BSOD errors.


Wif.No_Micro

Ummm, I've been getting this error for a long time...BSOD
0x0000008E (0xC0000005, 0x00000000, 0xB7D5AB88, 0x00000000)

I get this whether or not I log in, I thought it was Rustock Rootkit but the remover didn't detect it so...I'm outta ideas. I'll try to post my minidump.

Thanks for your time!
-Cam

Sorry, let me do the troubleshooting first, then I'll post back here with what's going on.

-Cam

Question: Should I flash the BIOS or not? My computer has just recently been acting weird, let me write what's been happening down here.

When I start up Windows and go to the login screen, and wait for about 10-20 seconds, this blue screen pops up...

The blue screen error message has the code
0x0000008E (0xC0000005, 0x00000000, 0xB7D5AB88, 0x00000000)

Even if I log in it still pops up with this error.
Also something to note, before this problem happened I had messages saying "little or no connectivity to the network" for my connection which seemed to be solved by going to Command Prompt and typing both "ipconfig /flushdns" and "netsh winsock reset", then I restarted my computer and was able to get on the internet to run virus scans, I found the following:

Spyware:Cookie/Advertising
Spyware:Cookie/Atlas DMT
Spyware:Cookie/Doubleclick
Virus:Trj/Ldpinch.ABC
Hacktool:Rootkit/Nurech.A
Adware:Adware/SAHAgent
Spyware:Cookie/Hitbox
Spyware:Cookie/Hitbox
Adware:Adware/SAHAgent
Virus:Trj/Spammer.ZO
Hacktool:Rootkit/Nurech.A
Virus:W32/Nurech.H.worm
Adware:Adware/WebAttaker

When I re-run anti-virus programs in safe mode nothing shows up so I am assuming they have been removed. Also, when I try booting Windows in normal mode my Panda software that is actively running says it is blocking new viruses and re-disinfecting viruses (Spammer.ZO) even though it doesn't show up in safe mode. I have tried looking up Spammer.ZO and there is nothing on that trojan (even at the Panda Software website).

And one more thing, every so often I lose internet connection when I boot into safe mode with networking, and in order to get connection again I have to type those commands in Command Prompt (ipconfig /flushdns and netsh winsock reset); then I seem to be able to connect for a while.

Running Windows XP
Mobo is an Asus P4C800-E Deluxe with 2 sticks of 512 dual-channel DDR400 (A-Data)
Intel Pentium 4 3.2E
ATI Radeon X800 Pro (AGP)
Creative Labs Audigy 2 ZS
3 Western Digital HDs (two of them striped) and the other has Windows
ATX 420W power supply for AMD/Intel

All this hardware has been in for more than a year, and I haven't had any problems with it so far. I have not tried installing any new hardware either, so I'm guessing it's probably a virus or some malicious software that is changing things.

Also, every time I log into normal mode and get the bluescreen, my anti-virus finds more viruses/spyware/trojans, so there's something it's not getting that is causing all of this.

Sorry for all the unorganized writing
Thanks for your time
-Cam

Here's a Hijackthis log if you know what the stuff means...
 

Attachments: Mini010802-02.dmp (100 KB)
Do you feel alone Wif.No_Micro?

There's a lot of stuff I don't recognize, but it is 11:38pm on Friday night. The lone minidump points to IPSEC.sys, and it looks like you are infected with a Trojan virus.

Try posting this in the Security and the Web forum under a more descriptive title than "Help me plz!"...
 
Hello and welcome to Techspot.

I have moved this thread to our Security and the Web forum.

You're using an outdated version of HijackThis and it hasn't been renamed as per the instructions HERE.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of Wif.No_Micro only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Okay, sorry this took so long to get back to you, mid-terms were overwhelming. So, I did most of the steps (I can only do things in safe mode). I could not install Ad-Aware SE because I got a Windows Installer error and it wouldn't install. "Look2Me-Destroyer" would not pop back up after I checked the box for "run as task". When I run AVG Anti-Rootkit, I try clicking on "In depth scan" but it says I need to reboot my computer before I use it...which I have tried rebooting many times (as well as in normal mode for as long as it will go for) but it keeps popping up with that message. I ran Combofix, when it rebooted I let it go into normal mode (cause I don't think it will pop up in safe mode) and it didn't quite finish but I did get logs from it so...
Here's what I have.

Thanks a bunch for your time,
-Cam

Keep in mind too, I have to run things in safe mode because my computer will come up with a BSOD if I boot in normal mode.
 
1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as fresh HJT and Combofix logs.

Regards Howard :)

This thread is for the use of Wif.No_Micro only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Ok, here's what I got.

I'll try to get a HijackThis scan in normal mode while I'm waiting for a reply.
(if it will help any)
Thanks
-Cam

I was barely able to get it off...I don't know if this will do any good.

-Cam

Never mind, I guess it's the same file regardless of whether I run it in normal mode or not.
 
Download LSPFix from http://cexx.org/lspfix.htm
1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
3. Check the "I know what I am doing" checkbox.
4. Select (highlight) all instances of 'vjury.dll' in the left column under "Keep".
5. Click the arrow >> so it goes over to the right column under "Remove".
6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
7. Restart your computer and reconnect to the net.

Download the Pocket Killbox programme from HERE.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

This is the filepath you need to enter into killbox.

c:\windows\system32\vjury.dll

Once your system has rebooted, post a fresh HJT log from normal mode(if you can). I also want to see a fresh Combofix log.

Regards Howard :)

This thread is for the use of Wif.No_Micro only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
So, when I run LSPFix 'vjury.dll' isn't on the list. Also, when I run Pocket Killbox I get this message...PendingFileRenameOperations Registry Data has been Removed by External Process! And, I still can't boot into normal mode...hmmmm...here's my HijackThis log and Combofix log (I'm not sure what happened with the Combofix log, I ran Combofix and it had to restart to make a log, but when I restarted into normal mode it froze, so I started in safe mode and ran it, and it ran Combofix AND did a log in one sitting so...)

Thanks
-Cam

--I also tried putting in a different hard drive (so I could LAN with my friends, but it wouldn't fully load Windows so I pulled it out and plugged my old HDs in again)
 
Could you post a new minidump file so I can check the module list. Your original dump has a known infection.
 
This minidump points to ipsec.sys (Internet Protocol Security) that is part of the Windows XP, SP2 firewall. What firewall are you using Cam?
 
Download LSPFix from http://cexx.org/lspfix.htm
1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
3. Check the "I know what I am doing" checkbox.
4. Select (highlight) all instances of 'tkrzmfk.dll' in the left column under "Keep".
5. Click the arrow >> so it goes over to the right column under "Remove".
6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
7. Locate and delete the following bold files and/or directories(if there).
c:\windows\system32\tkrzmfk.dll
8. Restart your computer and reconnect to the net.

Post a fresh HJT log from normal mode(if you can) as well as a fresh Combofix log.

Regards Howard :)

This thread is for the use of Wif.No_Micro only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
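An added example, not from this thread or from Howard's instructions, covering the two LSPFix steps above: a PowerShell audit of the same Winsock LSP catalog that LSPFix edits, listing every provider DLL and flagging entries that are missing, live outside system32, or carry no valid Authenticode signature. It assumes an elevated prompt on a Windows version with PowerShell and `Get-AuthenticodeSignature`, and the standard "Provider Path:" layout that `netsh winsock show catalog` prints.

```powershell
# Added example (not the thread's own code): audit the Winsock LSP catalog,
# the provider chain that LSPFix edits above, for DLLs that are missing,
# sit outside %SystemRoot%\system32, or lack a valid Authenticode signature.
# Assumes an elevated prompt and the standard "Provider Path:" lines that
# `netsh winsock show catalog` prints (English locale).
$catalog = netsh winsock show catalog

# Pull every distinct provider DLL path out of the catalog text.
$paths = $catalog |
    ForEach-Object {
        if ($_ -match '^\s*Provider Path:\s*(.+?)\s*$') {
            [Environment]::ExpandEnvironmentVariables($Matches[1])
        }
    } |
    Sort-Object -Unique

$sys32 = Join-Path $env:SystemRoot 'system32'

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        # A catalog entry pointing at a deleted DLL breaks the chain; this is
        # the state that LSPFix's "restore the chain numbers" step repairs.
        "MISSING  $p"
        continue
    }
    $sig     = Get-AuthenticodeSignature -LiteralPath $p
    $outside = -not $p.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)
    if ($outside -or $sig.Status -ne 'Valid') {
        # Unsigned or oddly placed LSP DLLs (like the randomly named ones
        # removed in this thread) deserve a closer look before reconnecting.
        "SUSPECT  $p  (signature: $($sig.Status))"
    }
    else {
        "ok       $p"
    }
}
```

Every legitimate Microsoft provider (mswsock.dll, the NLA and RSVP providers and so on) should come back as `ok`; a `SUSPECT` or `MISSING` line is the entry to investigate before reconnecting the machine to the network.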
 
Your HJT log is clean. However, without seeing a HJT log from normal mode, it's impossible for me to say if your system is clean or not. Your Combofix log is extraordinarily long and looking for malware in it is like looking for a needle in a haystack.

I did find at least one trojan dropper, but whether this is responsible for your problems I don't know.

It may well be time for you to consider backing up your important data and reformatting the system.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log from normal mode. If you still can't post from normal mode, I suggest you reformat the system.

Regards Howard :)

This thread is for the use of Wif.No_Micro only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 