TechSpot

BSOD errors.

By Wif.No_Micro
Apr 24, 2007
  1. Ummm, I've been getting these errors for a long time...BSOD
    0x0000008E (0xC0000005, 0x00000000, 0xB7D5AB88, 0x00000000)

    I get this whether or not I log in, I thought it was Rustock Rootkit but the remover didn't detect it so...I'm outta ideas. I'll try to post my minidump.

    Thanks for your time!
    -Cam

    Sorry, let me do the troubleshooting first, then I'll post back here with what's going on.

    -Cam

    Question: Should I flash the BIOS or not? My computer has just recently been acting weird, let me write what's been happening down here.

    When I start up windows and go to the login screen, and wait for about 10-20 seconds, this blue screen pops up...

    The blue screen error message has the code
    0x0000008E (0xC0000005, 0x00000000, 0xB7D5AB88, 0x00000000)

    Even if I log in it still pops up with this error.
    Also something to note, before this problem happened I had messages saying "little or no connectivity to the network" for my connection which seemed to be solved by going to Command Prompt and typing both "ipconfig /flushdns" and "netsh winsock reset", then I restarted my computer and was able to get on the internet to run virus scans, I found the following:

    Spyware:Cookie/Advertising
    Spyware:Cookie/Atlas DMT
    Spyware:Cookie/Doubleclick
    Virus:Trj/Ldpinch.ABC
    Hacktool:Rootkit/Nurech.A
    Adware:Adware/SAHAgent
    Spyware:Cookie/Hitbox
    Spyware:Cookie/Hitbox
    Adware:Adware/SAHAgent
    Virus:Trj/Spammer.ZO
    Hacktool:Rootkit/Nurech.A
    Virus:W32/Nurech.H.worm
    Adware:Adware/WebAttaker

    When I re-run anti-virus programs in safemode nothing shows up so I am assuming they have been removed. Also, when I try booting windows in normal mode my panda software that is actively running says it is blocking new viruses and re-disinfecting viruses (spammer.ZO) even though it doesn't show up in safemode. I have tried looking up Spammer.ZO and there is nothing on that trojan (even at pandasoftware website).

    And one more thing, every so often I lose internet connection when I boot into safemode with network connection, and in order to get connection again I have to type those commands in Command Prompt (ipconfig /flushdns and netsh winsock reset) then I seem to be able to connect for a while.

    Running windows xp
    Mobo is Asus P4C800E-Deluxe with 2 sticks of 512 dual channel DDR400 (A-Data)
    Intel pentium 4 3.2e
    ati radeon x800 pro (agp)
    creative labs audigy 2 zs
    3 Western Digital HDs (two of them striped) and the other has Windows
    ATX 420W power supply for AMD/Intel

    All this hardware has been in for more than a year, and I haven't had any problems with it so far. I have not tried installing any new hardware either, so I'm guessing it's probably a virus or some malicious software that is changing things.

    Also, every time I log into normal mode and get the blue screen, my anti-virus finds more viruses/spyware/trojans, so there's something it's not getting that is causing all of this.

    Sorry for all the unorganized writing
    Thanks for your time
    -Cam

    Here's a Hijackthis log if you know what the stuff means...

  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,934   +167

    Do you feel alone Wif.No_Micro?

    There's a lot of stuff I don't recognize, but it is 11:38pm on Friday night. The lone minidump points to IPSEC.sys, and it looks like you are infected with a Trojan virus.

    Try posting this in the Security and the Web forum under a more descriptive title than "Help me plz!"...
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    I have moved this thread to our Security and the Web forum.

    You're using an outdated version of HijackThis and it hasn't been renamed as per the instructions HERE.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard

    This thread is for the use of Wif.No_Micro only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. Wif.No_Micro

    Wif.No_Micro TS Rookie Topic Starter

    Okay, sorry this took so long to get back to you, mid-terms were overwhelming. So, I did most of the steps (I can only do things in safe mode). I could not install ad-aware SE because I got a windows installer error and it wouldn't install. "Look2Me-Destroyer" would not pop back up after I checked the box for "run as task". When I run Avg Anti-Rootkit, I try clicking on "In depth scan" but it says I need to reboot my computer before I use it...which I have tried rebooting many times (as well as in normal mode for as long as it will go for) but it keeps popping up with that message. I ran combofix, when it rebooted I let it go into normal mode (cause I don't think it will pop up in safemode) and it didn't quite finish but I did get logs from it so...
    Here's what I have.

    Thanks a bunch for your time,
    -Cam

    Keep in mind too, I have to run things in safemode because my computer will come up with a BSOD if I boot in normal mode.
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon, which will open a new window titled "Open Script File".
    Navigate to the file you have just downloaded, click on it and press Open.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as fresh HJT and Combofix logs.

    Regards Howard :)

    This thread is for the use of Wif.No_Micro only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  6. Wif.No_Micro

    Wif.No_Micro TS Rookie Topic Starter

    Ok, here's what I got.

    I'll try to get a HijackThis scan in normal mode while I'm waiting for a reply.
    (if it will help any)
    Thanks
    -Cam

    I was barely able to get it off...I don't know if this will do any good.

    -Cam

    Nvm, I guess it's the same file regardless of whether I run it in normal mode or not.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Download LSPFix from http://cexx.org/lspfix.htm
    1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
    2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
    3. Check the "I know what I am doing" checkbox.
    4. Select (highlight) all instances of 'vjury.dll' in the left column under "Keep".
    5. Click the arrow >> so it goes over to the right column under "Remove".
    6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
    7. Restart your computer and reconnect to the net.

    Download the Pocket Killbox programme from HERE.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    This is the filepath you need to enter into killbox.

    c:\windows\system32\vjury.dll

    Once your system has rebooted, post a fresh HJT log from normal mode (if you can). I also want to see a fresh Combofix log.

    Regards Howard :)

    This thread is for the use of Wif.No_Micro only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  8. Wif.No_Micro

    Wif.No_Micro TS Rookie Topic Starter

    So, when I run LSPFix, 'vjury.dll' isn't on the list. Also, when I run Pocket Killbox I get this message...PendingFileRenameOperations Registry Data has been Removed by External Process! And I still can't boot into normal mode...hmmmm...here's my HijackThis log and Combofix log (I'm not sure what happened with the Combofix log; I ran Combofix and it had to restart to make a log, but when I restarted into normal mode it froze, so I started in safe mode and ran it, and it ran Combofix AND did a log in one sitting so...)

    Thanks
    -Cam

    --I also tried putting in a different hard drive (so I could LAN with my friends), but it wouldn't fully load Windows, so I pulled it out and plugged my old HDs in again.
     
  9. peterdiva

    peterdiva TechSpot Ambassador Posts: 1,202

    Could you post a new minidump file so I can check the module list. Your original dump has a known infection.
     
  10. Wif.No_Micro

    Wif.No_Micro TS Rookie Topic Starter

    okey-dokey

    Thanks
    -Cam
     
  11. peterdiva

    peterdiva TechSpot Ambassador Posts: 1,202

    The file's gone (windev-6b53-3d3e.sys).
     
  12. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,934   +167

    This minidump points to ipsec.sys (Internet Protocol Security) that is part of the Windows XP, SP2 firewall. What firewall are you using Cam?
     
  13. Wif.No_Micro

    Wif.No_Micro TS Rookie Topic Starter

    ummmm....none...I turned off Windows Firewall, errr, I do have a router though. D-Link Gamer Lounge

    Thanks
    -Cam
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Download LSPFix from http://cexx.org/lspfix.htm
    1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
    2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
    3. Check the "I know what I am doing" checkbox.
    4. Select (highlight) all instances of 'tkrzmfk.dll' in the left column under "Keep".
    5. Click the arrow >> so it goes over to the right column under "Remove".
    6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
    7. Locate and delete the following files and/or directories (if there):
    c:\windows\system32\tkrzmfk.dll
    8. Restart your computer and reconnect to the net.

    Post a fresh HJT log from normal mode (if you can) as well as a fresh Combofix log.

    Regards Howard :)

    This thread is for the use of Wif.No_Micro only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  15. Wif.No_Micro

    Wif.No_Micro TS Rookie Topic Starter

    Hmmm, the only ones that are there are:
    mswsock.dll
    winrnr.dll
    nwprovau.dll
    rbdht.dll
    rsvpsp.dll

    Thanks
    -Cam
     
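    The LSPFix steps above work on the Winsock catalog, the list of provider DLLs that every socket call on the machine is routed through, which is why a layered service provider (LSP) from an unknown DLL is worth spotting even when file-based scanners come back clean. The script below is an added example, not part of this thread or of LSPFix: it parses the text printed by `netsh winsock show catalog` (available from Windows XP SP2 onward) and reports every provider whose DLL is not in an assumed baseline of the stock XP providers (mswsock.dll, winrnr.dll, nwprovau.dll, rsvpsp.dll). The sample catalog text is constructed, and its second entry and GUID are invented to stand in for a third-party LSP; a hit means "not in the baseline", not "malicious", so against this baseline the rbdht.dll in the list just posted would be reported for a closer look.

```python
"""Flag Winsock catalog providers whose DLL is not in a known-good baseline."""
import re
import sys
from typing import Dict, List, Set

# Assumed baseline of the Winsock provider DLLs Windows XP itself ships:
# mswsock.dll (TCP/IP and friends), winrnr.dll and nwprovau.dll (name-space
# providers) and rsvpsp.dll (QoS). Anything else layered in deserves a look.
BASELINE_PROVIDER_DLLS: Set[str] = {
    "mswsock.dll", "winrnr.dll", "nwprovau.dll", "rsvpsp.dll",
}

# Constructed sample in the layout printed by `netsh winsock show catalog`.
# The second entry and its all-ones GUID are invented for illustration.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        MSAFD Tcpip [TCP/IP] over [vjury]
Provider ID:                        {11111111-1111-1111-1111-111111111111}
Provider Path:                      C:\\WINDOWS\\system32\\vjury.dll
Catalog Entry ID:                   1025
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              2
"""

_ENTRY_HEADER = "Winsock Catalog Provider Entry"
# "Key:" followed by at least one space and the value; keys contain only
# letters and spaces, so the first colon always ends the key.
_FIELD_RE = re.compile(r"^([A-Za-z ]+):\s+(.*)$")


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split netsh catalog output into one dict of fields per provider entry."""
    entries: List[Dict[str, str]] = []
    for block in text.split(_ENTRY_HEADER)[1:]:
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            match = _FIELD_RE.match(line.strip())
            if match:
                fields[match.group(1).strip()] = match.group(2).strip()
        if fields:
            entries.append(fields)
    return entries


def provider_dll(path: str) -> str:
    """Return the lower-cased file name from a Windows-style provider path.

    Split on both slash kinds so this also works when run on a non-Windows host.
    """
    return re.split(r"[\\/]", path.strip())[-1].lower()


def find_unknown_providers(entries: List[Dict[str, str]],
                           baseline: Set[str] = BASELINE_PROVIDER_DLLS) -> List[Dict[str, str]]:
    """Return the catalog entries whose provider DLL is not in the baseline."""
    unknown: List[Dict[str, str]] = []
    for entry in entries:
        dll = provider_dll(entry.get("Provider Path", ""))
        if dll and dll not in baseline:
            unknown.append({
                "catalog_id": entry.get("Catalog Entry ID", "?"),
                "description": entry.get("Description", ""),
                "path": entry.get("Provider Path", ""),
                "dll": dll,
                "chain_length": entry.get("Protocol Chain Length", "?"),
            })
    return unknown


if __name__ == "__main__":
    # Pipe real output in: netsh winsock show catalog | python lsp_check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CATALOG
    for hit in find_unknown_providers(parse_catalog(text)):
        print(f"entry {hit['catalog_id']}: {hit['dll']} ({hit['description']}) -> {hit['path']}")
```

    A provider path that is not a DLL in System32, a Layered Chain Entry whose description names a DLL nobody installed on purpose, or a chain length above 1 on the plain TCP/IP entries are the things to read the report for; `netsh winsock reset`, which Cam already used, rebuilds the catalog to its defaults once the DLL itself has been dealt with.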
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Ok, please post fresh HJT and Combofix logs.

    Regards Howard :)

    This thread is for the use of Wif.No_Micro only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  17. Wif.No_Micro

    Wif.No_Micro TS Rookie Topic Starter

    kk

    Thanks
    -Cam
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your HJT log is clean. However, without seeing a HJT log from normal mode, it's impossible for me to say if your system is clean or not. Your Combofix log is extraordinarily long, and looking for malware in it is like looking for a needle in a haystack.

    I did find at least one trojan dropper, but whether this is responsible for your problems I don't know.

    It may well be time for you to consider backing up your important data and reformatting the system.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon, which will open a new window titled "Open Script File".
    Navigate to the file you have just downloaded, click on it and press Open.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log from normal mode. If you still can't post from normal mode, I suggest you reformat the system.

    Regards Howard :)

    This thread is for the use of Wif.No_Micro only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     