Malware/BSOD

Status
Not open for further replies.
S

shadows83

I was trying to fix my cousin's computer (she had Internet Security 2010 and various other problems). Some of the other problems included "DCOM Server Process Launcher service terminated unexpectedly" and "Generic Host Process for Win32 Services encountered a problem". The DCOM message always wanted to force a reboot.

In the process of doing scans, the computer shut down and supposedly did updates. I accidentally clicked for AVG to heal a file - C:\WINDOWS\SYSTEM32\6334.exe. - about 20-30 minutes before it shut down.
After that, I got a BSOD screen 0x0000007F (0x0000000D, 0x00000000, 0x00000000, 0x00000000). This would not let me do anything (including safe mode). I am not sure if the 6334 file caused the BSOD or if it was caused by viruses/malware still on the computer.

I posted this in the BSOD thread first and was advised to make that hard drive a slave and do a hard drive diagnosicts, then the 8 step virus/malware removal process. I have done all that, but not sure how to do a HJT log for the slave drive. Both drives are using Windows XP.

I have attached the required logs. I am more concerned with the E drive than C being stable enough to use again on its own, and hopefully without any lingering issues.

I would appreciate any help you can give me. Thank you.
 

Attachments

  • AntiMalware.txt
    5.9 KB · Views: 2
  • AntiSpyware.txt
    102.8 KB · Views: 2
  • HJTlog.txt
    12.9 KB · Views: 2
Before we start....
I assume, C drive is the primary drive in second, healthy computer, and drive E is a slaved drive from bad computer?
 
Going to take some work here! you have a badly infected system

Please reopen HijackThis to 'do system scan only.' Check each of the following if present: (Do NOT click on Fix Checked until all entries have been checked)

C:\Program Files\Viewpoint\Common\ViewpointService.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.xupiter.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.linkfind.com/iebar/%s
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.xupiter.com/toolbar"); (C:\Program Files\Netscape\Users\trn2000\prefs.js)
O1 - Hosts: 64.200.25.145 gator.com #cooklop
O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
O1 - Hosts: 64.200.25.145 tripod.com #cooklop
O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
O1 - Hosts: 64.200.25.145 cj.com #cooklop
O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
O1 - Hosts: 64.200.25.145 www.paypopup.com #cooklop
O1 - Hosts: 64.200.25.145 thehun.net #cooklop
O1 - Hosts: 64.200.25.145 www.thehun.net #cooklop
O1 - Hosts: 64.200.25.145 worldsex.com #cooklop
O1 - Hosts: 64.200.25.145 www.worldsex.com #cooklop
O1 - Hosts: 64.200.25.145 free6.com #cooklop
O1 - Hosts: 64.200.25.145 www.free6.com #cooklop
O1 - Hosts: 64.200.25.145 trafficmp.com #cooklop
O1 - Hosts: 64.200.25.145 www.trafficmp.com #cooklop
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Online Video Add-on\isfmntr.exe (Added by a variant of the Zlob Trojan)
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm42935
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {1678F7E1-C422-11D0-AD7D-00400515CAAA} - http://files.cometsystems.com/cometcursor/21_cometzone/comet.cab
O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://80.96.118.2/we/mw/MSN_QTPieJess01.exe
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {FA20A987-9D1E-45B6-923A-DBF23C83F013} - http://image.imgfarm.com/images/nocache/tensoftIWREG1.2.0.1.cab
O22 - SharedTaskScheduler: aldoa - {adf64b1b-c68c-4ce8-bb55-258b7b8b0f81} - (no file)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Close all Windows except HJT and click on "Fix Checked."

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Double click on the setup file on the desktop to run
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.)
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.
Notes:

  • 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Rescan with HijackThis when finished and include new log in next reply.
 
Logs requested

Broni - yes, C drive is the health(ier) master drive, and drive E is the bad slave drive.

Bobbye- thank you for your help.

I am sorry it took so long to do this, we had some issues with a snowstorm. Texas was not meant for this kind of weather. :)

I have attached both the ComboFix and 2nd HijackThis logs.
 

Attachments

  • hjt2.txt
    9.1 KB · Views: 1
  • ComboFix.txt
    57.4 KB · Views: 2
shadow, you are going to need to remove some programs as it appears that everything you downloaded was infected. If you continue using them, there's not much point in trying to clean the system:

The following need to be uninstalled:
c:\program files\TENSOFT\TENSOFT1\1.BIN\TENSOFT.EXE
c:\program files\ORNUM\AORNUM1\1.BIN\AORNUM.EXE>> (Installed along with iWon Prize Machine. Based upon their privacy statement this can be regarded as spyware)
O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} - http://downloads.iwon.com/images/nocache/bingo/i1initialsetup1.0.0.2.cab
c:\program files\Xupiter\XupiterStartup.exe>> Xupiter is adware and homepage hijacker.
c:\program files\pcodec>> (PCODEC 6.0 Add or Remove Programs entry for Troj/Zlob-RU. Trojan Zlob-RU is a downloader Trojan for the Windows platform. The Trojan masquerades as an installer for PCodec 6.0. They are known for installing rogue anti-spyware programs like VirusBurst.)
TriJinx.1.0.0.67
c:\windows\Downloaded Program Files\popcaploader.dll
c:\program files\FunWebProducts
c:\program files\MySearch
Totem shared- porn related

You should also have HijackThis remove the following:
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\trn2000\prefs.js)
16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab>> (Computer Associates Internet AVscan CAB file.}

For the programs you uninstall using Add/Remove Programs:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Use Windows Explorer: Windows key + E: My Computer> double click on Local Drive (C)> Programs> find each program for the program you uninstalled and do a right click> Delete on each folder

Every piece of music, game, icon and other downloads you got from these programs were infected.

When you have finished with the uninstalls and removals, I would like you to run Combofix again. Delete the first log on your desktop, and
attach a new report in the next reply..

Open
Kaspersky Online Scanner in Internet Explorer

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click Accept and the web scanner will begin to load
  • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
  • You will be prompted to install an ActiveX component from Kaspersky, click Install
  • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make that the following are selected:
    [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
    [o] Scan Options: Scan Archives> Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    [o] Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

I'll need to see this logs also.
 
I can't find any of these in the Add/Remove programs; or even if I use Windows Explorer. If i can find/delete them using the command prompt, and remove the directories, will that effectively uninstall them?

Also, I finally found my old Microsoft Windows XP disc. Would it be easier or more effective to try to reformat and reinstall?
 
Your system has been so badly infected, it would probably be best for you to do the reinstall. Please make a note of the programs I mentioned that delivered malware in their downloads are not reinstalled on the clean system.
 
Status
Not open for further replies.

Similar threads

Daniel Sims
Linux is getting a BSOD that might actually be helpful
Replies
10
Views
407
ZedRM
ZedRM
H
Freezes after BSOD
Replies
10
Views
1K
bazz2004
B
midian182
Microsoft investigating Windows 11 update that is causing blue screens of death
Replies
6
Views
535
StrikerRocket
S

Latest posts

Back