Solved Manualy deleted system check on safe mode, now I get blue screen errors

[ihatebluescreen]

Yesterday, I got a lot of error notifications from System Check. I closed them all and tried to ignore them and open my antivirus (I didn't know what System Check was), but everything went "invisible."
I started watching some youtube videos on my phone with instructions of how to clean it (big mistake). "They made me" go into "Safe Mode with Networking" and download Trojan Killer. So, I ran it and it showed me where everything was located at, sinse I didn't pay for the membership, I deleted the files manualy (like they showed on the video).
I tried to get into the "normal" (I don't know how to call it) mode, but I got a blue screen error:
STOP: 0x000008E (0xC0000005, 0xF653AFF0, 0xA7D1AB9C, 0x00000000)
sfng32.sys - Adress F653AFF0 base at F6538000, DateStamp 4249000b
Soo, I went back to "Safe Mode with Networking" and ran "HiJackThis" and uploaded the log to the hijackthis.de site and fixed the dangerous files.

Now, I kind of gave up. Everytime I try to get on "Normal Mode" I get the blue screen error within 1-2 minutes from getting in.

Thank you guys very much in advance! I apologize for my grammar. My english is not that bueno!

 

[ihatebluescreen]

Did I miss any information? =/
XP
My main antivirus is Microsoft Essential

 

[ihatebluescreen]

I forgot to mention that I tried (and still am) restoring my computer to an earlier point, but when I click "next" after choosing the date I want, nothing happens.

 

[Broni]

Welcome aboard

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:

• Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
• If you're stuck, or you're not sure about certain step, always ask before doing anything else.
• Please refrain from running tools or applying updates other than those I suggest.
• Never run more than one scan at a time.
• Keep updating me regarding your computer behavior, good, or bad.
• The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
• If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
• I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

 

[ihatebluescreen]

I didn't notice that it was in spanish until I saw the log, and I tried to re-do it but it was too late. I hope this helps.

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.21.01

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Home :: DESKTOP [administrator]

20/03/2012 07:01:48 p.m.
mbam-log-2012-03-20 (19-01-48).txt

Tipos de Análisis: Análisis Rápido
Opciones de análisis activado: Memoria | Inicio | Registro | Sistema de archivos | Heurística/Extra | Heurística/Shuriken | PUP | PUM
Opciones de análisis desactivados: P2P
Objetos examinados: 194024
Tiempo transcurrido: 11 minuto(s), 44 segundo(s)

Procesos en Memoria Detectados: 0
(No se han detectado elementos maliciosos)

Módulos de Memoria Detectados: 0
(No se han detectado elementos maliciosos)

Claves del Registro Detectados: 0
(No se han detectado elementos maliciosos)

Valores del Registro Detectados: 0
(No se han detectado elementos maliciosos)

Elementos de Datos del Registro Detectados: 6
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Malo: (0) Bueno: (1) -> En cuarentena y reparado con éxito.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Malo: (0) Bueno: (1) -> En cuarentena y reparado con éxito.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Malo: (0) Bueno: (1) -> En cuarentena y reparado con éxito.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Malo: (0) Bueno: (1) -> En cuarentena y reparado con éxito.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Malo: (0) Bueno: (1) -> En cuarentena y reparado con éxito.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Malo: (0) Bueno: (1) -> En cuarentena y reparado con éxito.

Carpetas Detectadas: 0
(No se han detectado elementos maliciosos)

Archivos Detectados: 0
(No se han detectado elementos maliciosos)

fin)

-----
Gmer didn't find any Modifications to the System, so the log was blank.
DDS froze... twice; the first time I moved the window after 4 minutes had passed to read the steps behind it, and I noticed that it was frozen. I had to turn off the computer because nothing worked. The second time I waited for almost 15 minutes and the same thing happened.


I tried to get into the Normal Mode to see if Gmer and DDS worked there, but I get the same blue screen right after I log in.

 

[Broni]

Stay in safe mode with networking for now.

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

=================================================================

Download Bootkit Remover to your desktop.

• Unzip downloaded file to your Desktop.
• Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
• It will show a Black screen with some data on it.
• Right click on the screen and click Select All.
• Press CTRL+C
• Open a Notepad and press CTRL+V
• Post the output back here.

