
Only Safe Mode without networking now


  • This topic is locked
3 replies to this topic

#1 pjdm

pjdm

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:58 AM

Posted 07 April 2012 - 05:23 PM

Hi and thanks for the forum: I have already started the preliminary tests in this previous post and I was directed to post further here for advanced help. In the past I have tried to find the source of continuing problems with no success. On April 1 I ran combofix and it had a results log which is still available on my PC with a 7Loader reference. I did not realize combofix was not to be used.

Leading up to these problems, I had Immunet report a Trojan.OSX.(something) a few weeks ago, but it was removed. Now the PC restarts, BSODs and crashes when scanning for malware. The final clue was when a fake GMAIL login screen appeared and I removed Chrome as a precaution. Today, after repeated BSODs and repair failures I applied for help on the forum. As a result of further testing in the link above I was getting BSODs with MBAM, after which I could no longer boot WIN7 normally without a crash. Safe mode with networking failed in a similar manner and now only safe mode without networking will work.

Recent steps:
1) Defogger found no emulation
2) Running DDS resulted in multiple Application Errors "the procedure * could not be located in the DLL USERENV.dll."
After clicking OK I see "SED.DAT: can't read temp00: no such file or directory"
Then "Freeware implementation of REG.EXE has stopped working" (three times), then it crashed with a BSOD dump. Safe mode then crashed twice.

Windows repair started then another crash after "IRQL_NOT_LESS_OR_EQUAL" appeared in a BSOD.

I will try to get the log from DDS. Thanks in advance.

