BSOD 0x8E After a virus hit - seems inactivity time based

Status
Not open for further replies.

deester

Hello to all!!
I was diagnosing a NAS issue and disabled my firewall, and within 5 minutes was promptly treated to a host of viruses and Trojans. :eek:
After the first reboot the BSOD 0x8E appeared. I then used PC Tools Spyware Doctor, Firewall Plus (ESET NOD32 no longer functioned), Desktop Maestro (registry cleaner) and ThreatFire to start the long journey home. The BSOD 0x8E is consistently the code I can't seem to beat. For whatever reason, to date I still cannot analyze or defrag the HD drive (C drive programs, D drive partition for data).
I have created a new paging file. I have run Memtest86+ for multiple passes with no errors, and ran Everest Home 2.20.405: CPU at 133 deg F, GPU at 108 deg F and HDD at 102 deg F. I have never changed clock speeds and have no additional hardware configurations beyond stock.
It (whatever "it" is) seems to be time based on keyboard inactivity (I've seen it throw the error anywhere from 4 to 6 minutes in); however, if I keep working after multiple boots (about every third one is successful; usually it freezes the keyboard, though the mouse will move, but no "click" is recognized) I can get hours of run time (I just can't stop!!)
I've got to think this is something attaching to the kernel such that it is not able to be scrubbed by antivirus removal tools? Looking for thoughts and suggestions. My hair is becoming a precious commodity.
 
Hi deester

Boot to Safe Mode with Networking to install and run the below.

Do the TechSpot 8 steps: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Skip no steps (do not install another virus scanner if you already have one, nor Firewall for now).

Most importantly, update MalwareBytes and SuperAntiSpyware!

Before you scan with SuperAntiSpyWare do the below:

SuperAntispyware extra config

After it is installed, double-click the icon on your desktop to run it.

Update the program definitions.

Click the Preferences button.

Then Scanning Control.

In Scanner Options make sure all boxes except #3, Ignore System Restore, are checked.

MalwareBytes extra config

After the update but before running it,
click Settings and confirm all are checked.

I repeat: update these 2 programs.

Run them and attach their logs.

Reboot to normal!

Mike
 
Ran the 8-step

Hello mflynn!

Thanks for all the efforts in advance!!

As indicated, I ran the 8-step process and included the 3 requested logs. On the reboot requested by HijackThis, I did a "cold" start and it slowly locked up. I was able to get to the Task Manager and click on Shutdown. We rebooted and I am running again, but I have not let it "sit" inactive until I made this post. Looking forward to your suggestions. I will let it sit to see if we are winning or not. I will post either way.

Thanks!

Dee
 
Hi deester

Run HJT, select and remove the below entries:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=yp3HYNzj2gNvLBIMKITaOnvpzX8
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: {5a084ff4-34b2-098a-c324-8e4e7c102a45} - {54a201c7-e4e8-423c-a890-2b434ff480a5} - (no file)
O2 - BHO: (no name) - {69B6A2C5-9CDF-46D3-AB96-6E880C857597} - (no file)
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O18 - Protocol: a5res - (no CLSID) - (no file)
O18 - Protocol: XBasic - (no CLSID) - (no file)

There was a lot found and cleaned on the last run of MBAM and SAS so we need to run them again to get leftovers and things that were exposed that the first runs never saw!

From normal mode, UPDATE and run MBAM and SAS Quick scan again. Attach logs. We are after clean logs!

Mike
 
Second Run -- clean

Hello Mike!

I removed the indicated entries via HJT. MBAM and SAS both ran clean. I also ran Spyware Doctor and ThreatFire: clean. So far, no BSOD with inactivity (15 minutes -- wa-hoo!)
Log files attached. After all runs, I created a restore point.

Still have not rebooted or tried to defrag. Also noticed the system tray is not consistent with its objects (when expanded). I understand they "hide", but when expanded I would expect them to be visible. (I know, baby steps -- good progress at this point and I'm good with that!!)

Waiting on your well-tuned (and highly appreciated) next directions!

Thanks!

Dee
 
OK, the HJT things are still there; print this post so you will have it in Safe Mode!

There is a reason for this!

----------------------------------------------------------------------------------------------------------------------
Download ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Then

Download SD Fix to the Desktop; among other things it includes Catchme to look for RootKits.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At Desktop

Run HJT Scan only, select the below and try to remove them again:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: {5a084ff4-34b2-098a-c324-8e4e7c102a45} - {54a201c7-e4e8-423c-a890-2b434ff480a5} - (no file)
O2 - BHO: (no name) - {69B6A2C5-9CDF-46D3-AB96-6E880C857597} - (no file)
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O18 - Protocol: a5res - (no CLSID) - (no file)
O18 - Protocol: XBasic - (no CLSID) - (no file)

Then..

Double-click combofix.exe and follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Now for SDFix: if a reboot was incurred, then reboot back to Safe Mode.

Go to My Computer, C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process, then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.

Now run ComboFix
Double-click combofix.exe and follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
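As an added example (not from the original thread and not HijackThis code), a small Python triage script for HJT log lines like the ones Mike lists here and in his earlier post. It parses the section code and any CLSID on each line and flags entries that are orphaned ("(no file)" / "(file missing)") or R-section entries that point at a URL, which are the ones worth a second look after a cleanup. The O4 ctfmon line in the sample log is constructed as a benign control; the other lines are taken from this thread.

```python
import re
from dataclasses import dataclass, field

# A HijackThis line starts with a section code (R1, O2, O18, ...) and " - ".
_ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# COM class identifiers as HJT prints them: {8-4-4-4-12 hex digits}.
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class HjtEntry:
    section: str
    body: str
    clsids: list = field(default_factory=list)
    orphaned: bool = False  # registration whose backing file is gone


def parse_hjt_line(line: str):
    """Parse one HJT log line; return None for lines that are not entries."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    low = body.lower()
    orphaned = "(no file)" in low or "(file missing)" in low
    return HjtEntry(m.group("section"), body, _CLSID_RE.findall(body), orphaned)


def triage(log_text: str):
    """Return entries worth review: orphaned registrations (typical leftovers
    after a cleanup) and R-section entries whose target is a URL."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        url_hijack = entry.section.startswith("R") and "http" in entry.body.lower()
        if entry.orphaned or url_hijack:
            flagged.append(entry)
    return flagged


# Sample log: entries from this thread plus one constructed benign O4 line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/first_usage&s=yp3HYNzj2gNvLBIMKITaOnvpzX8
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {69B6A2C5-9CDF-46D3-AB96-6E880C857597} - (no file)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O18 - Protocol: a5res - (no CLSID) - (no file)
"""
```

Run `triage(SAMPLE_LOG)` on a full log to get the list of entries to compare against the ones a helper asks you to remove; the O4 control line is not flagged.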
 
ComboFix and SD Fix

Well that keeps it interesting!
As a side note, the system tray has re-populated properly.

When trying to download the ComboFix and SD fix, I believe the little critter was corrupting the files so I downloaded them on a thumb drive and loaded them clean.

Attached reports as requested. There are 6 reports but only 5 could be attached to this post. The last report will be on the next post.

Thanks!

Dee
 
OK that did it!

It is late for me so I will post a thread closing tomorrow.

I meant to tell you I am glad you are using ThreatFire, but let's reset it! This will cause you to have to re-approve everything for a day or so, but it will be worth it in case something bad got approved.

Right-click TF in the System Tray, then click Threat Control, then on each of the tabs at the top click Select All, then Remove.

Then click Settings and slide Sensitivity to max. Update and then do a scan when you can.

This will make TF very inquisitive, so approve carefully; use the Google search function and/or ask me here if not sure. Remember the Quarantine will allow you to put it back.

You have done a fabulous job!

After using computer for a few hours let me know how it runs and if there are any other issues.

Mike
 
Threatfire

Hello Mike!

Thanks for all the help.

I will be running a scan on ThreatFire. The computer had trouble booting -- it took 3 tries but seems to be functioning now. I am going to run HJT to see if any of the files are back.

In the other programs we used, do I permanently delete the files they quarantined?

I'm thinking there has to be corrupt or damaged files causing some of the boot issues. Is that a fair thought??

Thanks!

Dee
 
boot issue

It is slightly different in that the system tray has a reduced number of applications. (Starting to see it as a quasi indicator of what kind of boot-up is in store.)

To the point, Firefox and Thunderbird when invoked will "seem" to start but not spawn. I checked the task manager and the process IS running. (Firefox). I end the process and try to start it again but same results. Interestingly enough, Chrome will come up as well as a shortcut to a particular folder, for example. I have noticed the machine is slower.

ThreatFire on the 3rd reboot was very inquisitive, but I found nothing out of sorts -- auto-updates for the PC Tools and launching their processes. Nothing else. This time (3rd reboot) Firefox spawned properly. FYI - I am also running Browser Defender on Firefox.

Spyware Doctor on an intelli-scan found a Trojan.Generic in HKEY_USERS\S-5-21... are\Wget.

Also HKEY_LOCAL_MACHINE\SOFTWARE\Swearware.

I have updated SAS and am running a full scan to see what it finds.

Running HJT -- Found the O18 a5res and Xbasic again. No R1,R3, O2, O9.

I would assume to remove the O18's?

SAS is still running.
 
You may be getting reinfected; watch TF!


Drag the mouse to highlight and copy all the text inside the box below, and paste it into an open Command prompt!
Code:
@echo off
rem Remove the Swearware and Wget keys Spyware Doctor reported, plus the CLSID key below.
rem /f forces the deletion without a confirmation prompt.
reg delete HKLM\SOFTWARE\swearware /f
reg delete HKCU\Software\Wget /f
reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-5F3E2E0424EA} /f
exit

After this, reboot and rerun HJT, remove those entries and post the log.

Mike
 
Mike, I'm sorry, I'm not sure exactly what you ask --

Start - Run - type "command", Enter. The Command window is open, but pasting multiple lines does not seem to work? Sorry, one of the 14 brain cells I have left left!! I need the hand-hold method here.
 
It should! Get the text only from inside the box, not the box itself.

What happens?

Try it one line at a time hitting enter twice after each paste.

Mike
 
When I paste into the command line ( C:\> ) I get the ^V character.

I typed the lines in and it says "The system was unable to find the specified registry key or value."
 
Just for kicks, I tried to copy / paste something outside the box and it still gave me the ^V character. ????????
 
Mike!

I've been called out.
I'm on the side for a couple of hours.

Q? I am a mobile business. What do you use to keep the system clean?

Thanks!

Dee
 
Hmm!

Try this first!

Open IE, click Tools - Internet Options - Security, then at the bottom right click Custom level,
and look 3/4 of the way down for the "Drag and drop or copy and paste" entry.

Set to enabled, if it is not enabled!

In answer to your question on cleanup:

On my and my Clients systems I use the same programs as we are using here.

For Temp cleanup use these

Run CCleaner again, twice or more, on Cleanup temps; then on the left click Registry, then Scan for issues, and also repeat till clean.

Download, install and run ATF-Cleaner http://www.majorgeeks.com/ATF_Cleaner_d4949.html and clear all except passwords in all browsers you have. Run repeatedly until no more is found.

Very good: KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe

So do these now.

Finally, since we should be clean, a general Windows check and repair to make sure nothing tinkered with the normal known Windows DLLs. This will possibly also address the Copy/Paste issue if the above was not the cause.

Do the below.

Download Dial-A-Fix (DAF)
http://wiki.djlizard.net/Dial-a-fix#...C_and_articles
http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip

Have XP CD available in case DAF needs a file.

Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!

When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

Here, 1 at a time, do the below:

Flush DNS
Flush Icons
Process Idle Tasks
Repair Permissions
Reset WMI/WBEM (not reinstall)
Watch for any "File not found" or other errors and make a note, as this may lead to the fix! This is absolutely the best way to find out if you are missing a required standard/known DLL.

Reboot retest!

Get back with log file and results.

Mike
 
Hello Mike!

I have returned.
Well well well...... It looks like I'm going to be occupied this evening. (If we go any further, you're going to have to break the news to my wife!! HA!)

As always, thanks for all of your efforts and I'll report back!

BTW.... I'm very curious about your system comment about 5 screens!
 
I administer 55 networks in 5 states comprising 744 computers.

I do this remotely using Terminal Services (Remote Desktop) and UltraVNC.

So I have (actually now) 4 screens (computers to work with).

I may be online here working with you on one, while connected to one of my clients on another and emailing etc on another.

I could have multiple windows open on one computer but I would be switching windows constantly.

And I have things I have to watch in full screen to see when something happens that I need to address. With my setup it is only a glance to see if I need to intervene.

EDIT: We are almost done; the last post is not as complex as it looks. Additionally, this is your thread and you will be able to use it later to maintain your system.

Mike
 
Hello Mike!

It came back with a vengeance. Locked me up tight. I have resurrected an older unit to limp along with. Once I am able to get to Safe Mode, I will go through the motions again.

Thanks for all of your efforts!

Dee
 