TechSpot

Virus/Malware Problem: Endless Reboot

By aquaman8
Oct 17, 2007
  1. Hello All,

    Back gain after about 5 months trouble free after ridding myself of Pestrap thanks to the generous assistance of Howard...now a new problem.

    During use my laptop (running windows 200 Professional) gave me a blue screen of death with following message:

    ***Stop 0x0000007F...............................................
    UNEXPECTED_KERNAL_MODE_TRAP

    (not sure of exact details of first line as message flashed very briefly before rebooting)

    Each time the system rebooted the sequence repeated until I forced a shutdown using the power button.

    I did manage to get Windows running but only in SAFE MODE. I ran through Howard's preliminary removal instructions IN SAFE MODE and found some Trojans, etc. which I removed.

    Here are some things I noted:

    1) Panda did not report any findings of rootkit

    2) SpyBot would not run in SAFE mode as directed in Howard's instructions



    Once I made a pass through in SAFE mode, I could get the computer to boot up and get into Windows in normal mode, but I am concerned that there still may be programs in my system that should be removed.

    To that end I have attached the 3 logs that are requested.

    Any help would be greatly appreciated.

    All the best,


    Mitch
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is a mess. You really need to learn how to take care when using the internet etc. Otherwise, this is just going to keep on happening.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.


    Delete the following folders.

    C:\avenger\backup.zip

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Microsoft Internet Explorer<This is nasty

    Close the services window.


    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as fresh HJT, Combofix and AVG Antispyware logs.

    Regards Howard :)

    This thread is for the use of aquaman8 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. aquaman8

    aquaman8 TS Rookie Topic Starter

    Hello Howard,

    Once again thanks you so much for your help.

    This is a field laptop and spends time out on the road, so difficult to control...I'm working on it!

    I executed all the operations in Windows (not SAFE mode). Hope that is ok. Also,

    1) the Microsoft Internet Explorer file was STOPPED and when I looked at it,
    2) I followed your instructions and DISABLED it prior to running Avenger.

    I did exactly as you instructed. The requested files are attached.

    Thanks again,

    Mitch
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    _svchost.exe<Not to be confused with svchost.exe, which doesn`t have the underscore.
    clcl16.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    O4 - HKLM\..\Run: [clcl16] C:\WINNT\system32\clcl16.exe

    O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\system32\_svchost.exe

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Lotek.com

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Lotek.com

    Fix the above 017 entries, if you don`t recognise the domain.

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\windows\system32\blank.htm
    C:\WINNT\system32\clcl16.exe
    C:\WINNT\system32\_svchost.exe<Not to be confused with svchost.exe, which doesn`t have the underscore.
    C:\avenger\backup.zip

    Reboot into normal mode and rehide your protected OS files.

    Post fresh HJT and Combofix logs.

    Regards Howard :)

    This thread is for the use of aquaman8 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. aquaman8

    aquaman8 TS Rookie Topic Starter

    Hello Howard,

    Thanks for the quick response!

    Followed your instructions and noted the following:

    1) In task manager, neither _svchost.exe or clc116.exe were there
    2) In HJT, Lotek.com is a valid domain for me
    3) Of the bold files, only C:avenger/backup.zip was there and I deleted it.

    Attached please find the latest HJT and Combofix file.

    Thanks again,

    Mitch

    Howard,

    Just noticed that I sent .log version of HJT log. Sorry.

    Here is .txt version.

    Mitch
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    .log or .txt doesn`t matter, either will do.

    Your HJT log is clean. You`re running multiple antivirus programmes. This is not recommended, will seriously slow your system down and can cause conflicts.

    Go and follow the instructions in this post.

    Then, do the same in this post too.

    Post a fresh HJT log when done.

    Regards Howard :)

    This thread is for the use of aquaman8 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. aquaman8

    aquaman8 TS Rookie Topic Starter

    Howard,

    Thanks so much for your much appreciated help!

    I am off on a business trip tomorrow, but when I get back I will address the multiple antivirus issues and send you a new HJT log when done.

    Have a great week end,


    Mitch
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, mate, no problem.

    Enjoy your weekend too.

    Regards Howard :)

    This thread is for the use of aquaman8 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...