Infected with Trojan.FakeAV., Blue screen randomly pops up


This topic is locked
60 replies to this topic

#1 picture167148

Posted 01 July 2010 - 05:55 PM

My computer has limited or no connectivity, but the internet connection is fine; it works with my laptop. Norton Antivirus 360 2010 randomly says it has automatically blocked Trojan.FakeAV, but there is no internet or programs running. When I try to run a full system scan it starts and finishes, but when it completes it says error scanning. Computer start-up is slow and logging in takes time. Computer performance varies each time I log in: laggy, sometimes it freezes and sometimes it works normally. When my desktop loads the Start menu is inaccessible; it has an hourglass and does not work until explorer.exe is stopped and restarted.

I have tried to re-install Windows XP but I get a blue screen reading:

A problem has been detected and Windows has been shut down to prevent damage to your computer. If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps: Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK /F to check for hard drive corruption and then restart your computer. Technical information: *** STOP: 0x0000007B (0xF8983524, 0x00000000, 0x00000000)

Microsoft Windows XP
Media Center Edition
Version 2002
Service Pack 2
Intel Core 2 CPU
6300 @1.86GHz
1.86 GHz, 512 MB of Ram
Physical Address Extension
It is a Dell XPS 410



DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL
Run by Administrator at 17:37:45.90 on Wed 06/30/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.371 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator.VENEGAS1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://url.urtbk.com/cpv.jsp?p=113090&ip=70.243.202.179&url=http%3A%2F%2Fen-us.www.mozilla.com%2Fen-US%2Ffirefox%2F3.0.13%2Ffirstrun%2F&context=Welcome+to+Firefox&selectedKeyword=firefox+mozilla&selectedListingId=7543921&default=http%3A%2F%2F82.98.231.93%2F%3Fsource%3Dvenus_ron_090%26affid%3D201036%26guid%3D4daa1b553e463d4eba0bc134b16a4d3e%26uid%3D3aba74f0b04c11debf05201036ffffff%26rid%3Dota100001%26ver%3D21127%26m%3D1sc7%26b42%3D0.0049
mSearchAssistant = hxxp://www.google.com/ie
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.0.0.127\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.0.0.127\IPSBHO.DLL
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.0.0.127\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue SpyEraser] "c:\program files\uniblue\spyeraser\SpyEraser.exe" -m
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli hulahake.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.ven\applic~1\mozilla\firefox\profiles\tnralsde.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\browser\nppdf32.dll
FF - plugin: c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrl.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0400000.07f\SymDS.sys [2010-6-27 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0400000.07f\SymEFA.sys [2010-6-27 172592]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20091205.001\BHDrvx86.sys [2010-6-27 529456]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0400000.07f\cchpx86.sys [2010-6-27 501888]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0400000.07f\Ironx86.sys [2010-6-27 116272]
S2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-10-4 54752]
S2 N360;Norton 360;c:\program files\norton 360\engine\4.0.0.127\ccSvcHst.exe [2010-6-27 126392]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20091105.001\IDSxpx86.sys [2010-6-27 329592]
S3 NAVENG;NAVENG;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20091209.020\NAVENG.SYS [2010-6-27 84912]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20091209.020\NAVEX15.SYS [2010-6-27 1323568]

=============== Created Last 30 ================

2010-06-30 04:57:58 0 d-----w- C:\WinSetupFromUSB
2010-06-30 04:57:58 0 d-----w- \WinSetupFromUSB
2010-06-30 04:14:58 0 d-----w- C:\WINXPCD
2010-06-30 04:14:58 0 d-----w- \WINXPCD
2010-06-30 00:48:40 0 d-----w- c:\docume~1\admini~1.ven\applic~1\Tific
2010-06-30 00:38:47 0 d-----w- c:\docume~1\admini~1.ven\applic~1\Uniblue
2010-06-29 23:40:33 0 d-sh--w- c:\documents and settings\administrator.venegas1\PrivacIE
2010-06-29 23:37:06 47408 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-06-28 22:05:34 0 d-----w- c:\windows\system32\%programfiles%
2010-06-28 22:05:34 0 d-----w- c:\windows\system32\%commonprogramfiles%
2010-06-28 03:06:28 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-28 03:06:28 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-28 03:06:28 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-28 03:06:28 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-28 03:05:43 0 d-----w- c:\windows\system32\drivers\N360
2010-06-28 01:42:17 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-06-28 01:42:17 21504 ----a-w- c:\windows\system32\hidserv.dll

==================== Find3M ====================

2010-06-30 12:26:24 1610612736 --sha-w- \pagefile.sys
2010-06-30 00:34:00 15 ----a-w- \resetlog.txt
2010-06-28 05:00:36 5852 -csha-w- c:\windows\system32\KGyGaAvL.sys
2010-04-26 16:42:22 209 --sh--w- \boot.ini
2010-04-26 16:24:13 318 ----a-w- \rkill.log
2010-04-26 16:23:58 97354 ----a-w- \dlcxscan.log
2010-04-26 16:23:58 84356 ----a-w- \dlcx.log
2010-04-17 03:18:38 203776 -csh--w- c:\windows\system32\unrar.exe
2009-10-05 01:42:18 268 ---ha-w- \sqmdata12.sqm
2009-10-05 01:42:18 244 ---ha-w- \sqmnoopt12.sqm
2009-10-05 00:30:07 268 ---ha-w- \sqmdata11.sqm
2009-10-05 00:30:07 244 ---ha-w- \sqmnoopt11.sqm
2009-10-04 20:17:27 268 ---ha-w- \sqmdata10.sqm
2009-10-04 20:17:26 244 ---ha-w- \sqmnoopt10.sqm
2009-10-04 18:44:55 268 ---ha-w- \sqmdata09.sqm
2009-10-04 18:44:55 244 ---ha-w- \sqmnoopt09.sqm
2009-10-04 15:31:01 268 ---ha-w- \sqmdata08.sqm
2009-10-04 15:31:00 244 ---ha-w- \sqmnoopt08.sqm
2009-10-04 04:26:05 268 ---ha-w- \sqmdata07.sqm
2009-10-04 04:26:05 244 ---ha-w- \sqmnoopt07.sqm
2009-10-04 04:20:40 268 ---ha-w- \sqmdata06.sqm
2009-10-04 04:20:40 244 ---ha-w- \sqmnoopt06.sqm
2009-10-04 00:03:18 244 ---ha-w- \sqmnoopt05.sqm
2009-10-04 00:03:18 244 ---ha-w- \sqmdata05.sqm
2009-10-03 18:35:47 4096 ----a-w- \jyba.exe
2009-08-24 21:45:49 268 ---ha-w- \sqmdata04.sqm
2009-08-24 21:45:49 244 ---ha-w- \sqmnoopt04.sqm
2009-08-24 21:30:55 268 ---ha-w- \sqmdata03.sqm
2009-08-24 21:30:55 244 ---ha-w- \sqmnoopt03.sqm
2009-08-22 02:03:19 268 ---ha-w- \sqmdata02.sqm
2009-08-22 02:03:19 244 ---ha-w- \sqmnoopt02.sqm
2009-08-15 08:05:29 268 ---ha-w- \sqmdata01.sqm
2009-08-15 08:05:29 244 ---ha-w- \sqmnoopt01.sqm
2009-08-13 08:10:52 268 ---ha-w- \sqmdata00.sqm
2009-08-13 08:10:52 244 ---ha-w- \sqmnoopt00.sqm
2009-08-09 17:27:35 268 ---ha-w- \sqmdata19.sqm
2009-08-09 17:27:35 244 ---ha-w- \sqmnoopt19.sqm
2009-08-09 17:22:18 268 ---ha-w- \sqmdata18.sqm
2009-08-09 17:22:18 244 ---ha-w- \sqmnoopt18.sqm
2009-08-07 14:52:59 268 ---ha-w- \sqmdata17.sqm
2009-08-07 14:52:59 244 ---ha-w- \sqmnoopt17.sqm
2009-08-01 21:47:40 268 ---ha-w- \sqmdata16.sqm
2009-08-01 21:47:40 244 ---ha-w- \sqmnoopt16.sqm
2009-08-01 21:39:56 268 ---ha-w- \sqmdata15.sqm
2009-08-01 21:39:56 244 ---ha-w- \sqmnoopt15.sqm
2009-08-01 21:34:08 268 ---ha-w- \sqmdata14.sqm
2009-08-01 21:34:08 244 ---ha-w- \sqmnoopt14.sqm
2009-08-01 21:30:45 268 ---ha-w- \sqmdata13.sqm
2009-08-01 21:30:45 244 ---ha-w- \sqmnoopt13.sqm
2008-11-24 22:15:29 690440 ----a-w- \VETlog.txt
2008-11-24 22:15:07 117 ----a-w- \FtpCmd.txt
2008-11-24 22:14:04 158 ----a-w- \YServer.txt
2008-11-24 22:10:12 120 ----a-w- \SystemInfo.ini
2008-05-18 05:28:36 1071562752 --sha-w- \hiberfil.sys
2007-07-24 03:08:23 4128 ----a-w- \INFCACHE.1
2006-12-21 00:38:46 7703 ---ha-r- \dell.sdr
2005-08-16 10:43:04 0 ---ha-w- \MSDOS.SYS
2005-08-16 10:43:04 0 ---ha-w- \IO.SYS
2005-08-16 10:43:04 0 ----a-w- \CONFIG.SYS
2005-08-16 10:43:04 0 ----a-w- \AUTOEXEC.BAT
2004-08-10 11:00:00 47564 --sha-r- \NTDETECT.COM
2004-08-10 11:00:00 250032 --sha-r- \ntldr

============= FINISH: 17:37:54.07 ===============
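The DDS log above is the evidence the helper works from. As an added example that is not part of the original post or of the DDS tool, the Python script below parses a handful of Pseudo HJT and Firefox lines copied from that log and flags the entries a responder would read first: an LSA notification package outside an assumed known-good baseline (scecli, rassfm; the baseline is this example's assumption, not something DDS or the thread states), a DisableTaskMgr policy set to 1, a start-page redirect whose fallback target is a bare IP address, and a non-direct Firefox proxy mode. The kind names, severities and baselines are this example's own choices; a flag means "look here", not "this is the infection".

```python
"""Triage of a DDS 'Pseudo HJT Report' section (added example, not part of the
original post or of the DDS tool). The sample is copied from the log above and
embedded so the script runs offline; the baselines are this example's assumptions."""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Lines taken from the DDS log posted above (Pseudo HJT and Firefox sections).
SAMPLE_DDS = """
uInternet Connection Wizard,ShellNext = hxxp://url.urtbk.com/cpv.jsp?p=113090&ip=70.243.202.179&url=http%3A%2F%2Fen-us.www.mozilla.com%2Fen-US%2Ffirefox%2F3.0.13%2Ffirstrun%2F&context=Welcome+to+Firefox&selectedKeyword=firefox+mozilla&selectedListingId=7543921&default=http%3A%2F%2F82.98.231.93%2F%3Fsource%3Dvenus_ron_090%26affid%3D201036%26guid%3D4daa1b553e463d4eba0bc134b16a4d3e%26uid%3D3aba74f0b04c11debf05201036ffffff%26rid%3Dota100001%26ver%3D21127%26m%3D1sc7%26b42%3D0.0049
mSearchAssistant = hxxp://www.google.com/ie
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
LSA: Authentication Packages = msv1_0 nwprovau
LSA: Notification Packages = scecli hulahake.dll
FF - prefs.js: network.proxy.type - 4
"""

# Assumption: a stock XP install registers only scecli as an LSA notification
# package (rassfm shows up on RAS servers). Anything else is loaded into
# lsass.exe and called on every password change, so it deserves a look; it is
# not automatically malware.
KNOWN_LSA_NOTIFY = {"scecli", "rassfm"}

# Assumption: policies that, when set to 1, take away the user's ability to
# inspect or kill processes. Rogue-AV families commonly set them.
LOCKDOWN_POLICIES = {"DisableTaskMgr", "DisableRegistryTools"}

# Firefox network.proxy.type: 0 direct, 1 manual, 2 PAC URL, 4 auto-detect (WPAD), 5 system.
PROXY_TYPES = {"0": "direct", "1": "manual", "2": "PAC URL", "4": "auto-detect (WPAD)", "5": "system"}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(url: str) -> str:
    """DDS writes hxxp:// so the log is not clickable; undo that for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def ip_hosts_in(url: str) -> list[str]:
    """IPv4-literal hosts in the URL itself or in any URL-valued query parameter."""
    hosts = []
    outer = urlparse(url)
    if outer.hostname and IPV4.match(outer.hostname):
        hosts.append(outer.hostname)
    # parse_qs splits on '&' before unquoting, so an encoded '%26' inside a
    # parameter value (as in the 'default=' redirect above) stays inside it.
    for values in parse_qs(outer.query).values():
        for value in values:
            inner = urlparse(unquote(value))
            if inner.scheme in ("http", "https") and inner.hostname and IPV4.match(inner.hostname):
                hosts.append(inner.hostname)
    return hosts


def triage(dds_text: str) -> list[dict]:
    """Return findings as dicts with severity, kind, value and the offending line."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # LSA: Notification Packages = scecli hulahake.dll
        m = re.match(r"LSA:\s*Notification Packages\s*=\s*(.+)$", line)
        if m:
            for pkg in m.group(1).split():
                if pkg.lower().removesuffix(".dll") not in KNOWN_LSA_NOTIFY:
                    findings.append(dict(severity="high", kind="lsa_notification_package", value=pkg, line=line))
            continue

        # dPolicies-system: DisableTaskMgr = 1 (0x1)   (u/m/d = user/machine/default-user hive)
        m = re.match(r"[umd]Policies-\w+:\s*(\w+)\s*=\s*(\d+)", line)
        if m:
            if m.group(1) in LOCKDOWN_POLICIES and int(m.group(2)) == 1:
                findings.append(dict(severity="high", kind="lockdown_policy", value=m.group(1), line=line))
            continue

        # Start-page style entries: flag any URL (outer or nested) whose host is a bare IP.
        m = re.match(r"[umd](?:Internet Connection Wizard,ShellNext|Start Page|Default_Page_URL|SearchAssistant)\s*=\s*(\S+)", line)
        if m:
            ips = ip_hosts_in(refang(m.group(1)))
            if ips:
                findings.append(dict(severity="medium", kind="url_to_ip_literal", value=",".join(ips), line=line))
            continue

        # FF - prefs.js: network.proxy.type - 4
        m = re.match(r"FF - prefs\.js:\s*network\.proxy\.type\s*-\s*(\d+)", line)
        if m and m.group(1) != "0":
            findings.append(dict(severity="low", kind="firefox_proxy", value=m.group(1), line=line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        extra = f" ({PROXY_TYPES.get(f['value'], '?')})" if f["kind"] == "firefox_proxy" else ""
        print(f"[{f['severity']}] {f['kind']}: {f['value']}{extra}")
```

Run it as-is to print the findings for the embedded sample, or pass the Pseudo HJT and Firefox sections of any DDS log to triage(). The policy and LSA checks are deliberately allow-list based: the script reports what is not in its baseline rather than trying to name what it finds, which is the right posture when the baseline is small and the log is from someone else's machine.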






#2 kahdah (Security Colleague)

Posted 06 July 2010 - 06:29 AM

Hello picture167148

Welcome to BleepingComputer.
========================
OK, it appears that your problems are caused by a corrupted file system.
Your event log shows this:
QUOTE
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:


May be a good time to back up anything important.
Go to Start > Run, type in cmd, then hit OK.
Then type in chkdsk /r /f and hit Enter.
Type in Y at the prompt and then restart the computer.
Let it run through this check and then let me know how it goes.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 picture167148 (Topic Starter)

Posted 06 July 2010 - 09:39 PM

Verified files, verified index, verified security descriptors, verified Usn Journal, verified file data, verified free space. Nothing came up on the disk check

#4 kahdah (Security Colleague)

Posted 07 July 2010 - 06:27 AM

Nothing will come up; it will just restart the computer.
Did it seem to help the system speed up a bit?

If the computer is still acting funny, you may be in need of a new hard drive.

But let's dig a bit deeper to verify nothing is hiding.



Download the following GMER Rootkit Scanner from Here
  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.


#5 picture167148 (Topic Starter)

Posted 07 July 2010 - 07:36 PM

It did speed it up, the startup and log in does not take any time at all. It is now speedy and does not lag. I tried running the program & before it could finish a blue screen came up, I've attached a picture of the screen. If I need to write out what it says I can do that.

#6 kahdah (Security Colleague)

Posted 07 July 2010 - 08:04 PM

No, not necessary.
GMER is causing that blue screen.
It can do that with a lot of different systems.
===============================
Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


#7 picture167148 (Topic Starter)

Posted 07 July 2010 - 11:19 PM

I need an active internet connection to install "Microsoft Windows Recovery Console"; as I stated, when the computer is connected to the internet it displays a limited or no connection sign, even though the internet connection works.

When settings are to automatically detect IP address and DNS and I click repair on the connection, it doesn't even start and says cannot acquire IP address. When I manually enter the IP address and DNS etc. it starts to repair the connection and then stops and says cannot connect with/to DHCP.

Edited by picture167148, 07 July 2010 - 11:33 PM.


#8 kahdah (Security Colleague)

Posted 08 July 2010 - 06:35 AM

Ok from another computer do the following:
Click on the following link http://support.microsoft.com/kb/310994 and download the version of the floppy setup disks for XP Home.
SP2 version will be fine.
Transfer it from another computer and then drag and drop the package onto Combofix.
It will install it then continue to scan for malware.

Post that log when completed please.

#9 picture167148 (Topic Starter)

Posted 08 July 2010 - 06:29 PM

I downloaded the file and transferred it over. Everything was going fine, it installed, but when it was starting to scan for malware the hard drive made a noise as if it turned off, and I was met with this blue screen.

Edited by picture167148, 08 July 2010 - 06:30 PM.


#10 kahdah (Security Colleague)

Posted 09 July 2010 - 07:43 AM

Please try it from Safe Mode.
You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

#11 picture167148 (Topic Starter)

Posted 09 July 2010 - 05:12 PM

I did the same thing in safe mode and I was greeted with the same blue screen.

#12 kahdah (Security Colleague)

Posted 10 July 2010 - 08:29 AM

Download Bootkit remover to your desktop
This is a rar file if you do not have a program to open it then download and install Peazip

Extract Remover.exe to your desktop
Double click Remover.exe.
It will show a Black screen with some data on it
Right click on the screen and select > Select All
Press Control+C
Open Notepad and press Control+V

Post the resultant log here please

#13 picture167148 (Topic Starter)

Posted 10 July 2010 - 11:52 PM

Text file attached

#14 kahdah (Security Colleague)

Posted 11 July 2010 - 06:54 AM

Hi, is that the entire output?
It just looks like some numbers; can you please try it again to see if you get the same result?

#15 picture167148 (Topic Starter)

Posted 11 July 2010 - 11:53 AM

All I do is run the program from the desktop and copy what shows up? I don't click or type anything else?

EDIT: there we go. Is that the correct information?

Attached Files


Edited by picture167148, 11 July 2010 - 12:17 PM.




