previous malware, now BSOD.

Status
Not open for further replies.

KDP922

Hello-

I pretty much have the same problem as this guy

https://www.techspot.com/vb/topic145718.html

however I don't have the connectivity problems. My problem might run deeper, as I formerly had the Virtumundo virus and was never able to fully get it clean. Since I was able to restore my PC to full activity, no virus scanner can complete without blue screening my PC.

I had followed the instructions of http://wiki.castlecops.com/Malware_Removal:_Virtumundo to restore it to being able to use, but that site is defunct and now I have found yours.

Anyway, I have the XP Antivirus Pro issue, downloaded MalwareBytes and it seemed to remove the popups, but my searches were still hijacked. It seems as if the only purpose is to get link referrals. The first few links upon PC startup work fine. Image searches work fine. But after a couple, the links get hijacked and never return to normal.

I have the following installed:

Spybot (only one that can do a complete scan)
MalwareBytes (seemed to fix issue, but since reboot won't run properly)
CCleaner
McAfee - never can complete a full scan without bluescreen. prior issue to recent search hijack.
ATF-Cleaner
HijackThis
FSBI
VirtumundoBeGone
VundoFix

I need help- any assistance would be much appreciated.

KDP
 
Welcome to TechSpot. I'll help you with the malware. Regarding the list of programs you left:
Spybot (only one that can do a complete scan) - keep but don't run.
MalwareBytes (seemed to fix issue, but since reboot won't run properly)
CCleaner- uninstall
McAfee - never can complete a full scan without bluescreen. prior issue to recent search hijack.
ATF-Cleaner- uninstall
HijackThis- keep if it is v1.0.2. If it is not, uninstall
FSBI> the only thing I could find for this that was computer related was "Search engine promotion specialists getting ANY site found at top page placement at most ALL major search engines."
VirtumundoBeGone> uninstall
VundoFix> uninstall


But I can't do anything until I see something- so please follow the steps in our Preliminary Virus and Malware Removal thread HERE.

When you have finished, please leave the logs for all 3 programs to be reviewed. Based on what I see in the logs, I'll determine the best next steps.

Please don't use any other cleaning programs while I am helping you unless I ask you to. Don't run any Registry cleaner and don't make any registry changes.

You don't need two temp file cleaning programs CCleaner and ATF. I'm liking TFC- Temporary File Cleaner- better than either of those.

As for the blue screen, you should be getting a message with it- what does it say?
 
Welcome to TechSpot. I'll help you with the malware. Regarding the list of programs you left:
Spybot (only one that can do a complete scan) - keep but don't run.
MalwareBytes (seemed to fix issue, but since reboot won't run properly)
CCleaner- uninstall (uninstalled)
McAfee - never can complete a full scan without bluescreen. prior issue to recent search hijack.
ATF-Cleaner- uninstall (not on add/remove programs list) deleted from icon
HijackThis- keep if it is v1.0.2. If it is not, uninstall (was v2.0.2, uninstalled)
FSBI> the only thing I could find for this that was computer related was "Search engine promotion specialists getting ANY site found at top page placement at most ALL major search engines." (deleted, could not uninstall)
VirtumundoBeGone> uninstall (deleted)
VundoFix> uninstall (deleted)

I'm going to force a blue screen to capture the information, then follow your preliminary guide and report back

thanks in advance!
 
Okay, but no need to quote my replies.

Once you get the blue screen, note the time on the computer clock. Then go to the Event Viewer and look for the Error corresponding to the time of the BSOD. The Events are time coded, so that should help. Post the Event(s) here per the following:

Start> Run> type in eventvwr

Do this for each of the System and Application logs:
[1] Click to open the log
[2] Look for the Error
[3] Right click on the Error > Properties
[4] Click on the Copy button, top right, below the down arrow
[5] Paste here (Ctrl+V)
[6] NOTES
  • You can ignore Warnings and Information Events.
  • If you have a recurring Error with the same ID#, same Source and same Description, only one copy is needed.
  • You don't need to include the lines of code in the box below the Description, if any.
  • Please do not copy the entire Event log.

Errors are time coded.
 
BSOD code

*** STOP: 0x0000007E (0xc0000005, 0x80509881, 0xf79255c4, 0xf79252c0)


Windows has recovered from a serious error:

BCCode: 1000007E
BCP1: C0000005
BCP2: 80509881
BCP3: F79255C4
BCP4: F79252C0
OSVer: 5_1_2600
SP: 3_0 PRODUCT: 256_1
 
System errors

Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 4/10/2010
Time: 11:31:13 AM
User: N/A
Computer: ADCPRODUCTIONS
Description:
Error code 1000007e, parameter1 c0000005, parameter2 80509881, parameter3 f79255c4, parameter4 f79252c0.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 31 30 30 30 30 30 37 1000007
0020: 65 20 20 50 61 72 61 6d e Param
0028: 65 74 65 72 73 20 63 30 eters c0
0030: 30 30 30 30 30 35 2c 20 000005,
0038: 38 30 35 30 39 38 38 31 80509881
0040: 2c 20 66 37 39 32 35 35 , f79255
0048: 63 34 2c 20 66 37 39 32 c4, f792
0050: 35 32 63 30 52c0


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7009
Date: 4/10/2010
Time: 11:31:15 AM
User: N/A
Computer: ADCPRODUCTIONS
Description:
Timeout (30000 milliseconds) waiting for the Media Center Receiver Service service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 4/10/2010
Time: 11:31:15 AM
User: N/A
Computer: ADCPRODUCTIONS
Description:
The Media Center Scheduler Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7022
Date: 4/10/2010
Time: 11:31:36 AM
User: N/A
Computer: ADCPRODUCTIONS
Description:
The SQL Server VSS Writer service hung on starting.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7034
Date: 4/10/2010
Time: 11:31:36 AM
User: N/A
Computer: ADCPRODUCTIONS
Description:
The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
Application errors

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 4/10/2010
Time: 11:32:28 AM
User: N/A
Computer: ADCPRODUCTIONS
Description:
Faulting application wgatray.exe, version 1.5.540.0, faulting module unknown, version 0.0.0.0, fault address 0x00b51d10.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 77 67 61 ure wga
0018: 74 72 61 79 2e 65 78 65 tray.exe
0020: 20 31 2e 35 2e 35 34 30 1.5.540
0028: 2e 30 20 69 6e 20 75 6e .0 in un
0030: 6b 6e 6f 77 6e 20 30 2e known 0.
0038: 30 2e 30 2e 30 20 61 74 0.0.0 at
0040: 20 6f 66 66 73 65 74 20 offset
0048: 30 30 62 35 31 64 31 30 00b51d10
0050: 0d 0a ..
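The Event Viewer procedure given above, and the events posted in reply to it, can be worked offline. The following is an added example and is not code from this thread or from TechSpot: a Python script that parses pasted Event Viewer text, decodes the hex "Data:" block back into the text it encodes, breaks the Event ID 1003 bugcheck line down (for STOP 0x7E the four parameters are, per Microsoft's bugcheck reference, the unhandled exception code, the address where it occurred, and the addresses of the exception and context records; 0x1000007E is the minidump form of the same code), and lists the errors logged within a window after the crash. The function names are mine; the input is the text of the events posted above, embedded as a constant.

```python
import re
from datetime import datetime

# Constructed input: the Event Viewer entries posted earlier in this thread,
# pasted as they appear there (the 1003 entry keeps its hex "Data:" block).
EVENTS_TEXT = """\
Event Type: Error
Event Source: System Error
Event ID: 1003
Date: 4/10/2010
Time: 11:31:13 AM
Description:
Error code 1000007e, parameter1 c0000005, parameter2 80509881, parameter3 f79255c4, parameter4 f79252c0.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 31 30 30 30 30 30 37 1000007
0020: 65 20 20 50 61 72 61 6d e Param
0028: 65 74 65 72 73 20 63 30 eters c0
0030: 30 30 30 30 30 35 2c 20 000005,
0038: 38 30 35 30 39 38 38 31 80509881
0040: 2c 20 66 37 39 32 35 35 , f79255
0048: 63 34 2c 20 66 37 39 32 c4, f792
0050: 35 32 63 30 52c0

Event Type: Error
Event Source: Service Control Manager
Event ID: 7009
Date: 4/10/2010
Time: 11:31:15 AM
Description:
Timeout (30000 milliseconds) waiting for the Media Center Receiver Service service to connect.

Event Type: Error
Event Source: Application Error
Event ID: 1000
Date: 4/10/2010
Time: 11:32:28 AM
Description:
Faulting application wgatray.exe, version 1.5.540.0, faulting module unknown, version 0.0.0.0, fault address 0x00b51d10.
"""

FIELD_RE = re.compile(r"^(Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
# Up to 8 byte pairs per dump line; the ASCII column that follows is ignored.
HEX_LINE_RE = re.compile(r"^[0-9a-fA-F]{4}:\s+((?:[0-9a-fA-F]{2} ){1,8})")
BUGCHECK_RE = re.compile(r"Error code ([0-9a-f]+), parameter1 ([0-9a-f]+), parameter2 ([0-9a-f]+), "
                         r"parameter3 ([0-9a-f]+), parameter4 ([0-9a-f]+)", re.I)
BUGCHECK_NAMES = {0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED", 0x77: "KERNEL_STACK_INPAGE_ERROR"}
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC000009C: "STATUS_DEVICE_DATA_ERROR",
                  0xC000016A: "STATUS_DISK_OPERATION_FAILED", 0xC0000185: "STATUS_IO_DEVICE_ERROR"}


def decode_hex_dump(lines):
    """Rebuild the string behind an Event Viewer 'Data:' hex dump."""
    raw = bytearray()
    for line in lines:
        m = HEX_LINE_RE.match(line)
        if m:
            raw += bytes.fromhex(m.group(1).replace(" ", ""))
    return raw.decode("latin-1").rstrip("\r\n")


def parse_events(text):
    """Split pasted Event Viewer text into one dict per 'Event Type:' block."""
    events, cur, section = [], None, None
    for line in text.splitlines():
        if line.startswith("Event Type:"):
            cur = {"event_type": line.split(":", 1)[1].strip(), "description": [], "data_lines": []}
            events.append(cur)
            section = None
            continue
        if cur is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            cur[m.group(1).lower().replace(" ", "_")] = m.group(2).strip()
        elif line.startswith("Description:"):
            section = "description"
        elif line.startswith("Data:"):
            section = "data"
        elif line.startswith("For more information"):
            section = None
        elif section == "description" and line.strip():
            cur["description"].append(line.strip())
        elif section == "data":
            cur["data_lines"].append(line)
    for e in events:
        e["description"] = " ".join(e["description"])
        e["data_text"] = decode_hex_dump(e.pop("data_lines"))
        e["event_id"] = int(e["event_id"])
        e["timestamp"] = datetime.strptime(e["date"] + " " + e["time"], "%m/%d/%Y %I:%M:%S %p")
    return events


def decode_bugcheck(code, p1, p2, p3, p4):
    base = code & ~0x10000000  # the "_M" (minidump) variants set bit 28: 0x1000007E -> 0x7E
    info = {"code": base, "name": BUGCHECK_NAMES.get(base, "UNKNOWN"), "params": [p1, p2, p3, p4]}
    if base == 0x7E:  # parameter meanings from the Microsoft bugcheck reference for 0x7E
        info["exception"] = NTSTATUS_NAMES.get(p1, "0x%08X" % p1)
        info["exception_address"] = p2
        info["exception_record"] = p3
        info["context_record"] = p4
        info["kernel_space"] = p2 >= 0x80000000  # 32-bit XP: addresses at/above 2 GB are kernel-mode
    return info


def bugcheck_from_event(event):
    m = BUGCHECK_RE.search(event["description"])
    if event["event_id"] != 1003 or not m:
        return None
    return decode_bugcheck(*(int(x, 16) for x in m.groups()))


def events_near(events, anchor, window_seconds):
    """Other events logged from the anchor's time up to window_seconds after it."""
    t0 = anchor["timestamp"]
    return [e for e in events if e is not anchor and 0 <= (e["timestamp"] - t0).total_seconds() <= window_seconds]


if __name__ == "__main__":
    evs = parse_events(EVENTS_TEXT)
    crash = next(e for e in evs if e["event_id"] == 1003)
    print(crash["data_text"])
    print(bugcheck_from_event(crash))
    for e in events_near(evs, crash, 120):
        print(e["timestamp"], e["event_id"], e["event_source"], e["description"][:60])
```

The decoded Data block turns out to be nothing more than the description repeated as text, so it adds no information. What does help is the breakdown: exception 0xC0000005 (an access violation) at 0x80509881, which is a kernel-mode address, so the fault is in the kernel or a driver rather than in a user program, and the later wgatray.exe crash is a separate user-mode event 75 seconds after the bugcheck. Which module owns that address is only answerable from the minidump written at the time of the crash (by default under %SystemRoot%\Minidump on XP), which is why the thread was referred to the BSOD forum.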
 
I'm going to ask the moderator to move this thread over to the BSOD forum. I don't read minidumps and the 0x7e error is usually from hardware. You need to describe "previous malware, now BSOD."

Did you install a driver right before this:
Date: 4/10/2010
Time: 11:31:13 AM
Event Source: System Error/Event ID: 1003/Desc. 0x7e

Date: 4/10/2010
Time: 11:32:28 AM
Event Source: Application Error/Event ID: 1000/Faulting application wgatray.exe is the Windows Genuine Advantage Notification.

It looks like validation might have failed and the system crashed. Are you using a legitimate version of the OS?

Referring for BSOD> It is possible that the system may have been damaged from either a malware infection or efforts to remove it- or more likely, both.
 
I've tried to run the Avira AV software, and I crash everytime. I can't seem to find a log of where it crashes, or any previous AV software for that matter.

I've also gotten the following BSOD code:

Kernel_Stack_Inpage_Error

0x00000077 (0x00000001, 0x00000000, 0x00000000, 0xf7915d24)


I'm running a legit version of the OS, Dell XPS400 direct from Manufacturer. I have been getting WGA failure notifications since this recent infection, but this is the first I've seen of it and the BSOD issue predates this by a lot.



If I am getting moved over, thanks for your help to this point Bobbye-
 
Finally was able to run virus check without BlueScreen

Did a lot of work in my personal files, moved over to external hard drive and deleted originals. The last scan I had run seemed to blue screen in one of my downloaded pic folders.

Here's what Avira found:



gewapaba.exe (Comodo prompted me to block SEVERAL installation attempts. global hook dlls, connect to svchost and spool, connect to internet, etc)
wvUIJaBs.dll.bad
uydqwymn.dll.bad
uehxynii.dll.bad
tjqnlyty.dll.bad
silent.dll[1].bak.bad
quaddcbw.dll.bad
ljJATNGW.dll.bad
liromiby.dll.bad
gqpfrtxx.dll.bad
fvbwaoco.dll.bad
fhhnumlo.dll.bad
chohgyem.dll.bad
awttsSIA.dll.bad
A0242711.exe
HudMoveDLL.dll
dnscache.dll
UPS_invoice_4845.zip
DATA.CAB

Getting ready to run ccleaner.
 
KDP, you are in the BSOD forum now. I'm still subscribed to your thread so got notice of your reply. I did some searching for the ADSPY/P2PNet and came up with this. If the BSOD people will allow me, I'll try to get you running so we can do a full malware workup. My apology- I passed right over the reply you edited with this name.

Each AV program gives malware a name. Avira gave it ADSPY/P2PNet. By another name it's W32/Downloader.AAT and more importantly W32/Autorun.worm.gen.za!0497c6fc8c31. It spreads through Removable storage devices and Peer-to-peer file sharing. That's the P2PNet part in the name.

The 'autorun' designation means that every time you log on, it runs. Worms infect computers, but do not infect files. They can be identified and deleted. However, they often make registry or startup file changes so that they are executed on boot-up> this is the autorun feature.

If you can get past the BSOD- we need to stop the autorun in order to remove it:

Windows Worms Doors Cleaner will detect the enabled services by checking registry entries, the running services and the local open ports. To disable something, it only modifies existing registry entries; it doesn't install anything nor modify any files.
Here are some key features of "Windows Worms Doors Cleaner":

  • disabling the critical Windows services used by the worms
  • closing, indirectly, the critical ports
  • displaying the local open ports
  • runnable with command line parameters
  • checking at start the names of running processes (to detect famous worms)
  • checking svchost memory usage
Please download the Windows Worms Doors Cleaner from one of the mirrors here: http://www.softpedia.com/progDownload/Windows-Worms-Doors-Cleaner-Download-107294.html and save to the desktop.
  • Double-click the setup to run.
  • Follow the onscreen prompts.
  • Save the log and paste in your next reply.

NOTE: If you have problems downloading Windows Worms Doors Cleaner, please try to stop using your download manager and avoid right clicking on files. Also, check your firewall settings, because some mirrors may require that you do not block the HTTP referers.
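The removable-media vector named above (the W32/Autorun.worm family) works through an autorun.inf file in the root of a USB stick or mapped drive, whose open=, shellexecute= and shell\<verb>\command= lines make Explorer launch a file when the drive is inserted or double-clicked. The following is an added example, not code from this thread and not part of Windows Worms Doors Cleaner: a Python parser that reads an autorun.inf the way a triage tool would (tolerating a BOM, CRLF, NUL padding and mixed case), reports every launch directive and the tricks worms commonly add to it, and decodes the NoDriveTypeAutoRun registry bitmask that decides which drive types Windows will process AutoRun for. Both sample files are constructed; the file name update.exe and the label are hypothetical. The drive-type bit values are the documented Windows ones, and 0x95 is XP's default for that value.

```python
import re

# Bits of HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun,
# one per Windows drive type; a set bit disables AutoRun for that type. 0xFF disables it for all.
DRIVE_TYPE_BITS = {
    "DRIVE_UNKNOWN": 0x01, "DRIVE_NO_ROOT_DIR": 0x02, "DRIVE_REMOVABLE": 0x04,
    "DRIVE_FIXED": 0x08, "DRIVE_REMOTE": 0x10, "DRIVE_CDROM": 0x20, "DRIVE_RAMDISK": 0x40,
}
XP_DEFAULT_NODRIVETYPEAUTORUN = 0x95  # unknown + removable + remote (+ reserved bit 0x80)

LAUNCH_KEYS = ("open", "shellexecute")
LAUNCH_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")       # shell\open\command, shell\explore\command, ...
HIDDEN_DIR_RE = re.compile(r"(^|\\)(recycler|recycled|system volume information)\\", re.I)
EXPLORER_DEFAULT_ACTION = "open folder to view files"       # Explorer's own AutoPlay wording

# Constructed samples (hypothetical file names), not files taken from any real infection.
BENIGN_INF = "[autorun]\r\n; vendor driver CD\r\nicon=setup.exe,0\r\nlabel=Printer Drivers\r\n"
WORM_LIKE_INF = (
    "\ufeff[AutoRun]\r\n"
    "open=RECYCLER\\update.exe\r\n"
    "shell\\open\\Command=RECYCLER\\update.exe\x00\r\n"
    "shellexecute=RECYCLER\\update.exe\r\n"
    "action=Open folder to view files\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    "UseAutoPlay=1\r\n"
)


def parse_autorun_inf(text):
    """Return the [autorun] section as {lowercased key: value}."""
    entries, in_autorun = {}, False
    for line in text.lstrip("\ufeff").replace("\x00", "").splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(entries):
    """Flag every directive that launches a file, plus the disguises worms add around it."""
    launch = [(k, v) for k, v in entries.items() if k in LAUNCH_KEYS or LAUNCH_CMD_RE.match(k)]
    reasons = []
    if launch:
        reasons.append("launch directive(s): " + ", ".join(k for k, _ in launch))
    if entries.get("action", "").lower() == EXPLORER_DEFAULT_ACTION:
        reasons.append("action= mimics Explorer's default AutoPlay text")
    if any(HIDDEN_DIR_RE.search(v) for _, v in launch):
        reasons.append("launch target hidden under a system folder")
    return {"launch_targets": sorted({v for _, v in launch}), "suspicious": bool(launch), "reasons": reasons}


def autorun_disabled_for(nodrivetypeautorun, drive_type):
    """True if the registry bitmask disables AutoRun for the given drive type."""
    return bool(nodrivetypeautorun & DRIVE_TYPE_BITS[drive_type])


if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("worm-like", WORM_LIKE_INF)):
        print(name, assess_autorun(parse_autorun_inf(inf)))
    for dt in DRIVE_TYPE_BITS:
        print(dt, "disabled under XP default:", autorun_disabled_for(XP_DEFAULT_NODRIVETYPEAUTORUN, dt))
```

Two points the output makes concrete. A legitimate autorun.inf usually carries only icon= and label=; anything with open=, shellexecute= or a shell\...\command line is executing code from the stick, and the action= and shell32.dll,4 (folder icon) lines exist only to make the AutoPlay prompt look like the normal "open folder" choice. The bitmask check shows why XP's default 0x95 was not enough: a USB disk that reports itself as DRIVE_FIXED is not covered, and even for covered types the shell\open\command hijack still took effect on double-click until the 2009 AutoRun update; setting the value to 0xFF (and keeping XP patched) closes the vector in the registry rather than relying on a cleaner to find every copy of the worm.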
 