Lokalaskurar
Hello there! The title is more or less self-explanatory. We (me and my brother) need help with a very virus-infected PC. Before helping me and my brother, Please Read my original post in the BSOD-support forum:
Please read it fully!
https://www.techspot.com/vb/topic162863.html
Please, Do not continue beyond this point unless you've read my original post.
It is mandatory, as it explains the origins of the problem.
I have read and performed all of the requested steps in the preliminary virus-removal thread. Yet, the BSOD problem is still unsolved.
The computer in question is the same Toshiba Satellite C650D as mentioned in my original BSOD-post. It is currently running Kaspersky antivirus protection.
Note: the text written in "ALL-CAPS" is not shouting, I'm not trying to be rude
--------------------------------------------------------------------
I have compiled a full log during the 8-step malware-removal process:
STEPS PERFORMED BEFORE I BEGAN READING ON THE MALWARE REMOVAL FORUM:
NOTE: "Line A" and "Line B" might have occurred in reversed order.
I.e. "Line B" occurred before "Line A."
"Line A:" Ran avast! 5, full scan, ran for 5 hours, result: 8 files infected. Removed all errors, resulted in BSOD, computer rendered unbootable, restored system to previous state.
"Line B:" Ran Panda, full scan, ran for 1 hour, result: 23 files infected, all "cured". BSODs still occurring.
------------------------------
BEGAN READING ON THE 8-STEP MALWARE REMOVAL THREAD:
Step 1:
Ran Kaspersky, latest version (free).
Ran 4 hours, result: 0 files infected.
Continued with the 8-step guide.
Step 2:
Ran TFC: completed in 2 minutes.
~7230 MB was "cleaned."
Prompted to restart, pressed ok = wild BSOD appeared.
Physical memory was successfully dumped to disk.
Re-ran TFC:
~3 MB was "cleaned."
Prompted to restart, pressed ok = yet another BSOD appeared.
Physical memory was successfully dumped to disk.
Rebooted successfully.
Continued with guide anyway.
Step 3:
Installed Malwarebyte's Anti-Malware
Updated program after installation from database #5363 to #6322.
Ran quick scan: ~30.000 objects scanned, 33 objects infected.
All ticked, requested MB. to remove all.
"Some posts could not be removed" - prompted to restart.
Saved log-file to desktop.
Restarted computer.
Step 4:
Downloaded GMER. Disconnected from the Internet, closed all running programs.
Disabled Kaspersky's active protection.
Ran GMER, several files were scanned, nothing appeared in the white box, NONE of the boxes were tick-/de-tickable.
Saved log to desktop, resulted in an empty file, 0 bytes.
RE-ran GMER, several files were scanned, nothing appeared in the white box, NONE of the boxes were tick-/de-tickable.
Saved log to desktop, resulted in an empty file, 0 bytes.
Rebooted into Safe Mode (plain Safe Mode, no network, no CMD).
Disabled Kaspersky again.
RE-ran GMER, several files were scanned, nothing appeared in the white box, NONE of the boxes were tick-/de-tickable.
Saved log to desktop, resulted in an empty file, 0 bytes.
Continued anyway.
(Computer rebooted very slowly, took 5 minutes before log-in screen to appear, normally this takes about 1 minute)
Step 5:
Disabled Kaspersky again, disconnected from the Internet.
Downloaded DDS (using other PC), ran DDS. Resulted in BSOD after 5 seconds, physical memory dumped to disk successfully.
Rebooted computer.
Prompted to log-in, typed password, pressed Enter - resulted in immediate BSOD. (like those mentioned in my original post)
Rebooted computer.
Logged in successfully this time.
RE-ran DDS. Resulted in BSOD after 5 seconds, physical memory dumped to disk successfully.
RE-ran DDS yet again. Ran for 35 seconds, several " ::: " did appear in DDS, resulted in BSOD yet again.
Tried logging in, computer froze.
Rebooted, tried logging in, computer froze again.
Rebooted successfully.
Continued anyway.
/* 8-step Preliminary Removal Completed */
Idle BSOD randomly appeared. Rebooted.
FINAL:
Malwarebyte's log follows:
NOTE: I have translated the log-entries (Marked red) into English from Swedish (my brother's native tongue).
(
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6322
Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421
2011-04-10 12:55:06
mbam-log-2011-04-10 (12-55-06).txt
Scan-type: Quick scan
Number of scanned objects: 164702
Elapsed time: 3 minute(s), 24 second(s)
Infected memory-processes: 1
Infected memory-modules: 0
Infected registry keys: 12
Infected registry values: 1
Infected registry data-posts: 1
Infected folders: 3
Infected files: 15
Infected memory-processes:
c:\Windows\Temp\Rrs.exe (Trojan.FraudPack.Gen) -> 2680 -> Unloaded process successfully.
Infected memory-modules:
(No "evil" posts were discovered)
Infected registry keys:
HKEY_CLASSES_ROOT\CLSID\{10F31E8B-528B-41C8-B7E2-3534E4D5CBA0} (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chkavwsqhst.chkavwsqhst.1.0 (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chkavwsqhst.chkavwsqhst (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{C348BB9A-995C-404A-8185-76325B4BED9F} (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adfavwsqpr.adfavwsqpr.1.0 (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adfavwsqpr.adfavwsqpr (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C348BB9A-995C-404A-8185-76325B4BED9F} (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$XNTUninstall643$ (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{F96A7C1E-38CA-4F0A-9D2D-A42C226BCDC8} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\brumavwsqgrm.brumavwsqgrm.1.0 (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\brumavwsqgrm.brumavwsqgrm (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F96A7C1E-38CA-4F0A-9D2D-A42C226BCDC8} (Adware.AdRotator) -> Quarantined and deleted successfully.
Infected registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bipro (Trojan.Agent.Gen) -> Value: bipro -> Quarantined and deleted successfully.
Infected registry data-posts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Spyware.Passwords.XGen) -> Bad: (mgxgfnkg.dll) Good: () -> Quarantined and deleted successfully.
Infected folders:
c:\program files (x86)\relevantknowledge (Spyware.MarketScore) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\relevantknowledge (Spyware.MarketScore) -> Quarantined and deleted successfully.
c:\Windows\$xntuninstall643$ (Adware.AdRotator) -> Delete on reboot.
Infected files:
c:\Windows\Temp\Rrs.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
c:\Windows\System32\mgxgfnkg.dll (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\mgxgfnkg.dll (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\CENSORED\AppData\Roaming\adddefaultvaluefordevicepathkey.reg (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
c:\program files (x86)\Cmprssh0.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.
c:\Windows\$xntuninstall643$\mbdwt.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\relevantknowledge\about relevantknowledge.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\relevantknowledge\privacy policy and user license agreement.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\relevantknowledge\Support.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\relevantknowledge\uninstall instructions.lnk (Spyware.MarketScore) -> Quarantined and deleted successfully.
c:\Windows\$xntuninstall643$\apuninstall.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
c:\Windows\$xntuninstall643$\xgoir.dll (Adware.AdRotator) -> Quarantined and deleted successfully.
c:\Windows\$xntuninstall643$\zrpt.xml (Adware.AdRotator) -> Quarantined and deleted successfully.
)
GMER log is NOT pasted due to error mentioned above.
DDS log is NOT pasted due to error mentioned above.
So, where will we go from here?
The BSODs seem to keep occurring like nothing happened.
We do have patience with this machine, but we do not own the Win 7 disc. There is no super-crucial data stored on this PC.
We welcome all helpful advice!
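A defender-side triage of detection lines like the ones in the Malwarebytes log above, added here as an example and not part of the original post: it parses the "<item> (<family>) -> <status>" lines, groups the persistence points (Run key, Browser Helper Object, SecurityProviders, scheduled task), lists what MBAM could only schedule for deletion on reboot, and flags BHO CLSIDs whose HKCR\CLSID key does not also appear as removed. The sample log is a constructed subset of the post's entries (one CLSID key deliberately left out); the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the post's MBAM log, with the HKCR\CLSID key of the second BHO left out.
SAMPLE_LOG = r"""
HKEY_CLASSES_ROOT\CLSID\{C348BB9A-995C-404A-8185-76325B4BED9F} (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C348BB9A-995C-404A-8185-76325B4BED9F} (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F96A7C1E-38CA-4F0A-9D2D-A42C226BCDC8} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bipro (Trojan.Agent.Gen) -> Value: bipro -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Spyware.Passwords.XGen) -> Bad: (mgxgfnkg.dll) Good: () -> Quarantined and deleted successfully.
c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\$xntuninstall643$ (Adware.AdRotator) -> Delete on reboot.
"""
# One detection line: "<key or path> (<family>) -> [extra -> ] <final status>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9.]+)\) -> (?P<rest>.+)$")
GUID_RE = re.compile(r"\{[0-9A-F-]{36}\}")

PERSISTENCE = (  # locations that give the malware a foothold across reboots
    ("\\currentversion\\run\\", "Run key"),
    ("\\browser helper objects\\", "Browser Helper Object"),
    ("\\securityproviders\\securityproviders", "SecurityProviders (loaded by LSA)"),
    ("\\windows\\tasks\\", "Scheduled task"),
)

def classify(item):
    low = item.lower()
    return next((label for marker, label in PERSISTENCE if marker in low), None)

def parse_log(text):
    """One dict per detection line; headers, counts and blank lines are skipped."""
    entries = []
    for m in filter(None, (ENTRY_RE.match(ln.strip()) for ln in text.splitlines())):
        status = m.group("rest").split(" -> ")[-1].rstrip(".")
        entries.append({"item": m.group("item"), "family": m.group("family"),
                        "status": status, "persistence": classify(m.group("item"))})
    return entries

def persistence_summary(entries):
    """Group persistence entries by mechanism, keeping only the leaf key/file name."""
    out = defaultdict(list)
    for e in entries:
        if e["persistence"]:
            out[e["persistence"]].append(e["item"].rsplit("\\", 1)[-1])
    return dict(out)

def pending_after_reboot(entries):
    """Items MBAM could only schedule for deletion; re-check these once the box is back up."""
    return [e["item"] for e in entries if e["status"].lower() == "delete on reboot"]

def bho_without_clsid(entries):
    """BHO GUIDs with no matching HKCR\\CLSID removal in the log: the COM class may still be registered."""
    clsids = {g for e in entries if "\\clsid\\" in e["item"].lower()
              for g in GUID_RE.findall(e["item"].upper())}
    bhos = {g for e in entries if e["persistence"] == "Browser Helper Object"
            for g in GUID_RE.findall(e["item"].upper())}
    return sorted(bhos - clsids)
```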