 1
Infected objects found 1
Suspicious objects found 0
Scan duration 04:08:34

File name Threat Threats count
D:\i386\Apps\App00577\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1
Selected area has been scanned.

Edited by Exoleti, 07 December 2009 - 12:07 PM.



#2 azfreetech

azfreetech

  • Members
  • 182 posts
  • Gender:Female
  • Location:Mesa, AZ

Posted 07 December 2009 - 05:35 PM

I would initially run Malwarebytes and then SUPERAntiSpyware and remove what they find.
DJ Digital Gem

I gave up on computers and now I just DJ!

#3 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 07 December 2009 - 06:58 PM

Exoleti,
Hello there, once again!

Please open the Spybot user interface and disable Spybot's TeaTimer resident scanner. This can interfere with the operation of other antispyware tools in their efforts to remove malware.

Likewise with AdAware: Open the user interface and disable Ad-Watch if it is enabled.

Restart the system.

There has been a new version of Malwarebytes Anti-Malware released in the last few days. Please ensure that you download and use the latest version (1.42). Run the "Quick Scan" first. When the other steps ... below ... have been completed, update MBAM again, and this time, run a "Full Scan".

Ensure that you update the definitions files of both MBAM and SAS before you run them. Remove any malware that is detected and then post the resulting log file (the whole log).

Download and run Dr.Web CureIt! Remove any malware found.

There are some handy instructions provided here ...
Use the instructions provided in post #2 by garmanma at the following link, to run MBAM (Quick Scan), ATF Cleaner, SAS and Dr.Web CureIt!
http://www.bleepingcomputer.com/forums/ind...t&p=1499922

If you can't access Safe Mode, when the instructions call for doing so, just use Windows in normal mode.
Remove all problems found: Then post the logs from each of the scans (no log from ATF Cleaner).

Follow that up with a Full Scan by MBAM, and post the log from that too.

In your next post, please include the 4 requested logs, with a comment on whether the redirection and Safe Mode issues still persist.
AustrAlien
Google is my friend. Make Google your friend too.


#4 Exoleti

Exoleti
  • Topic Starter

  • Members
  • 68 posts
  • Gender:Male
  • Location:New England

Posted 08 December 2009 - 06:27 PM

OK....the good news....

The redirect seems to have been resolved. At least in Firefox - I uninstalled Chrome earlier as it seemed to be more affected than anything else.

The bad news - still cannot start in Safe mode. I receive the error message:

STOP: 0X0000007E (0XC0000005, 0X80537009, 0XF78BE508, 0XF78BE204)

The 4 logs you requested:
First MAB Quick Scan:
Malwarebytes' Anti-Malware 1.42
Database version: 3313
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/7/2009 7:51:09 PM
mbam-log-2009-12-07 (19-51-09).txt

Scan type: Quick Scan
Objects scanned: 131043
Time elapsed: 6 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The SAS Scan:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/07/2009 at 11:04 PM

Application Version : 4.31.1000

Core Rules Database Version : 4344
Trace Rules Database Version: 2193

Scan type : Complete Scan
Total Scan Time : 01:51:38

Memory items scanned : 560
Memory threats detected : 0
Registry items scanned : 7596
Registry threats detected : 0
File items scanned : 161378
File threats detected : 0

The Dr. Web Scan:
Process in memory: C:\WINDOWS\system32\spoolsv.exe:196;;BackDoor.Tdss.565;Eradicated.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
RegUBP2b-Owner.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
09265361.FIL\srvany.exe;C:\My Backup -- 07-09-29 1259PM\$VAULT$.AVG\09265361.FIL;Program.SrvAny;;
09265361.FIL;C:\My Backup -- 07-09-29 1259PM\$VAULT$.AVG;Archive contains infected objects;Moved.;
23369422.FIL\srvany.exe;C:\My Backup -- 07-09-29 1259PM\$VAULT$.AVG\23369422.FIL;Program.SrvAny;;
23369422.FIL;C:\My Backup -- 07-09-29 1259PM\$VAULT$.AVG;Archive contains infected objects;Moved.;
74835234.FIL\IMNames.exe;C:\My Backup -- 07-09-29 1259PM\$VAULT$.AVG\74835234.FIL;Adware.SearchTwo;;
74835234.FIL\main.exe;C:\My Backup -- 07-09-29 1259PM\$VAULT$.AVG\74835234.FIL;Adware.SearchTwo;;
74835234.FIL/2.exe\srvany.exe;C:\My Backup -- 07-09-29 1259PM\$VAULT$.AVG\74835234.FIL/2.exe;Program.SrvAny;;
2.exe;C:\My Backup -- 07-09-29 1259PM\$VAULT$.AVG;Archive contains infected objects;;
74835234.FIL\1.exe;C:\My Backup -- 07-09-29 1259PM\$VAULT$.AVG\74835234.FIL;Adware.SearchTwo;;
74835234.FIL;C:\My Backup -- 07-09-29 1259PM\$VAULT$.AVG;Archive contains infected objects;Moved.;
GTDownAO_106.ocx;C:\My Backup -- 07-09-29 1259PM\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Incurable.Moved.;
spywareblaster.exe;C:\My Backup -- 07-09-29 1259PM\Program Files\SpywareBlaster;Trojan.Packed.149;Deleted.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;D:\i386\Apps\App00577\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;D:\i386\Apps\App00577\comps\coach;Archive contains infected objects;Moved.;

The final MAB Complete Scan:
Malwarebytes' Anti-Malware 1.42
Database version: 3313
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/8/2009 6:13:28 PM
mbam-log-2009-12-08 (18-13-28).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 295750
Time elapsed: 1 hour(s), 24 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 08 December 2009 - 08:54 PM

The Dr. Web Scan:
Process in memory: C:\WINDOWS\system32\spoolsv.exe:196;;BackDoor.Tdss.565;Eradicated.;

Exoleti,
Oh bother: Oh BIG bother! Most likely you have a serious rootkit issue.
I will request advice "from above" on how best to confirm this.

In the meantime ...
Have a read of jamesr01's thread:
related problems? antivirus system pro, google redirect, blue screen on safe mode boot
http://www.bleepingcomputer.com/forums/t/274972/related-problems-antivirus-system-pro-google-redirect-blue-screen-on-safe-mode-boot/

quietman7 based the diagnosis on one line from the Dr.Web CureIt! log
Process in memory: C:\WINDOWS\system32\svchost.exe:208;;BackDoor.Tdss.565;Eradicated.; <<< you have a similar line
and one line from Kaspersky's TDSSKiller log
23:8:47:921 1300 Driver atapi infected by TDSS rootkit ... 23:8:47:921 1300 TDL3_HookCure

You may wish to also post a log from Kaspersky's TDSSKiller.

Edit: I have requested quietman7 to have a look at your thread.

Edited by AustrAlien, 08 December 2009 - 09:19 PM.

AustrAlien
Google is my friend. Make Google your friend too.
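The Dr.Web CureIt! log quoted above is one semicolon-separated record per detection (object; location; threat name; action), and a hit inside a running process is written as "Process in memory: <path>:<pid>" with an empty location field. The following is an added example, not part of this thread and not Dr.Web's own tooling, that parses those records and triages them the way the diagnosis in this post does: a BackDoor/TDSS family found inside a running process is treated as a live rootkit indicator, while detections inside the AVG `$VAULT$` backup or the Spybot snapshot folder are existing quarantine material rather than an active infection. The sample log is constructed from lines Exoleti posted in this thread; the severity labels, the `QUARANTINE_MARKERS` list and the `rootkit_suspect` rule are the example's own assumptions.

```python
"""Added example: parse and triage Dr.Web CureIt! log lines.

Record format as it appears in the thread:  object;location;threat;action;
A running-process hit uses "Process in memory: <path>:<pid>" as the object
and leaves the location field empty.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the lines posted earlier in this thread.
SAMPLE_LOG = r"""Process in memory: C:\WINDOWS\system32\spoolsv.exe:196;;BackDoor.Tdss.565;Eradicated.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
RegUBP2b-Owner.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
09265361.FIL\srvany.exe;C:\My Backup -- 07-09-29 1259PM\$VAULT$.AVG\09265361.FIL;Program.SrvAny;;
09265361.FIL;C:\My Backup -- 07-09-29 1259PM\$VAULT$.AVG;Archive contains infected objects;Moved.;
GTDownAO_106.ocx;C:\My Backup -- 07-09-29 1259PM\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Incurable.Moved.;
aolcinst.exe\core.cab\GTDOWNAO_106.ocx;D:\i386\Apps\App00577\comps\coach\aolcinst.exe;Adware.Gdown;;
aolcinst.exe;D:\i386\Apps\App00577\comps\coach;Archive contains infected objects;Moved.;
"""

_PROCESS_RE = re.compile(r"^Process in memory: (?P<path>.+):(?P<pid>\d+)$")

# Assumption: folders that hold another tool's quarantine or backup copies.
QUARANTINE_MARKERS = ("$VAULT$", "\\Snapshots")
# Assumption: family names whose presence in memory points at a kernel rootkit.
ROOTKIT_FAMILIES = ("Tdss", "TDSS")


@dataclass(frozen=True)
class Detection:
    obj: str
    location: str
    threat: str
    action: str
    pid: Optional[int] = None  # set only for "Process in memory" records


def parse_line(line: str) -> Optional[Detection]:
    """Return a Detection for one log record, or None if the line is not one."""
    fields = [f.strip() for f in line.rstrip("\r\n").split(";")]
    if len(fields) < 4 or not fields[0]:
        return None
    obj, location, threat, action = fields[:4]
    pid = None
    m = _PROCESS_RE.match(obj)
    if m:  # live process: keep the image path and remember the pid
        obj, pid = m.group("path"), int(m.group("pid"))
    return Detection(obj, location, threat, action, pid)


def parse_log(text: str) -> List[Detection]:
    return [d for d in map(parse_line, text.splitlines()) if d is not None]


def rootkit_suspect(d: Detection) -> bool:
    """A rootkit family inside a running process: the signal used in this thread."""
    return d.pid is not None and any(f in d.threat for f in ROOTKIT_FAMILIES)


def triage(d: Detection) -> str:
    """Rank a detection by what it says about the machine's current state."""
    if d.pid is not None:
        return "critical"   # malware was executing, not just sitting on disk
    if any(mark in d.location for mark in QUARANTINE_MARKERS):
        return "low"        # already-quarantined copy belonging to another tool
    if d.threat.startswith("Archive contains") or not d.action:
        return "info"       # container summary, or member handled via its archive
    return "medium"         # on-disk file that was actually cleaned or moved


def summarize(text: str) -> Dict[str, int]:
    """Count detections per severity, e.g. {'critical': 1, 'medium': 2, ...}."""
    return dict(Counter(triage(d) for d in parse_log(text)))


if __name__ == "__main__":
    for det in parse_log(SAMPLE_LOG):
        flag = "  <-- rootkit suspect: run a dedicated anti-rootkit scan" if rootkit_suspect(det) else ""
        print(f"{triage(det):8} {det.threat:34} {det.obj}{flag}")
    print(summarize(SAMPLE_LOG))
```

Running the block on the sample prints one line per record and a severity count of one critical (the spoolsv.exe hit), two medium, three low and two info. The point of the ordering in `triage` is the one made in this post: a single in-memory BackDoor.Tdss hit outweighs a dozen quarantine-vault findings, because the vault copies were already neutralised by AVG while the process hit shows the rootkit was active at scan time.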


#6 Exoleti

Exoleti
  • Topic Starter

  • Members
  • 68 posts
  • Gender:Male
  • Location:New England

Posted 08 December 2009 - 09:49 PM

BINGO!

OK, so I ran TDSSKiller, however I could not generate a log file (guess I did not understand the instructions on the site to do so). But after my system rebooted I then was able to reboot in Safe Mode!

I am now running MAB in Safe Mode and will await further instruction.

At least I'm in Safe Mode now!

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,606 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 08 December 2009 - 09:55 PM

Yes, Dr.Web CureIt will detect some variants of TDSS. In fact, in some cases it can remove enough of the infection so that other tools like MalwareBytes can run if the malware is stopping it from scanning. The problem with this type of infection is that it can vary in the amount of damage it causes depending on what other malicious files it was able to download, so Dr.Web may not catch everything.

You may wish to also post a log from Kaspersky's TDSSKiller.

That would be my suggestion as well.

Please download TDSSKiller.zip and save it to your Desktop.
Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Extract (unzip) the file. (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Double-click on TDSSKiller.exe to run the tool.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation.

#8 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 09 December 2009 - 01:16 AM

Please post the log from TDSSKiller if you can find it.
Is there no log saved as "report.txt" (in the folder with TDSSKiller.exe)?

Post the log from your MBAM scan in Safe Mode, too.

Now that you can get into Safe Mode, it would be timely to run SuperAntiSpyware in Safe Mode.
Please follow quietman7's instructions in post #14 at the following link to run TFC and SAS (and post the log).
http://www.bleepingcomputer.com/forums/ind...t&p=1522681

How is everything looking now?
AustrAlien
Google is my friend. Make Google your friend too.


#9 Exoleti

Exoleti
  • Topic Starter

  • Members
  • 68 posts
  • Gender:Male
  • Location:New England

Posted 09 December 2009 - 11:21 AM

So I let MAB run overnight, as it takes several hours, and I woke up this morning to another blue screen, stating an attempt was made to write to read only memory. I attempted to restart in Safe Mode and have not been able to move past the screen which lists all the system 32 drivers (I guess a list of what is starting up?). No blue screen yet, but no Safe Mode yet either. Still trying....

#10 Exoleti

Exoleti
  • Topic Starter

  • Members
  • 68 posts
  • Gender:Male
  • Location:New England

Posted 09 December 2009 - 11:42 AM

And now the computer is not rebooting at all - just beeping. It did this a few months ago and I replaced the RAM and it was OK. One step forward, two steps back...

#11 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 09 December 2009 - 01:33 PM

And now the computer is not rebooting at all - just beeping. It did this a few months ago and I replaced the RAM and it was OK. One step forward, two steps back...

Turn off the power to the computer.
Ground yourself by touching the metal box itself.
Pull the RAM sticks out and then push back in, making sure they are re-seated firmly and properly.
Turn power on, and try again.

If the problem persists ....
Describe the problem fully:
What do you see on the screen?
When do the beeps start?
What is the sequence of beeps? Continual? Long/short?
AustrAlien
Google is my friend. Make Google your friend too.


#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,606 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 December 2009 - 01:50 PM

Beeping noises after startup are usually a sign of hardware related issues, faulty RAM or an indication of high temperatures due to overheating and faulty processor fans. The latter sometimes can be attributed to dirty components inside your computer, loose connections or even a heat sink blocked with dust or debris.

When a computer is first turned on or rebooted, its BIOS performs a Power On Self Test (POST) to test the system's hardware. The BIOS checks to make sure that all of the system's hardware components are working properly and that it meets the necessary system requirements before booting up. If BIOS detects an error and fails the POST, the computer returns a pattern of beeps indicating what is causing the problem.

Beep codes can be in several different patterns, depending on the BIOS that you are using. Some BIOSes use simple beep codes in a pattern of varying numbers of short beeps, while others may mix short and long beeps. The exact meaning of the beep codes depends on the type and version of BIOS that you have. The three most popular types of BIOS are those made by Award, American Megatrends (AMI) and Phoenix.

In order to interpret the beep code pattern you are receiving you need to answer AustrAlien's questions and be specific.

You also need to know exactly what version of BIOS your computer has. There are several ways to do that:

Edited by quietman7, 09 December 2009 - 01:53 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation.

#13 Exoleti

Exoleti
  • Topic Starter

  • Members
  • 68 posts
  • Gender:Male
  • Location:New England

Posted 09 December 2009 - 02:00 PM

Although I had done exactly what you described twice before you posted that, I just did it again and the system has started up. The only difference is that the system sat unplugged for about an hour with the RAM sticks out while I stared at it and cursed. Perhaps that helped. :thumbsup:

The system is now restarting in Safe Mode. It is taking a VERY long time on the Advanced Options screen. A thermometer-style time lapse bar appeared on the bottom of the screen, quickly went to full, and then the hard-drive light keeps flickering indicating it is running....so far, nothing else...same screen....

A screen first appeared stating to reset the CPU frequency in CMOS Press F1 to Continue or F2 to Exit (I think?); I selected F1 and arrived at the Advanced Options Menu screen where I am now.

OK, the system just booted, but not in Safe Mode - it started normally. Should I try reboot into Safe Mode or login in Normal Mode? (As normal as this computer has been lately, that is....)

And to describe the beeps, it was a solid one second beep with a two second interval - repeating.

BIOS: Phoenix Technologies, LTD 6.00 PG 02/23/2006 (from BeLarc Advisor)

And I'm back in Safe Mode!

Edited by Exoleti, 09 December 2009 - 02:23 PM.


#14 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 09 December 2009 - 02:19 PM

I am thinking this is most likely a RAM problem at this time. Plus, for some reason, the CPU settings have been reset to minimal, and need to be changed to the correct setting. Did you, by any chance, remove the motherboard battery for that hour while you stared at it and cursed?

Turn off computer.
Remove all but one stick of RAM (leave the one in the first slot, the slot on the left-hand-side, closest to the CPU).
Attempt to restart the computer.

You wrote: "A screen first appeared stating to reset the CPU frequency in CMOS Press F1 to Continue or F2 to Exit (I think?)"
F2 would probably take you to the BIOS Setup Menu.
This time I want you to press F2: Go to the BIOS Setup menu.
On the last page/tab of the menu, select "default settings" or "safe settings" (something like that). The wording will depend on your particular BIOS.
Choose to "Save and Exit".
Allow the system to start normally. (Let's stick with starting "normally" at this time .... )

What happens?
AustrAlien
Google is my friend. Make Google your friend too.


#15 Exoleti

Exoleti
  • Topic Starter

  • Members
  • 68 posts
  • Gender:Male
  • Location:New England

Posted 09 December 2009 - 02:45 PM

Sorry Aust - in the time between responses, I started the system normally and ran Belarc Advisor to obtain the BIOS information previously requested. After that I decided to try to reboot in Safe Mode and was able to do so with no problems. I am now running a SAS scan in Safe Mode as you previously indicated before this weird RAM issue arose (which occurred during a MAB scan in Safe Mode, so let's see what happens with SAS).

Also, I checked the folder with TDSSKiller.exe and no log, just the end user agreement and the executable file. If I read the instructions correctly, I need to enter some code in order for it to generate the log file? I somehow did not do that step correctly when I ran TDSS earlier.

SAS scanning in Safe Mode now...no threats found yet. Will update when complete



