0x0000008E BSOD after hitman clean


3 replies to this topic

#1 nixadm

Posted 27 January 2012 - 11:36 AM

Hello, I am normally pretty good at removing malware; this, however, has proved challenging for me. I cleaned a system up with Hitman, which found viruses and rootkits and wanted to clean more on reboot, which I did. Since then it's been blue screening at the login screen. Safe mode works fine, but I cannot repair or clean the virus.

0x0000008E (0xC0000005, 0x826711A7, 0x8E2dd91C,


It won't boot to the Windows Vista CD, it won't boot to a Vista USB drive, but it will boot to Hiren's. Please help, very frustrated.
Rustock.b rootkit was not detected; looked like it could be pe386.


Combofix log:


ComboFix 12-01-27.01 - Owner 01/27/2012 11:06:29.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3538.2982 [GMT -6:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-12-27 to 2012-01-27 )))))))))))))))))))))))))))))))
.
.
2012-01-27 17:17 . 2012-01-27 17:17 -------- d-----w- c:\users\Owner\AppData\Local\temp
2012-01-27 17:17 . 2012-01-27 17:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-27 17:17 . 2012-01-27 17:17 -------- d-----w- c:\users\Alison\AppData\Local\temp
2012-01-27 16:56 . 2012-01-27 16:57 -------- d-----w- c:\windows\panther
2012-01-27 16:37 . 2012-01-27 16:37 54016 ----a-w- c:\windows\system32\drivers\ipii.sys
2012-01-27 13:30 . 2012-01-27 13:30 -------- d-----w- C:\Temp
2012-01-27 05:10 . 2012-01-27 05:10 98992 ----a-w- c:\windows\system32\drivers\12698917.sys
2012-01-27 04:29 . 2012-01-27 04:29 24576 ----a-w- c:\windows\system32\FoolishEventLogMsgHelper.dll
2012-01-27 04:00 . 2012-01-27 04:00 54016 ----a-w- c:\windows\system32\drivers\rjbtv.sys
2012-01-27 02:30 . 2012-01-27 02:30 98992 ----a-w- c:\windows\system32\drivers\95094716.sys
2012-01-27 02:18 . 2012-01-27 02:18 -------- d-----w- c:\programdata\Hitman Pro
2012-01-27 02:09 . 2012-01-27 02:16 -------- d-----w- c:\programdata\HitmanPro
2012-01-27 01:43 . 2012-01-27 01:45 -------- d-----w- c:\users\Owner\dd
2012-01-26 23:23 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-01-26 23:23 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-01-26 23:23 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-01-26 23:23 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-01-26 23:23 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-01-26 23:23 . 2011-11-28 17:52 55128 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-01-26 23:23 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2012-01-26 23:23 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
2012-01-26 23:22 . 2012-01-26 23:22 -------- d-----w- c:\programdata\AVAST Software
2012-01-26 23:22 . 2012-01-26 23:22 -------- d-----w- c:\program files\AVAST Software
2012-01-26 23:09 . 2012-01-26 23:09 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-26 22:35 . 2012-01-26 22:35 54016 ----a-w- c:\windows\system32\drivers\rrjkg.sys
2012-01-26 22:25 . 2012-01-26 22:25 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2012-01-26 22:24 . 2012-01-26 22:24 -------- d-----w- c:\programdata\Malwarebytes
2012-01-26 22:24 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-26 22:24 . 2012-01-26 22:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-26 08:11 . 2012-01-26 08:11 -------- d-----w- c:\users\Owner\AppData\Roaming\PC Unleashed Online
2012-01-26 08:11 . 2012-01-26 08:11 -------- d-----w- c:\users\Owner\AppData\Roaming\DriverCure
2012-01-26 08:11 . 2012-01-26 22:24 -------- d-----w- c:\programdata\PC Unleashed Online
2012-01-26 02:10 . 2012-01-26 02:10 -------- d-----w- c:\windows\Sun
2012-01-24 23:18 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{33D94191-87B3-4C45-B5EA-1CB9A3F01C72}\mpengine.dll
2012-01-24 18:32 . 2008-01-21 02:32 89600 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HPZPPLHN.DLL
2012-01-24 18:30 . 2011-11-16 16:23 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-24 18:30 . 2011-11-17 06:48 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-24 18:30 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-24 18:30 . 2011-11-16 16:23 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-24 18:30 . 2011-11-16 16:21 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-24 18:30 . 2011-11-16 14:12 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-24 17:56 . 2012-01-24 17:56 -------- d-----w- C:\6c1f18606f9ce4fb78fde489ca
2012-01-24 17:51 . 2011-05-22 21:42 17296 ----a-w- c:\windows\system32\drivers\easytthr.sys
2012-01-24 17:51 . 2012-01-24 17:51 -------- d-----w- c:\program files\Mobile Stream
2012-01-24 17:50 . 2009-07-14 12:12 16896 ----a-w- c:\windows\system32\winusb.dll
2012-01-24 17:50 . 2009-07-13 23:51 34944 ----a-w- c:\windows\system32\drivers\winusb.sys
2012-01-24 17:45 . 2009-07-14 17:45 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2012-01-24 17:45 . 2009-07-14 17:45 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2012-01-24 17:11 . 2012-01-24 17:11 -------- d-----w- c:\users\Owner\AppData\Roaming\BACS.exe
2012-01-14 01:50 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-14 01:50 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-14 01:50 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-14 01:50 . 2011-11-18 17:47 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-14 01:50 . 2011-11-25 15:59 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-14 01:50 . 2011-12-01 15:21 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-01-14 01:50 . 2011-10-25 15:58 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-14 01:50 . 2011-10-25 15:58 497152 ----a-w- c:\windows\system32\qdvd.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-26 21:57 . 2009-04-04 13:37 0 ----a-w- c:\users\Owner\AppData\Local\WavXMapDrive.bat
2012-01-26 20:38 . 2009-04-04 17:28 0 ----a-w- c:\users\Alison\AppData\Local\WavXMapDrive.bat
2011-11-23 13:37 . 2011-12-13 22:59 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-15 20:29 . 2009-10-04 23:05 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-08 14:42 . 2011-12-13 22:58 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-03 22:47 . 2011-12-15 03:54 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40 . 2011-12-15 03:54 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39 . 2011-12-15 03:54 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31 . 2011-12-15 03:54 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2008-11-09 23:10 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2008-11-09 23:10 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-10-28 200704]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-13 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-13 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-13 145944]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-15 178712]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2008-08-18 598016]
"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2008-10-01 1454080]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-09-24 184320]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-09-26 134144]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2008-11-10 656696]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2008-11-10 91448]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-01-16 24576]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-21 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-12-02 483420]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-12-13 135536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootdelete
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DisplayKEY eSYNC Info.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DisplayKEY eSYNC Info.lnk
backup=c:\windows\pss\DisplayKEY eSYNC Info.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileHippo.com]
2009-07-27 09:44 155648 ----a-w- c:\program files\FileHippo.com\UpdateChecker.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hiyo]
2010-11-05 15:38 238960 ----a-w- c:\program files\HiYo\Bin\HiYo.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
2005-08-12 16:05 40960 ----a-w- c:\program files\Yahoo!\Yahoo! Music Engine\ymetray.exe
.
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_505c1590\aestsrv.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-25 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3012132611-697970637-4171795258-1001Core.job
- c:\users\Owner\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-12 16:05]
.
2012-01-26 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3012132611-697970637-4171795258-1001UA.job
- c:\users\Owner\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-12 16:05]
.
2012-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 14:03]
.
2012-01-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 14:03]
.
2012-01-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3012132611-697970637-4171795258-1000Core.job
- c:\users\Alison\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-22 02:53]
.
2012-01-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3012132611-697970637-4171795258-1000UA.job
- c:\users\Alison\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-22 02:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/stp/yme/*http://www.yahoo.com
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/yme/*http://www.yahoo.com
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-IspAssistant-Mp3Tube - c:\program files\Mp3Tube Toolbar\uninstall.exe
AddRemove-McAfee Security Scan - c:\program files\McAfee Security Scan\uninstall.exe
AddRemove-McAfeeLiteScanner - c:\program files\McAfeeScanAndRepair\uninst.exe
AddRemove-OpenSSL_is1 - c:\openssl\unins000.exe
AddRemove-Yahoo! Companion - c:\progra~1\Yahoo!\Common\UNYT_W~1.EXE
AddRemove-Yahoo! Toolbar - c:\progra~1\Yahoo!\Common\UNYT_W~1.EXE
AddRemove-{A8A98F85-9CC8-418D-B65B-FDE1EC737C47} - c:\program files\PC Unleashed Online\Suite\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-27 11:17
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HitmanPro35CrusaderBoot]
"ImagePath"="\"f:\hitmanpro35.exe\" /crusader:boot"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hitmanpro35]
"ImagePath"="\??\c:\windows\system32\drivers\hitmanpro35.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(560)
c:\windows\system32\wvauth.dll
.
- - - - - - - > 'Explorer.exe'(708)
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
Completion time: 2012-01-27 11:20:56
ComboFix-quarantined-files.txt 2012-01-27 17:20
ComboFix2.txt 2012-01-27 05:19
.
Pre-Run: 6,842,654,720 bytes free
Post-Run: 6,791,327,744 bytes free
.
- - End Of File - - 6895A206542A87600CD7EC277C56E8C9

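A few drivers in the "Files Created" section above are worth a second look: ipii.sys, rjbtv.sys and rrjkg.sys share one exact size (54016 bytes), 12698917.sys and 95094716.sys share another (98992 bytes) and have all-numeric names, and all five carry identical creation and last-write times, whereas the drivers that arrived with installed products (aswSnx.sys, mbam.sys, easytthr.sys, Wdf01000.sys) keep an older last-write time from their install media. The Python below is an added example, not the poster's work or part of ComboFix: it parses lines in the posted format (a subset of the log is reproduced inside the script) and flags drivers on those indicators. The heuristics are assumptions of this example, chosen to match what this log shows: it reads the first timestamp as creation time and the second as last-write time, treats an exact match between them as a fresh write, and treats several drivers of identical byte size as a likely re-drop of one payload. They are pointers for a human to verify, not proof of infection.

```python
"""Triage a ComboFix "Files Created" listing for suspicious kernel drivers.

Added example; not the poster's code and not part of ComboFix. The heuristics
(fresh write, all-numeric name, identical byte size across several drivers) are
this example's assumptions, not ComboFix rules.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Lines taken from the ComboFix "Files Created" section posted above (a subset).
COMBOFIX_FILES_CREATED = r"""
2012-01-27 16:37 . 2012-01-27 16:37 54016 ----a-w- c:\windows\system32\drivers\ipii.sys
2012-01-27 05:10 . 2012-01-27 05:10 98992 ----a-w- c:\windows\system32\drivers\12698917.sys
2012-01-27 04:29 . 2012-01-27 04:29 24576 ----a-w- c:\windows\system32\FoolishEventLogMsgHelper.dll
2012-01-27 04:00 . 2012-01-27 04:00 54016 ----a-w- c:\windows\system32\drivers\rjbtv.sys
2012-01-27 02:30 . 2012-01-27 02:30 98992 ----a-w- c:\windows\system32\drivers\95094716.sys
2012-01-27 02:18 . 2012-01-27 02:18 -------- d-----w- c:\programdata\Hitman Pro
2012-01-26 23:23 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-01-26 22:35 . 2012-01-26 22:35 54016 ----a-w- c:\windows\system32\drivers\rrjkg.sys
2012-01-26 22:24 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-24 17:51 . 2011-05-22 21:42 17296 ----a-w- c:\windows\system32\drivers\easytthr.sys
2012-01-24 17:45 . 2009-07-14 17:45 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
"""

# "<created> . <modified> <size|--------> <attrs> <path>"; paths may contain spaces.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories (ComboFix prints --------)
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_driver(self) -> bool:
        low = self.path.lower()
        return "\\drivers\\" in low and low.endswith(".sys")


def parse(text: str) -> list[Entry]:
    """Parse every line that matches the ComboFix file-listing format."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # section banners, lone dots, blank lines
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["path"]))
    return entries


def drivers(entries: list[Entry]) -> list[Entry]:
    return [e for e in entries if e.is_driver and e.size is not None]


def size_clusters(entries: list[Entry]) -> dict[int, list[str]]:
    """Group driver files by exact byte size; two or more of one size is a cluster."""
    by_size: dict[int, list[str]] = defaultdict(list)
    for e in drivers(entries):
        by_size[e.size].append(e.name)
    return {size: sorted(names) for size, names in by_size.items() if len(names) >= 2}


def triage(text: str) -> dict[str, list[str]]:
    """Return {driver name: [reasons]} for drivers that hit at least one indicator."""
    entries = parse(text)
    clusters = size_clusters(entries)
    findings: dict[str, list[str]] = defaultdict(list)
    for e in drivers(entries):
        if e.created == e.modified:
            findings[e.name].append("created == modified: written fresh, not copied from install media")
        if e.name[:-4].isdigit():
            findings[e.name].append("all-numeric file name")
        if e.size in clusters:
            others = [n for n in clusters[e.size] if n != e.name]
            findings[e.name].append(f"same size ({e.size} bytes) as {', '.join(others)}")
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in sorted(triage(COMBOFIX_FILES_CREATED).items()):
        print(name)
        for r in reasons:
            print("   -", r)
```

Run against the subset above, the script reports exactly the five random- or numeric-named drivers and none of the product drivers. Drivers flagged this way still have to be checked by hand (signature, vendor, whether a service points at them), and the same fresh-write indicator would also catch a legitimately freshly compiled file.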

#2 nixadm (Topic Starter)

Posted 27 January 2012 - 11:43 AM

Also, if I remember right, Hitman found an Alureon rootkit variant.

And if I remove all non-MS services & startup items, it doesn't save; when I reboot they're all back.

I was thinking about slaving the drive to another computer and running a full scan on it with Avast.

Edited by nixadm, 27 January 2012 - 11:46 AM.


#3 nixadm (Topic Starter)

Posted 27 January 2012 - 03:35 PM

Finally got it fixed; had to delete the MBR & re-install it using Vista recovery. Not sure if it was Hitman, but I won't be doing the "scan on boot" again.
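
The fix that finally worked was rewriting the MBR, which fits the Alureon mention in post #2: the MBR-resident variants of that family replace the bootstrap code in sector 0, load before Windows and reinstall their driver from there, which is one explanation for cleanup that does not survive a reboot. File scanners and registry edits from safe mode never touch that sector. The Python below is an added example, not the poster's procedure and not a tool from this thread: it parses a 512-byte MBR, validates the partition table and the 0x55AA signature, and compares the 440-byte bootstrap code against a known-good baseline hash. That last check is the useful one because a bootkit typically leaves the partition table intact and changes only the code. The boot code bytes and partition layout in the script are constructed for the example; on a real machine you would read sector 0 from the raw disk (on Windows, \\.\PhysicalDrive0 as an administrator, or from the drive slaved into another computer as the poster considered) and take the baseline hash from a clean install of the same Windows version.

```python
"""Parse and sanity-check a 512-byte MBR and compare its bootstrap code to a baseline.

Added example; not the poster's code. Boot code bytes and partition layout below are
constructed test data, not real Windows or malware boot code.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
BOOT_CODE_LEN = 440      # bootstrap code; 4-byte disk signature + 2 reserved bytes follow
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA


@dataclass
class Partition:
    status: int      # 0x80 = active/bootable, 0x00 = inactive; anything else is invalid
    ptype: int       # 0x07 = NTFS/IFS, 0x00 = unused entry
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition entries (CHS fields are skipped; LBA is what matters)."""
    entries = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i)
        entries.append(Partition(status, ptype, lba, count))
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 over the bootstrap code only, so the disk signature and table do not matter."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> List[str]:
    """Return a list of findings; an empty list means the sector passed every check."""
    if len(mbr) != SECTOR:
        return [f"expected {SECTOR} bytes, got {len(mbr)}"]
    issues = []
    if mbr[BOOT_SIG_OFF:] != b"\x55\xaa":
        issues.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_hash:
        issues.append("bootstrap code differs from baseline")
    parts = parse_partitions(mbr)
    for i, p in enumerate(parts):
        if p.status not in (0x00, 0x80):
            issues.append(f"entry {i}: invalid status byte 0x{p.status:02x}")
        if p.ptype == 0 and (p.lba_start or p.sectors):
            issues.append(f"entry {i}: unused type but non-zero LBA/size")
    if sum(p.status == 0x80 for p in parts) > 1:
        issues.append("more than one partition flagged active")
    return issues


def make_mbr(boot_code: bytes, partitions: List[Partition], disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a sector from constructed parts (test data; not a real boot sector)."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code or partition table too large")
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<IH", sector, BOOT_CODE_LEN, disk_sig, 0)   # disk signature, reserved
    for i, p in enumerate(partitions):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF + 16 * i,
                         p.status, b"\0\0\0", p.ptype, b"\0\0\0", p.lba_start, p.sectors)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed stand-in for known-good boot code; a real baseline comes from a clean install.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
CLEAN_MBR = make_mbr(CLEAN_BOOT_CODE, [Partition(0x80, 0x07, 2048, 1_000_000)])
BASELINE_HASH = boot_code_hash(CLEAN_MBR)


def tamper_boot_code(mbr: bytes) -> bytes:
    """Constructed bootkit-style change: overwrite the start of the bootstrap code
    while leaving the partition table and 0x55AA signature untouched."""
    t = bytearray(mbr)
    t[:8] = b"\xeb\x00" * 4
    return bytes(t)


if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE_HASH) or "no findings")
    print("tampered:", check_mbr(tamper_boot_code(CLEAN_MBR), BASELINE_HASH))
```

On the tampered copy the partition table and signature still pass, and only the baseline comparison fires; that is the pattern to expect from an MBR bootkit, and it is why a byte-for-byte (or hash) comparison of sector 0 against a trusted copy belongs in the checklist before reinstalling.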

#4 Budapest (Moderator)

Posted 29 January 2012 - 05:42 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.