Solved 8 steps of malware removal required


maddy04

Hi,

I have been getting a blue screen error 0x00000c2.

After running the BlueScreenView program, the cause was found to be the srvk32.sys file. I was told this in the forums. The person helping me suspected that this is not a legit file and that my computer is infected by malware.
He told me to start a new topic here and carry out the 8 steps.

I read in the forums that the 8 steps should not be carried out without trained supervision.

NOTE: because of the blue screen, my machine only starts in safe mode at the moment.

Please help me remove the malware and carry out the 8 steps.
 
Restart computer in Safe Mode with Networking.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


Download HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
by clicking on Installer under Version 2.0.2
[DO NOT download version 2.0.3 (beta)]
Install, and run it.
Post the HijackThis log.
Do NOT attempt to fix anything!

NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
 
Hi broni,

Thanks for getting back to me.

broni, as guided, I downloaded both programs, i.e. combofix.exe and HijackThis v2.0.2.

I ran combofix; it asked for my permission and I clicked Yes. Then the scan started and the machine rebooted. Then I pressed F8 and selected Safe Mode with Networking.

When the desktop reappeared, there was no combofix.txt file created on the desktop. A folder named ComboFix gets created in the C drive, but there is no text file in this folder.
Do I have to search for this file elsewhere?

I again ran combofix.exe, and when the computer restarted the blue screen appeared. So I pressed F8 and logged in as Safe Mode with Networking.

I then ran HijackThis and installed it. After that I ran the scan. A file named HijackThis.txt was created in the place where the software is installed.
The contents of the file are posted below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:46:55 PM, on 3/11/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=explorer.exe rundll32.exe ufmduo
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

--
End of file - 4252 bytes






Waiting for further instructions....
 
A folder in c drive gets created named ComboFix. but there is no text file in this folder.
The combofix.txt file (if created) won't be inside that folder but in the root C:\ directory.
If it's not there, try to run Combofix from Safe Mode with Networking.
 
Hi broni,

I looked for it in the C:\ root directory, but the file is not there.

I ran the combofix software 2 more times, but the file is not being created.

I had also switched off my firewall, so I guess there is no chance that the software is being blocked.

I have attached an image which clearly shows that the search could not find the file combofix.txt. Instead a file named combo-fix.sys is found (you can check the image that I have uploaded).
Is this the file you are asking for?

Please guide me further to remove the blue screen...

Thanks
 

Attachment: desktop.jpg
Delete your Combofix file.
Download fresh one and rename combofix.exe to broni.exe BEFORE saving it to the desktop.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run, then download and try to run another one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run broni.exe.
 
broni

I downloaded the file rkill.com (from the 1st link).
When I right-clicked the file, the option 'Run as Administrator' did not appear.

So I just double-clicked on it and ran the file. The log is pasted below:



This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Madhav on 03/13/2010 at 8:38:22.


Processes terminated by Rkill or while it was running:


C:\Users\Madhav\Desktop\rkill.com


Rkill completed on 03/13/2010 at 8:38:23.







Then I ran broni.exe; still I am getting the same results. A folder named broni is created and only a text file named Resident.txt is created in the folder C:\broni.
NO text file gets created in the C:\ root directory.
 
Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file called TDSSKiller.txt should be created on your C: drive. Please copy and paste the contents of that file here.
 
broni, I did what you said.

But when I pressed Enter at Run to execute the command, a DOS box appeared and some messages came up saying 'scanning...'. It asked me to press a key to continue and I did.
There was no message like 'hidden status detected' as mentioned in your message.

The contents of the file TDSSKiller.txt, I am pasting them below...

Waiting for your further instructions...








09:57:25:534 1868 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
09:57:25:534 1868 ================================================================================
09:57:25:534 1868 SystemInfo:

09:57:25:534 1868 OS Version: 6.0.6002 ServicePack: 2.0
09:57:25:534 1868 Product type: Workstation
09:57:25:534 1868 ComputerName: MADHAV-PC
09:57:25:534 1868 UserName: Madhav
09:57:25:534 1868 Windows directory: C:\Windows
09:57:25:534 1868 Processor architecture: Intel x86
09:57:25:534 1868 Number of processors: 2
09:57:25:534 1868 Page size: 0x1000
09:57:25:534 1868 Boot type: Safe boot with network
09:57:25:534 1868 ================================================================================
09:57:25:534 1868 UnloadDriverW: NtUnloadDriver error 2
09:57:25:534 1868 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
09:57:44:426 1868 wfopen_ex: Trying to open file C:\Windows\system32\config\system
09:57:44:426 1868 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:57:44:426 1868 wfopen_ex: Trying to KLMD file open
09:57:44:426 1868 wfopen_ex: File opened ok (Flags 2)
09:57:44:441 1868 wfopen_ex: Trying to open file C:\Windows\system32\config\software
09:57:44:441 1868 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:57:44:441 1868 wfopen_ex: Trying to KLMD file open
09:57:44:441 1868 wfopen_ex: File opened ok (Flags 2)
09:57:44:441 1868 Initialize success
09:57:44:441 1868
09:57:44:441 1868 Scanning Services ...
09:57:45:658 1868 GetAdvancedServicesInfo: Raw services enum returned 435 services
09:57:45:674 1868
09:57:45:674 1868 Scanning Kernel memory ...
09:57:45:674 1868 Devices to scan: 2
09:57:45:674 1868
09:57:45:674 1868 Driver Name: USBSTOR
09:57:45:674 1868 IRP_MJ_CREATE : 86C7E1F8
09:57:45:674 1868 IRP_MJ_CREATE_NAMED_PIPE : 8285EA22
09:57:45:674 1868 IRP_MJ_CLOSE : 86C7E1F8
09:57:45:674 1868 IRP_MJ_READ : 86C7E1F8
09:57:45:674 1868 IRP_MJ_WRITE : 86C7E1F8
09:57:45:674 1868 IRP_MJ_QUERY_INFORMATION : 8285EA22
09:57:45:674 1868 IRP_MJ_SET_INFORMATION : 8285EA22
09:57:45:674 1868 IRP_MJ_QUERY_EA : 8285EA22
09:57:45:674 1868 IRP_MJ_SET_EA : 8285EA22
09:57:45:674 1868 IRP_MJ_FLUSH_BUFFERS : 8285EA22
09:57:45:674 1868 IRP_MJ_QUERY_VOLUME_INFORMATION : 8285EA22
09:57:45:674 1868 IRP_MJ_SET_VOLUME_INFORMATION : 8285EA22
09:57:45:674 1868 IRP_MJ_DIRECTORY_CONTROL : 8285EA22
09:57:45:674 1868 IRP_MJ_FILE_SYSTEM_CONTROL : 8285EA22
09:57:45:674 1868 IRP_MJ_DEVICE_CONTROL : 86C7E1F8
09:57:45:674 1868 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86C7E1F8
09:57:45:674 1868 IRP_MJ_SHUTDOWN : 8285EA22
09:57:45:674 1868 IRP_MJ_LOCK_CONTROL : 8285EA22
09:57:45:674 1868 IRP_MJ_CLEANUP : 8285EA22
09:57:45:674 1868 IRP_MJ_CREATE_MAILSLOT : 8285EA22
09:57:45:674 1868 IRP_MJ_QUERY_SECURITY : 8285EA22
09:57:45:674 1868 IRP_MJ_SET_SECURITY : 8285EA22
09:57:45:674 1868 IRP_MJ_POWER : 86C7E1F8
09:57:45:674 1868 IRP_MJ_SYSTEM_CONTROL : 86C7E1F8
09:57:45:674 1868 IRP_MJ_DEVICE_CHANGE : 8285EA22
09:57:45:674 1868 IRP_MJ_QUERY_QUOTA : 8285EA22
09:57:45:674 1868 IRP_MJ_SET_QUOTA : 8285EA22
09:57:45:674 1868 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
09:57:45:674 1868
09:57:45:689 1868 Driver Name: atapi
09:57:45:689 1868 IRP_MJ_CREATE : 85F101F8
09:57:45:689 1868 IRP_MJ_CREATE_NAMED_PIPE : 8285EA22
09:57:45:689 1868 IRP_MJ_CLOSE : 85F101F8
09:57:45:689 1868 IRP_MJ_READ : 8285EA22
09:57:45:689 1868 IRP_MJ_WRITE : 8285EA22
09:57:45:689 1868 IRP_MJ_QUERY_INFORMATION : 8285EA22
09:57:45:689 1868 IRP_MJ_SET_INFORMATION : 8285EA22
09:57:45:689 1868 IRP_MJ_QUERY_EA : 8285EA22
09:57:45:689 1868 IRP_MJ_SET_EA : 8285EA22
09:57:45:689 1868 IRP_MJ_FLUSH_BUFFERS : 8285EA22
09:57:45:689 1868 IRP_MJ_QUERY_VOLUME_INFORMATION : 8285EA22
09:57:45:689 1868 IRP_MJ_SET_VOLUME_INFORMATION : 8285EA22
09:57:45:689 1868 IRP_MJ_DIRECTORY_CONTROL : 8285EA22
09:57:45:689 1868 IRP_MJ_FILE_SYSTEM_CONTROL : 8285EA22
09:57:45:689 1868 IRP_MJ_DEVICE_CONTROL : 85F101F8
09:57:45:689 1868 IRP_MJ_INTERNAL_DEVICE_CONTROL : 85F101F8
09:57:45:689 1868 IRP_MJ_SHUTDOWN : 8285EA22
09:57:45:689 1868 IRP_MJ_LOCK_CONTROL : 8285EA22
09:57:45:689 1868 IRP_MJ_CLEANUP : 8285EA22
09:57:45:689 1868 IRP_MJ_CREATE_MAILSLOT : 8285EA22
09:57:45:689 1868 IRP_MJ_QUERY_SECURITY : 8285EA22
09:57:45:689 1868 IRP_MJ_SET_SECURITY : 8285EA22
09:57:45:689 1868 IRP_MJ_POWER : 85F101F8
09:57:45:689 1868 IRP_MJ_SYSTEM_CONTROL : 85F101F8
09:57:45:689 1868 IRP_MJ_DEVICE_CHANGE : 8285EA22
09:57:45:689 1868 IRP_MJ_QUERY_QUOTA : 8285EA22
09:57:45:689 1868 IRP_MJ_SET_QUOTA : 8285EA22
09:57:45:705 1868 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
09:57:45:705 1868
09:57:45:705 1868 Completed
09:57:45:705 1868
09:57:45:705 1868 Results:
09:57:45:705 1868 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
09:57:45:705 1868 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:57:45:720 1868 File objects infected / cured / cured on reboot: 0 / 0 / 0
09:57:45:720 1868
09:57:45:720 1868 fclose_ex: Trying to close file C:\Windows\system32\config\system
09:57:45:720 1868 fclose_ex: Trying to close file C:\Windows\system32\config\software
09:57:45:720 1868 KLMD(ARK) unloaded successfully
 
broni

It's the same case again.

After running rkill and then running broni.exe, another folder named broni11578b is created, but no text file combofix.txt or bronifix.txt is created.

I will wait for your further instructions...


broni, can you please tell me what it is that we are trying to do? How did the initial step of running BlueScreenView help us? What are the programs combofix.exe, HijackThis, rkill and TDSSKiller doing?

I am not a computer expert like you, but I would definitely like to learn.


Waiting for your further instructions on curing the problem...
 
Well, your computer is definitely infected and we've been trying various tools to find out what's going on.

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
 
broni

I downloaded the software and installed it. It asked for an update and I clicked Yes, and then carried out a quick scan.

There were 6-8 errors and then I clicked on Remove All.


The log generated is posted below:








Malwarebytes' Anti-Malware 1.44
Database version: 3862
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18882

3/13/2010 1:02:04 PM
mbam-log-2010-03-13 (13-02-04).txt

Scan type: Quick Scan
Objects scanned: 107708
Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rndismex (Spyware.EliteKeylogger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\RECYCLER\S-1-5-21-1980998268-1022546200-537814393-5763\wnzip32.exe,explorer.exe,C:\RECYCLER\S-1-5-21-7549570908-3108869973-364522532-3715\windll.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe rundll32.exe ufmduo) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\ProgramData\MPK (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\ProgramData\MPK\1 (Refog.Keylogger) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\igfxsvr.exe (Spyware.EliteKeylogger) -> Quarantined and deleted successfully.
C:\Windows\System32\mprd32.dll (Spyware.EliteKeylogger) -> Quarantined and deleted successfully.
C:\Windows\System32\mtxx86.dll (Spyware.EliteKeylogger) -> Quarantined and deleted successfully.
C:\Windows\System32\nshEFF.tmp (Spyware.EliteKeylogger) -> Quarantined and deleted successfully.
C:\Windows\System32\nsv12A7.tmp (Spyware.EliteKeylogger) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\RNDISMex.sys (Spyware.EliteKeylogger) -> Quarantined and deleted successfully.
C:\ProgramData\MPK\M0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\ProgramData\MPK\1\D0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.





I restarted the computer, but the blue screen was still coming, so as I have been doing I restarted in Safe Mode with Networking.

Looking forward to further instructions...
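The HijackThis F2 line posted earlier (Shell=explorer.exe rundll32.exe ufmduo) and the two Hijack.Shell entries in the Malwarebytes log above record the same persistence technique: the Winlogon Shell value, which Windows reads as a comma-separated list of programs to start at logon, was extended so that extra binaries launch together with the desktop. The script below is an added example, not code from this thread, from HijackThis or from Malwarebytes. It extracts the Shell/Userinit value from either log format and reports every entry that is not the documented default, so the same check can be run over any log of this kind. The sample lines are copied from the logs posted in this thread; the allowed-directory list and the whitespace splitting of each entry are assumptions made for illustration.

```python
"""Audit Winlogon Shell / Userinit values for logon hijacks.

Added example for this thread; not part of the original posts, of
HijackThis or of Malwarebytes. Windows documents Shell and Userinit as
comma-separated lists of programs to start at logon, so anything beyond the
single expected program (extra programs, arguments, odd locations) is
reported for the analyst to look at.
"""
import ntpath
import re

# Documented defaults: Shell = explorer.exe, Userinit = <system32>\userinit.exe
EXPECTED_PROGRAM = {"shell": "explorer.exe", "userinit": "userinit.exe"}
# ASSUMPTION for illustration: directories the default program may live in
# when the value carries a full path ("" = bare file name, no path).
ALLOWED_DIRS = {"", r"c:\windows", r"c:\windows\system32"}

# HijackThis "F2 - REG:system.ini: Shell=..." / "UserInit=..." lines
F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
# Malwarebytes "...Winlogon\Shell (Hijack.Shell) -> Bad: (...) Good: (...)" lines
MBAM_RE = re.compile(
    r"Winlogon\\(Shell|Userinit) \(Hijack\.Shell\) -> Bad: \((.*?)\) Good:"
)


def extract_value(line):
    """Return (value_name, value) from a HijackThis F2 line or a Malwarebytes
    Hijack.Shell line, or None when the line is neither."""
    m = F2_RE.match(line.strip()) or MBAM_RE.search(line)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).strip()


def audit_value(name, value):
    """Return the list of suspicious entries in a Shell or Userinit value.

    An entry is clean only when it is the expected program for this value,
    sits in an allowed directory and carries no arguments. If the default
    program is present but followed by extra tokens, the tokens are reported
    rather than the whole entry. Quoted paths containing spaces are not
    handled (simple whitespace split) - an assumption of this example.
    """
    expected = EXPECTED_PROGRAM[name]
    suspicious = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue  # Userinit normally ends with a trailing comma
        tokens = entry.split()
        program = ntpath.basename(tokens[0]).lower()
        directory = ntpath.dirname(tokens[0]).lower()
        if program == expected and directory in ALLOWED_DIRS:
            if len(tokens) > 1:
                # Default program, but something was appended after it
                suspicious.append(" ".join(tokens[1:]))
            continue
        suspicious.append(entry)
    return suspicious


def audit_log(lines):
    """Run audit_value over every recognisable line and return a list of
    (value_name, suspicious_entries) for values that are not clean."""
    findings = []
    for line in lines:
        parsed = extract_value(line)
        if parsed is None:
            continue
        name, value = parsed
        bad = audit_value(name, value)
        if bad:
            findings.append((name, bad))
    return findings


# Constructed sample input: lines copied from the logs posted in this thread,
# plus one unrelated line to show it is ignored.
SAMPLE_LINES = [
    "F2 - REG:system.ini: Shell=explorer.exe rundll32.exe ufmduo",
    r"F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
    r" (Hijack.Shell) -> Bad: (C:\RECYCLER\S-1-5-21-1980998268-1022546200-537814393-5763\wnzip32.exe,"
    r"explorer.exe,C:\RECYCLER\S-1-5-21-7549570908-3108869973-364522532-3715\windll.exe)"
    r" Good: (Explorer.exe) -> Quarantined and deleted successfully.",
    "O1 - Hosts: ::1 localhost",
]

if __name__ == "__main__":
    for name, bad in audit_log(SAMPLE_LINES):
        print(f"{name}: suspicious entries -> {bad}")
```

Run against the sample lines it reports the "rundll32.exe ufmduo" tail from the HijackThis line and the two C:\RECYCLER executables from the Malwarebytes entry, while the unchanged Userinit value produces no finding. The same audit_value function can be fed the live value read from HKLM and HKCU ...\Winlogon\Shell on a machine under investigation.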
 
Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Broni, the contents of both files exceed the length limit, so I cannot post them.

I am enclosing them as attachments.

OTL.txt attachment here...
 

Attachment: OTL.Txt
Extras.txt is attached in this post...

Hope you are able to see both the files...


Hope that my problem will be resolved soon :)
 

Attachment: Extras.Txt
You're running out of space on drive C:
Drive C: | 116.42 Gb Total Space | 14.56 Gb Free Space | 12.51% Space Free
When we're done, you'll have to start moving some stuff out of it.


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O4 - HKLM..\RunOnce: [] File not found
    O33 - MountPoints2\{4e18fa65-7531-11de-99c0-00234e1adf2f}\Shell - "" = AutoRun
    O33 - MountPoints2\{4e18fa65-7531-11de-99c0-00234e1adf2f}\Shell\AutoRun\command - "" = F:\AutoExec.exe -- File not found
    O33 - MountPoints2\{b6e63f2d-747a-11de-8c8c-002269be7739}\Shell\AutoRun\command - "" = I:\CLEANUP.EXE -- File not found
    O33 - MountPoints2\{b6e63f30-747a-11de-8c8c-002269be7739}\Shell - "" = AutoRun
    O33 - MountPoints2\{b6e63f30-747a-11de-8c8c-002269be7739}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
    O33 - MountPoints2\{fd3eff11-747c-11de-8e38-002269be7739}\Shell\AutoRun\command - "" = G:\SEARCHINDEXER.EXE -- File not found
    [2010/03/07 12:35:26 | 000,000,001 | ---- | M] () -- C:\Windows\System32\ek_check.stp
    [2010/03/07 03:53:12 | 000,012,450 | ---- | M] () -- C:\Windows\System32\WlScache.dll
    [2010/03/07 01:53:43 | 000,598,528 | ---- | C] () -- C:\Windows\System32\drivers\srv2k.sys
    [2010/03/07 01:53:43 | 000,010,752 | ---- | C] () -- C:\Windows\System32\drivers\asyncmnt.sys
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Broni, as asked, here are the logs as attachments.



The log after running the fix is attached here...
 

Attachment: 03142010_095722.log
The log generated after running a quick scan is attached here...



broni, I am a little confused... I have 15.6 GB free space on the C drive. Don't mind me asking, but why do you think this is too little? I have used the C drive when there was only 2 GB free space. I had no problems then.

Does less free space cause the blue screen error?
 

Attachment: OTLk scan after qui.Txt
i have used c drive when there was only 2 GB free space
When free space on your main drive drops too low, you may find your computer not bootable at all.
Windows needs 15% free space to operate correctly. In your case, it'd be 17.5GB.

Try to restart computer in normal mode.
 
BRONI!

IT HAS STARTED IN NORMAL MODE!


Thanks a ton. I am really happy... thanks a lot for all your guidance and help.

broni, I didn't clear my hard disk; I started with 15.6GB free. When it comes to the part where Windows loads, it is very slow.
So do I need to clear the hard disk now?

broni, what settings should I change to make my settings as they were originally? If you remember, we had switched off all the settings in startup mode, so which programs should I turn on again?
 
broni

I am really thankful to you for the concern you have shown to me.

Do I need to keep all the programs we used installed, or would keeping the setup files serve the purpose?

broni, can you teach me what you did exactly at every step, so that in situations like this in future I can use the software on my own?
Can you teach me what exactly you inferred from each log?

Can I use the software on my own?

Can we chat in person at any time?
 
Very good :)
Hold your horses, we're not done yet :)
Cleaning your hard drive can wait for now. When we're done with malware cleaning, we'll go there.
Go back to "msconfig" and re-enable everything you disabled before.
Restart computer.

I wish I had more time for chatting etc., but it's not possible. There are a lot of computers here and on other forums which need help.

When you're done with the above, try to run broni.exe again.
 
broni

When I opened msconfig, the services which we had disabled were already enabled. The startup programs were disabled and I enabled some of them which I use.

I restarted my computer and then ran broni.exe.
The same procedure was carried out and after the restart, a DOS box was still there. It was creating some restore point and then scanning was done for infected files.

48 stages are completed; I will post you the log as soon as the scan gets completed.

broni, I had installed a program which asked me to restart my PC, and when I did so, the blue screen appeared, and it has been there since then. I had tried to uninstall it in safe mode, but the process was not being carried out fully. So I deleted the folder manually.
The name of that software's files was not among the ones infected.

Could this software installation have anything to do with the blue screen error?
 