Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs
Trojan Rootkit BSOD Google Redirection spyware... (In Progress)
koolkarts (Junior Member, joined Apr 2009)
16-Apr-2009, 09:39 AM #1
Trojan Rootkit BSOD Google Redirection spyware...
Hi there guys, I'd really appreciate it if you could help me out here.

My laptop's been badly infected, and I can only boot in safe mode with networking. If I start up normally, as soon as I log in the desktop and icons appear and I get the BSOD with a stop error.

Basically, I can't log into Vista (32bit) in normal mode without getting a BSOD

with error message:

*** STOP: 0X0000008E (0XC0000005, 0X8BDA092D, 0X9AEC2000, 0X00000000)

I ran Memtest86 on booting, and after 8 passes it came up with no errors, so I'm pretty sure I've got no RAM problem.

My firefox and IE browser keep on redirecting to random websites off Google search, and my problem is identical to that of this guy:

http://forums.techguy.org/malware-re...-agent-dh.html


I was seeking advice on another forum, but I haven't been able to get far, and I really need my laptop back and working asap. I can't back up everything cos I don't have an external hard drive, and I need my files for exam revision.

All my other info was posted in this forum here:

http://help.lockergnome.com/general/...pict57628.html

and that's where my HJT log and Combofix log is.
If you scroll down right to the bottom of that thread, you'll see that ComboFix identified the files associated with rootkit activity on my laptop, but somehow I can't manage to find them myself.


....system32\drivers\ovfsthtfgkfvcnclgcieugcxojfqddrujvnucv.sys

.....system32\ovfsthgrkjtwcitydgkxveulvrbpbicvxeoxcx.dll

.....system32\ovfsthipttgjoejxtdqjnutsmincvobgvulgyg.dll

.....system32\ovfsthilbqrsjabinyjeikjejopxemgsmhippq.dll

.....system32\ovfsthnpnphnillkygpsllotxgvydeknvwoqwm.dat

ComboFix says that because there is rootkit activity on my PC, it needs to reboot. Once I reboot my comp, I have to run ComboFix again, and the same message displays. I think it's occurring because I'm in safe mode.

Also I have a feeling that the first file in that list (the .sys one) is probably the reason behind my blue screen at startup. Do you know how I could locate the files and delete them?


Any help at all would be greatly appreciated. Many thanks in advance!
koolkarts (Junior Member, joined Apr 2009)
16-Apr-2009, 11:11 AM #2
any help guys?
koolkarts (Junior Member, joined Apr 2009)
17-Apr-2009, 01:23 AM #3
Please guys, I'm getting desperate now. I can access my comp in normal mode
koolkarts (Junior Member, joined Apr 2009)
17-Apr-2009, 01:15 PM #4
I ran a panda online active scan and got these results:


(see attachment)
sjpritch25 (Moderator, Florida, Experience: Advanced, joined Sep 2005)
17-Apr-2009, 11:34 PM #5
Welcome to TSG

Sorry for the delay


Those files are rootkits. Are you still getting the BSOD booting into Normal Mode?
sjpritch25 (Moderator, Florida, Experience: Advanced, joined Sep 2005)
17-Apr-2009, 11:34 PM #6
Also, do you have your VISTA dvd disc?
koolkarts (Junior Member, joined Apr 2009)
18-Apr-2009, 04:00 AM #7
Hey, no problem, yeah I'm still getting the bsod on startup in normal mode.

And I've also got my Vista DVD with me, but it's the one I was given with the laptop by Dell (Vista 32 was preinstalled).
sjpritch25 (Moderator, Florida, Experience: Advanced, joined Sep 2005)
18-Apr-2009, 07:40 AM #8
Nope, that is correct when ComboFix finds a nasty rootkit. It disables it, reboots and then it should remove it. ComboFix will run fine in Safe Mode. Delete your current copy from your Desktop; I would like you to get a fresh copy.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Microsoft Valuable Professional Consumer--Security 2007-2009
Please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here
koolkarts (Junior Member, joined Apr 2009)
18-Apr-2009, 09:28 AM #9
I'm having the same problem as before even after downloading a new combofix.exe off mybleepingcomputer. ComboFix has detected the rootkit, says it needs to reboot, but once I reboot into safe mode and restart ComboFix I get the same problem as before. I restart ComboFix by clicking on it, it again tells me to reboot, and the circle continues...
sjpritch25 (Moderator, Florida, Experience: Advanced, joined Sep 2005)
18-Apr-2009, 09:36 PM #10
Well, you need to let it reboot into normal mode and not stop it from finishing. It needs to run to completion, otherwise the infection will not be removed.
koolkarts (Junior Member, joined Apr 2009)
19-Apr-2009, 03:54 AM #11
I can't boot up in normal mode though.... After I've run Combofix.exe in safe mode, I let my computer restart into Normal mode, but then I get a black screen just before the login screen. My mouse appears and then suddenly the whole screen goes black. I left it for about 30 mins and then decided to restart cos nothing was happening. Safe mode still works fine though. I'm really dumbfounded and have got no idea what to do! Any ideas?

Many thanks for your help so far.
koolkarts (Junior Member, joined Apr 2009)
19-Apr-2009, 03:18 PM #12
Oh god, I think this problem is getting bigger everyday....
I uninstalled ComboFix and downloaded a fresh copy, and now whenever I run it I get the error:

"!! ALERT it is not safe to continue!

The contents of this combofix package have been compromised
Please download a fresh copy from:

http://www.mybleepingcomputer.com/combofix/how-to-use-combofix"

I've downloaded many new copies and nothing is working!!
Any ideas?
sjpritch25 (Moderator, Florida, Experience: Advanced, joined Sep 2005)
19-Apr-2009, 09:09 PM #13
I did some further research and talked to a few security experts. Looks like you are infected with a nasty file infection called Virut. Unfortunately there is no way to fix this without trashing your system. I recommend re-installing Vista. Sorry I couldn't have any better news.
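The ComboFix alert quoted in post #12 ("The contents of this combofix package have been compromised") and the Virut diagnosis in post #13 describe the same hazard from a defender's point of view: an executable copied onto an infected host can be altered before it ever runs, so a tool must be able to tell that its own bytes have changed. The Python script below is an added example, not ComboFix's own self-check and not code from the thread; it shows the general pattern of recording a SHA-256 manifest of a downloaded tool on a clean machine and refusing to run any copy whose digest no longer matches. The file contents, the file name tool.exe and the bytes appended to simulate tampering are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer (used by the test and by callers
    that already hold the file contents)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed in 64 KiB chunks so large tools
    do not have to be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Run this on the CLEAN machine immediately after download.
    Returns {basename: digest}; keep the result off the suspect host
    (printed, on paper, or on read-only media)."""
    return {os.path.basename(p): sha256_of_file(p) for p in paths}


def verify_against_manifest(paths, manifest):
    """Run this on the SUSPECT machine before executing anything.
    Returns the basenames whose digest differs from the manifest or
    which are missing from it. A non-empty result means the copy was
    altered after it was recorded and must not be run; re-copy it from
    the clean machine instead."""
    bad = []
    for p in paths:
        name = os.path.basename(p)
        if manifest.get(name) != sha256_of_file(p):
            bad.append(name)
    return bad


def demo():
    """End-to-end walk-through on constructed data: a stand-in 'tool' is
    recorded clean, then modified the way a file infector would modify an
    executable it touches (here simply by appending bytes), and checked
    again. Returns (mismatches_before, mismatches_after)."""
    with tempfile.TemporaryDirectory() as d:
        tool = os.path.join(d, "tool.exe")  # constructed stand-in, not a real PE
        with open(tool, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"clean tool body")
        manifest = build_manifest([tool])
        before = verify_against_manifest([tool], manifest)
        # Simulate the executable being altered on the infected host.
        with open(tool, "ab") as f:
            f.write(b"APPENDED BYTES (constructed)")
        after = verify_against_manifest([tool], manifest)
        return before, after


if __name__ == "__main__":
    print(demo())  # expected: ([], ['tool.exe'])
```

The important operational detail is where the manifest lives: a digest stored on the infected disk can be rewritten along with the tool, so the comparison only means something when the reference values come from the clean machine. The same check applies to the rescue media and installers used later in the thread.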
koolkarts (Junior Member, joined Apr 2009)
25-Apr-2009, 06:24 AM #14
Damn, that sucks. Ok, I'll do a reinstall of Vista; my only problem though is that I'm not sure how to go about it. There's some data I want to back up, but I don't want to copy it to my USB hard drive if my laptop ends up infecting the hard drive. How should I make sure that my hard drive does not get infected? Also, I have a recovery partition currently on my hard drive that, apparently, can reinfect the main C drive if I reinstall Vista. Should I just restore to factory settings with the Dell option on my laptop, so it ends up just being as good as new, or should I reinstall Vista myself?
sjpritch25 (Moderator, Florida, Experience: Advanced, joined Sep 2005)
25-Apr-2009, 11:07 AM #15
We can do a boot scan with kaspersky.

We can try and clean it up with Kaspersky Rescue Disk, but access to another computer is required.

On a clean computer, download Kaspersky Rescue Disk

Burn the Kaspersky Rescue Disk ISO image to a CD using CD/DVD burning software and ensure it's a CD image. The following ISO Recorder can do this too.

There is a great tutorial on burning an ISO image here.

Setting your BIOS to boot from a CD may be required, go here for instructions.

Once Kaspersky Rescue Disk is burned successfully, reboot your computer, press any key to boot from cd and the following will appear.



Hit Enter to start booting from Kaspersky Rescue Disk.

Please pick your appropriate language and hit Enter

Kaspersky AntiVirus 2009 will appear, do not start a scan yet!!!!



  • Click the Update tab, then on the Update now button.
  • When the update is complete, click on the Settings button.
  • Under Scan, set Security level to High and On Detection to Disinfection.
  • Under Threats and exclusions, click the Settings tab, and ensure everything is checked.
  • Click Apply then OK to return to the program.
  • Click the Scan tab.
  • The scan can take a long time, so please be patient and allow it to run to completion.
  • When the scan has completed, click the Reports button.
  • Save the report to your C: drive as KAV2008.txt.
  • Now reboot your computer and remove the CD and log into Windows.
  • Navigate to your C:\ drive, and post the KAV2009.txt as an attachment in your next reply.
  • Any questions please post and I will reply as soon as possible. Thanks
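The file names quoted in post #1 (which the poster could not find on the running system) and the offline boot scan recommended in post #15 together illustrate the standard defensive check for a hiding rootkit: compare what the running system reports with what an offline environment such as a rescue disk sees, and flag anything that only the offline view contains. The Python script below is an added example, not code from the thread or from any tool named in it. The five file names come from post #1; the directory listings it processes are constructed sample data, the "ovfsth" prefix match is taken from those names, and the "very long letters-only stem" heuristic is an assumption of the example rather than a rule stated in the thread.

```python
import re

# File names reported by ComboFix in post #1 of the thread.
REPORTED_FILES = [
    "ovfsthtfgkfvcnclgcieugcxojfqddrujvnucv.sys",
    "ovfsthgrkjtwcitydgkxveulvrbpbicvxeoxcx.dll",
    "ovfsthipttgjoejxtdqjnutsmincvobgvulgyg.dll",
    "ovfsthilbqrsjabinyjeikjejopxemgsmhippq.dll",
    "ovfsthnpnphnillkygpsllotxgvydeknvwoqwm.dat",
]

# Two name heuristics (assumptions of this example):
#  1. the fixed prefix seen in the reported names plus a long random tail;
#  2. any stem of 30+ lowercase letters with no digits, dots or underscores,
#     which is unusual for legitimate system32 components.
KNOWN_PREFIX = re.compile(r"^ovfsth[a-z]{20,}\.(sys|dll|dat)$")
LONG_RANDOM_STEM = re.compile(r"^[a-z]{30,}\.(sys|dll|dat)$")


def is_suspicious_name(name: str) -> bool:
    """True if the file name matches either naming heuristic."""
    n = name.lower()
    return bool(KNOWN_PREFIX.match(n) or LONG_RANDOM_STEM.match(n))


def cross_view_diff(live_listing, offline_listing):
    """Names present in the offline (rescue-disk) view but absent from the
    live view. A kernel-mode rootkit can filter directory listings on the
    running system, but cannot filter a listing taken while it is not
    loaded, so anything in this difference deserves a close look."""
    return sorted(set(offline_listing) - set(live_listing))


def triage(live_listing, offline_listing):
    """Combine both checks into one report."""
    hidden = cross_view_diff(live_listing, offline_listing)
    flagged = sorted(n for n in offline_listing if is_suspicious_name(n))
    return {"hidden_from_live_view": hidden, "flagged_by_name": flagged}


# Constructed sample listings (not captured from a real machine). The
# drivers\ subfolder is flattened into the same list for simplicity.
LIVE_VIEW = ["ntoskrnl.exe", "kernel32.dll", "ntdll.dll", "drivers"]
OFFLINE_VIEW = LIVE_VIEW + REPORTED_FILES

if __name__ == "__main__":
    report = triage(LIVE_VIEW, OFFLINE_VIEW)
    for key, names in report.items():
        print(key)
        for n in names:
            print("   ", n)
```

In practice the two listings come from `dir /a` run inside Windows and from the same directory mounted under the rescue environment; the script only needs the two lists of names. The name heuristics are a fallback for systems where no offline view is available, and a miss there (a rootkit using a different prefix) is exactly why the cross-view comparison is the primary check.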