
All started with KB977165?


  • This topic is locked
41 replies to this topic

#1 dennisrmd01


  • Members
  • 35 posts

Posted 30 March 2010 - 10:12 AM

Done everything that I know and still BSOD... STOP: 0x0000000A (0xF8A262C0, 0x...2, 0x...1, 0x804D9B68)

XP Home, SP3

Followed various fixes (including http://support.microsoft.com/kb/979682) but it still keeps coming back.... although not always when I boot - sometimes it is good for an hour?

Just ran ComboFix but the report file is too much for me (attached)

Would welcome a little hand holding if anyone can help?

Driving me crazy - already spent 2 days and got nowhere and as ever, working on report I need to complete/email by end of March. Such is life?

Cheers

Den

PS Sorry posted this in 'introduction' as well by mistake. New to this.



#2 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 April 2010 - 07:26 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 dennisrmd01

  • Topic Starter

  • Members
  • 35 posts

Posted 03 April 2010 - 04:39 AM

Hi m0le... I welcome your help

Den

#4 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 April 2010 - 05:19 AM

The ComboFix log got cut off; can you post the rest please?

#5 dennisrmd01

  • Topic Starter

  • Members
  • 35 posts

Posted 03 April 2010 - 05:27 AM

This is all there was...


#6 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 April 2010 - 12:20 PM

Please go to Start > Run > and copy/paste the following, then press Enter

C:\QooBox\ComboFix-quarantined-files.txt

A log file should open. Please post that in your next reply.

Can you then rerun ComboFix - hopefully I will get a full log this time.

#7 dennisrmd01

  • Topic Starter

  • Members
  • 35 posts

Posted 04 April 2010 - 05:26 AM

Both files attached

Attached Files



#8 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 04 April 2010 - 06:36 AM

Okay, the PC may well have been infected with the TDSS rootkit at the time of the update, which causes Blue Screens of Death.

The steps to do the most successful recovery are unfortunately fairly long.

A. Boot into Recovery Console

http://www.bleepingcomputer.com/tutorials/...l117.html#start


B. Follow these steps:
  1. Boot from your Windows XP CD or DVD and start the Recovery Console (see this link http://support.microsoft.com/default.aspx/kb/307654 on how to use recovery console)
  2. Once you are in the Repair Screen type this command: CHDIR $NtUninstallKB978262$\spuninst
  3. Type this command: BATCH spuninst.txt
  4. Type this command: systemroot
  5. Repeat steps 2 - 4 replacing the code after CHDIR $NtUninstall with each of the following:

    * KB978262
    * KB971468
    * KB978037
    * KB975713
    * KB978251
    * KB978706
    * KB977165
    * KB975560
    * KB977914
  6. When complete, type this command: exit
Your computer should restart and everything should be back to normal.


Now please run OTL so that we can trace the infected system file which caused all this
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Please copy the following into the Custom Scans box at the bottom

    CODE
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop

  • Now click the Run Scan button on the toolbar.
  • Let it run until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it

Post the log in the next reply.
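Added here as a defender-side illustration of what the /md5start block above is for; it is not code from this thread or from the OTL tool. The script hashes the installed copy of each listed disk-controller driver and compares it with the Windows File Protection copy that XP keeps in system32\dllcache. The directory layout and the file bytes in demo() are constructed placeholders; on a real machine you would point compare_against_cache at C:\WINDOWS\system32\drivers and C:\WINDOWS\system32\dllcache.

```python
import hashlib
import os
import tempfile

# Disk-controller drivers from the OTL /md5start list above; TDSS-family rootkits patched one in place.
WATCHED = ["atapi.sys", "iaStor.sys", "nvstor.sys", "nvata.sys", "iastorv.sys"]

def md5_of(path):
    """MD5 of a file, read in 64 KiB chunks so large drivers need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()

def compare_against_cache(drivers_dir, dllcache_dir, names=WATCHED):
    """Compare each installed driver in system32\\drivers with the Windows File
    Protection copy in system32\\dllcache (XP); returns name -> 'match', 'mismatch'
    or 'no-cache-copy'. A mismatch is a lead for GMER/ComboFix, not proof: a hotfix
    that refreshed the driver but not the cache looks the same to this check."""
    results = {}
    for name in names:
        live, cached = os.path.join(drivers_dir, name), os.path.join(dllcache_dir, name)
        if not os.path.exists(live):
            continue  # driver not installed on this machine
        if not os.path.exists(cached):
            results[name] = "no-cache-copy"
        else:
            results[name] = "match" if md5_of(live) == md5_of(cached) else "mismatch"
    return results

def demo():
    """Constructed sample tree (placeholder bytes, not real drivers): atapi.sys
    patched, nvata.sys intact, iaStor.sys present but without a cache copy."""
    root = tempfile.mkdtemp()
    drivers, cache = os.path.join(root, "drivers"), os.path.join(root, "dllcache")
    for d in (drivers, cache):
        os.makedirs(d)
    files = {
        (drivers, "atapi.sys"): b"ORIGINAL-ATAPI-BYTES" + b"+INJECTED-LOADER",
        (cache, "atapi.sys"): b"ORIGINAL-ATAPI-BYTES",
        (drivers, "nvata.sys"): b"NVATA-BYTES",
        (cache, "nvata.sys"): b"NVATA-BYTES",
        (drivers, "iaStor.sys"): b"IASTOR-BYTES",
    }
    for (d, name), data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return compare_against_cache(drivers, cache)
```

A rootkit that hooks the disk stack can serve the clean bytes to user-mode reads, so a "match" from this check does not clear the driver either; that is why the thread moves on to GMER, which looks below those hooks.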

#9 dennisrmd01

  • Topic Starter

  • Members
  • 35 posts

Posted 05 April 2010 - 02:41 AM

m0le

Hi

Did the Recovery Console (already had it as boot option) bit OK but the PC appears less stable... BlueSOD a greater % of times etc.

OTL failed to complete... tried a couple of times (once in safe mode to maximise stability) but always stopped responding at
HKEY_CURRENT_USER\InternetExplorer settings

Points that may be relevant when you consider above...

My PC was obsessed with installing KB977165 - attempted numerous times when the problem first started (at the time I was not aware of the problem).
I had already tried the KBUninstallKB977165 as the 'fix' instructed on the MSKB site.
I appear to have a KB977165a ?? which I also did the Uninstall on at the same time as KBUninstallKB977165 above.

This time KBUninstallKB977165 reported 'file not found' 3 or more times and then same number of '1 file copied'.

I installed (upgraded) to IE8 after the problem was clear (and before contacting you guys) to try and improve protection? more desperation than anything else!

Appreciate your persistence, it is driving me slowly crazy and way beyond me

Den




#10 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 April 2010 - 04:10 AM

Let's see if Gmer can tell us where the rootkit is hiding

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

#11 dennisrmd01

  • Topic Starter

  • Members
  • 35 posts

Posted 05 April 2010 - 11:08 AM

GMER downloaded and run... BSOD interrupted it a couple of times - but finally got attached file in SAFE mode...

Attached Files

  • Attached File  GMER.log   1.79KB   11 downloads


#12 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 April 2010 - 03:14 PM

Yes, that's going to go now

First, this rootkit removal may kill the connection so please download this program first

Please download WinsockXPFix



Now back to Combofix

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
http://www.bleepingcomputer.com/forums/t/305928/all-started-with-kb977165/

Collect::
C:\WINDOWS\system32\ljtsxmeu.dll

Driver::
nlcbl

NetSvc::
nlcbl


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks

#13 dennisrmd01

  • Topic Starter

  • Members
  • 35 posts

Posted 06 April 2010 - 04:06 AM

m0le

I think it is looking good (hopefully not wishful thinking)... ComboFix log attached.

Cheers

Den



#14 dennisrmd01

  • Topic Starter

  • Members
  • 35 posts

Posted 06 April 2010 - 06:18 AM

Bad news - it is still doing BSOD on boot up - got Windows Update switched OFF but Internet on.

It appears stable when it finally boots (1 in 5?) but it must still be lurking in there somewhere?

#15 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 April 2010 - 01:08 PM

Let's see if we can get a handle on the cause

We Need to Diagnose Your BlueScreen
  1. When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  2. Select "Disable Automatic Restart on System Failure", as shown here:
  3. When your system BSODs, write down the STOP error code, as well as any written out error message back here. The STOP error will always appear, but the message may not. You are looking for this:

When it does boot successfully...

Download BootCheck.exe to your desktop.
  • Double click BootCheck.exe to run the check
  • When complete, a Notepad window will open with some text in it
  • Save the Notepad file to your desktop as BootCheck.txt
  • Copy the contents of BootCheck.txt and post it in your next reply

Thanks



