BSOD when Malwarebytes Anti-Rootkit BETA 1.01.0.1021



I've had BSODs before and have tried many things to see if it's a virus or something. MB Anti-Rootkit is the only thing I've found that causes the BSOD every time I use it. I was able to open a dmp file before, but only through DOS and opening Notepad from there... forgot how now. It said something about wbem in the system32 folder so I looked in there and found some quake files in the repository folder and thought that was weird, so I used FileAssassin to delete them. They come back every time though. Also, I use sfc /scannow and it finds corrupt files and tells me it will fix them on the next reboot but it doesn't fix them. Tried chkdsk before but it's been a while. My antivirus is MSE and it has issues with updating unless I use a clean boot. Tried to use the other software in clean boot but it didn't work and still BSOD. I've redone the OS several times and after a bit it seems to BSOD again. I remember some issues with updates like SP2 and it never seems to install correctly and I have to do many things to get it in there. Same for XP and Win7 on other computers, so if there is an issue it may be through my ISP or something. Had many modems too. Not sure what the deal is. Here are the log files. Thx

I noticed that the clock on my computer changes when it wants to also. Maybe there is another computer syncing with it? I checked my proxy settings and it says there is no proxy in windows or firefox. How long for a reply?

dds.txt

attach.txt



Hi and Welcome!! :)

My name is Robybel.

I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Vista and Windows 7 users:

These tools MUST be run from the executable (.exe) every time you run them, with Admin Rights (Right click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

Having said that....Let's get going!! ;)

Please reply to this post


Hi Kre8or

Download Farbar Recovery Scan Tool 32-Bit or Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.


Hi Kre8or ;)

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Hi,

I ran it today and found nothing but I think a few days ago it did. The date isn't right either so I'm not sure why. There is a log file from another program that shows hidden objects and I hope you don't mind looking to see if those are OK too? I also should have maybe told you that when you asked me to reboot and run the last scanner from the USB drive, it didn't want to go into recovery mode. Even when I pressed the boot order options and chose to boot from my recovery disk in the CD drive rather than the hard drive, it still wouldn't go, and then after 4 tries it just did even though nothing changed. I thought that was weird. It asked me if it was OK to change the boot path and I agreed to change it to the recovery disk and that's when it worked. Not sure if any of this matters or not.

Thanks again.

RootRepeal report 03-07-13 (02-29-25).txt

TDSSKiller.2.8.16.0_07.03.2013_10.57.58_log.txt

TDSSKiller.2.8.16.0_07.03.2013_11.03.17_log.txt

TDSSKiller.2.8.16.0_21.03.2013_13.07.30_log.txt


I'm sorry because I can't remember if TDSSKiller did find something the other day, so maybe just ignore those old files? I always search Google for anything found and I know it wasn't anything serious if so. I ran so many programs that I can't remember. One got a PUP hit but nothing major and now I don't think that was the TDSSKiller that found it. Also, the RootRepeal stuff seems fine after I googled it but it never finished a scan because of crashes. Same with the MB beta program, only no BSOD.

Sorry for the confusion.


Hi Kre8or ;)

AdwCleaner

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

============ Next ==============

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

============ Next ==============

  • Download RogueKiller and save it to your desktop.
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan
  • A report will be created on your desktop.
  • Click on the Delete button
  • Next click on the ShortcutsFix
  • Another report will be created on your desktop.

Please post: All RKreport.txt text files located on your desktop.

On your next reply please post :

  • C:\AdwCleaner[s1].txt
  • JRT.txt
  • All RKreport.txt

Let me know if you have any problems performing the steps above or any questions you may have.

Good Day!


Some unexpected stuff when I ran the last two programs. The FRST scan was run and when I returned to my computer many of my desktop icons were changed and missing. EX: I copied the instructions to a document file and saved it to my desktop before I started the scans and this was now gone. The computer ran very slow. I then logged off and back on and found all the files were back.

So on to the next scan with RK. It found four things in the registry but it didn't save the file to the desktop like it should... or did it? because I tried to manually save a report there and it asked me if I wanted to replace it. I didn't and saved to c: Then I searched for the file name and it isn't on the desktop though when I tried to save it there again it said it was again...

Just thought you should know. Here are the files.

Thanks

AdwCleanerS1.txt

FRST.txt

RKreport1_S_03222013_02d1534.txt


Hi Kre8or ;)

Please follow my instructions.

You have posted FRST instead of JRT.

"Forgot to add that after the RK scan there were two new shortcuts on my desktop"

You can delete them.

Follow this step:

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Refer to the ComboFix User's Guide

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

====================================================

Double click on combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.


Hi,

I disabled security soft (but MSE was said to be on when I went to scan, so I uninstalled it and reinstalled when it was done). The weird alternate desktop was there and I saw the missing log files there and a lot of old icons I deleted. Is this normal? When I was trying to update the definitions in MSE I got a message from WinPatrol that APPMGMTS.DLL was being added to my system32 folder. It's prob normal but I just stopped the update and did a manual update instead to be safe. Here is the JRT log too. Thank you :D

ComboFix.txt

JRT.txt


Hi Kre8or

Please follow all previous instructions regarding security programs.

Open a new Notepad session

  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE


ClearJavaCache::

File::
c:\users\Ruth\AppData\Roaming\Microsoft\Installer\{2E0DFC24-7C4B-4DCF-BCC7-81C513BED3BC}\python_icon.exe
c:\users\Ruth\AppData\Roaming\.k3d

Folder::
C:\e889693acd34ae39cb

In the notepad

  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

[image: CFScriptB-4.gif]

Next

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next

ESET Online Scanner

I'd like us to scan your machine with ESET OnlineScan

Note: If you are using Windows Vista/7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

*Note

It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
     ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
     1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
     2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
     3. Check esetAcceptTerms.png
     4. Click the esetStart.png button.
     5. Accept any security warnings from your browser.
     6. Check esetScanArchives.png
     7. Make sure that the option "Remove found threats" is Unchecked
     8. Push the Start button.
     9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
     10. When the scan completes, push esetListThreats.png
     11. Push esetExport.png, and save the file to your desktop using a unique name, such as MyEsetScan. Alternatively, look for the report in C:\Program Files\ESET\ESET Online Scanner\log.txt. Include the contents of this report in your next reply.
     12. Push the Back button.
     13. Select the Uninstall application on close check box and push esetFinish.png

On your next reply please post :

  • New combofix log
  • Malwarebytes log
  • Eset report

Let me know if you have any problems performing the steps above or any questions you may have.

Good Day!


Just want to be clear before I start

You're Right

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    MBAM.PNG
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.


Ok, I ran the combo fix like you said and attached the report. The alternate desktop showed up when it was done and I think that is the admin desktop. It ran very slow and I tried to switch user and chose my user account but it took me back to the same thing that isn't my desktop so I logged off and back on and that worked. Not sure if this is normal?

Next I will do the MBAM scan

combofix2.txt


Some of the instructions didn't apply because it didn't find anything I think. I'll move on to the next scan after this post.

Here is the report, thanks:

Malwarebytes Anti-Malware (Trial) 1.70.0.1100

www.malwarebytes.org

Database version: v2013.03.24.07

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

main room :: MAINROOM-PC [administrator]

Protection: Enabled

3/24/2013 3:48:19 PM

mbam-log-2013-03-24 (15-48-19).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 244338

Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)
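The MBAM report above is a fixed-layout text file, so it can be checked mechanically rather than read line by line. As an added example that is not part of the thread, the following Python parses that layout (header fields, then "Category Detected: N" lines each followed by the "(No malicious items detected)" marker or by one line per item), totals the detections and flags any category whose header count disagrees with the item lines actually pasted; the sample log, including its single registry hit, is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the MBAM 1.x report layout posted above: header fields, then
# "<Category> Detected: N" lines each followed by "(No malicious items detected)"
# or by one line per detected item. The registry hit is invented to exercise the
# item path; it is not from the thread's log.
SAMPLE_LOG = """\
Malwarebytes Anti-Malware (Trial) 1.70.0.1100
Database version: v2013.03.24.07
Scan type: Quick scan
Objects scanned: 244338
Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\\Software\\EXAMPLE-PUP (PUP.Optional.Example) -> Quarantined and deleted successfully.

Files Detected: 0
(No malicious items detected)

(end)
"""

HEADER_RE = re.compile(r"^(?P<category>[A-Za-z ]+) Detected: (?P<count>\d+)$")
FIELD_RE = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned|Time elapsed): (?P<value>.+)$")
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text: str) -> Dict[str, object]:
    """Split an MBAM report into metadata fields and per-category (count, item lines)."""
    fields: Dict[str, str] = {}
    categories: Dict[str, Tuple[int, List[str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        field = FIELD_RE.match(line)
        if field:
            fields[field.group("key")] = field.group("value")
            continue
        header = HEADER_RE.match(line)
        if header:
            current = header.group("category")
            categories[current] = (int(header.group("count")), [])
            continue
        if current is not None and line != NO_ITEMS:  # item line under the open category
            categories[current][1].append(line)
    return {"fields": fields, "categories": categories}


def triage(text: str) -> Dict[str, object]:
    """Total the detections; flag categories whose count disagrees with the item
    lines actually present (a truncated or hand-edited paste)."""
    parsed = parse_mbam_log(text)
    total, mismatches = 0, []
    for category, (count, items) in parsed["categories"].items():
        total += count
        if count != len(items):
            mismatches.append(category)
    return {"clean": total == 0 and not mismatches, "total": total,
            "mismatches": mismatches, "database": parsed["fields"].get("Database version")}
```

Run `triage(open("mbam-log.txt").read())` on a real report; a non-empty `mismatches` list means the paste should be requested again before drawing conclusions from it.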


Hi Kre8or :)

Please follow all previous instructions regarding security programs.

Open a new Notepad session

  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

File::
C:\Users\Ruth\Downloads\Game Engine and Games\3d modeling soft and tuts\cbsidlm-tr1_7-Argile-ORG2-10834895.exe
C:\Users\Ruth\Downloads\Software install\software for general use\cbsidlm-tr1_8-KLite_Mega_Codec_Pack-ORG2-10794603.exe

In the notepad

  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

[image: CFScriptB-4.gif]

Please let me know how your machine is running and if there are any outstanding issues


Took me to the alternate desktop again but I take it that's normal? Was there anything infected or just PUPs? There is one weird thing though. I had BSOD every day for over a month but when I posted this topic and before anyone looked at it the BSOD stopped before any changes were made and it hasn't done a BSOD from that time on. Does this maybe mean that someone is monitoring my posts and stopped doing a DOService attack or something like that? I just find it a strange thing to just happen by chance. Anyway, thanks for your help :D

combofix3.txt


Hi Kre8or ;)

"I had BSOD every day for over a month but when I posted this topic and before anyone looked at it the BSOD stopped before any changes were made and it hasn't done a BSOD from that time on"

This means that the BSOD is afraid of me :)

"Does this maybe mean that someone is monitoring my posts and stopped doing a DOService attack or something like that?"

Nooooo!!! Your pc is clean.

Ok follow this step

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine.
  • If it doesn't, manually reboot to ensure a complete clean.

Next

Please download Windows Repair (all in one) from here

Install the program then run it

Go to step 2 and allow it to run Disk check


Once that is done then go to step 3 and allow it to run SFC


On the Start Repairs tab, click Start.

Click on the select all check box and then click on Start

DON'T use the computer while each scan is in progress.

Restart may be needed to finish the repair procedure

Please let me know how your machine is running now and if you still have any BSOD problem.


Hi,

"This means that the BSOD is afraid of me :)"

Lmao, I think you're right.

"Nooooo!!! Your pc is clean."

Oh kool. So all these steps are just protocol or is there another issue? I just want to educate myself some. I feel bad now because I'm a poor person and I took all this time from you for nothing? :(

"Ok follow this step

Download TFC to your desktop"

I got this error and wanted to be sure it was ok to continue and that the link is ok to use before I continue?

Warning

A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.

Script: chrome://mozapps/content/downloads/download.xml:71

I stopped the script and posted this to make sure it wasn't anything serious. Thanks again.


This topic is now closed to further replies.