Possible virus, Windows keeps shutting down

Status
Not open for further replies.

maxjoyner1

I hope someone can help. I currently have Windows XP 2003. I have been using an external hard drive (set to partition) which has 600gb of free space. Most of my music and videos are stored on it. Recently when I try to access files on the drive I receive a warning saying that Windows has to shut due to Data Execution Prevention. When I click on Debug an error message comes up saying that there is a problem with the Dr Watson debugger and it has to close, as well as another error message saying Windows is now going to close as well. Windows shuts and reboots itself, but any folders or applications also shut. As you can see from my logs, my Avira program picked up a Trojan dropper.gen which it has now quarantined. I followed the 8 steps and noticed that the virus seems to be located in a Windows file and there are 3 files which cannot be opened. Could someone take a look at my logs to see if the virus is still there, as Windows keeps on crashing, and also tell me how to get rid of the files that cannot be opened (as they keep generating warnings on scans)?

Any assistance will be greatly appreciated.

Max Joyner
 

Attachments

  • AVSCAN-20090202-110002-AB99DFEE.LOG (16.4 KB)
  • crusty.txt (12.3 KB)
Hi Max

This is a DEP issue but let's handle the malware first!

Run HJT scan only and remove the below
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: BT - {2ABF6374-AC54-445B-AEEE-ECFF074FFD82} - http://www.bt.com (file missing) (HKCU)
O9 - Extra button: Homepage - {964F2870-CB87-4DEB-8A01-69BEBE3D9A40} - http://bt.yahoo.com (file missing) (HKCU)

No problem with 2 iexplorers. Apparently IE was open twice while running HJT!

iexplore and explorer are 2 different programs/processes.

iexplore is the Microsoft Internet Explorer
explorer is the Windows GUI Windows Explorer (My Computer).

OK, most of what MBAM and SAS found was minor, except for the unknown.

So UPDATE both MBAM and SAS and run again Quick scans to ascertain they find no more and now have clean logs!

Then because of the unknown items found do the below.

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
Download ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while its running. That may cause it to stall.

For the DEP. Don't do this until after we agree you are clean.

Go to System Properties, click Advanced, then Performance Settings, then Data Execution Prevention, and tell me about the settings there. You may try a different setting but remember the current setting.

Mike
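
A way to record the DEP settings Mike asks about before changing anything, as an added example that is not part of the original thread or any of the tools it names. It assumes Windows XP SP2 or later on a build that ships wmic.exe (the Win32_OperatingSystem DEP properties and the boot.ini /noexecute switch only exist from SP2), and it assumes the per-program DEP exception list lives under the AppCompatFlags\Layers key with the data "DisableNXShowUI", which is how the XP GUI stores exceptions.

```batch
@echo off
:: Added example, not from the original thread: print the machine-wide DEP
:: policy so it can be noted down before trying a different setting.
:: Assumption: XP SP2 or later with wmic.exe available; on older builds the
:: wmic line errors out and only the boot.ini check below says anything.
echo === DEP policy as reported by WMI (Win32_OperatingSystem) ===
wmic OS get DataExecutionPrevention_Available,DataExecutionPrevention_SupportPolicy,DataExecutionPrevention_32BitApplications,DataExecutionPrevention_Drivers /format:list
echo.
echo SupportPolicy values: 0=AlwaysOff  1=AlwaysOn  2=OptIn (Windows programs only, the XP default)  3=OptOut (all programs except the exception list)
echo.
echo === /noexecute switch in boot.ini (the setting that applies at next boot) ===
findstr /i /c:"noexecute" %SystemDrive%\boot.ini || echo no /noexecute switch found in boot.ini
echo.
echo === Per-program DEP exceptions (assumption: stored under AppCompatFlags\Layers, only used with OptOut) ===
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" 2>nul | findstr /i "DisableNXShowUI" || echo none
```

Run it from a command prompt and keep the output; if the DEP popup names the program it closed, the SupportPolicy line tells you whether that program was covered only because the policy is OptOut, or because it is a Windows component under OptIn.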
 
Hi Mike,

Thanks for your assistance in this matter. In reply to your instructions, please find attached the logs you requested.
 
Yes ComboFix found more so run it again to confirm no more found and that we have a clean log.

Go to System Properties, click Advanced, then Performance Settings, then Data Execution Prevention, and tell me about the settings there.

You may try a different setting but remember the current setting. Then reboot.

Check for the problem get me a status on the system.

Mike
 
Hi Mike,

I have re-run ComboFix and I have attached the log. Unfortunately Windows still seems to crash when I access files on my external hard drive. How can I check to see if this is a software or hardware problem? I am also having error messages stating that certain instructions cannot be written or read. Any suggestions?

max
 
OK, you are clear of malware, but if you are going to use P2P file sharing (Limewire, Bitcomet etc.) you had better stay on top of your security and scans. This is the VERY BEST way to get infected!

Did you do anything with the below?
Go to System Properties, click Advanced, then Performance Settings, then Data Execution Prevention, and tell me about the settings there.

You may try a different setting but remember the current setting. Then reboot.

Check for the problem get me a status on the system.

Mike
 
Hi Mike,

Sorry for the delay in replying. I have been having problems with my web browser which would not let me access the internet. It is now corrected. In response to the Data Execution problem, it no longer appears; however I keep receiving an error message stating Windows has an error and needs to close. I have noticed that this only happens when I am accessing files on my external hard drive. I am keeping up my scans and even though I am not using P2P software I am receiving alerts that trojans are in System Volume files. Are the problems connected? Even when my computer is clear of malware Windows still shuts down. I was thinking, is it the hardware conflicting with my computer? I have tried my external hard drive on different computers but it's OK.

Hope you can help.

Max
 
OK, are you saying you are being reinfected? Having to clean malware often?

Let's clean temps and the registry deeply and clear the System Volume files.

Run CCleaner from the 8 Steps again, twice or more on the temp cleanup, then on the left click Registry, then Scan for Issues; repeat that too till clean.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner.
-------------------------------------------------------------------------------------
The issues can be, and likely are, in System Restore, so do the below.

Start-Programs-Accessories-System Tools-System Restore and create a new Restore Point. Name it "While cleaning at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point, but it also does one other thing, to something that can contain infested files and take a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.

Reboot here

Then
Start-Run
type
chkdsk d: /r (change the d: to the actual drive letter of your external drive)
If it wants to reboot to do this then reboot!

Finally..

Download Dial-A-Fix (DAF)
http://wiki.djlizard.net/Dial-a-fix#...C_and_articles
http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip

Have XP CD available in case DAF needs a file.

Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!

When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

Here 1 at a time do the below

Flush DNS
Repair Permissions
Reset networking
Watch for any File not found or other errors and make note as this may lead to the fix!

Reboot retest! Get back with results.

Mike
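
A read-only check to run before the long chkdsk /r pass Mike describes, as an added example that is not part of the original thread. It runs chkdsk without /f or /r, which neither locks the volume nor changes anything, interprets the documented exit code (0 no errors, 1 errors found and fixed, 2 errors found but not fixed because /f was not given, 3 the drive could not be checked), and keeps a log you can attach. The drive letter is passed as an argument; D: in the usage line is an assumption, use whatever letter Explorer shows for the external drive.

```batch
@echo off
:: Added example, not from the original thread: read-only chkdsk of the
:: external drive so you know whether the file system is actually damaged
:: before committing to the (much slower) surface scan that /r performs.
:: Usage: chkext.cmd D:   (D: is an assumption; use your drive letter)
setlocal
if "%~1"=="" (
    echo usage: %~nx0 ^<drive letter^>   e.g. %~nx0 D:
    exit /b 1
)
set DRV=%~1
set LOG=%TEMP%\chkdsk-%DRV:~0,1%-readonly.txt
echo Read-only check of %DRV% (no repairs made), log saved to %LOG%
chkdsk %DRV% > "%LOG%" 2>&1
set RC=%ERRORLEVEL%
:: Documented chkdsk exit codes
if %RC%==0 echo No file-system errors found. If /r then sits at one percentage for a long time it is the bad-sector scan, not corruption.
if %RC%==1 echo Errors were found and fixed.
if %RC%==2 echo Errors were found but not fixed; run chkdsk %DRV% /r (or /f) to repair them.
if %RC%==3 echo The drive could not be checked (in use, unreadable, or not a supported file system); see the log.
echo --- chkdsk output ---
type "%LOG%"
endlocal & exit /b %RC%
```

Because nothing is written to the volume, this pass is safe to run while the drive is mounted and in use; only the /r pass that follows should be left to complete uninterrupted.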
 
Hi Mike,

Thanks for the info. I am at the chkdsk stage, checking my external hard drive. It seems that on stage 4 of the process, where it is checking file data, it has been on 87% completed for about 45 minutes.

Should I restart the process?

Max
 
Absolutely NOT!

External drives communicate more slowly than internal ones, and being external and moved around they are more subject to damage.

Let it go; if it takes more than 3 hours get back to me!

Mike
 
Hi Mike

I am on the re-installing BITS part of Dial-a-fix. I have encountered an error message stating Setup cannot copy the file qmgr.dll. I have tried inserting the XP CD and still no luck.

Also when I first ran Dial-a-fix it said "error 127 c;windows\system32\iesetup is not registerable or a file is corrupt, your version of ie is 8.00.6001.18372. some dll will be missed".

any suggestions

Max
 
Well, I really only wanted you to do the first page, and only the 3 entries I listed on page 2.

Abort out and confirm the first page completed successfully and confirm just these 3 did complete on the Hammerhead (2nd page)

Flush DNS
Repair Permissions
Reset networking

then do the
Reset WMI/WBEM (not reinstall)

Then after the above lets restart and run the system for a while and check the performance, and the error when accessing the external drive!

If all else seems OK we will address the IE and other errors reported by DAF!

Mike
 
Hi Mike,

I have tried to reset WMI/WBEM; however I received an error message saying "access violation at address 77c0154d in module 'version.dll'. read of address 00000004".

Max
 
Download and install the Windows Server 2003 Resource Kit Tools (it works with 2K, XP and Vista).

http://www.microsoft.com/downloads/...69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

Let's just take the time to get you a redundant Registry backup.

Download and install ERUNT Registry backup http://www.larshederer.homepage.t-online.de/erunt/
Install let it add entry to Startup and let it back up now.

Then..

Left-drag the mouse and Copy, for pasting, all the text in the box below.
Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.
Then paste into the black screen of an open command prompt.
Code:
@echo off
:: Fix "Access denied" by resetting permissions on the registry hives and
:: the system drive. Needs SubInACL from the Windows Server 2003 Resource
:: Kit Tools, installed to its default folder (changed into below).
cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
:: Grant Administrators and SYSTEM full control on every subkey of each hive
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
:: Same grant on the system drive and everything under the Windows folder
subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
:: Re-apply the default security template that Windows Setup used
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
:: Close the command prompt (the second exit is a harmless spare in case the
:: first one is swallowed while pasting)
exit
exit

Let it finish, do not abort.

This can run an hour or more based on Processor speed and Size of registry.

Restart when finished.

Run DAF again do only the ones that failed which appear to be
Reset WMI/WBEM and Repair BITS.

OK, what is the status of the system in general and specifically access to the external drive?

Mike
 
Access to the external drive seems to be working fine; I am not receiving the error message. Thanks. However, when I re-ran Dial-a-fix it still said "error 127 c;windows\system32\iesetup is not registerable or a file is corrupt, your version of ie is 8.00.6001.18372. some dll will be missed".

Have I got a wrong Internet Explorer?
 
OK, a little research indicates DAF is not ready for IE8, or vice versa, so let it go.

OK, so it looks like we are finished. Unless you have something else?

Mike
 
Hi Mike,

My hard drive seems fine when I access it now; however I seem to receive the error message when I am transferring data to it. Everything else seems fine.

Thanks

Max
 
Is this external HD

1. USB or eSATA?
2. If USB, is it powered via USB or does it have its own power plug?

If USB, have you tried other USB ports?

And since it was chkdsked, do a defrag on it also. This may help, but Defrag can show other problems if it can't run for some reason.

Mike
 
It is USB and it does have its own power supply. I have tried it in different ports. I will let you know the outcome of the defrag.
 