
8 steps of malware removal required

By maddy04 · 66 replies
Mar 10, 2010
  1. Hi

    I have been getting a blue screen error 0x00000c2.

    After running the BlueScreenView program, the cause was found to be the srvk32.sys file. This was told to me in the forums. The person helping me suspected that this is not a legit file and that my computer is infected by malware.
    He told me to start a new topic here and carry out the 8 steps.

    I read in the forums that the 8 steps should not be carried out without any trained supervision.

    NOTE: because of the blue screen my machine only starts in safe mode at the moment.

    Please help me out with the removal of malware and to carry out the 8 steps.
  2. Broni

    Broni Malware Annihilator Posts: 53,860   +370

    Restart computer in Safe Mode with Networking.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

    Download HijackThis:
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
  3. maddy04

    maddy04 TS Rookie Topic Starter Posts: 62

    Hi Broni,

    Thanks for getting back to me.

    Broni, as guided, I downloaded both programs, i.e. combofix.exe and HijackThis v2.0.2.

    I ran ComboFix; it asked for my permission and I clicked Yes. Then the scan started and the machine rebooted. Then I pressed F8 and selected Safe Mode with Networking.

    When the desktop reappeared, there was no combofix.txt file created on the desktop. A folder named ComboFix gets created on the C drive, but there is no text file in this folder.
    Do I have to search for this file elsewhere?

    I again ran combofix.exe, and when the computer restarted the blue screen appeared, so I pressed F8 and logged in as Safe Mode with Networking.

    I then ran HijackThis and installed it. After that I ran the scan. A file named HijackThis.txt was created in the place where the software is installed.
    The contents of the file are posted below:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:46:55 PM, on 3/11/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18882)
    Boot mode: Safe mode with network support

    Running processes:
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: Shell=explorer.exe rundll32.exe ufmduo
    F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
    O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

    End of file - 4252 bytes

    Waiting for further instructions...
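    The F2 line in the log above (Shell=explorer.exe rundll32.exe ufmduo) is the entry a responder would check first, since Winlogon starts everything listed there at every logon. The following is an added example, not part of this thread or of HijackThis, that parses a few lines copied from the posted log and flags Winlogon Shell/UserInit values that differ from the Windows defaults, hosts-file redirects, and BHO registrations with no DLL on disk; the severity labels and the tokenizing rules are my own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the HijackThis log
# posted in this thread (the full log is not needed to show the checks).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: Shell=explorer.exe rundll32.exe ufmduo
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
"""

# Windows defaults: Shell is exactly explorer.exe, UserInit is the system userinit.exe.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT_SUFFIX = r"\windows\system32\userinit.exe"

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


def shell_extras(shell_value: str) -> List[str]:
    """Return every launch entry in a Winlogon Shell value other than explorer.exe.

    The F2 line in this thread used a space-separated form
    ("explorer.exe rundll32.exe ufmduo"); the Malwarebytes log later in the
    thread shows a comma-separated form ("wnzip32.exe,explorer.exe,windll.exe").
    Both are split here.  Paths containing spaces are not handled by this
    simple tokenizer (assumption: real Shell values rarely contain them).
    """
    tokens = [t for t in re.split(r"[,\s]+", shell_value.strip()) if t]
    return [t for t in tokens if t.lower() != EXPECTED_SHELL]


def userinit_ok(userinit_value: str) -> bool:
    """True when UserInit names only the system userinit.exe (trailing comma allowed)."""
    entries = [e.strip() for e in userinit_value.split(",") if e.strip()]
    if len(entries) != 1:
        return False
    path = entries[0].lower().replace("%systemroot%", r"c:\windows")
    return path.endswith(EXPECTED_USERINIT_SUFFIX)


def hosts_ok(ip: str, name: str) -> bool:
    """Only loopback mappings for localhost are expected in a clean hosts file."""
    return name.lower() == "localhost" and ip in ("127.0.0.1", "::1")


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Scan HijackThis log lines and return (severity, message) findings in log order."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := F2_RE.match(line):
            key, value = m.groups()
            if key == "Shell":
                extras = shell_extras(value)
                if extras:
                    findings.append(("HIGH", f"Winlogon Shell launches extra programs: {extras}"))
            elif not userinit_ok(value):
                findings.append(("HIGH", f"Winlogon UserInit is not the system userinit.exe: {value}"))
        elif m := O1_RE.match(line):
            ip, name = m.groups()
            if not hosts_ok(ip, name):
                findings.append(("MEDIUM", f"Hosts file redirects {name} to {ip}"))
        elif m := O2_RE.match(line):
            name, clsid, path = m.groups()
            if path == "(no file)":
                # Orphaned registrations are usually leftovers, but they can also be
                # the trace of a removed component, so they are worth a note.
                findings.append(("LOW", f"Orphaned BHO {clsid} ({name}): registered but no DLL on disk"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

    Run against the sample, it reports the Shell hijack as HIGH and the orphaned BHO as LOW; the UserInit and hosts lines pass.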
  4. Broni

    Broni Malware Annihilator Posts: 53,860   +370

    The combofix.txt file (if created) won't be inside that folder but in the root C:\ directory.
    If it's not there, try to run Combofix from Safe Mode with Networking.
  5. maddy04

    maddy04 TS Rookie Topic Starter Posts: 62

    Hi Broni,

    I looked for it in the C:\ root directory but the file is not there.

    I ran the ComboFix software 2 more times, but the file is not being created.

    I had also switched off my firewall, so I guess there is no chance that the software is being blocked.

    I have attached a file to this post which clearly shows that the search could not find the file combofix.txt. Instead a file named combo-fix.sys is found (you can check the image that I have uploaded).
    Is this the file you are asking for?

    Please guide me further to remove the blue screen...

  6. Broni

    Broni Malware Annihilator Posts: 53,860   +370

    Delete your Combofix file.
    Download fresh one and rename combofix.exe to broni.exe BEFORE saving it to the desktop.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run broni.exe.
  7. maddy04

    maddy04 TS Rookie Topic Starter Posts: 62


    I downloaded the file rkill.com (from the 1st link).
    When I right-clicked the file, the option 'RUN AS ADMINISTRATOR' did not appear.

    So I just double-clicked on it and ran the file. The log is pasted below:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as Madhav on 03/13/2010 at 8:38:22.

    Processes terminated by Rkill or while it was running:


    Rkill completed on 03/13/2010 at 8:38:23.

    Then I ran broni.exe; still I am getting the same results. A folder named broni is created and only a text file named Resident.txt is created in the folder C:\broni.
    NO text file gets created in the C:\ root directory.
  8. Broni

    Broni Malware Annihilator Posts: 53,860   +370

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.
  9. maddy04

    maddy04 TS Rookie Topic Starter Posts: 62

    Broni, I did what you said.

    But when I pressed Enter at Run to execute the command, a DOS box appeared, some messages came up ('scanning...'), and it asked me to press a key to continue, which I did.
    There was no message like 'hidden status detected' as said in your message.

    The contents of the file TDSSKiller.txt, I am pasting them below...

    Waiting for your further instructions...

    09:57:25:534 1868 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
    09:57:25:534 1868 ================================================================================
    09:57:25:534 1868 SystemInfo:

    09:57:25:534 1868 OS Version: 6.0.6002 ServicePack: 2.0
    09:57:25:534 1868 Product type: Workstation
    09:57:25:534 1868 ComputerName: MADHAV-PC
    09:57:25:534 1868 UserName: Madhav
    09:57:25:534 1868 Windows directory: C:\Windows
    09:57:25:534 1868 Processor architecture: Intel x86
    09:57:25:534 1868 Number of processors: 2
    09:57:25:534 1868 Page size: 0x1000
    09:57:25:534 1868 Boot type: Safe boot with network
    09:57:25:534 1868 ================================================================================
    09:57:25:534 1868 UnloadDriverW: NtUnloadDriver error 2
    09:57:25:534 1868 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    09:57:44:426 1868 wfopen_ex: Trying to open file C:\Windows\system32\config\system
    09:57:44:426 1868 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    09:57:44:426 1868 wfopen_ex: Trying to KLMD file open
    09:57:44:426 1868 wfopen_ex: File opened ok (Flags 2)
    09:57:44:441 1868 wfopen_ex: Trying to open file C:\Windows\system32\config\software
    09:57:44:441 1868 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    09:57:44:441 1868 wfopen_ex: Trying to KLMD file open
    09:57:44:441 1868 wfopen_ex: File opened ok (Flags 2)
    09:57:44:441 1868 Initialize success
    09:57:44:441 1868
    09:57:44:441 1868 Scanning Services ...
    09:57:45:658 1868 GetAdvancedServicesInfo: Raw services enum returned 435 services
    09:57:45:674 1868
    09:57:45:674 1868 Scanning Kernel memory ...
    09:57:45:674 1868 Devices to scan: 2
    09:57:45:674 1868
    09:57:45:674 1868 Driver Name: USBSTOR
    09:57:45:674 1868 IRP_MJ_CREATE : 86C7E1F8
    09:57:45:674 1868 IRP_MJ_CREATE_NAMED_PIPE : 8285EA22
    09:57:45:674 1868 IRP_MJ_CLOSE : 86C7E1F8
    09:57:45:674 1868 IRP_MJ_READ : 86C7E1F8
    09:57:45:674 1868 IRP_MJ_WRITE : 86C7E1F8
    09:57:45:674 1868 IRP_MJ_QUERY_INFORMATION : 8285EA22
    09:57:45:674 1868 IRP_MJ_SET_INFORMATION : 8285EA22
    09:57:45:674 1868 IRP_MJ_QUERY_EA : 8285EA22
    09:57:45:674 1868 IRP_MJ_SET_EA : 8285EA22
    09:57:45:674 1868 IRP_MJ_FLUSH_BUFFERS : 8285EA22
    09:57:45:674 1868 IRP_MJ_QUERY_VOLUME_INFORMATION : 8285EA22
    09:57:45:674 1868 IRP_MJ_SET_VOLUME_INFORMATION : 8285EA22
    09:57:45:674 1868 IRP_MJ_DIRECTORY_CONTROL : 8285EA22
    09:57:45:674 1868 IRP_MJ_FILE_SYSTEM_CONTROL : 8285EA22
    09:57:45:674 1868 IRP_MJ_DEVICE_CONTROL : 86C7E1F8
    09:57:45:674 1868 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86C7E1F8
    09:57:45:674 1868 IRP_MJ_SHUTDOWN : 8285EA22
    09:57:45:674 1868 IRP_MJ_LOCK_CONTROL : 8285EA22
    09:57:45:674 1868 IRP_MJ_CLEANUP : 8285EA22
    09:57:45:674 1868 IRP_MJ_CREATE_MAILSLOT : 8285EA22
    09:57:45:674 1868 IRP_MJ_QUERY_SECURITY : 8285EA22
    09:57:45:674 1868 IRP_MJ_SET_SECURITY : 8285EA22
    09:57:45:674 1868 IRP_MJ_POWER : 86C7E1F8
    09:57:45:674 1868 IRP_MJ_SYSTEM_CONTROL : 86C7E1F8
    09:57:45:674 1868 IRP_MJ_DEVICE_CHANGE : 8285EA22
    09:57:45:674 1868 IRP_MJ_QUERY_QUOTA : 8285EA22
    09:57:45:674 1868 IRP_MJ_SET_QUOTA : 8285EA22
    09:57:45:674 1868 C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    09:57:45:674 1868
    09:57:45:689 1868 Driver Name: atapi
    09:57:45:689 1868 IRP_MJ_CREATE : 85F101F8
    09:57:45:689 1868 IRP_MJ_CREATE_NAMED_PIPE : 8285EA22
    09:57:45:689 1868 IRP_MJ_CLOSE : 85F101F8
    09:57:45:689 1868 IRP_MJ_READ : 8285EA22
    09:57:45:689 1868 IRP_MJ_WRITE : 8285EA22
    09:57:45:689 1868 IRP_MJ_QUERY_INFORMATION : 8285EA22
    09:57:45:689 1868 IRP_MJ_SET_INFORMATION : 8285EA22
    09:57:45:689 1868 IRP_MJ_QUERY_EA : 8285EA22
    09:57:45:689 1868 IRP_MJ_SET_EA : 8285EA22
    09:57:45:689 1868 IRP_MJ_FLUSH_BUFFERS : 8285EA22
    09:57:45:689 1868 IRP_MJ_QUERY_VOLUME_INFORMATION : 8285EA22
    09:57:45:689 1868 IRP_MJ_SET_VOLUME_INFORMATION : 8285EA22
    09:57:45:689 1868 IRP_MJ_DIRECTORY_CONTROL : 8285EA22
    09:57:45:689 1868 IRP_MJ_FILE_SYSTEM_CONTROL : 8285EA22
    09:57:45:689 1868 IRP_MJ_DEVICE_CONTROL : 85F101F8
    09:57:45:689 1868 IRP_MJ_INTERNAL_DEVICE_CONTROL : 85F101F8
    09:57:45:689 1868 IRP_MJ_SHUTDOWN : 8285EA22
    09:57:45:689 1868 IRP_MJ_LOCK_CONTROL : 8285EA22
    09:57:45:689 1868 IRP_MJ_CLEANUP : 8285EA22
    09:57:45:689 1868 IRP_MJ_CREATE_MAILSLOT : 8285EA22
    09:57:45:689 1868 IRP_MJ_QUERY_SECURITY : 8285EA22
    09:57:45:689 1868 IRP_MJ_SET_SECURITY : 8285EA22
    09:57:45:689 1868 IRP_MJ_POWER : 85F101F8
    09:57:45:689 1868 IRP_MJ_SYSTEM_CONTROL : 85F101F8
    09:57:45:689 1868 IRP_MJ_DEVICE_CHANGE : 8285EA22
    09:57:45:689 1868 IRP_MJ_QUERY_QUOTA : 8285EA22
    09:57:45:689 1868 IRP_MJ_SET_QUOTA : 8285EA22
    09:57:45:705 1868 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
    09:57:45:705 1868
    09:57:45:705 1868 Completed
    09:57:45:705 1868
    09:57:45:705 1868 Results:
    09:57:45:705 1868 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    09:57:45:705 1868 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    09:57:45:720 1868 File objects infected / cured / cured on reboot: 0 / 0 / 0
    09:57:45:720 1868
    09:57:45:720 1868 fclose_ex: Trying to close file C:\Windows\system32\config\system
    09:57:45:720 1868 fclose_ex: Trying to close file C:\Windows\system32\config\software
    09:57:45:720 1868 KLMD(ARK) unloaded successfully
  10. Broni

    Broni Malware Annihilator Posts: 53,860   +370

    Try Rkill and broni.exe again.
  11. maddy04

    maddy04 TS Rookie Topic Starter Posts: 62


    It's the same case again.

    After running Rkill and then running broni.exe, another folder named broni11578b is created but no text file combofix.txt or bronifix.txt is created.

    I will wait for your further instructions...

    Broni, can you please tell me what it is that we are trying to do? How did the initial step of running BlueScreenView help us? What are the programs combofix.exe, HijackThis, Rkill and TDSSKiller doing?

    I am not a computer expert like you but I would definitely like to learn.

    Waiting for your further instructions on curing the problem...
  12. Broni

    Broni Malware Annihilator Posts: 53,860   +370

    Well, your computer is definitely infected and we've been trying various tools to find out what's going on.

    Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  13. maddy04

    maddy04 TS Rookie Topic Starter Posts: 62


    I downloaded the software and installed it. It asked for an update and I clicked Yes, and then carried out a quick scan.

    There were 6-8 errors and then I clicked on Remove All.

    The log generated is posted below:

    Malwarebytes' Anti-Malware 1.44
    Database version: 3862
    Windows 6.0.6002 Service Pack 2 (Safe Mode)
    Internet Explorer 8.0.6001.18882

    3/13/2010 1:02:04 PM
    mbam-log-2010-03-13 (13-02-04).txt

    Scan type: Quick Scan
    Objects scanned: 107708
    Time elapsed: 5 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 6
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 2
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rndismex (Spyware.EliteKeylogger) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\RECYCLER\S-1-5-21-1980998268-1022546200-537814393-5763\wnzip32.exe,explorer.exe,C:\RECYCLER\S-1-5-21-7549570908-3108869973-364522532-3715\windll.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe rundll32.exe ufmduo) Good: (Explorer.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\ProgramData\MPK (Refog.Keylogger) -> Quarantined and deleted successfully.
    C:\ProgramData\MPK\1 (Refog.Keylogger) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Windows\System32\igfxsvr.exe (Spyware.EliteKeylogger) -> Quarantined and deleted successfully.
    C:\Windows\System32\mprd32.dll (Spyware.EliteKeylogger) -> Quarantined and deleted successfully.
    C:\Windows\System32\mtxx86.dll (Spyware.EliteKeylogger) -> Quarantined and deleted successfully.
    C:\Windows\System32\nshEFF.tmp (Spyware.EliteKeylogger) -> Quarantined and deleted successfully.
    C:\Windows\System32\nsv12A7.tmp (Spyware.EliteKeylogger) -> Quarantined and deleted successfully.
    C:\Windows\System32\drivers\RNDISMex.sys (Spyware.EliteKeylogger) -> Quarantined and deleted successfully.
    C:\ProgramData\MPK\M0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
    C:\ProgramData\MPK\1\D0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
    C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

    I restarted the computer, but the blue screen was still coming, so as I have been doing I restarted in Safe Mode with Networking.

    Looking forward to further instructions...
  14. Broni

    Broni Malware Annihilator Posts: 53,860   +370

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:

    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles

    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    * When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  15. maddy04

    maddy04 TS Rookie Topic Starter Posts: 62

    Broni, the contents of both files exceed the length limit, so I cannot post the contents.

    I am enclosing them as attachments.

    OTL.txt attachment here...

    Attached Files: OTL.Txt (64.6 KB)
  16. maddy04

    maddy04 TS Rookie Topic Starter Posts: 62

    extras.txt is attached to this post...

    Hope you are able to see both files...

    Hope that my problem will be resolved soon :)

  17. Broni

    Broni Malware Annihilator Posts: 53,860   +370

    You're running out of space on drive C:
    Drive C: | 116.42 Gb Total Space | 14.56 Gb Free Space | 12.51% Space Free
    When we're done, you'll have to start moving some stuff out of it.

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O4 - HKLM..\RunOnce: [] File not found
      O33 - MountPoints2\{4e18fa65-7531-11de-99c0-00234e1adf2f}\Shell - "" = AutoRun
      O33 - MountPoints2\{4e18fa65-7531-11de-99c0-00234e1adf2f}\Shell\AutoRun\command - "" = F:\AutoExec.exe -- File not found
      O33 - MountPoints2\{b6e63f2d-747a-11de-8c8c-002269be7739}\Shell\AutoRun\command - "" = I:\CLEANUP.EXE -- File not found
      O33 - MountPoints2\{b6e63f30-747a-11de-8c8c-002269be7739}\Shell - "" = AutoRun
      O33 - MountPoints2\{b6e63f30-747a-11de-8c8c-002269be7739}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
      O33 - MountPoints2\{fd3eff11-747c-11de-8e38-002269be7739}\Shell\AutoRun\command - "" = G:\SEARCHINDEXER.EXE -- File not found
      [2010/03/07 12:35:26 | 000,000,001 | ---- | M] () -- C:\Windows\System32\ek_check.stp
      [2010/03/07 03:53:12 | 000,012,450 | ---- | M] () -- C:\Windows\System32\WlScache.dll
      [2010/03/07 01:53:43 | 000,598,528 | ---- | C] () -- C:\Windows\System32\drivers\srv2k.sys
      [2010/03/07 01:53:43 | 000,010,752 | ---- | C] () -- C:\Windows\System32\drivers\asyncmnt.sys
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  18. maddy04

    maddy04 TS Rookie Topic Starter Posts: 62

    Broni, as asked, here are the logs as attachments.

    The log after running the fix scan is attached here...

  19. maddy04

    maddy04 TS Rookie Topic Starter Posts: 62

    The log generated after running a quick scan is attached here...

    Broni, I am a little confused... I have 15.6 GB free space on the C drive. Don't mind me asking, but why do you think this is less? I have used the C drive when there was only 2 GB free space. I had no problems then.

    Does less free space cause the blue screen error?

  20. Broni

    Broni Malware Annihilator Posts: 53,860   +370

    When free space on your main drive drops too low, you may find your computer not bootable at all.
    Windows needs 15% of free space to operate correctly. In your case, it'd be 17.5GB.

    Try to restart computer in normal mode.
  21. maddy04

    maddy04 TS Rookie Topic Starter Posts: 62



    Thanks a ton. I am really happy... thanks a lot for all your guidance and help.

    Broni, I didn't clear my hard disk, I started with 15.6GB free. When the part comes to load Windows, it is very slow.
    So do I need to clear the hard disk now?

    Broni, what settings should I change to make my settings original again? If you remember, we had switched off all the settings in startup mode, so what programs should I put on again?
  22. maddy04

    maddy04 TS Rookie Topic Starter Posts: 62


    I am really thankful to you for the concern you have shown to me.

    Do I need to keep all the programs we used installed, or would keeping the setups serve the purpose?

    Broni, can you teach me what you did exactly at every step, so that in situations like this in future I can use the software on my own?
    Can you teach me what exactly you inferred from each log?

    Can I use the programs on my own?

    Can we have a chat in person at any time?
  23. Broni

    Broni Malware Annihilator Posts: 53,860   +370

    Very good :)
    Hold your horses, we're not done yet :)
    Cleaning your hard drive can wait for now. When we're done with malware cleaning, we'll go there.
    Go back to "msconfig" and re-enable everything you disabled before.
    Restart computer.

    I wish I had more time for chatting etc., but it's not possible. There are a lot of computers here and on other forums which need help.

    When you're done with the above, try to run broni.exe again.
  24. maddy04

    maddy04 TS Rookie Topic Starter Posts: 62


    When I opened msconfig, the services which we had disabled were already enabled. The startup programs were disabled and I enabled some of them which I use.

    I restarted my computer and then ran broni.exe.
    The same procedure was carried out, and after restart a DOS box was still there. It was creating some restore point and then scanning was done for infected files.

    48 stages are completed; I will post you the log as soon as the scan gets completed.

    Broni, I had installed a piece of software which asked me to restart my PC, and when I did so, the blue screen appeared and has since then. I had tried to uninstall it in safe mode but the process was not being carried out fully, so I deleted the folder manually.
    The name of that software's files was not among the ones infected.

    Can this software installation have anything to do with the blue screen error?
  25. Broni

    Broni Malware Annihilator Posts: 53,860   +370

    You shouldn't be running any other tasks while Combofix is running!