 

[ihatebluescreen]

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-20 21:18:59
-----------------------------
21:18:59.765 OS Version: Windows 5.1.2600 Service Pack 3
21:18:59.765 Number of processors: 1 586 0x401
21:18:59.765 ComputerName: DESKTOP UserName: Home
21:19:01.000 Initialize success
21:21:40.062 AVAST engine defs: 12032000
21:22:40.812 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-12
21:22:40.828 Disk 0 Vendor: WDC_WD800JD-75MSA1 10.01E01 Size: 76293MB BusType: 3
21:22:40.859 Disk 0 MBR read successfully
21:22:40.875 Disk 0 MBR scan
21:22:40.906 Disk 0 Windows XP default MBR code
21:22:40.921 Disk 0 MBR hidden
21:22:40.937 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 76285 MB offset 63
21:22:40.984 Disk 0 Partition 2 80 (A) 17 Hidd HPFS/NTFS NTFS 8 MB offset 156232125
21:22:41.015 Disk 0 Partition 2 **INFECTED** MBR:Alureon-K [Rtk]
21:22:41.031 Disk 0 scanning sectors +156249984
21:22:41.093 Disk 0 scanning C:\WINDOWS\system32\drivers
21:22:51.734 Service scanning
21:23:15.562 Modules scanning
21:23:16.968 Module: C:\WINDOWS\system32\KDCOM.DLL **SUSPICIOUS**
21:23:19.078 Module: C:\WINDOWS\System32\drivers\dxgthk.sys **SUSPICIOUS**
21:23:19.515 Module: C:\WINDOWS\system32\ntdll.dll **SUSPICIOUS**
21:23:19.562 Disk 0 trace - called modules:
21:23:19.625 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86f34fa9]<<
21:23:19.687 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f4aab8]
21:23:19.734 3 CLASSPNP.SYS[f78ddfd7] -> nt!IofCallDriver -> \Device\00000062[0x86fa5770]
21:23:19.781 5 ACPI.sys[f7834620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-12[0x86f40d98]
21:23:19.843 \Driver\atapi[0x86f8f108] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x86f34fa9
21:23:20.296 AVAST engine scan C:\WINDOWS
21:23:26.656 AVAST engine scan C:\WINDOWS\system32
21:26:19.406 AVAST engine scan C:\WINDOWS\system32\drivers
21:26:34.187 AVAST engine scan C:\Documents and Settings\Home
21:56:06.000 AVAST engine scan C:\Documents and Settings\All Users
22:01:15.546 Scan finished successfully
22:05:10.968 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Home\Desktop\MBR.dat"
22:05:10.984 The log file has been saved successfully to "C:\Documents and Settings\Home\Desktop\aswMBR.txt"

----------------------------------------------------------------------
----------------------------------------------------------------------

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...




Thanks again! You're awesome!

 

[ihatebluescreen]

I read some other posts that have a similar problem to mine... I didn't delete anything. I downloaded ListParts by Farbar. I hope I didn't mess anything up.

ListParts by Farbar Version: 12-03-2012 03
Ran by Home (administrator) on 20-03-2012 at 23:20:06
Windows XP (X86)
Running From: C:\Documents and Settings\Home\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 65%
Total physical RAM: 1013.88 MB
Available physical RAM: 351.77 MB
Total Pagefile: 2442.28 MB
Available Pagefile: 1727.82 MB
Total Virtual: 2047.88 MB
Available Virtual: 2000.14 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:74.5 GB) (Free:11.1 GB) NTFS ==>[Drive with boot components (Windows XP)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 75 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 74 GB 32 KB
Partition 2 Unknown 9 MB 74 GB
======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 74 GB Healthy Boot
======================================================================================================

Disk: 0
Partition 2
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.
======================================================================================================

****** End Of Log ******

 

[Broni]

Yeah we have an infected partition there.

WARNING!
Proceed with extreme caution!
Deleting wrong partition will result with your computer being unusable.
If you have any doubts, ask.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download GETxPUD.exe to the desktop of your clean computer

• Double click on GETxPUD.exe
• A new folder will appear on the desktop.
• Open the GETxPUD folder and click on the get&burn.bat
• The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
• Insert blank CD into your CD drive.
• Click on Start and follow the prompts to burn the image to a CD.
• Boot bad computer from the CD
• Click Menu then Terminal Emulator
• Type parted /dev/sda set 1 boot on
• Press Enter
• Type parted /dev/sda rm 2
• Press Enter
• Remove xPUD CD, reboot, run aswMBR and post the log

 

[ihatebluescreen]

I don't have access to a good computer right now. Can I do that on the bad one?

and I use a CD-R not a DVD-R, right?

 

[Broni]

Go ahead and create the CD on this computer.

and I use a CD-R not a DVD-R, right?

Yes.

 

[ihatebluescreen]

THANK YOU VERY MUCH!!
I've never booted a computer from a CD.
Do you think this instructions are correct?
http://pcsupport.about.com/od/tipstricks/ht/bootcddvd.htm
http://pcsupport.about.com/od/fixtheproblem/ss/bootorderchange_2.htm

 

[Broni]

That will do

 

[ihatebluescreen]

I'm such a noob, I'm sorry!

