
TDSS infection. Bluescreen on boot.


  • This topic is locked
21 replies to this topic

#1 cm77 (Members, 12 posts)

Posted 02 March 2011 - 07:22 AM

My PC started to bluescreen regularly on or shortly after booting a few weeks ago. I put it down to a hardware problem initially. More recently it started displaying obvious signs of malware infection (Google redirects, Ads in system tray, etc). Scanned it with a Kaspersky rescue CD which identified and attempted to clean Rootkit.Win32.TDSS.mbr + a couple of other things. Since doing this it now bluescreens with a 0x7E stop error at the welcome screen.

I can still get in in safe mode but haven't had any success fixing the problem. I tried creating a new user account but it disappeared on reboot. Registry changes also seem to revert back on every reboot. Unless this is a feature of safe mode (not used it on Vista before) then something odd is still going on. A couple of other things (Explorer hangs, some programs crashing at startup) made me think something nasty could still be active.

MBAM in Windows and partial scans with other antivirus rescue CDs haven't turned up much. I confess I tried ComboFix. Sorry ;). Got a couple of warnings about needing administrator, an error from PEV.cfxxe then a little later it shut down the computer whilst I wasn't looking. Not sure what if any effect it had.

I've run DDS and GMER in safe mode. In GMER all options except Services, Registry and Files are greyed out. DDS Log is below. Others are attached.



DDS (Ver_10-12-12.02) - NTFS_AMD64 NETWORK
Run by Chris at 11:33:30.32 on 02/03/2011
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.44.1033.18.4094.3372 [GMT 0:00]

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Chris\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/advanced_search
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~3\Office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
Trusted Zone: halifax-online.co.uk\banking
Trusted Zone: halifax-online.co.uk\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://swi-vpn.intergraph.com/dana-cached/sc/JuniperSetupClient.cab
TCP: {4B0BB445-10D9-4067-A02C-E5395249B644} = 192.168.1.254,208.67.220.220
TCP: {E0A57135-CECA-4B55-8F0E-74F889ED68FE} = 192.168.2.250
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~2\MICROS~3\Office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\HmelyoffLabs\VHToolkit\Skype4COM.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~3\Office12\GRA8E1~1.DLL
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [RtHDVCpl] RAVCpl64.exe
mRun-x64: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 69.5.88.211 www.megaupload.com

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\meaw6jlz.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/advanced_search
FF - component: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\meaw6jlz.default\extensions\glasser@sixxgate.com\components\dwmxpcom.dll
FF - plugin: C:\Program Files (x86)\Downloader\npdd.dll
FF - plugin: C:\Users\Chris\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\meaw6jlz.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: AutoPager: autopager@mozilla.org - %profile%\extensions\autopager@mozilla.org
FF - Ext: Glasser: glasser@sixxgate.com - %profile%\extensions\glasser@sixxgate.com
FF - Ext: translator (fixed): translatorfixed@dontfollowme.net - %profile%\extensions\translatorfixed@dontfollowme.net
FF - Ext: IE Tab 2 (FF 3.6+): {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB} - %profile%\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
FF - Ext: Nuke Anything Enhanced: {1ced4832-f06e-413f-aa14-9eb63ad40ace} - %profile%\extensions\{1ced4832-f06e-413f-aa14-9eb63ad40ace}
FF - Ext: Stop Autoplay: {2e61e246-e640-4c56-b1ed-f146dbed48cd} - %profile%\extensions\{2e61e246-e640-4c56-b1ed-f146dbed48cd}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: ProfileSwitcher: {fa8476cf-a98c-4e08-99b4-65a69cb4b7d4} - %profile%\extensions\{fa8476cf-a98c-4e08-99b4-65a69cb4b7d4}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R1 NEOFLTR_650_14951;Juniper Networks TDI Filter Driver (NEOFLTR_650_14951);C:\Windows\System32\drivers\NEOFLTR_650_14951.SYS [2010-2-2 100400]
R3 Point64;Microsoft IntelliPoint Filter Driver;C:\Windows\System32\drivers\point64k.sys [2007-8-21 27136]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;C:\Windows\System32\drivers\VBoxNetAdp.sys [2011-2-17 156080]
R3 VBoxNetFlt;VBoxNetFlt Service;C:\Windows\System32\drivers\VBoxNetFlt.sys [2011-2-17 175664]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk60x64.sys [2007-12-6 391680]
S1 VBoxDrv;VirtualBox Service;C:\Windows\System32\drivers\VBoxDrv.sys [2011-2-27 228272]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;C:\Windows\System32\drivers\VBoxUSBMon.sys [2011-2-27 56688]
S2 BT848;Conexant's BtPCI WDM Video Capture (AMD64);C:\Windows\System32\drivers\BT848.sys [2005-10-16 421248]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 3xHybr64;Pinnacle PCTV 100i-110i-300i-310i-MCE;C:\Windows\System32\drivers\3xHybr64.sys [2008-1-12 1413592]
S3 bdfm;BDFM;C:\Windows\System32\drivers\bdfm.sys [2009-4-15 154632]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-8-24 19968]
S3 RivaTuner64;RivaTuner64;C:\Program Files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner64.sys [2009-8-22 19952]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\Windows\System32\drivers\RTL8187.sys [2008-6-27 399360]
S3 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;C:\Windows\System32\drivers\RtlProt.sys [2010-10-19 25896]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;C:\Windows\System32\drivers\RTL8187.sys [2008-6-27 399360]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-9-28 51712]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\System32\drivers\WSDPrint.sys [2008-8-24 22528]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2008-8-24 93696]

=============== File Associations ===============

JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*

=============== Created Last 30 ================

2011-03-02 00:33:22 98816 ----a-w- C:\Windows\sed.exe
2011-03-02 00:33:22 89088 ----a-w- C:\Windows\MBR.exe
2011-03-02 00:33:22 256512 ----a-w- C:\Windows\PEV.exe
2011-03-02 00:33:22 161792 ----a-w- C:\Windows\SWREG.exe
2011-03-02 00:33:15 -------- d-s---w- C:\ComboFix
2011-03-02 00:19:11 6144 ------w- C:\Windows\System32\361D.tmp
2011-03-02 00:18:08 6144 ------w- C:\Windows\System32\3F31.tmp
2011-03-01 19:36:14 6144 ------w- C:\Windows\System32\82A.tmp
2011-03-01 19:35:22 -------- d-----w- C:\Program Files (x86)\Sophos
2011-03-01 11:52:44 -------- d-----w- C:\bd_logs
2011-02-28 21:45:43 -------- d-sh--w- C:\found.000
2011-02-28 17:47:31 92248 ----a-w- C:\Windows\System32\drivers\klmdb.sys
2011-02-27 22:49:29 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2011-02-27 21:07:54 -------- d-----w- C:\PROGRA~3\eKmHiDj06308
2011-02-27 20:16:27 -------- d-----w- C:\PROGRA~3\iEbFjJb06308
2011-02-27 19:10:04 228272 ----a-w- C:\Windows\System32\drivers\VBoxDrv.sys
2011-02-27 19:09:36 56688 ----a-w- C:\Windows\System32\drivers\VBoxUSBMon.sys
2011-02-27 19:09:26 -------- d-----w- C:\Program Files\Oracle
2011-02-17 17:21:12 156080 ----a-w- C:\Windows\System32\drivers\VBoxNetAdp.sys
2011-02-17 17:21:10 175664 ----a-w- C:\Windows\System32\drivers\VBoxNetFlt.sys
2011-02-16 20:45:44 99176 ----a-w- C:\Windows\SysWow64\PresentationHostProxy.dll
2011-02-16 20:45:44 49472 ----a-w- C:\Windows\SysWow64\netfxperf.dll
2011-02-16 20:45:44 48960 ----a-w- C:\Windows\System32\netfxperf.dll
2011-02-16 20:45:44 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll
2011-02-16 20:45:44 1942856 ----a-w- C:\Windows\System32\dfshim.dll
2011-02-16 20:45:44 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll
2011-02-16 20:45:43 444752 ----a-w- C:\Windows\System32\mscoree.dll
2011-02-16 20:45:43 320352 ----a-w- C:\Windows\System32\PresentationHost.exe
2011-02-16 20:45:43 295264 ----a-w- C:\Windows\SysWow64\PresentationHost.exe
2011-02-16 20:45:43 109912 ----a-w- C:\Windows\System32\PresentationHostProxy.dll
2011-02-16 20:43:37 -------- d-----w- C:\Program Files (x86)\Freemake

==================== Find3M ====================

2011-02-27 22:29:37 81984 ----a-w- C:\Windows\System32\bdod.bin
2011-02-17 17:21:10 320816 ----a-w- C:\Windows\System32\VBoxNetFltNotify.dll
2010-12-20 18:08:40 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys

============= FINISH: 11:34:37.11 ===============

Attached Files





#2 snemelk (inżynier, Malware Response Team, 1,468 posts, Poland)

Posted 08 March 2011 - 12:02 PM

Hi cm77, and welcome to Bleeping Computer.

If you cannot boot into Normal Mode, please run the scan (&fix) with the tool below in Safe Mode:
  • Download TDSSKiller.zip and extract TDSSKiller.exe to your Desktop.
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan

  • If Malicious objects are found, ensure Cure is selected (it should be by default).
  • Click Continue then click Reboot now.
  • Once complete, a log will be produced at the root drive which is typically C:\

    For example, C:\TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Please post that log here.


If, after running the tool above, you're able to get into Normal Mode, run this scan for me:

Download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.

snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 cm77 (Topic Starter, Members, 12 posts)

Posted 08 March 2011 - 04:41 PM

Hi snemelk,
Thanks for coming to my aid. I tried TDSSKiller a few days ago and it identified a single file which I deleted but it didn't stop the bluescreen on booting to normal mode. Just to make sure I just ran it again (since it's had an update in the meantime) but it didn't find anything. I've attached the log file. Unfortunately I still can't get in in normal mode.

Attached Files



#4 snemelk (inżynier, Malware Response Team, 1,468 posts, Poland)

Posted 08 March 2011 - 05:01 PM

Hi again cm77!!.. :)

Ok, let's check something...

Firstly, in Safe Mode (or Safe Mode with Networking):
Download MBRCheck by a_d_13 to your Desktop from one of these locations:

http://ad13.geekstogo.com/MBRCheck.exe
http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe
http://www.kernelmode.info/MBRCheck.exe

Close all opened programs/ windows and double-click on MBRCheck.exe.
It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".

Press the "Enter" key to close the MBRCheck window and post the contents of the log file.

Secondly, reboot your computer, and just before Windows loads press F10 (the same way you would press F8 to access Safe Mode, but press F10 instead)... Tell me exactly what you see (you can take a photo or write the lines down on a piece of paper)... Then, you can go back to Safe Mode or turn the computer off...


#5 cm77 (Topic Starter, Members, 12 posts)

Posted 08 March 2011 - 05:40 PM

MBRCheck log file is attached. The text of the F10 screen is :

Edit Boot Options

Edit Windows boot options for: Microsoft Windows Vista

Path: \Windows\system32\winload.exe

Partition: 1
Hard Disk: 2945cec4

[ /NOEXECUTE=OPTIN /BOOTLOG /SOS /MININT





ENTER=Submit ESC=Cancel

Attached Files



#6 snemelk (inżynier, Malware Response Team, 1,468 posts, Poland)

Posted 09 March 2011 - 12:43 PM

Hi again cm77!!.. :)

Please print out this set of instructions or save them in a Notepad. Read the entire post before proceeding, because it will make following the instructions easier.


Ok, please do the following:

Once again, please get to the "Edit Boot Options" screen, by pressing F10...

Please remove the /MININT part from this line:

[ /NOEXECUTE=OPTIN /BOOTLOG /SOS /MININT

Leaving only this:

[ /NOEXECUTE=OPTIN /BOOTLOG /SOS

Make sure the closing bracket ] is still there, intact...

Press Enter... That should make your computer boot normally into Normal Mode...

Once in Normal Mode, please do the following:

Firstly,
Open Notepad and copy and paste the text in the quote box:

bcdedit /export "C:\BCD_Backup.dat"
bcdedit /set {current} winpe no

Save this as fix.bat, choosing Save as type: All Files, and place it on your Desktop.
Right-click on it and choose: Run as administrator (this is important!)...

Afterwards (a Command line window should just flash for a moment), please reboot - check if it boots up ok into Normal Mode... If yes, proceed to the second step:


Open Notepad and copy and paste the text in the quote box:

bcdedit /deletevalue {current} winpe

Save this as fix2.bat, choosing Save as type: All Files, and place it on your Desktop.
Right-click on it and choose: Run as administrator (this is important!)...

Afterwards, reboot once again - confirm if the computer still boots up properly...

Let me know how it goes!!..
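The /MININT switch shown on the F10 screen is what winload displays when the boot entry carries the BCD winpe element, which is why the two batch files above first set winpe to no and then delete it. The script below is an added example, not code from the thread or from the helper: it parses the text that `bcdedit /enum {current}` prints, rebuilds the option string the F10 screen shows from the nx, bootlog, sos and winpe elements, and returns the backup, set and deletevalue commands from the two batch files as one list whenever winpe is set. SAMPLE_ENUM is constructed to mirror the F10 screen posted in this thread (the description, locale and other element values are made up for the example), and check_live only works from an elevated prompt on a Windows machine.

```python
"""
Check a BCD boot entry for the winpe (/MININT) element and emit the fix
commands used in this thread.  Added example, not part of the original post.
"""
import re
import subprocess

# BCD element -> winload switch, as the F10 "Edit Boot Options" screen renders it.
SWITCHES = {
    "nx": lambda v: f"/NOEXECUTE={v.upper()}",
    "bootlog": lambda v: "/BOOTLOG" if v.lower() == "yes" else None,
    "sos": lambda v: "/SOS" if v.lower() == "yes" else None,
    "winpe": lambda v: "/MININT" if v.lower() == "yes" else None,
}

# Constructed sample of `bcdedit /enum {current}` output (values are made up,
# only the element names and the four switches mirror the thread).
SAMPLE_ENUM = """\
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Microsoft Windows Vista
locale                  en-US
inherit                 {bootloadersettings}
osdevice                partition=C:
systemroot              \\Windows
nx                      OptIn
bootlog                 Yes
sos                     Yes
winpe                   Yes
"""

# bcdedit pads the element name to a fixed column, so two or more spaces
# separate name from value; the header and dashed line never match.
ELEMENT = re.compile(r"^(\w+)\s{2,}(.+?)\s*$")


def parse_enum(text):
    """Return {element: value} for the entry in bcdedit /enum output."""
    elements = {}
    for line in text.splitlines():
        m = ELEMENT.match(line)
        if m:
            elements[m.group(1).lower()] = m.group(2)
    return elements


def winload_options(elements):
    """Reconstruct the option string winload receives, e.g. '/NOEXECUTE=OPTIN /BOOTLOG /SOS /MININT'."""
    parts = []
    for key, render in SWITCHES.items():
        if key in elements:
            switch = render(elements[key])
            if switch:
                parts.append(switch)
    return " ".join(parts)


def fix_commands(elements, entry="{current}"):
    """The thread's fix.bat and fix2.bat as one list; empty when winpe is not set."""
    if elements.get("winpe", "").lower() != "yes":
        return []
    return [
        'bcdedit /export "C:\\BCD_Backup.dat"',
        f"bcdedit /set {entry} winpe no",
        f"bcdedit /deletevalue {entry} winpe",
    ]


def check_live(entry="{current}"):
    """Read the live store; requires Windows and an elevated prompt."""
    out = subprocess.run(["bcdedit", "/enum", entry],
                         capture_output=True, text=True, check=True).stdout
    return parse_enum(out)


if __name__ == "__main__":
    els = parse_enum(SAMPLE_ENUM)
    print("winload options:", winload_options(els))
    for cmd in fix_commands(els):
        print(cmd)
```

Finding the element does not tell you why it is there or what put it back; in this thread the flag returned after several reboots until the BCD store was rebuilt from the recovery environment, so a winpe element that reappears after you clear it is itself a sign that something is still rewriting the store.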


#7 cm77 (Topic Starter, Members, 12 posts)

Posted 09 March 2011 - 03:49 PM

Ok. I created the two batch files on the laptop I'm using and put them on a USB drive. I removed /MININT and was able to boot into windows, past the previous crash point. Unfortunately it didn't stay up very long. I tried again and this time was able to follow your instructions, performing the two reboots. Unfortunately it then crashed and rebooted a few times and the problem came back (/MININT reappeared at the F10 screen again).

I tried again, this time just using Fix.bat, but the problem came back again.

After a run of bluescreens and reboots and another try with Fix.bat (only) the BCD changes seem to be holding and Windows is staying up at least for the moment (not sure what'll happen at the next reboot though). I've just run BlueScreenView (which I already had installed) and the blue screens that left crash dumps have a variety of different causes and sources. Most look similar to what was happening before the ill-fated Kaspersky run that locked me out of normal mode, though ndis.sys as a source hasn't appeared before.

Since Windows appears to be staying up at the moment I didn't try Fix2 again. Thought it would be better to check with you how to proceed.

Edit : Spoke too soon about stability. Windows has bluescreened a couple of times now. Setting winpe to no seems to be holding though.

Edited by cm77, 09 March 2011 - 04:15 PM.


#8 snemelk (inżynier, Malware Response Team, 1,468 posts, Poland)

Posted 09 March 2011 - 05:20 PM

Hi again cm77!!.. :)

Thanks for the information!.. That's interesting - maybe a portion of the infection is still active...

A question - do you have your Windows Vista DVD??.. We may need it...
Alternatively, if this is a laptop, please tell me the model of it...

I'd like to see if infection made any changes to MBR - please run MBRCheck once again (either in Normal or Safe Mode, as convenient)... If the line below appears in the log, you do not have to post/attach the logfile:

698 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected

Otherwise, attach that log for me to see...


#9 cm77 (Topic Starter, Members, 12 posts)

Posted 09 March 2011 - 06:07 PM

I have a Vista DVD if needed. The machine with the problem is a desktop. I'm using an old laptop to post here. Sorry for any confusion.

I ran MBRCheck from safe mode and the line specified appeared in the file.

Just to warn you I just tried a couple of Orthos runs in safe mode and got failures so there may be an underlying hardware problem as well.

#10 snemelk (inżynier, Malware Response Team, 1,468 posts, Poland)

Posted 10 March 2011 - 09:06 AM

Hi again cm77!!.. :)

cm77 wrote: "I have a Vista DVD if needed."

That's good, you'll use it now... You may want to get accustomed with this tutorial first: How to use the Command Prompt in the Vista Windows Recovery Environment

  • Put the Windows Vista installation disc in the disc drive, and then reboot the computer. Note: you may need to configure your BIOS so that you boot from CD/DVD, not the hard drive: How to Set BIOS to Boot from CDROM
  • Press a key when you are prompted.
  • Select a language, a time, a currency, and a keyboard or another input method, and then click Next.
  • Click Repair your computer.
  • Click the operating system that you want to repair, and then click Next.
  • In the System Recovery Options dialog box, click Command Prompt.
  • Type the following commands in the order in which they are presented. Press ENTER after each command (watch the spaces!):

    bcdedit /export C:\BCD_Backup
    c:
    cd boot
    attrib bcd -s -h -r
    ren c:\boot\bcd bcd.old
    bootrec /RebuildBcd

  • When you're done, type exit and press Enter... Restart the computer.

If everything runs smoothly, the re-appearing /MININT will no longer be a problem... Please do not perform any batch fixes, however, you can reboot once more to confirm the problem is indeed gone...

If everything runs fine, perform a scan with OTL.exe as instructed in one of my earlier posts!.. :)


#11 cm77 (Topic Starter, Members, 12 posts)

Posted 11 March 2011 - 06:56 AM

Hi again snemelk,
Apologies for the lack of contact yesterday. Things got a bit late.

I exported and rebuilt the bcd at the recovery command prompt as instructed. So far I haven't had /MININT reappear.

Windows is still very unstable and it took a couple of attempts but I managed to get the OTL scan to run all the way through in the end. The logs are attached.

Edit : Deleted logs whilst I still can to free up attachment space.

Edited by cm77, 11 March 2011 - 06:06 PM.


#12 snemelk (inżynier, Malware Response Team, 1,468 posts, Poland)

Posted 11 March 2011 - 02:29 PM

Hi again cm77!!.. :)

cm77 wrote: "I exported and rebuilt the bcd at the recovery command prompt as instructed. So far I haven't had /MININT reappear."

That's good news!..

cm77 wrote: "Windows is still very unstable and it took a couple of attempts but I managed to get the OTL scan to run all the way through in the end."

I see... Logs look ok to me - there are some leftovers that need to be removed, but I do not see any active malware...

And yes, it may be a hardware issue as well... Was your system unstable before that malware problem??.. Were there any errors when you ran Orthos??..

There are quite a few errors of this kind visible in the Event Log:

Error - 10/03/2011 20:18:59 | Computer Name = Redwidow | Source = Ntfs | ID = 262199
Description = The file system structure on the disk is corrupt and unusable. Please
run the chkdsk utility on the volume \Device\HarddiskVolume1.


I suggest this is your first step... So, firstly,
- boot into System Recovery Options with your Windows DVD (as instructed in my previous post), choose Command Prompt,
- execute the following commands:

chkdsk C: /r
chkdsk D: /r


- reboot the computer...
- for more information, you can take a look at this topic: How to Run Check Disk at Startup in Vista or Windows 7

Secondly,
Please run OTL.exe.
  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    [2011/02/27 21:07:54 | 000,000,000 | ---D | C] -- C:\ProgramData\eKmHiDj06308
    [2011/02/27 20:16:27 | 000,000,000 | ---D | C] -- C:\ProgramData\iEbFjJb06308
    [2010/11/03 12:52:22 | 000,000,120 | ---- | C] () -- C:\Users\Chris\AppData\Local\Wxusitamagabobi.dat
    [2010/11/03 12:52:22 | 000,000,000 | ---- | C] () -- C:\Users\Chris\AppData\Local\Ucozunazi.bin
    [2010/04/03 08:57:50 | 000,001,422 | -HS- | C] () -- C:\Users\Chris\AppData\Local\Wv7V1mEL4UH
    [2010/04/03 08:57:50 | 000,001,422 | -HS- | C] () -- C:\ProgramData\Wv7V1mEL4UH
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "TCP Query User{71CC8B9D-A60E-4CDC-9074-1797A20F9A9E}C:\users\chris\appdata\roaming\osaryc\ysko.exe"=-
    "TCP Query User{C87FBCDD-B2F7-4867-B14B-A78AA568175F}C:\users\chris\appdata\roaming\moawad\ovma.exe"=-
    "TCP Query User{F0F522E4-F4E4-464D-B81C-52424B626477}C:\users\chris\appdata\roaming\ypcaek\evysw.exe"=-
    "UDP Query User{0620118A-686A-47D3-BC72-A6B217AEC57E}C:\users\chris\appdata\roaming\ypcaek\evysw.exe"=-
    "UDP Query User{0D4E6610-6885-4CB1-8219-56E6EDCE7C2F}C:\users\chris\appdata\roaming\moawad\ovma.exe"=-
    "UDP Query User{60615AAC-AF39-40CC-8C5A-E5B987AC0135}C:\users\chris\appdata\roaming\osaryc\ysko.exe"=-
    :Commands
    [EmptyTemp]
    [EMPTYFLASH]

  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Thirdly,
  • Close all windows and double click OTL.exe.
  • On the upper bar, click None.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following:

    C:\Windows\System32\rundll32.exe /md5 /64
    C:\Windows\System32\appmgmts.dll /md5 /64

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open one Notepad window. OTL.Txt - saved in the same location as OTL. Post the log in this thread.

Finally,
I suggest you find out the manufacturer of your hard drive, then check if that company has a special utility to check the disk for errors... If yes, I'd try running it and see what the outcome is...
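The entries the OTL fix above removes are visible in plain text in the logs: the DDS report in post #1 shows a BHO with no backing file and two hosts-file overrides, and the fix itself lists Windows Firewall "Query User" exceptions for executables under AppData\Roaming. The script below is an added example, not code from the thread or from the DDS/OTL tools: it scans lines in those two log formats and flags each of those indicator types, so the same review can be repeated on another log without reading it by hand. The SAMPLE_LOG lines are copied from this thread apart from the uRun line and the Skype firewall rule, which are constructed (the all-zero GUID is a placeholder) to show a flagged autorun and a rule that is correctly left alone.

```python
"""
Triage of DDS / OTL log lines for the indicator types seen in this thread.
Added example, not part of the original thread or of the DDS/OTL tools.
"""
import re
from dataclasses import dataclass

# Executables under a user profile's roaming/temp directories: a legitimate
# autorun or firewall exception rarely lives there, a dropper usually does.
USER_WRITABLE_EXE = re.compile(
    r'([a-z]:\\users\\[^\\"|]+\\appdata\\(?:roaming|local\\temp)\\[^"|\s]*?\.exe)',
    re.IGNORECASE,
)
HOSTS_LINE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)", re.IGNORECASE)
ORPHAN_BHO = re.compile(r"^BHO:.*-\s+No File\s*$")
# OTL prints a FirewallRules value as "<proto> Query User{GUID}<exe path>"=-
FIREWALL_RULE = re.compile(r'^"?(TCP|UDP) Query User\{[0-9A-Fa-f-]+\}(.+?)"?=', re.IGNORECASE)
AUTORUN_KEYS = {"mRun", "uRun", "mRun-x64", "uRun-x64"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Lines from this thread's DDS log and OTL fix; the uRun line and the Skype
# rule (all-zero GUID) are constructed for the example.
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
uRun: [ysko] C:\Users\Chris\AppData\Roaming\osaryc\ysko.exe
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 69.5.88.211 www.megaupload.com
"TCP Query User{71CC8B9D-A60E-4CDC-9074-1797A20F9A9E}C:\users\chris\appdata\roaming\osaryc\ysko.exe"=-
"UDP Query User{60615AAC-AF39-40CC-8C5A-E5B987AC0135}C:\users\chris\appdata\roaming\osaryc\ysko.exe"=-
"TCP Query User{00000000-0000-0000-0000-000000000000}C:\Program Files (x86)\Skype\Phone\Skype.exe"=-
""".strip().splitlines()


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    line: str


def triage(lines):
    """Return one Finding per line that matches an indicator rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_LINE.match(line)
        if m:
            ip, name = m.groups()
            # Loopback entries block a name (often a security vendor); anything
            # else silently redirects it.
            rule = "hosts_block" if ip in LOOPBACK else "hosts_redirect"
            findings.append(Finding(rule, f"{name} -> {ip}", line))
            continue
        if ORPHAN_BHO.match(line):
            findings.append(Finding("orphan_bho", "BHO CLSID with no backing file", line))
            continue
        m = FIREWALL_RULE.match(line)
        if m:
            proto, path = m.groups()
            if USER_WRITABLE_EXE.search(path):
                findings.append(Finding("firewall_userland_exe", f"{proto} exception for {path}", line))
            continue
        m = USER_WRITABLE_EXE.search(line)
        if m and line.split(":")[0] in AUTORUN_KEYS:
            findings.append(Finding("autorun_userland_exe", m.group(1), line))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.rule:24} {f.detail}")
    print(summarize(hits))
```

Every hit is a review item rather than a verdict: a hosts entry or an autorun under AppData can be legitimate, but a firewall exception for a randomly named executable in a user profile, as in the six rules the fix above deletes, is the kind of entry a responder checks first.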


#13 cm77 (Topic Starter, Members, 12 posts)

Posted 11 March 2011 - 06:15 PM

Chkdsk on C has been running for several hours now and still isn't finished. Will post an update tomorrow.

#14 cm77 (Topic Starter, Members, 12 posts)

Posted 12 March 2011 - 05:54 PM

I ran chkdsk on both c and d as instructed and it found a few unindexed files but not much else. There was an error 'Failed to transfer logged messages to the event log with status 50' at the end of both runs, though I'm guessing that was just due to running it from the repair command prompt. Windows bluescreened half way through my first attempt at running the fix in OTL.

I think I've finally sorted out the blue screens now though. After getting errors from Memtest86+ I removed one of the sticks of RAM and since then I've so far not had any more blue screens. Vista's had 4 successful reboots in a row (for the first time in about a month :) ) and Orthos has been running now for the last 3 hours or so without any errors.

I re-ran the OTL fix and let it reboot, then ran the scan you instructed. The log files are attached.

I checked the SMART information for the hard drives in Speedfan and it looked ok. Since the blue screens have now stopped and chkdsk didn't find anything much I didn't bother trying to search out a more comprehensive hard drive checker.

Edit : Removed attachments

Edited by cm77, 13 March 2011 - 03:45 PM.


#15 snemelk (inżynier, Malware Response Team, 1,468 posts, Poland)

Posted 12 March 2011 - 07:03 PM

Hi again cm77!!.. :)

Good to see that you've managed to solve that blue screen error!!.. :thumbup2:
I reckon there are no malware related problems present anymore, right??..

cm77 wrote: "I re-ran the OTL fix and let it reboot, then ran the scan you instructed. The log files are attached."

Thanks!.. Log looks ok to me - those 2 files I wanted to have checked are valid MS files (they have no company name, though)...

Please do the following:

Firstly,
We need to update outdated programs (with security vulnerabilities) on your machine:

- Adobe Acrobat Reader:

You're using an old version of Adobe Acrobat Reader, this can leave your PC open to vulnerabilities, you can update it here (uninstall version 9.4 first):
Adobe Reader X

Note: I suggest you uncheck an optional, third-party download (eg. McAfee Security Scan Plus).

After successfully installing Adobe Reader X, see this article on how to make this program more secure: Adobe Reader X secures itself by playing in the sandbox.

- Java

Go to Start -> Control Panel -> Programs and Features, highlight a program to see the available option on the toolbar for it. Choose Uninstall for:
Java™ 6 Update 15

Then,
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says Java Platform, Standard Edition / "Java SE 6 Update 24".
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select Windows, your Language, check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe that you downloaded to install the newest version.

- Mozilla Firefox (3.6.7) --> Help --> Check for updates - let it update to the newest version - 3.6.15

- Skype™ 4.1 --> I suggest you install the newest version: Skype

- Adobe Flash Player:

To make sure you have the latest version of Adobe Flash Player installed:
1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe
2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger).
3. Double-click on the file you've downloaded to uninstall Flash.
4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).
Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).

Secondly,
Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer (32 bit version - Start --> All programs --> Internet Explorer) for this scan. Internet Explorer must be run as administrator - right click and choose: Run as administrator.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files (x86)\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Thirdly,
Please consider updating to Windows Vista Service Pack 2 (SP2).
Windows Vista Service Pack 2 (SP2) contains all the updates released since SP1 plus support for new types of hardware and emerging hardware standards.
It is now available via Windows Update or as a standalone installation here.




