TechSpot

Virus causing BSODs even after full partition restore

By gnznroses
Feb 6, 2011
  1. I was hit by a virus a few days ago and I believe it has infected my drivers. I'm getting constant BSODs (Windows 7 x64) and I thought I had the virus all removed so I started a thread in another subforum, here http://www.techspot.com/vb/topic160778.html
    It seems like it's not eliminated though so I was told to post here.

    At this point I have cleaned up the virus with multiple programs and then did a full restore of my Windows partition (from a backup from a few months ago). The problem still persists though. The only way I can do anything now is from BartPE, a "live"/bootable version of XP.


    Last night I ran GMER and it gave some hits:

    type: .text
    name: ntkrnlmp.exe!KelinitializeInterrupt + B67
    value: 8040623C 1 Byte [06]

    type: Device
    name: \Driver\ACPI_HAL\Device\.00000003
    value: halaacpi.dll

    then it listed about 100+ jpegs that I'm pretty sure are false positives. (I can check but they're all 24x24 and if there were anything injected into them the filesize difference would be apparent.)

    I'm not sure what to do about these two hits. I don't even know if this driver for instance is even on my hard drive or if it's a false positive found on the BartPE CD or running in memory. It doesn't list a location and BartPE would have its own drivers just running in memory (if I'm not mistaken). I assume GMER writes a log but that since I ran it from a CDR it was unable to.

    In the other thread I also posted details on the BSODs and other things.

    Any help is greatly appreciated.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I have asked that your other thread be closed. The pieces of entries you have given aren't of any help here. Taking an entry out of a log that you think is 'bad' is not the way we proceed.

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.


    NOTE: If necessary, download the scanning programs to a flash drive, then install them on the problem computer. Chances are good for both or either of these conditions:
    1. You didn't get rid of the malware originally
    2. You may have reinfected the system.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. gnznroses

    gnznroses TS Rookie Topic Starter

    Hey,
    Everything was run through before the partition was restored (except GMER), so all previous logs are gone. For GMER, the 8-step instructions say:

    "When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    Click the Copy button and paste the results into your next reply. "

    There is no "Save" button. If I select Copy and paste that into Notepad it's the exact thing I already posted. Just those two entries with no additional details. After re-running GMER though I can say that what it's finding seems to be found on the BartPE cd itself, and so are false positives.

    You can't install software from within BartPE - so I cannot re-run MalwareBytes for example.
     
  4. gnznroses

    gnznroses TS Rookie Topic Starter

    I was able to recover a log from before I wiped/restored my partition from a backup.


    Autoscan: malfunction (events: 3, objects: 0, time: Unknown)
    2/3/2011 7:43:44 PM Detected: C:\$Recycle.Bin\S-1-5-21-2554755257-2766985400-2170209292-1001\$R5JANOD.tmp\setup.exe/UPX
    2/3/2011 7:43:44 PM Detected: C:\$Recycle.Bin\S-1-5-21-2554755257-2766985400-2170209292-1001\$RXTJV52.tmp\setup.exe/UPX
    2/3/2011 7:42:43 PM Task started
    Autoscan: completed 2 hours ago (events: 4, objects: 891, time: 00:01:47)
    2/3/2011 8:05:29 PM Task completed
    2/3/2011 8:04:24 PM Deleted: Backdoor.Win32.Agent.bfof C:\windows\syswow64\fastuv32.dll
    2/3/2011 8:04:03 PM Detected: Backdoor.Win32.Agent.bfof C:\windows\syswow64\fastuv32.dll
    2/3/2011 8:03:42 PM Task started
    Autoscan: completed 23 minutes ago (events: 55, objects: 1624530, time: 01:53:16)
    2/3/2011 8:05:48 PM Task started
    2/3/2011 8:06:37 PM Detected: HEUR:Trojan.Win32.Generic C:\$Recycle.Bin\S-1-5-21-2554755257-2766985400-2170209292-1001\$R5JANOD.tmp\setup.exe/UPX
    2/3/2011 8:06:39 PM Detected: HEUR:Trojan.Win32.Generic C:\$Recycle.Bin\S-1-5-21-2554755257-2766985400-2170209292-1001\$RXTJV52.tmp\setup.exe/UPX
    2/3/2011 8:12:12 PM Detected: Trojan-Downloader.Java.OpenConnection.cf C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\51063600-2cd92310/bpac/a.class
    2/3/2011 8:12:12 PM Detected: Exploit.Java.Agent.f C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\1697a940-3f891d62/myf/y/AppletX.class
    2/3/2011 8:12:16 PM Detected: Trojan-Downloader.Java.Agent.ej C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\2c1c775e-5f85847d/sunny/MyBuilds.class
    2/3/2011 8:30:49 PM Deleted: Trojan-Downloader.Java.OpenConnection.cf C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\51063600-2cd92310/bpac/a.class
    2/3/2011 8:30:49 PM Deleted: Exploit.Java.Agent.f C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\1697a940-3f891d62/myf/y/AppletX.class
    2/3/2011 8:30:49 PM Detected: Trojan-Downloader.Java.OpenConnection.cg C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\51063600-2cd92310/bpac/KAVS.class
    2/3/2011 8:30:49 PM Detected: Trojan-Downloader.Java.OpenStream.ad C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\1697a940-3f891d62/myf/y/PayloadX.class
    2/3/2011 8:30:49 PM Deleted: Trojan-Downloader.Java.Agent.ej C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\2c1c775e-5f85847d/sunny/MyBuilds.class
    2/3/2011 8:30:49 PM Detected: Trojan-Downloader.Java.Agent.ek C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\2c1c775e-5f85847d/sunny/MyFiles.class
    2/3/2011 8:30:51 PM Deleted: Trojan-Downloader.Java.OpenConnection.cg C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\51063600-2cd92310/bpac/KAVS.class
    2/3/2011 8:30:51 PM Detected: Exploit.Java.Agent.f C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\da2101f-1266c55d/vmain.class
    2/3/2011 8:30:53 PM Deleted: Trojan-Downloader.Java.OpenStream.ad C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\1697a940-3f891d62/myf/y/PayloadX.class
    2/3/2011 8:30:53 PM Detected: Trojan-Downloader.Java.Agent.ft C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\653f5167-5bf72705/dev/s/AdgredY.class
    2/3/2011 8:30:54 PM Deleted: Trojan-Downloader.Java.Agent.ek C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\2c1c775e-5f85847d/sunny/MyFiles.class
    2/3/2011 8:30:54 PM Detected: Exploit.Java.Agent.f C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\3efada6c-50eb1b86/myf/y/AppletX.class
    2/3/2011 8:30:57 PM Deleted: Exploit.Java.Agent.f C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\da2101f-1266c55d/vmain.class
    2/3/2011 8:30:57 PM Deleted: Trojan-Downloader.Java.Agent.ft C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\653f5167-5bf72705/dev/s/AdgredY.class
    2/3/2011 8:30:57 PM Detected: Trojan-Downloader.Java.Agent.fu C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\653f5167-5bf72705/dev/s/DyesyasZ.class
    2/3/2011 8:30:57 PM Deleted: Exploit.Java.Agent.f C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\3efada6c-50eb1b86/myf/y/AppletX.class
    2/3/2011 8:30:57 PM Detected: Trojan-Downloader.Java.OpenStream.ad C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\3efada6c-50eb1b86/myf/y/PayloadX.class
    2/3/2011 8:30:57 PM Detected: Exploit.Java.Agent.f C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\364f71ee-5ffb6b81/myf/y/AppletX.class
    2/3/2011 8:31:01 PM Deleted: Trojan-Downloader.Java.Agent.fu C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\653f5167-5bf72705/dev/s/DyesyasZ.class
    2/3/2011 8:31:02 PM Detected: Trojan-Downloader.Java.Agent.fv C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\653f5167-5bf72705/dev/s/LoaderX.class
    2/3/2011 8:31:05 PM Deleted: Trojan-Downloader.Java.OpenStream.ad C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\3efada6c-50eb1b86/myf/y/PayloadX.class
    2/3/2011 8:31:06 PM Detected: Exploit.Java.Agent.s C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\5749e272-7bbaef1f/C.class
    2/3/2011 8:31:06 PM Deleted: Trojan-Downloader.Java.Agent.fv C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\653f5167-5bf72705/dev/s/LoaderX.class
    2/3/2011 8:31:06 PM Deleted: Exploit.Java.Agent.f C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\364f71ee-5ffb6b81/myf/y/AppletX.class
    2/3/2011 8:31:07 PM Detected: Trojan-Downloader.Java.OpenStream.ad C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\364f71ee-5ffb6b81/myf/y/PayloadX.class
    2/3/2011 8:31:07 PM Detected: Exploit.Java.Agent.f C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\9b47178-2ac17199/vmain.class
    2/3/2011 8:31:08 PM Deleted: Trojan-Downloader.Java.OpenStream.ad C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\46\364f71ee-5ffb6b81/myf/y/PayloadX.class
    2/3/2011 8:31:09 PM Deleted: Exploit.Java.Agent.s C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\5749e272-7bbaef1f/C.class
    2/3/2011 8:31:09 PM Detected: Exploit.Java.Agent.s C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\5749e272-7bbaef1f/F.class
    2/3/2011 8:31:09 PM Deleted: Exploit.Java.Agent.f C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\9b47178-2ac17199/vmain.class
    2/3/2011 8:31:09 PM Detected: Exploit.Java.Agent.h C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\4d8a9606-58402b33/C.class
    2/3/2011 8:31:10 PM Detected: Trojan-Downloader.Java.Agent.eo C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\a5d0088-2cbe48c6/lorry/Cloners.class
    2/3/2011 8:31:10 PM Deleted: Exploit.Java.Agent.s C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\5749e272-7bbaef1f/F.class
    2/3/2011 8:31:10 PM Detected: Exploit.Java.Agent.s C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\5749e272-7bbaef1f/Google.class
    2/3/2011 8:31:14 PM Deleted: Exploit.Java.Agent.s C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\5749e272-7bbaef1f/Google.class
    2/3/2011 8:31:14 PM Deleted: Exploit.Java.Agent.h C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\4d8a9606-58402b33/C.class
    2/3/2011 8:31:14 PM Detected: Exploit.Java.Agent.i C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\4d8a9606-58402b33/Google.class
    2/3/2011 8:31:14 PM Deleted: Trojan-Downloader.Java.Agent.eo C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\a5d0088-2cbe48c6/lorry/Cloners.class
    2/3/2011 8:31:14 PM Detected: Exploit.Java.Agent.t C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\a5d0088-2cbe48c6/lorry/Debuggr.class
    2/3/2011 8:31:15 PM Deleted: Exploit.Java.Agent.i C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\4d8a9606-58402b33/Google.class
    2/3/2011 8:31:16 PM Deleted: Exploit.Java.Agent.t C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\a5d0088-2cbe48c6/lorry/Debuggr.class
    2/3/2011 8:31:16 PM Detected: Trojan-Downloader.Java.Agent.ep C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\a5d0088-2cbe48c6/lorry/Patchers.class
    2/3/2011 8:31:17 PM Deleted: Trojan-Downloader.Java.Agent.ep C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\a5d0088-2cbe48c6/lorry/Patchers.class
    2/3/2011 9:40:06 PM Detected: HEUR:Trojan.Win32.Generic C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YMOG3BAJ\sjnlgn[1].htm
    2/3/2011 9:59:04 PM Task completed


    Since I can only boot into BartPE now, I'm unable to re-run Kaspersky or MalwareBytes, or anything else that needs to be installed.

    I think though that I have a driver problem and not a virus. All files on the system were restored from backup. I don't see a virus surviving that... It could have infected my other partitions sure, but only the Windows 7 partition that was wiped is bootable. The virus would need to latch onto the boot process to have any effect.
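A small triage script, added here as an example and not part of the original post, that parses the Kaspersky log format shown above and answers the question a helper would ask first: which detections have no matching "Deleted" entry, and which verdict families dominate. The sample lines are a handful quoted from the log in this post; the helper names are my own.

```python
import re
from collections import Counter

# A few lines quoted from the Kaspersky log posted above (not the whole log).
SAMPLE_LOG = r"""
2/3/2011 7:43:44 PM Detected: C:\$Recycle.Bin\S-1-5-21-2554755257-2766985400-2170209292-1001\$R5JANOD.tmp\setup.exe/UPX
2/3/2011 7:42:43 PM Task started
2/3/2011 8:04:03 PM Detected: Backdoor.Win32.Agent.bfof C:\windows\syswow64\fastuv32.dll
2/3/2011 8:04:24 PM Deleted: Backdoor.Win32.Agent.bfof C:\windows\syswow64\fastuv32.dll
2/3/2011 8:12:12 PM Detected: Exploit.Java.Agent.f C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\1697a940-3f891d62/myf/y/AppletX.class
2/3/2011 8:30:49 PM Deleted: Exploit.Java.Agent.f C:\Documents and Settings\Jeremy\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\1697a940-3f891d62/myf/y/AppletX.class
2/3/2011 9:40:06 PM Detected: HEUR:Trojan.Win32.Generic C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YMOG3BAJ\sjnlgn[1].htm
2/3/2011 9:59:04 PM Task completed
"""

# "<date> <time> <AM|PM> <Detected|Deleted>: <rest>"; Task/Autoscan lines do not match.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>Detected|Deleted): (?P<rest>.+)$")
# Some entries carry no verdict name, only a path (packed files flagged as "/UPX").
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_log(text: str) -> list:
    """Turn the log text into event dicts with timestamp, action, verdict name and path."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        if PATH_RE.match(rest):
            name, path = "(unnamed heuristic/packed)", rest
        else:
            name, _, path = rest.partition(" ")
        events.append({"ts": m.group("ts"), "action": m.group("action"),
                       "name": name, "path": path})
    return events


def unresolved(events: list) -> list:
    """Paths that were Detected but never Deleted: still on disk when the log ended."""
    deleted = {e["path"].lower() for e in events if e["action"] == "Deleted"}
    still_there = []
    for e in events:
        if e["action"] == "Detected" and e["path"].lower() not in deleted \
                and e["path"] not in still_there:
            still_there.append(e["path"])
    return still_there


def family_counts(events: list) -> dict:
    """Count Detected events by verdict family (first two dotted components)."""
    counts = Counter()
    for e in events:
        if e["action"] == "Detected":
            counts[".".join(e["name"].split(".")[:2])] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("families:", family_counts(evs))
    for p in unresolved(evs):
        print("detected but not deleted:", p)
```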
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm not going to be able to help you under the circumstances here. You can't run scans, I can't see what's on the system now. There was a great deal of malware previously. You will need to get remote help or take the system to a shop.
     
  6. gnznroses

    gnznroses TS Rookie Topic Starter

    I understand.
    I'm in the process now of backing up everything to a new HDD and then I'm going to do a full format and fresh install of Windows. If there's still a problem then it's not virus related (unless it were in the BIOS).
    Will update shortly and ask this to be closed and/or the other thread re-opened if needed.

    thanks
     
  7. gnznroses

    gnznroses TS Rookie Topic Starter

    Problem is solved now. Had to install Windows fresh on a new HDD. Once I did I installed Kaspersky AV. After reconnecting the old HDDs, Kaspersky found a virus in the MBR and cleaned it.
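The outcome above is why restoring a partition did not help: the MBR is sector 0 of the disk, outside every partition, so an image restore never touches it. The following is an added example (not from the original thread or any product) of the check a responder would run on a dd image of the old drive: hash the boot-code region against a baseline taken while the disk was known good, and confirm the partition table and boot signature are intact. All names and the sample sectors are constructed for the demo.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the boot code that a bootkit overwrites
PART_TABLE_OFF = 446     # four 16-byte partition entries occupy 446..509
MBR_SIGNATURE = b"\x55\xaa"
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot-code hash, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 is an empty slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:512] == MBR_SIGNATURE}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Findings a responder wants before trusting a disk's boot path; [] means nothing found."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline (a partition restore never rewrites sector 0)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a raw disk image or block device (hypothetical path supplied by caller)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def make_mbr(boot_code: bytes, partitions) -> bytes:
    """Build a constructed MBR for the demonstration; this is not a real disk."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0, ptype, lba, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed demo: a clean MBR with one bootable NTFS (0x07) partition, then the same
# disk after its boot code changed while the partition table stayed intact.
CLEAN_MBR = make_mbr(b"\xfa\x33\xc0\x8e\xd0", [(True, 0x07, 2048, 204800)])
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # record this while the disk is known good
_t = bytearray(CLEAN_MBR)
_t[0] ^= 0xFF                                        # one altered byte in 0..439 is enough
TAMPERED_MBR = bytes(_t)

if __name__ == "__main__":
    for label, sec in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, parse_mbr(sec)["partitions"], check_mbr(sec, BASELINE) or "OK")
```

Note that the partition table parses identically for both sectors; only the boot-code hash reveals the change, which is exactly what a partition-level scan misses.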
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you for the update. Stay safe.
    Tips for added security and safer browsing:
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software (only one): Both of the following programs are free and known to be good:
        [o]Avira Free
        [o]Avast Home
      • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
        [o]Comodo
        [o]Zone Alarm
      • Antispyware: I recommend all of the following:
        [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
      IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up-to-date before adding sites to your restricted zone.
      Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites, ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's Immunization the problem goes away...
      [o]Replace the Host Files
      MVPS Hosts files: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
      [o]Google Toolbar: Get the free Google toolbar to help stop pop up windows.
    3. Stay current on updates:
      [o] Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
      [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      [o]Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
      Disable and Enable System Restore:
      [o]See System Restore Guide: This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
     
Topic Status:
Not open for further replies.