I did it. But I think I did it wrong. It says that the file dosn't exsist on these steps:

•Type parted /dev/sda set 1 boot on <<<<<<
•Press Enter
•Type parted /dev/sda rm 2 <<<<<<
•Press Enter
•Remove xPUD CD, reboot, run aswMBR and post the log

 

[Broni]

Type parted /dev/sda set 1 boot on

You didn't type word "type", did you?

 

[ihatebluescreen]

Nope. Just "parted /dev/sda set 1 boot on"

 

[Broni]

What is the exact message you're getting?
Are you sure you typed everything correctly paying attention to "spaces"?

 

[ihatebluescreen]

I didn't notice the space after "parted"
Thanks again!

 

[Broni]

WARNING!
Proceed with extreme caution!
Deleting wrong partition will result with your computer being unusable.

...

 

[ihatebluescreen]

I know, I'm sorry! I will be extra careful from now on.

I typed it just like you told me, and I got "you may need to update /etc/fstab

I'm about to run aswMBR

 

[ihatebluescreen]

I think I only clicked "RUN" instead of "Save" the first time I used aswMBR. The link isn't working for me anymore.

 

[Broni]

What link?

 

[ihatebluescreen]

I was getting a connection error when I tried to download aswMBR, but not anymore.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-21 12:54:48
-----------------------------
12:54:48.171 OS Version: Windows 5.1.2600 Service Pack 3
12:54:48.171 Number of processors: 1 586 0x401
12:54:48.171 ComputerName: DESKTOP UserName: Home
12:54:48.687 Initialize success
12:55:00.546 AVAST engine defs: 12032000
12:55:02.156 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-12
12:55:02.171 Disk 0 Vendor: WDC_WD800JD-75MSA1 10.01E01 Size: 76293MB BusType: 3
12:55:02.203 Disk 0 MBR read successfully
12:55:02.218 Disk 0 MBR scan
12:55:02.265 Disk 0 Windows XP default MBR code
12:55:02.281 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76285 MB offset 63
12:55:02.312 Disk 0 scanning sectors +156232125
12:55:02.421 Disk 0 scanning C:\WINDOWS\system32\drivers
12:55:12.546 Service scanning
12:55:34.078 Modules scanning
12:55:36.984 Module: C:\WINDOWS\System32\drivers\dxgthk.sys **SUSPICIOUS**
12:55:37.390 Disk 0 trace - called modules:
12:55:37.437 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
12:55:38.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f82ab8]
12:55:38.531 3 CLASSPNP.SYS[f78ddfd7] -> nt!IofCallDriver -> \Device\00000062[0x86f40f18]
12:55:38.578 5 ACPI.sys[f7834620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-12[0x86f6fd98]
12:55:39.000 AVAST engine scan C:\WINDOWS
12:55:45.171 AVAST engine scan C:\WINDOWS\system32
12:58:32.234 AVAST engine scan C:\WINDOWS\system32\drivers
12:58:47.125 AVAST engine scan C:\Documents and Settings\Home
13:26:50.796 AVAST engine scan C:\Documents and Settings\All Users
13:31:20.968 Scan finished successfully
13:31:37.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Home\Desktop\MBR.dat"
13:31:37.703 The log file has been saved successfully to "C:\Documents and Settings\Home\Desktop\aswMBR2.txt"




I tried to get into the "Normal Mode," and the screen is now white (not black like when I had system check), I'm still missing some icons, and the blue screen of death took me off again. =/

 

[Broni]

Very good.
Infected partition is gone.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
• Double click on combofix.exe & follow the prompts.

• 
  NOTE1. If Combofix asks you to install Recovery Console, please allow it.
  NOTE 2. If Combofix asks you to update the program, always do so.

• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe

• Double-click on the Rkill icon to run the tool.
• If using Vista or Windows 7 right-click on it and choose Run As Administrator.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• Do not reboot until instructed.
• If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[ihatebluescreen]

Something bad happened.

Everything was going very well. I'm on safe mode, so I used Rkill first, and immediately used combofix (renamed).
It deleted some files that needed to be deleted, icons started appearing on my screen, and it restarted.

Then, I logged in "Normal Mode" and the combofix window appeared. It said not to run any program until combo fix finished, aaaand the blue screen came on.

Here is the Rkill log:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 16/02/2012 at 0:33:34.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 16/02/2012 at 0:34:04.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 21/03/2012 at 14:12:22.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 21/03/2012 at 14:12:26.