Tech Support Guy
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation.
1 - 20 of 51 Posts

39 Posts · Discussion Starter · #1
Hello,

I was told to repost in this forum for a better answer. Basically I have a laptop with Windows Vista. I installed a program from an unknown publisher (yes, I'm that stupid). Afterward, I uninstalled the program but problems only got worse. First, Internet Explorer wouldn't reopen after closing it. Logging off and then back on didn't fix the problem. I also kept getting error messages regarding Adobe Reader. I uninstalled the program but still no solution. I was about to uninstall Internet Explorer but I wanted to restart the computer to make sure it wasn't fixable in that way.

After restarting, I went to log on and got the blue screen error (blue screen of death). It restarted and I chose safe mode this time. With "safe mode with networking", I'm able to use most programs (including IE) just fine. I ran a McAfee scan on my computer. It detected and fixed one problem. But my computer still only worked on safe mode. I tried the free internet scan on "Trend Micro"s website. It turned up results in the scan but had difficulty retrieving info on how to remove it (maybe b/c of safe mode, but maybe b/c of a virus). I researched more trying to find a virus scan that works in safe mode. I re-scanned with "Avira AntiVir" (which works in safe mode) but it turned up no results.

I also have uninstalled all the programs I installed around the time of the BSOD problem through "Control Panel --> Programs and Features". Not only that, I've tried using System Restore. However, the restore point is long before the time these problems started occurring. Also, the computer had to restart to finish the restore. When it did, it said the restore was unsuccessful.

I haven't tried "rolling back the drivers" or anything else that some websites recommend when you see a blue screen of death because I don't think those are the causes. I think it has something to do with that unknown publisher's program. That's exactly the time problems started occurring.

I've also run a hijack this scan and the results should be attached. Any help is greatly appreciated. (I also apologize if I had terrible grammar above. It's late and I've been working on this for a while :().

-CouchPotatoGuy
 

Attachments

39 Posts · Discussion Starter · #2
So just to clarify (I know it might be hard to read what I was trying to say), I think I have a virus, but I haven't been able to use any good virus scans that detect malware because I can only access my computer through safe mode. I used AntiVir (which has the benefit of working in safe mode) but it didn't turn up anything. If anyone knows any malware scanning software that's really good and works in safe mode, please suggest it.

Thanks
 

39 Posts · Discussion Starter · #3
Not being impatient. I just found a way to capture more useful information that will hopefully make it easier to solve. I was able to stop the blue screen from flashing away before I could read the info. I snapped a picture of it and it can be found HERE. The relevant info (I think) is down below. It says:

Technical Information:

*** Stop: 0x0000008E (0xc0000005, 0x94c42B4B, 0x8A164FE0, 0x00000000)

-CouchPotatoGuy
 

1,896 Posts
Hello and welcome to TSG

IMPORTANT

Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
To make cleaning this machine easier:-
  • Continue to respond to this thread until I give you the All Clean!
  • Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
  • Please do not run any scans other than those requested and do not post any logs/reports unless specifically requested to do so.
  • Please follow all instructions in the order posted.
  • If you have any questions or do not understand instructions, please ask before continuing.
  • Please reply to this thread. Do not start a new topic.

Open HijackThis and select Do a System Scan Only, then place a check next to the lines below if still present:

  • R3 - URLSearchHook: (no name) - - (no file)
  • O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-5/myWebFaceInitialSetup1.0.1.2.cab
  • O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
  • O17 - HKLM\System\CCS\Services\Tcpip\..\{114F5C11-9BDC-4C18-8385-68D5B3C14B77}: NameServer = 85.255.112.147,85.255.112.103
  • O17 - HKLM\System\CCS\Services\Tcpip\..\{5FE3EEAA-32EE-4018-BAA4-72E385CA0165}: NameServer = 85.255.112.147,85.255.112.103
  • O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.147,85.255.112.103
  • O17 - HKLM\System\CS1\Services\Tcpip\..\{114F5C11-9BDC-4C18-8385-68D5B3C14B77}: NameServer = 85.255.112.147,85.255.112.103
  • O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.147,85.255.112.103

Once selected, close all windows except HJT and click on Fix Checked.

See if you can now BOOT in Normal Mode

Please download Malwarebytes' Anti-Malware and save to your desktop. When saving RENAME to muppy.exe.

  • Double-click muppy.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:

    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply.

    Note: the log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    or via the Logs tab when Malwarebytes' Anti-Malware is started.

Please reply with:-
  • MBAM log
  • New HJT log
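The O17 lines in the post above are the part of the log a defender should weigh most heavily: the same two public addresses are set as NameServer both on individual interfaces and on the system-wide Parameters key, and in the current control set (CCS) as well as a saved one (CS1), which is the footprint of a hijacked resolver configuration rather than a setting a user or ISP would normally produce. The script below is an added example, not code from the thread or from HijackThis: it parses O17 lines in the format shown above and flags every resolver that is not on an allowlist the defender supplies. The sample lines are the thread's own; the allowlist (`EXPECTED_RESOLVERS`) and the function names are constructed for this example.

```python
"""Audit HijackThis O17 (NameServer) lines for resolver overrides.

Added example, not from the thread or from HijackThis. Parses O17 lines
and reports any NameServer value outside a defender-supplied allowlist.
"""
import ipaddress
import re
from dataclasses import dataclass

# Copied from the HJT excerpt earlier in this thread (not constructed).
SAMPLE_O17_LINES = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{114F5C11-9BDC-4C18-8385-68D5B3C14B77}: NameServer = 85.255.112.147,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{5FE3EEAA-32EE-4018-BAA4-72E385CA0165}: NameServer = 85.255.112.147,85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.147,85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\..\{114F5C11-9BDC-4C18-8385-68D5B3C14B77}: NameServer = 85.255.112.147,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.147,85.255.112.103
"""

# Constructed allowlist: the resolvers this machine is expected to use
# (for example the home router). Replace with the real expected values.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# "O17 - <registry key>: NameServer = <comma-separated IPs>"
O17_RE = re.compile(r"^O17 - (?P<key>\S+?):\s*NameServer\s*=\s*(?P<servers>[\d.,\s]+)$")


@dataclass(frozen=True)
class O17Entry:
    control_set: str   # "CCS" (CurrentControlSet) or "CS1", "CS2", ...
    scope: str         # "Parameters" (system-wide) or an interface GUID
    servers: tuple     # resolver IPs in the order listed


def parse_o17(line: str):
    """Return an O17Entry for one HJT O17 line, or None if it is not one."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    # Key layout: HKLM\System\<control set>\Services\Tcpip\<Parameters | ..\{GUID}>
    parts = m.group("key").split("\\")
    if len(parts) < 6 or parts[0] != "HKLM" or parts[4] != "Tcpip":
        return None
    servers = tuple(s.strip() for s in m.group("servers").split(",") if s.strip())
    return O17Entry(control_set=parts[2], scope=parts[-1], servers=servers)


def parse_o17_lines(text: str):
    """Parse every O17 line in a block of HJT log text; other lines are ignored."""
    return [e for e in (parse_o17(l) for l in text.splitlines()) if e]


def audit_nameservers(entries, expected=EXPECTED_RESOLVERS):
    """One finding per registry location that lists a resolver outside the allowlist."""
    findings = []
    for e in entries:
        unexpected = []
        for ip in e.servers:
            if ip in expected:
                continue
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                unexpected.append((ip, "unparseable address"))
                continue
            reason = ("public resolver not in allowlist" if addr.is_global
                      else "private resolver not in allowlist")
            unexpected.append((ip, reason))
        if unexpected:
            findings.append({
                "control_set": e.control_set,
                "scope": e.scope,
                "system_wide": e.scope == "Parameters",
                "unexpected": unexpected,
            })
    return findings


def summarize(findings):
    """Collapse findings into what a helper wants at a glance."""
    return {
        "servers": sorted({ip for f in findings for ip, _ in f["unexpected"]}),
        "locations": len(findings),
        "system_wide": sum(1 for f in findings if f["system_wide"]),
        "control_sets": sorted({f["control_set"] for f in findings}),
    }


if __name__ == "__main__":
    findings = audit_nameservers(parse_o17_lines(SAMPLE_O17_LINES))
    for f in findings:
        where = "system-wide" if f["system_wide"] else f"interface {f['scope']}"
        print(f"[{f['control_set']}] {where}: {f['unexpected']}")
    print(summarize(findings))
```

Run against the thread's lines the summary reports two unexpected public resolvers at five locations, two of them system-wide, across control sets CCS and CS1. The control-set count is the caveat worth keeping in mind: fixing only the entries under CurrentControlSet leaves the copies in CS1 in place, so a later boot from a saved control set (for example "Last Known Good Configuration") can bring the hijacked resolvers back, which is why the helper lists both sets for removal.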
 

39 Posts · Discussion Starter · #10
I did everything up to "boot in normal mode". After clicking "fix checked" and restarting, I was unable to login without the blue screen popping up again. I still was able to install MBAM. But it doesn't run in safe mode. I do apologize. I accidentally installed another program that I thought was MBAM but instead was just a popup. Attached is my new HiJackThis log.
 

Attachments

1,896 Posts
Download and Run: RSIT

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
 

1,896 Posts
I installed a program from an unknown publisher (yes, I'm that stupid). Afterward, I uninstalled the program but problems only got worse.
What Program was it please?

Do you know what these are?
  • C:\Program Files\Causes
  • C:\Program Files\African Safari

Double check MBAM was renamed and try to run again. Make sure you right click and choose Run as administrator.

If no luck please run GMER
  • Download GMER by GMER from one of the links below:
    Link1
    Link2
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic

Please reply with:-
  • MBAM log
  • 2 x GMER Logs
 

39 Posts · Discussion Starter · #16
What Program was it please?
Check your PM.

Do you know what these are?
  • C:\Program Files\Causes
  • C:\Program Files\African Safari
Yes, those are facebook applications. Not sure if facebook applications are actually downloaded to the computer. Even still, I'm fairly certain those are harmless.

Double check MBAM was renamed and try to run again. Make sure you right click and choose Run as administrator.

If no luck please run GMER
  • Download GMER by GMER from one of the links below:
    Link1
    Link2
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan
I got to here. (I uninstalled MBAM and removed the installer. I then redownloaded the installer (renaming it "muppy.exe") and reinstalled MBAM. MBAM still didn't work. I'm guessing it's because I'm in safe mode?) (Just to clarify, I was only supposed to rename the installer, not the actual program?) Afterward, I followed the instructions regarding gmer. It did warn me about rootkit activity. I clicked ok (or yes or whatever) and it began scanning. It stopped about 1 minute in saying, "This program has stopped working. Windows is checking for a solution to the problem" or something like that and I had to close the program. When I went to try it again, I got the blue screen error. This was a first. I've never received the error while in safe mode. Maybe it was the program. But maybe it's my computer getting worse with the passage of time (?) (I think they call that a "worm" where the virus keeps copying itself and the computer worsens over time). Anyway, the computer restarted and I tried scanning again. Again the program closed. Again I got the blue screen error. The strange thing is the program closed at about the same time into the scan (maybe even stopping at the same file). I can jot down what program it stops at if that helps. I can also snap a picture of the blue screen error that appears after gmer is closed (I'm not sure if it gives the same info as the picture given in a previous post).

Sorry my computer is so stubborn :(
 

1,896 Posts
Hi, I read the PM.

Maybe it was the program. But maybe it's my computer getting worse with the passage of time (?)
Very true, so with that in mind please read what is below carefully.

Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
Let's see if ComboFix will run; please rename it as described below.

Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop. Rename it Combo-fix (include the hyphen).

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • If you need help to disable your protection programs see here.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please reply with:-
  • Combofix log
  • New HJT log
 

39 Posts · Discussion Starter · #18
I noticed we're now starting to pull out more of the "big guns". I just want to make sure this is necessary before going ahead with it. After doing some research (very brief) on the website mentioned in PM, I found the same blog mentions a solution (by "Panda Security"). I tried the free scan (ActiveScan 2.0). I apologize. I forgot that I'm not supposed to scan unless requested. But it appears to have found the problem. It found some 32 "infected" files and 1 suspicious file. I'm not sure if all the cookies are harmful. But I'm pretty sure the virus, adware, and spyware are harmful.

Panda Security appears to be a legitimate company as it is detailed on Wikipedia as such (HERE). And ActiveScan 2.0 is mentioned as one of their products.

The problem, of course, is that it won't remove the stuff without me paying for the product. Even still, it details the viruses, etc. found. I've attached the log ActiveScan produced.

Just want to make sure all the info is available before we use the more powerful scanners. Again I apologize for scanning. It just seemed like a really good fit. That blog detailed my exact problem and provided a potential solution.
 

Attachments

1,896 Posts
1. Ok, cookies are a part of everyday internet life and sadly clearing what you have presented will not fix your computer. I like to use ATF for clearing cookies and temp files. Please run it now, and it can be used whenever you feel like it.

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
Make sure that all browser windows are closed.

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Uncheck Cookies if you do not want them deleted. (If deleted, you will likely need to re-enter your passwords at all sites where a cookie is used to recognize you when you visit). Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Uncheck Cookies if you do not want them deleted.
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Uncheck Cookies if you do not want them deleted
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

2. Re-reading your post I am wondering if you re-named MBAM correctly.

1. Right click Start/Windows Icon in Vista then Click Explore
2. Navigate to: c:\program files\malwarebytes' Anti-Malware. Right click on mbam.exe (the one that looks like the desktop icon) and click Rename.
3. Type into the name box: muppy.exe

You are actually renaming the .exe not the installer.

See if it will run, post the log if it does.
 

39 Posts · Discussion Starter · #20
Alright, I've actually typed this once before but my computer got the blue screen error before I could finish (which is interesting). I'm following the instructions regarding MBAM you wrote in an earlier post.

I cleared the cookies via ATF Cleaner. I renamed MBAM (the program not just the installer). The program was then able to run. When it did, it kept freezing at a spot in the D drive (after scanning the C drive entirely). The spot at which it freezes is always D:\Windows\System32\config\SECURITY

It took me a while because it kept freezing. While scanning, it kept finding exactly 21 infected files (prior to the D drive freeze). I stopped it after it found those files (relatively early in the process) and removed them. I then rescanned just the C drive (since it freezes at the D drive). It found 18 new infected files (that showed up at the end of the scan - way after I had stopped it in the previous scan). So I removed those as well. Finally, I did a HJT scan. All three logs should be attached (mbam1 and mbam2 are the first and second scans (21 infected files and 18 infected files), respectively).

Here's about where I got to in my post. I was about to say that McAfee Security Center has a problem. When I click the "fix" button, it always says that the problem couldn't be fixed due to an error. I thought it was worth mentioning. When I went to double check that the error could not be fixed (now that the infected files were removed), I got the blue screen error. (I double clicked on the small McAfee icon at the bottom right of my screen and the blue screen instantly popped up). This also erased my first attempt to post this.
 

Attachments
