All started with KB977165?

Done everything that I know and still BSOD... STOP: 0x0000000A (0xF8A262C0, 0x...2, 0x...1, 0x804D9B68)

XP Home, SP3

Followed various fixes (including http://support.microsoft.com/kb/979682) but it still keeps coming back.... although not always when I boot - sometimes it is good for an hour?

Just run ComboFix but report file is too much for me (attached)

Would welcome a little hand holding if anyone can help?

Driving me crazy - already spent 2 days and got nowhere and as ever, working on report I need to complete/email by end of March. Such is life?

Cheers

Den

PS Sorry posted this in 'introduction' as well by mistake. New to this.

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

• Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.
  
  
• Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  
  
• Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

Hi m0le... I welcome your help

Den

The Combofix got cut off, can you post the rest please

This is all there was...

Please go to Start >Run > and copy/paste the following, then press Enter

C:\QooBox\ComboFix-quarantined-files.txt

A log file should open. Please post that in your next reply.

Can you then rerun Combofix - hopefully I will get a full log this time.

Both files attached

Okay the PC may well have been infected with the TDSS rootkit at the time of the update which causes Blue Screens of Death.

The steps to do the most successful recovery are unfortunately fairly long.

A. Boot into Recovery Console

http://www.bleepingcomputer.com/tutorials/...l117.html#start


B. Follow these steps:

1. Boot from your Windows XP CD or DVD and start the Recovery Console (see this link http://support.microsoft.com/default.aspx/kb/307654 on how to use recovery console)
2. Once you are in the Repair Screen type this command: CHDIR $NtUninstallKB978262$\spuninst
3. Type this command: BATCH spuninst.txt
4. Type this command: systemroot
5. Repeat steps 2 - 4 replacing the code after CHDIR $NtUninstall with each of the following:
   
   * KB978262
   * KB971468
   * KB978037
   * KB975713
   * KB978251
   * KB978706
   * KB977165
   * KB975560
   * KB977914
   
6. When complete, type this command: exit

Your computer should restart and everything should be back to normal.


Now please run OTL so that we can trace the infected system file which caused all this

• Download OTL to your desktop.
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, underneath Output at the top change it to Minimal Output.
• Under the Standard Registry box change it to All.
• Check the boxes beside LOP Check and Purity Check.
• Please copy the following into the Custom Scans box at the bottom
  
  
  CODE
  /md5start
  eventlog.dll
  scecli.dll
  netlogon.dll
  cngaudit.dll
  sceclt.dll
  ntelogon.dll
  logevent.dll
  iaStor.sys
  nvstor.sys
  atapi.sys
  IdeChnDr.sys
  viasraid.sys
  AGP440.sys
  vaxscsi.sys
  nvatabus.sys
  viamraid.sys
  nvata.sys
  nvgts.sys
  iastorv.sys
  ViPrt.sys
  /md5stop
  
  
• Now click the Run Scan button on the toolbar.
• Let it run until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it

Post the log in the next reply.

m0le

Hi

Did the Recovery Console (already had it as boot option) bit OK but the PC appears less stable... BlueSOD a greater % of times etc.

OTL failed to comeplete... tried a couple of time (once in safe mode to maximise stabillity) but always stopped responding at
HKEY_CURRENT_USER\InternetExplorer settings

Points that may be relevent when you consider above...

My PC was obsessed with installing KB977165 - attempetd numerous times when the problem first started (at the time I was not aware of the problem).
I had already tried the KBUninstallKB977165 as the 'fix' instructed on the MSKB site.
I appear to have a KB977165a ?? which I also did the Uninstall on at the same time as KBUninstallKB977165 above.

This time KBUninstallKB977165 reported 'file not found' 3 or more times and then same number of '1 file copied'.

I installed (upgraded) to IE8 after the problem was clear (and before contacting you guys) to try and improve protection? more desperation than anything else!

Apprieciate you persistence, it is driving me slowly crazy and way beyond me

Den

Let's see if Gmer can tell us where the rootkit is hiding

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
• Now click the Scan button. If you see a rootkit warning window, click OK.
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
• Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

GMER downloaded and run... BSOD interupted it a couple of times - but finally got attached file in SAFE mode...

Yes, that's going to go now

First, this rootkit removal may kill the connection so please download this program first

Please download WinsockXPFix



Now back to Combofix

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks

m0le

I think it is looking good (hopefully not wishful thinking)... ComboFix log attached.

Cheers

Den

Bad news - it is still doing BSOD on boot up - got Windows Update switched OFF but Internet on.

Is appears stable when it finally boots (1 in 5?) but it must still be lurking in there somewhere?

Let's see if we can get a handle on the cause

We Need to Diagnose Your BlueScreen

1. When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
2. Select "Disable Automatic Restart on System Failure", as shown here:
   
3. When your system BSODs, write down the STOP error code, as well as any written out error message back here. The STOP error will always appear, but the message may not. You are looking for this:
   

When it does boot successfully...

Download BootCheck.exe to your desktop.

• Double click BootCheck.exe to run the check
• When complete, a Notepad window will open with some text in it
• Save the Notepad file to your desktop as BootCheck.txt
• Copy the contents of BootCheck.txt and post it in your next reply

Thanks