HP Blue screen


This topic is locked
41 replies to this topic

#1 LAB811

  • Members
  • 161 posts

Posted 06 October 2012 - 08:51 PM

I was advised to follow the guidelines. I already posted the TDSSKiller log to the original HP blue screen topic. Here is the GMER log. Let me know what to do next:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-06 21:46:19
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-12 SAMSUNG_SP0802N/R rev.TK200-04
Running: gmer.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kwxdafod.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[944] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01180C00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[944] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 013B7B4C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[944] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 013B7B29 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[944] kernel32.dll!ValidateLocale + B130 7C844958 7 Bytes JMP 01183FAC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[944] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 013B7AAA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1776] USER32.dll!DefWindowProcA + 11A 7E42C298 7 Bytes JMP 105CDF63 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1776] USER32.dll!SetWindowLongA + 19 7E42C2B6 7 Bytes JMP 105CDEF2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1776] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 10414536 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1776] USER32.dll!GetMenuContextHelpId + 1A 7E465319 7 Bytes JMP 10414B35 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

Device \FileSystem\Cdfs \Cdfs F7A7E400

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Control\Session Manager@PendingFileRenameOperations ???:?E?????????????????so????(? ?4?9?#?'?9?9?9?9????? ???????:?????????????r?????????????????f??? ?????????????:???????r????????????&????????????????????5??? ???????9?????9?? ??:?r????????X????????0??? V??:???e?????????????:?????:????D??<????????h?????SW\{ddf4358e-bb2c-11d0-a42f-00a0c9223196}???????Microsoft??????:?????9???:??????????????? @?H:??????????????Microsoft Streaming Clock Proxy????????????????????s?????(? ?9?:?'?'?'?( :?:?'??{4D36E96C-E325-11CE-BFC1-08002BE10318}?????????????????????s?????????????????????6???6????N??:????????D?????? V??9??????????????? V??:??????????????{4D36E96C-E325-11CE-BFC1-08002BE10318}??????{4D36E96C-E325-11CE-BFC1-08002BE10318}\0006?????? ?#?$?$?$?$?%?%?%?4?????'???(?(? ? ?(?4?:?:? ??.NT???????N??:???6?????6?7??Microsoft???Processor???SW\{07dad662-22f1-11d1-a9f4-00c04fbbde8f}?????????N??:??????????????{4D36E96C-E325-11CE-BFC1-08002BE10318}???????????(???6?g?6???????2???0???e?????9????????????????????? ?????????????:???????r??L?????????&??????????????????????????:???9???????

---- EOF - GMER 1.0.15 ----

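The "User code sections" part of the GMER log above lists inline JMP hooks in firefox.exe and plugin-container.exe that all land in Firefox's own xul.dll, which is why nobody in the thread treats them as a finding. The script below is an added example, not code from the original post or from GMER: it parses lines in that format and flags only hooks whose hooking module lives outside the hooked process's install directory, carries no vendor string, or is loaded from a Temp folder. The three Firefox lines are copied from the log above; the iexplore.exe line, its PID and the path `hypothetical.dll` are constructed solely to show what a flagged entry looks like.

```python
import ntpath
import re

# Sample GMER "User code sections" lines. The Firefox entries are taken from the
# log above; the final iexplore.exe line is CONSTRUCTED (hypothetical.dll does
# not exist) purely to exercise the flagging logic.
GMER_USER_HOOKS = r"""
.text C:\Program Files\Mozilla Firefox\firefox.exe[944] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01180C00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[944] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 013B7B4C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1776] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 10414536 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1200] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00A10000 C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hypothetical.dll
"""

# One GMER user-mode hook line:
#   .text <process path>[<pid>] <module>!<export>[ + <hex offset>] <addr> <n> Bytes JMP <target> <hooking module path>[ (<vendor>)]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)(?:\s+\+\s+(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s+"
    r"(?P<path>.+?)(?:\s+\((?P<vendor>[^()]*)\))?\s*$"
)


def parse_gmer_hooks(text):
    """Return one dict per parsable '.text ... JMP ...' line (groups of HOOK_RE)."""
    entries = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage_hooks(entries):
    """Flag hooks that do not look like a product hooking its own process.

    Heuristics, not a verdict:
      * the hooking module is outside the hooked process's directory
      * GMER printed no vendor string for the hooking module
      * the hooking module is loaded from a Temp directory
    """
    findings = []
    for e in entries:
        reasons = []
        proc_dir = ntpath.dirname(e["proc"]).lower()
        hook_dir = ntpath.dirname(e["path"]).lower()
        if hook_dir != proc_dir:
            reasons.append("hooking module outside the hooked process's directory")
        if not e["vendor"]:
            reasons.append("no vendor string for the hooking module")
        if "\\temp\\" in e["path"].lower():
            reasons.append("hooking module loaded from a Temp directory")
        if reasons:
            findings.append({
                "process": ntpath.basename(e["proc"]),
                "pid": int(e["pid"]),
                "hooked": f"{e['module']}!{e['func']}",
                "hooking_module": e["path"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    hooks = parse_gmer_hooks(GMER_USER_HOOKS)
    print(f"{len(hooks)} user-mode hooks parsed")
    for f in triage_hooks(hooks):
        print(f"FLAG {f['process']}[{f['pid']}] {f['hooked']} -> {f['hooking_module']}")
        for r in f["reasons"]:
            print("     -", r)
```

Run against the real log section, every Firefox entry passes all three checks, matching the thread's reading that those hooks are Firefox's own; the constructed iexplore.exe entry trips all three. The rules are a triage filter to decide what deserves a closer look, not proof that a flagged module is malicious.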

#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 October 2012 - 06:22 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 LAB811

  • Topic Starter
  • Members
  • 161 posts

Posted 08 October 2012 - 04:17 PM

Hi m0le thank you for responding. If you need to see the history of this problem & what narenxp had me do prior to posting here.
I will wait for your instructions.

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 October 2012 - 05:58 PM

Thanks, I found the topic you previously posted.

The Master Boot Record looks like it has been altered. Can you confirm that you can not run aswMBR at this time?

#5 LAB811

  • Topic Starter
  • Members
  • 161 posts

Posted 08 October 2012 - 07:14 PM

I will try to run it again. I'm in safe mode. I still can't get into normal yet

#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 October 2012 - 07:31 PM

If we can get a fresh aswMBR log we can try and break the infected MBR hold. Of course, we can do it without too so if it's not running just come back to me. :)

#7 LAB811

  • Topic Starter
  • Members
  • 161 posts

Posted 08 October 2012 - 07:36 PM

I got it running successfully. I will save the log & post it when it finishes. Do I also click on FixMBR when it completes?

#8 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 October 2012 - 07:42 PM

No, don't use the FixMBR button.

#9 LAB811

  • Topic Starter
  • Members
  • 161 posts

Posted 08 October 2012 - 07:44 PM

ok I won't

#10 LAB811

  • Topic Starter
  • Members
  • 161 posts

Posted 08 October 2012 - 09:14 PM

I think that this is the aswMBR log:
Also, the computer froze after the scan, so I had to reboot and was able to boot, but slowly, into regular mode. There is a problem. I do not have any Avira AV running. I was told to hold off on it during the other session. That makes me nervous. I do have PC Tools Firewall Plus installed.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-04 20:27:12
-----------------------------
20:27:12.234 OS Version: Windows 5.1.2600 Service Pack 3
20:27:12.234 Number of processors: 1 586 0x2F02
20:27:12.359 ComputerName: YOUR-4DACD0EA75 UserName:
20:27:17.390 Initialze error C000010E - driver not loaded
20:27:19.625 write error "aswCmnB.dll". The process cannot access the file because it is being used by another process.
20:28:06.906 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator\My Documents\aswMBR.txt"
20:28:17.843 AVAST engine defs: 12100500
20:29:18.453 Service scanning
20:31:52.703 Modules scanning
20:31:52.750 Disk 0 trace - called modules:
20:31:52.765
20:31:55.328 AVAST engine scan C:\WINDOWS
20:32:47.578 AVAST engine scan C:\WINDOWS\system32
20:55:35.031 AVAST engine scan C:\WINDOWS\system32\drivers
20:56:55.437 AVAST engine scan C:\Documents and Settings\HP_Administrator
21:33:55.765 AVAST engine scan C:\Documents and Settings\All Users
21:35:14.375 Scan finished successfully
21:36:10.843 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator\My Documents\aswMBR.txt"


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-04 20:13:15
-----------------------------
20:13:15.062 OS Version: Windows 5.1.2600 Service Pack 3
20:13:15.062 Number of processors: 1 586 0x2F02
20:13:15.062 ComputerName: YOUR-4DACD0EA75 UserName:
20:13:18.000 Initialize success
20:19:48.671 AVAST engine defs: 12100500
22:29:21.125 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-12
22:29:21.140 Disk 0 Vendor: SAMSUNG_SP0802N/R TK200-04 Size: 76351MB BusType: 3
22:29:21.218 Disk 0 MBR read successfully
22:29:21.250 Disk 0 MBR scan
22:29:27.484 Disk 0 unknown MBR code
22:29:27.515 Disk 0 Partition 1 00 0C FAT32 LBA RECOVERY 8714 MB offset 63
22:29:29.437 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 67625 MB offset 17848215
22:29:31.781 Disk 0 scanning sectors +156344580
22:29:31.890 Disk 0 malicious Win32:MBRoot code @ sector 156344583 !
22:29:33.296 Disk 0 scanning C:\WINDOWS\system32\drivers
22:31:39.062 Service scanning
22:33:57.687 Modules scanning
22:34:59.546 Disk 0 trace - called modules:
22:35:00.906 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
22:35:00.968 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x833d4ab8]
22:35:01.031 3 CLASSPNP.SYS[f86d6fd7] -> nt!IofCallDriver -> \Device\0000006b[0x83356998]
22:35:01.093 5 ACPI.sys[f85ff620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-12[0x8335cd98]
22:35:04.078 AVAST engine scan C:\WINDOWS
22:35:58.500 AVAST engine scan C:\WINDOWS\system32
22:59:29.156 AVAST engine scan C:\WINDOWS\system32\drivers
23:00:42.015 AVAST engine scan C:\Documents and Settings\HP_Administrator
23:43:33.921 AVAST engine scan C:\Documents and Settings\All Users
23:45:44.218 Scan finished successfully
08:17:46.250 Disk 0 MBR read successfully
08:17:46.359 Disk 0 scanning sectors +156344580
08:17:46.609 Disk 0 malicious Win32:MBRoot code @ sector 156344583 !
08:17:46.703 Disk 0 sector 156344583 cleaned
08:17:46.765 Verifying disinfection
08:17:57.062 Infection fixed successfully - please reboot ASAP
08:18:17.031 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Administrator\My Documents\MBR.dat"
08:18:17.093 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator\My Documents\aswMBR.txt"


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-08 20:15:53
-----------------------------
20:15:53.140 OS Version: Windows 5.1.2600 Service Pack 3
20:15:53.140 Number of processors: 1 586 0x2F02
20:15:53.203 ComputerName: YOUR-4DACD0EA75 UserName:
20:15:59.546 Initialize success
20:20:16.140 AVAST engine defs: 12100500
20:20:21.156 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-12
20:20:21.171 Disk 0 Vendor: SAMSUNG_SP0802N/R TK200-04 Size: 76351MB BusType: 3
20:20:21.328 Disk 0 MBR read successfully
20:20:21.343 Disk 0 MBR scan
20:20:21.765 Disk 0 unknown MBR code
20:20:21.843 Disk 0 Partition 1 00 0C FAT32 LBA RECOVERY 8714 MB offset 63
20:20:21.953 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 67625 MB offset 17848215
20:20:22.390 Disk 0 scanning sectors +156344580
20:20:23.234 Disk 0 scanning C:\WINDOWS\system32\drivers
20:23:17.093 Service scanning
20:25:54.859 Modules scanning
20:27:11.265 Disk 0 trace - called modules:
20:27:11.359 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
20:27:12.593 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x833d7ab8]
20:27:12.656 3 CLASSPNP.SYS[f86d6fd7] -> nt!IofCallDriver -> \Device\0000006b[0x833799e8]
20:27:12.734 5 ACPI.sys[f862d620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-12[0x8337ed98]
20:27:17.671 AVAST engine scan C:\WINDOWS
20:28:51.578 AVAST engine scan C:\WINDOWS\system32
21:01:18.140 AVAST engine scan C:\WINDOWS\system32\drivers
21:03:25.593 AVAST engine scan C:\Documents and Settings\HP_Administrator
21:38:38.015 AVAST engine scan C:\Documents and Settings\All Users
21:38:38.078 Scan finished successfully
21:39:40.687 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Administrator\My Documents\MBR.dat"
21:39:40.781 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator\My Documents\aswMBR.txt"

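The aswMBR logs above report "unknown MBR code" and then "malicious Win32:MBRoot code @ sector 156344583", and later that the sector was cleaned. The script below is an added example, not part of the original post or of aswMBR itself: it parses those lines and works out where the flagged sector lies relative to the partition table. Partition sizes in the log are rounded down to whole megabytes, so the script treats MB-derived boundaries as approximate and uses aswMBR's own "scanning sectors +N" line as the first sector after the last partition, checking that the two agree. The embedded log excerpt repeats the figures from the post; 512-byte sectors are assumed.

```python
import re

# Excerpt of the aswMBR log quoted above, reproduced here as sample input.
ASWMBR_LOG = """\
22:29:21.140 Disk 0 Vendor: SAMSUNG_SP0802N/R TK200-04 Size: 76351MB BusType: 3
22:29:21.218 Disk 0 MBR read successfully
22:29:27.484 Disk 0 unknown MBR code
22:29:27.515 Disk 0 Partition 1 00 0C FAT32 LBA RECOVERY 8714 MB offset 63
22:29:29.437 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 67625 MB offset 17848215
22:29:31.781 Disk 0 scanning sectors +156344580
22:29:31.890 Disk 0 malicious Win32:MBRoot code @ sector 156344583 !
"""

SECTOR_BYTES = 512                                # assumed: classic 512-byte sectors
SECTORS_PER_MB = (1024 * 1024) // SECTOR_BYTES    # 2048

SIZE_RE = re.compile(r"Disk (\d+) Vendor: .* Size: (\d+)MB")
# "Partition <n> <boot flag> [(A)] <type> <description> <size> MB offset <lba>"
PART_RE = re.compile(
    r"Partition (\d+) ([0-9A-F]{2}) (?:\(A\) )?([0-9A-F]{2}) (.+?) (\d+) MB offset (\d+)"
)
TAIL_RE = re.compile(r"scanning sectors \+(\d+)")
MAL_RE = re.compile(r"malicious (\S+) code @ sector (\d+)")
UNKNOWN_MBR_RE = re.compile(r"unknown MBR code")


def parse_aswmbr(log):
    """Pull disk size, partition table, tail-scan start and detections out of an aswMBR log."""
    report = {"disk_mb": None, "partitions": [], "tail_start": None,
              "detections": [], "mbr_code_known": True}
    for line in log.splitlines():
        if m := SIZE_RE.search(line):
            report["disk_mb"] = int(m.group(2))
        elif m := PART_RE.search(line):
            idx, boot, ptype, desc, size_mb, offset = m.groups()
            report["partitions"].append({
                "index": int(idx),
                "bootable": boot == "80",
                "type": int(ptype, 16),
                "desc": desc,
                "size_mb": int(size_mb),
                "start": int(offset),
                # size is rounded down to MB, so the true end is within 2047 sectors above this
                "nominal_end": int(offset) + int(size_mb) * SECTORS_PER_MB,
            })
        elif m := TAIL_RE.search(line):
            report["tail_start"] = int(m.group(1))
        elif m := MAL_RE.search(line):
            report["detections"].append({"name": m.group(1), "sector": int(m.group(2))})
        elif UNKNOWN_MBR_RE.search(line):
            report["mbr_code_known"] = False
    return report


def locate_sector(report, sector):
    """Classify a sector as MBR, inside a partition, in a gap, or in the unpartitioned tail."""
    parts = sorted(report["partitions"], key=lambda p: p["start"])
    tail = report["tail_start"]
    disk_sectors = report["disk_mb"] * SECTORS_PER_MB   # approximate, MB-rounded
    result = {"sector": sector, "sectors_to_disk_end": disk_sectors - sector}
    if sector == 0:
        result["region"] = "MBR"
    elif tail is not None and sector >= tail:
        result["region"] = "unpartitioned tail"
        result["after_partition"] = parts[-1]["index"]
        result["offset_in_tail"] = sector - tail
    else:
        for p in parts:
            if p["start"] <= sector < p["nominal_end"]:
                result["region"] = f"partition {p['index']}"
                break
        else:
            result["region"] = "gap between partitions (boundary uncertain to 1 MB)"
    return result


def tail_consistent_with_table(report):
    """True if aswMBR's tail start agrees with the last partition's MB-rounded size."""
    last = max(report["partitions"], key=lambda p: p["start"])
    span_mb = (report["tail_start"] - last["start"]) // SECTORS_PER_MB
    return span_mb == last["size_mb"]


if __name__ == "__main__":
    rep = parse_aswmbr(ASWMBR_LOG)
    print("MBR code known:", rep["mbr_code_known"],
          "| tail start consistent with partition table:", tail_consistent_with_table(rep))
    for d in rep["detections"]:
        print(d["name"], locate_sector(rep, d["sector"]))
```

On the figures from this log, the flagged sector comes out three sectors past the end of the NTFS partition and roughly 22,000 sectors (about 11 MB) before the end of the 76 GB disk, and the tail start aswMBR reports agrees with the 67625 MB partition size. Those sectors belong to no filesystem, so a file-level antivirus scan never reads them; a disk-level scanner such as aswMBR reads them directly, which is how it could both find and clean the sector.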
#11 LAB811

  • Topic Starter
  • Members
  • 161 posts

Posted 08 October 2012 - 09:36 PM

Signing off for the night. 4:30 AM rolls around quickly. Will check in the AM.

#12 LAB811

  • Topic Starter
  • Members
  • 161 posts

Posted 09 October 2012 - 04:10 AM

Will check back in this afternoon. I don't know if it is important or not, but when my computer gets rebooted PC Firewall has been asking to allow or disallow Facebook Installer and Adobe Flash because binaries have changed. Also, on this last reboot there was a pop-up that said "Skype Unexpected end tag expected b actual "font"". Before this I had a similar one for HP that said it was missing "-" or something like that. I don't know if it means anything but thought I'd throw it out there. Thanks again.

#13 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 09 October 2012 - 07:33 PM

I am concerned that you have no antivirus running at the moment, but you say you now have normal mode (although it's quite slow).

If you are able to, please install Avira.

The aswMBR logs show that the fix was carried out and removed the MBR problem. In that case I would like you to run Combofix. In normal mode if possible or else boot into safe mode and run it from there.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

If you receive the message "Illegal operation attempted on a registry key that has been marked for deletion." then please reboot the system.

#14 LAB811

  • Topic Starter
  • Members
  • 161 posts

Posted 09 October 2012 - 08:28 PM

m0le, I had Avira but for some reason it is not in my sys tray anymore. Should I run it from my desktop or download a new one? Should I do this before ComboFix?

Edited by LAB811, 09 October 2012 - 08:32 PM.


#15 LAB811

  • Topic Starter
  • Members
  • 161 posts

Posted 09 October 2012 - 08:31 PM

Since the antivirus has to be turned off anyway when running ComboFix, I'll start that.

Edited by LAB811, 09 October 2012 - 08:32 PM.




