TechSpot

Malware/BSOD

By shadows83
Feb 11, 2010
  1. I was trying to fix my cousin's computer (she had Internet Security 2010 and various other problems). Some of the other problems included "DCOM Server Process Launcher service terminated unexpectedly" and "Generic Host Process for Win32 Services encountered a problem". The DCOM message always wanted to force a reboot.

    In the process of doing scans, the computer shut down and supposedly did updates. I accidentally clicked for AVG to heal a file, C:\WINDOWS\SYSTEM32\6334.exe, about 20-30 minutes before it shut down.
    After that, I got a BSOD screen 0x0000007F (0x0000000D, 0x00000000, 0x00000000, 0x00000000). This would not let me do anything (including safe mode). I am not sure if the 6334 file caused the BSOD or if it was caused by viruses/malware still on the computer.

    I posted this in the BSOD thread first and was advised to make that hard drive a slave and do a hard drive diagnostics, then the 8 step virus/malware removal process. I have done all that, but I am not sure how to do a HJT log for the slave drive. Both drives are using Windows XP.

    I have attached the required logs. I am more concerned with the E drive than C being stable enough to use again on its own, and hopefully without any lingering issues.

    I would appreciate any help you can give me. Thank you.
     

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 47,039   +255

    Before we start....
    I assume the C drive is the primary drive in the second, healthy computer, and drive E is the slaved drive from the bad computer?
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Going to take some work here! You have a badly infected system.

    Please reopen HijackThis to 'do system scan only.' Check each of the following if present: (Do NOT click on Fix Checked until all entries have been checked)

    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.xupiter.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.linkfind.com/iebar/%s
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.xupiter.com/toolbar"); (C:\Program Files\Netscape\Users\trn2000\prefs.js)
    O1 - Hosts: 64.200.25.145 gator.com #cooklop
    O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
    O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
    O1 - Hosts: 64.200.25.145 tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 cj.com #cooklop
    O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
    O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
    O1 - Hosts: 64.200.25.145 www.paypopup.com #cooklop
    O1 - Hosts: 64.200.25.145 thehun.net #cooklop
    O1 - Hosts: 64.200.25.145 www.thehun.net #cooklop
    O1 - Hosts: 64.200.25.145 worldsex.com #cooklop
    O1 - Hosts: 64.200.25.145 www.worldsex.com #cooklop
    O1 - Hosts: 64.200.25.145 free6.com #cooklop
    O1 - Hosts: 64.200.25.145 www.free6.com #cooklop
    O1 - Hosts: 64.200.25.145 trafficmp.com #cooklop
    O1 - Hosts: 64.200.25.145 www.trafficmp.com #cooklop
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Online Video Add-on\isfmntr.exe (Added by a variant of the Zlob Trojan)
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm42935
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {1678F7E1-C422-11D0-AD7D-00400515CAAA} - http://files.cometsystems.com/cometcursor/21_cometzone/comet.cab
    O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://80.96.118.2/we/mw/MSN_QTPieJess01.exe
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O16 - DPF: {FA20A987-9D1E-45B6-923A-DBF23C83F013} - http://image.imgfarm.com/images/nocache/tensoftIWREG1.2.0.1.cab
    O22 - SharedTaskScheduler: aldoa - {adf64b1b-c68c-4ce8-bb55-258b7b8b0f81} - (no file)
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


    Close all Windows except HJT and click on "Fix Checked."

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Double click on the setup file on the desktop to run
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (screenshot not reproduced here):
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

      1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Rescan with HijackThis when finished and include new log in next reply.
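The entries Bobbye flagged above show two patterns worth recognising in any HijackThis log: a run of O1 lines sending many unrelated domain names to one routable address (64.200.25.145), which is a hosts-file redirect rather than the loopback block a hosts file normally carries, and an O16 DPF entry that fetches an .exe from a bare IP instead of a signed .cab. The script below is an added example, not part of this thread and not a HijackThis tool; it parses a constructed log fragment (a few lines copied from the log above plus invented benign lines, labelled in the code) and reports both patterns.

```python
"""Flag hosts-file redirects and suspicious ActiveX (DPF) entries in HijackThis-style log text.

Added example for the thread above; not HijackThis code and not the thread's own tooling.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: four O1/O16 lines taken from the log quoted in the thread, plus
# invented benign entries (localhost, a 0.0.0.0 ad block, a BHO line) to show filtering.
SAMPLE_LOG = """\
O1 - Hosts: 64.200.25.145 gator.com #cooklop
O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 0.0.0.0 ads.example.test
O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://80.96.118.2/we/mw/MSN_QTPieJess01.exe
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
DPF_RE = re.compile(r"^O16 - DPF:\s+(\{[0-9A-Fa-f-]+\})\s*(?:\([^)]*\))?\s*-\s*(\S+)")
URL_HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.I)


def parse_hosts_entries(text):
    """Return (ip, hostname) pairs from every O1 line in the log text."""
    entries = []
    for line in text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def find_hosts_redirects(text, min_names=3):
    """Group O1 entries by target address and return {ip: sorted names} for every
    routable (non-loopback, non-unspecified) address that at least min_names
    hostnames are mapped to. Loopback/0.0.0.0 entries are the normal ad-block
    idiom and are ignored; many names pointed at one real address is a redirect."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts_entries(text):
        try:
            addr = ip_address(ip)
        except ValueError:
            continue  # malformed address; not a routable redirect
        if addr.is_loopback or addr.is_unspecified:
            continue
        by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_names}


def find_suspicious_dpf(text):
    """Return (clsid, url, reasons) for O16 DPF entries whose download URL has a
    bare IP as its host or whose payload is not a .cab package."""
    findings = []
    for line in text.splitlines():
        m = DPF_RE.match(line.strip())
        if not m:
            continue
        clsid, url = m.groups()
        reasons = []
        hm = URL_HOST_RE.match(url)
        host = hm.group(1) if hm else ""
        try:
            ip_address(host)
            reasons.append("download host is a bare IP address")
        except ValueError:
            pass  # a hostname, not an IP literal
        path = url.split("?", 1)[0].lower()
        if not path.endswith(".cab"):
            reasons.append("payload is not a .cab package")
        if reasons:
            findings.append((clsid, url, reasons))
    return findings


if __name__ == "__main__":
    for ip, names in find_hosts_redirects(SAMPLE_LOG).items():
        print(f"hosts redirect: {len(names)} names -> {ip}: {', '.join(names)}")
    for clsid, url, reasons in find_suspicious_dpf(SAMPLE_LOG):
        print(f"suspicious DPF {clsid} {url}: {'; '.join(reasons)}")
```

Run it against a saved HijackThis log by reading the file into `find_hosts_redirects` and `find_suspicious_dpf` instead of `SAMPLE_LOG`; the threshold of three names per address keeps a single deliberate host override from being reported.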
     
  4. shadows83

    shadows83 TS Rookie Topic Starter

    Logs requested

    Broni - yes, C drive is the health(ier) master drive, and drive E is the bad slave drive.

    Bobbye- thank you for your help.

    I am sorry it took so long to do this, we had some issues with a snowstorm. Texas was not meant for this kind of weather. :)

    I have attached both the ComboFix and 2nd HijackThis logs.
     

    Attached Files:

  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    shadow, you are going to need to remove some programs as it appears that everything you downloaded was infected. If you continue using them, there's not much point in trying to clean the system:

    The following need to be uninstalled:
    c:\program files\TENSOFT\TENSOFT1\1.BIN\TENSOFT.EXE
    c:\program files\ORNUM\AORNUM1\1.BIN\AORNUM.EXE>> (Installed along with iWon Prize Machine. Based upon their privacy statement this can be regarded as spyware)
    O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} - http://downloads.iwon.com/images/nocache/bingo/i1initialsetup1.0.0.2.cab
    c:\program files\Xupiter\XupiterStartup.exe>> Xupiter is adware and homepage hijacker.
    c:\program files\pcodec>> (PCODEC 6.0 Add or Remove Programs entry for Troj/Zlob-RU. Trojan Zlob-RU is a downloader Trojan for the Windows platform. The Trojan masquerades as an installer for PCodec 6.0. They are known for installing rogue anti-spyware programs like VirusBurst.)
    TriJinx.1.0.0.67
    c:\windows\Downloaded Program Files\popcaploader.dll
    c:\program files\FunWebProducts
    c:\program files\MySearch
    Totem shared- porn related


    You should also have HijackThis remove the following:
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\trn2000\prefs.js)
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab>> (Computer Associates Internet AVscan CAB file.)


    For the programs you uninstall using Add/Remove Programs:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Use Windows Explorer: Windows key + E: My Computer> double click on Local Drive (C)> Programs> find the folder for each program you uninstalled and do a right click> Delete on each folder

    Every piece of music, game, icon and other downloads you got from these programs were infected.

    When you have finished with the uninstalls and removals, I would like you to run ComboFix again. Delete the first log on your desktop, and attach a new report in the next reply.

    Open Kaspersky Online Scanner in Internet Explorer


    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make sure that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

    I'll need to see these logs also.
     
  6. shadows83

    shadows83 TS Rookie Topic Starter

    I can't find any of these in the Add/Remove programs; or even if I use Windows Explorer. If I can find/delete them using the command prompt, and remove the directories, will that effectively uninstall them?

    Also, I finally found my old Microsoft Windows XP disc. Would it be easier or more effective to try to reformat and reinstall?
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Your system has been so badly infected, it would probably be best for you to do the reinstall. Please make a note of the programs I mentioned that delivered malware in their downloads, so that they are not reinstalled on the clean system.
     
Topic Status:
Not open for further replies.