UPDATE: I can no longer enter safe mode or perform a repair. The repair process dies immediately and now I get BSOD "PAGE_FAULT_IN_NONPAGED_AREA".
UPDATE2: I can boot into WIN7 normally now. I have run DDS, logs attached. Thank you for reviewing.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by paul miller at 5:27:24 on 2012-04-08
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4094.2701 [GMT -4:00]
.
AV: Immunet 3.0 *Enabled/Updated* {065276D9-6EBF-968C-B5ED-7B8B1DCF4059}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Spybot - Search && Destroy *Enabled/Updated* {1EAF1D03-5480-F3B2-EB14-11F0F5EE2699}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Immunet\3.0.5\agent.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer.exe
C:\Program Files (x86)\TeamViewer\Version7\tv_w32.exe
C:\Program Files (x86)\TeamViewer\Version7\tv_x64.exe
C:\Windows\System32\WerFault.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Immunet\clamav\freshclamwrap.exe
C:\Program Files\Immunet\clamav\freshclam.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
BHO: RoboForm Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
TB: &RoboForm Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Customize Menu - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Save Forms - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Show RoboForm Toolbar - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{0E211517-8E27-4D8C-8CE9-06E26A71AF1B} : DhcpNameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{B43A5EDC-64A6-4C65-B44C-89D7B5F94367} : DhcpNameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{BC857F9D-518C-4A10-8314-003097E4F70F} : DhcpNameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{EF4DA620-CBA8-4729-8FB7-83AC92651FAF} : DhcpNameServer = 65.32.5.111 65.32.5.112
TCP: Interfaces\{EF4DA620-CBA8-4729-8FB7-83AC92651FAF}\34164716C60716 : DhcpNameServer = 65.32.5.111 65.32.5.112
Notify: SDWinLogon - SDWinLogon.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
BHO-X64: RoboForm Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
BHO-X64: RoboForm BHO - No File
TB-X64: &RoboForm Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 ImmunetProtectDriver;ImmunetProtectDriver;C:\Windows\system32\DRIVERS\ImmunetProtect.sys --> C:\Windows\system32\DRIVERS\ImmunetProtect.sys [?]
R1 ImmunetSelfProtectDriver;ImmunetSelfProtectDriver;C:\Windows\system32\DRIVERS\ImmunetSelfProtect.sys --> C:\Windows\system32\DRIVERS\ImmunetSelfProtect.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 ImmunetProtect;Immunet 3.0;C:\Program Files\Immunet\3.0.5\agent.exe [2011-12-28 401576]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-2-22 2348352]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2012-3-16 1181104]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2012-3-16 1185704]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2012-3-16 166528]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-2-9 382272]
R2 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-3-19 2666880]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8192su.sys --> C:\Windows\system32\DRIVERS\RTL8192su.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\Windows\system32\8FFA.tmp --> C:\Windows\system32\8FFA.tmp [?]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 pwdrvio;pwdrvio;\??\C:\Windows\system32\pwdrvio.sys --> C:\Windows\system32\pwdrvio.sys [?]
S3 pwdspio;pwdspio;\??\C:\Windows\system32\pwdspio.sys --> C:\Windows\system32\pwdspio.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-04-08 09:21:50 8669240 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F4F24F44-85A4-4B18-A727-0DC626C8D4AC}\mpengine.dll
2012-04-07 17:09:03 4731392 -c----w- C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MsMpEng.exe_a4b1be35c4e92b97c0ff8923265ae5bdb2c487_cab_056be7a0\aswMBR.exe
2012-04-07 17:03:43 -------- d-sh--w- C:\found.000
2012-04-07 15:45:00 -------- d-----w- C:\Windows\SysWow64\#onfig
2012-04-01 13:55:45 -------- d-----w- C:\$RECYCLE.BIN
2012-04-01 12:46:48 98816 ----a-w- C:\Windows\sed.exe
2012-04-01 12:46:48 518144 ----a-w- C:\Windows\SWREG.exe
2012-04-01 12:46:48 256000 ----a-w- C:\Windows\PEV.exe
2012-04-01 12:46:48 208896 ----a-w- C:\Windows\MBR.exe
2012-04-01 12:31:19 -------- d-----w- C:\Windows\pss
2012-03-27 01:57:38 -------- d-----w- C:\Users\paul miller\AppData\Local\ElevatedDiagnostics
2012-03-16 12:56:49 -------- d-----w- C:\ProcAlyzer Dumps
2012-03-16 12:05:46 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-03-16 12:05:23 17272 ----a-w- C:\Windows\System32\sdnclean64.exe
2012-03-16 12:05:16 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
2012-03-15 02:51:53 6144 ------w- C:\Windows\System32\8FFA.tmp
2012-03-15 02:51:09 6144 ------w- C:\Windows\System32\E633.tmp
2012-03-14 17:38:27 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-14 14:05:56 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-14 14:05:54 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-14 14:05:53 3913584 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-03-14 12:27:41 6144 ------w- C:\Windows\System32\5ADC.tmp
2012-03-14 10:07:37 6144 ------w- C:\Windows\System32\A0F.tmp
2012-03-14 10:06:49 6144 ------w- C:\Windows\System32\4FF3.tmp
2012-03-14 10:06:42 -------- d-----w- C:\Program Files (x86)\Sophos
2012-03-14 09:53:53 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-03-14 09:53:46 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-03-14 09:53:46 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-03-14 09:53:39 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-03-14 09:53:39 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-03-14 09:53:38 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-03-14 09:52:11 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-03-14 09:52:11 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-03-14 09:52:11 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-03-14 09:52:10 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-03-14 09:34:52 -------- d-----w- C:\Users\paul miller\AppData\Roaming\Malwarebytes
2012-03-14 09:34:49 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-03-14 09:34:49 -------- d-----w- C:\ProgramData\Malwarebytes
2012-03-14 09:34:49 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-14 09:31:44 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{FCA06249-E7E0-4395-9E8C-CEA1E97FAC6F}\gapaengine.dll
2012-03-11 22:23:21 -------- d-----w- C:\Program Files\TradeStation 9.0
2012-03-11 10:58:59 -------- d-----w- C:\Windows\System32\appmgmt
.
==================== Find3M ====================
.
2012-03-07 11:05:10 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-10 03:14:04 6074176 ----a-w- C:\Windows\System32\nvcpl.dll
2012-02-10 03:14:01 3089728 ----a-w- C:\Windows\System32\nvsvc64.dll
2012-02-10 03:07:00 889664 ----a-w- C:\Windows\System32\nvvsvc.exe
2012-02-10 03:07:00 63296 ----a-w- C:\Windows\System32\nvshext.dll
2012-02-10 03:07:00 118080 ----a-w- C:\Windows\System32\nvmctray.dll
2012-02-10 01:05:44 416064 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
2012-01-31 08:59:04 279656 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 5:28:09.52 ===============

Edited by pjdm, 08 April 2012 - 04:36 AM.



#2 pjdm

pjdm
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:58 AM

Posted 08 April 2012 - 04:46 AM

Attached file: Attach.txt (69.05KB, 0 downloads)

UPDATE: I was able to boot normally this morning and ran MBAM with nothing found. I am attaching the results. Reference previous post where MBAM would not run and BSODs resulted.

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.08.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
paul miller :: PAUL-ANTEC [administrator]

4/8/2012 5:52:12 AM
mbam-log-2012-04-08 (05-52-12).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 303235
Time elapsed: 28 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Edited by pjdm, 08 April 2012 - 08:36 AM.


#3 pjdm

pjdm
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:58 AM

Posted 10 April 2012 - 11:36 AM

Please cancel this thread. I've decided to recreate the PC from scratch. Thanks for all the continued support. I will reference the precautions for the new setup so this does not happen again.

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:58 PM

Posted 11 April 2012 - 04:42 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
