
fsqwr.bmp blue screen-crash


shobuz99

Hello, I am following the instructions I received from the MalwareBytes program I ran to remove malware from my machine. I am attaching both logs, as instructed: dds.txt and attach.txt. Please let me know if there is ANY other information you need from me, to help me with this problem. I appreciate your help very much. Thank you so much. Shobuz99

.

DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL

Internet Explorer: 8.0.6001.18702

Run by Administrator at 15:29:07 on 2012-09-23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.1303 [GMT -4:00]

.

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: Outpost Firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\Explorer.EXE

.

============== Pseudo HJT Report ===============

.

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice

mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall\feedback.exe" /dump:os_startup

mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [KodakShareButtonApp] c:\program files\kodak\kodak share button app\Listener.exe

mRunOnce: [OTL] "c:\documents and settings\bridget\desktop\OTL.exe"

mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - c:\program files\common files\panasonic\photofunstudio autostart\AutoStartupService.exe

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{1F4F3D9F-A20C-4608-87CB-71BE86DB4011} : DhcpNameServer = 209.18.47.61 209.18.47.62

AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-1-13 435032]

S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-1-28 314456]

S1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2011-1-28 704384]

S2 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~1\acs.exe [2011-1-28 1195008]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-1-28 20568]

S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-28 44768]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-28 136176]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-9 250568]

S3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2011-1-28 31128]

S3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2011-1-28 257432]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-28 136176]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

.

=============== Created Last 30 ================

.

2012-09-23 19:14:08 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes

2012-09-23 19:13:25 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-09-23 19:13:23 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-23 19:13:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-09-23 16:40:52 -------- d-----w- C:\_OTL

2012-09-23 03:24:28 1893 ----a-w- c:\windows\bcmwltrytmp.reg

2012-09-23 02:37:01 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Google

2012-09-14 00:18:46 -------- d-sh--w- c:\documents and settings\administrator\IETldCache

.

==================== Find3M ====================

.

2012-09-10 07:16:13 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-09-10 07:16:12 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll

2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec

2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll

2012-07-04 14:05:18 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-07-03 13:40:15 1866112 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 15:30:33.06 ===============

attach.txt

dds.txt

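As an added example (not code from the original post, from DDS, or from Malwarebytes), here is a small Python triage parser for the autorun, AppInit_DLLs and service/driver lines in the DDS log format shown above. The sample lines are constructed from entries in this thread, and the flagging heuristics (unquoted paths with spaces, files DDS could not read, AppInit_DLLs entries) are my own assumptions about what deserves a second look, not DDS's own logic.

```python
import re
from collections import namedtuple

# Constructed sample in the layout DDS uses for autoruns, AppInit_DLLs and
# service/driver lines (values modelled on the log posted in this thread).
SAMPLE_LOG = r"""
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-1-13 435032]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
"""
AUTORUN_RE = re.compile(r'^(mRun|mRunOnce|uRun|uRunOnce):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
SERVICE_RE = re.compile(r'^(?P<start>[SR]\d)\s+(?P<name>[^;]+);[^;]*;(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$')
APPINIT_RE = re.compile(r'^AppInit_DLLs:\s*(?P<dlls>.*)$')
EXE_EXT = ('.exe', '.dll', '.sys', '.cpl')
Entry = namedtuple('Entry', 'kind name path flags')   # flags: list of triage notes

def split_command(cmd):
    """Split an autorun command line into (path, args, was_quoted)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and (end := cmd.find('"', 1)) != -1:
        return cmd[1:end], cmd[end + 1:].strip(), True
    tokens = cmd.split(' ')
    # Unquoted: join tokens up to the first one naming a binary, so a path with
    # spaces is reassembled rather than cut at the first space.
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXE_EXT):
            return ' '.join(tokens[:i + 1]), ' '.join(tokens[i + 1:]), False
    return tokens[0], ' '.join(tokens[1:]), False

def parse_dds(text):
    """Return autorun, AppInit_DLLs and service/driver entries with triage flags."""
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        if m := AUTORUN_RE.match(line):
            path, _args, quoted = split_command(m['cmd'])
            flags = [] if quoted or ' ' not in path else ['unquoted path with spaces']
            entries.append(Entry(m[1], m['name'], path, flags))
        elif m := SERVICE_RE.match(line):
            flags = []
            if '-->' in m['path'] or m['meta'].strip() == '?':
                flags.append('DDS could not read the file on disk')   # cf. the [?] entries
            entries.append(Entry('service ' + m['start'], m['name'], m['path'].strip(), flags))
        elif m := APPINIT_RE.match(line):
            for dll in m['dlls'].split():   # each listed DLL loads into every user32 process
                entries.append(Entry('AppInit_DLLs', dll.rsplit('\\', 1)[-1], dll,
                                     ['global DLL injection point']))
    return entries

def flagged_names(entries):
    """Names of entries worth a closer look, in log order."""
    return [e.name for e in entries if e.flags]
```

Run it on a real dds.txt by passing the file contents to parse_dds; a flag is a prompt to verify the file (publisher, hash, location), not a verdict.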

  • Root Admin

Please visit this webpage for instructions on running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you.

Please attach the C:\ComboFix.txt log on your next reply so that we can continue checking and cleaning the system.

If you get a message similar to this: "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer and everything should start working again.


Thank you for the reply, Ron.

I have a question before I proceed.

The infected computer's wifi will not connect for some reason.

It was working the day it became infected; however, it has since stopped.

Therefore, in order for me to download and install any program,

I have to use another machine, to download the sw, transfer to a flash drive,

and then boot the infected machine to Safe mode.

Once in Safe mode with Networking, the infected machine is fine but won't connect as I said.

I then have to install any software from the flash drive.

This is what I intend to do, today, after I get the ComboFix solution that you recommend.

Unless I'm doing something wrong, I plan on proceeding with your instructions.

Please contact me ASAP, if I need to adjust anything because of the process I must use without wifi on the infected computer.

Thank you very much for all your help. I appreciate it.

Shobuz99


Checking back to see if you've had time to run this yet. Please post a status update. Thanks.

Ok. This is not good news. I ran ComboFix in "Safe mode with Networking" after I installed it from my flash drive.

There was a point during the run, that it asked for an internet connection to download something additional.

I had to click "no" because the wifi connection is not working on the infected machine.

I continued on and let it finish scanning.

At the end of the scan Windows went into "shut down" reboot mode;

BUT a small error dialog box popped up titled "Windows System Error",

and the error displayed as "Unknown Hard Error", with an "ok". I clicked "ok" twice.

The screen then cleared and the machine rebooted.

Unfortunately, it did not correct the problem.

On reboot, the machine beeps and displays the following message on a black screen with white letters:

internal

No bootable devices--strike F1 to retry boot, F2 for setup utility

Press F5 to run onboard diagnostics.

What is your next suggestion?

Thank you for your continued help and support.

Shobuz99


  • Root Admin

When the computer is starting up, please tap the F8 key and see if you can get into the Recovery Console or Safe Mode.

If neither of those is available, then press the F2 key and go into your BIOS settings and see if the hard drive is still listed there.

Do you have a CD burner on the other computer?


When the computer is starting up, please tap the F8 key and see if you can get into the Recovery Console or Safe Mode.

If neither of those is available, then press the F2 key and go into your BIOS settings and see if the hard drive is still listed there.

Do you have a CD burner on the other computer?

Thank you.

I have tried getting back into "Safe Mode" and it fails to allow me to do that.

I have an ERD Commander 2002 CD that will boot and allow me to use Windows XP SP3 from the infected C:\ drive.

From there I have access to the Registry and any of the files, including ComboFix.exe.

I can burn a CD from the computer I am on right now. I will say that I am a computer tech and have experience with ERD as a recovery tool; however, I don't consider myself to be an expert.

Especially with what problems I'm having with the infected machine.

I will proceed with any instructions you give me and refrain from using ERD Commander unless otherwise suggested by you.

ERD Commander is now the only way I can get into the C:\ drive and see all the files.

What do you want me to do next?

Shobuz99


  • Root Admin

If there was an error during the boot process like that but you can still access the drive I'm guessing that the MBR was probably modified.

Please see if you can repair the MBR and get it to boot again.

As for wireless you should be able to connect an Ethernet cable directly to the router (most routers have 2 to 4 physical ports) to get Internet access.

Have not used ERD myself in many years, but I think it can repair the boot MBR.


If there was an error during the boot process like that but you can still access the drive I'm guessing that the MBR was probably modified.

Please see if you can repair the MBR and get it to boot again.

As for wireless you should be able to connect an Ethernet cable directly to the router (most routers have 2 to 4 physical ports) to get Internet access.

Have not used ERD myself in many years, but I think it can repair the boot MBR.

Ok. I have two versions of ERD Commander, Version 2002 and 2005. ERD 2002 will allow me to use Windows on the infected C:\ drive; but ERD 2005 will not display it or offer it. ERD 2005 does allow System Restore to be run; however, ERD 2002 does not.

So I'm in a predicament. If I use ERD 2002 to access the files on the infected drive, what folder in windows can I go to and find an exe that will run the Restore or repair the mbr? It's been a while for me, too :-)


  • Root Admin

I tried F2 and the hard drive was NOT listed in the Device Info.

Well that is an issue. You might try removing the hard drive connectors and then plug them back in and see if that helps.

If the hard drive is not showing up, then there's not much we can do at this point. If you boot from the CD, do you see the hard drive to access it?


Update: I have found yet another tool in my old CD case. It is a Linux disk that is called "Super Rescue CD".

It lists the hard drive as a WDC WD1200BEVS-7. Also, I found a 288 MB file called "loop0" device listed as a "squashfs" file system.

Is the "squashfs" file system the modification of the MBR? Just wondering..

Sorry for all the intermittent updates...


Well that is an issue. You might try removing the hard drive connectors and then plug them back in and see if that helps. If the hard drive is not showing up, then there's not much we can do at this point. If you boot from the CD, do you see the hard drive to access it?

Yes I can access the HDD from ERD Commander 2002. I explained that previously.

My question is, Do you recommend that I use a Windows XP setup CD with Repair and Restore capabilities

to fix the MBR or go back to an early Restore point??


Nope. Selecting "R" to launch the Recovery doesn't work because it can't find the HDD.

Now ERD Commander 2002 is NOT finding the C:\ drive like it was before!!

I think I'm left with one last option: Using a recovery CD that operates with Linux.

I'll let you know how that turns out...

Thanks anyway for all your help..

Shobuz99


If the CD is not seeing the drive then it's doubtful that a Linux CD would either, but let me know.

I will quit for today. I've taken up a lot of your time as well as my own.

I will try the Linux recovery CD tomorrow, afternoon EDT.

I appreciate your willingness to hang in with me. Thank you.

Shobuz99


If the CD is not seeing the drive then it's doubtful that a Linux CD would either, but let me know.

The Linux CDs DO see the HDD.

However, I can't find the program that would give me access to the MBR, so that I may fix it.

I still am able to use "Safe Mode" to the "cmd" file and then view all the files on the drive.

It actually lists them as Drive C: However, when I select Safe Mode using the Command dialog,

Windows still gets loaded. So when I try using Chkdsk /F I get a message that says it's not allowed.

I suspect that the malware will not allow me to go to a true "cmd" dialog. I wanted to try FDisk /mbr.

At any rate, I am able to copy data folders and put them on an external USB drive.

Once I'm finished with that, I intend to "format" the drive and start all over and install

a clean Windows XP SP3 to the drive. If I should do anything else as a last resort,

please let me know asap!

Thank you Ron. I hope to hear from you soon.

Shobuz99


  • Root Admin

Well there are some other methods but saving the user data and reinstalling Windows is certainly a much safer and cleaner route to go if you're able to do it.

We try to help clean up systems because often users cannot reinstall Windows but if you can then that would be a better choice.

If you'd like to try to repair it then let me know otherwise save the data to like a USB drive and then format and reinstall Windows.


Well there are some other methods but saving the user data and reinstalling Windows is certainly a much safer and cleaner route to go if you're able to do it.

We try to help clean up systems because often users cannot reinstall Windows but if you can then that would be a better choice.

If you'd like to try to repair it then let me know otherwise save the data to like a USB drive and then format and reinstall Windows.

I would like to repair it. Please suggest away. I'm willing to download anything that will allow me to fix the MBR.

I do have CDs that can reformat or repair partitions; but I don't know how to get the maximum benefit of those CDs.

Perhaps you are familiar with the "Super Rescue CD" or the "Ultimate Boot CD with Partition Tools"?

These are among the sw tools I have. I don't use them very much, ergo, I don't have experience with them

as an optimization tool at my disposal. Do you?

Let me know, I'm willing to take a calculated risk. I've already backed up some data files, anyway.

Thank you very much for your continued help.

Shobuz99 ( Rick)


****Update!!!:

On a hunch, once I was able to reach the cmd file in Safe Mode (the only part of Safe Mode that kept working for me),

I decided to connect directly to my router and attempt a re-run of the ComboFix.exe.

The first try, I still could not connect to the internet. I think this means that the malware has corrupted the driver file

for the Broadcom device that allows connection to the internet with both Wifi and direct.

The program aborted itself and shut down when I wasn't looking.

On the 2nd try, still no internet connection; but ComboFix ran through "Completed Stage 50" of its scan process.

When it finished, it actually created a ComboFix.txt logfile. THEN IT ALLOWED ME TO GO DIRECTLY TO SAFE MODE

as I originally was able to do. This means that ComboFix was able to correct and remove SOMETHING that was part of the Malware, I think.

Anyway, I am attaching the Combofix.txt file for your review.

What do you suggest I do next? BTW.. I do not intend to shut down the machine until I hear from you. At this point it is in Safe Mode and displays the desktop as it should. I don't want to lose it.

Thank you for sticking with me, here Ron!

Shobuz99 (Rick)

ComboFix.txt


This topic is now closed to further replies.