1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Bad Malware Or Virus Causing BSOD

Discussion in 'Virus & Other Malware Removal' started by tecrat, Sep 25, 2008.

Thread Status:
Not open for further replies.
  1. tecrat

    tecrat Thread Starter

    Joined:
    Sep 25, 2008
    Messages:
    1
    HELP!!!

    I have some kind of virus or trojan that is causing the Blue Screen of Death problem. I have tried running Malware Byte's Anti-Malware and it seems to find and (supposedly fix, Quanrantine and Delete) problems/infections everytime I run it!

    But after reboot in Safe Mode (the ONLY mode I can use and not get BSOD), it again finds the same set of problems! I can't now install or remove any programs either because the Installer is shut off in Safe Mode! "Holy circular reasoning nightmare - Batman!"

    In general it is finding things like this:
    Rootkit.Agent
    Trojan.FakeAlert
    Trojan.Agent

    Here is my HiJackThis file and my Malwarebytes log file - please help! This is my Business server computer and I am dead in the water without it!

    --------------------------------------
    Malwarebytes' Anti-Malware 1.28
    Database version: 1137
    Windows 5.1.2600 Service Pack 2

    9/25/2008 10:37:48 AM
    mbam-log-2008-09-25 (10-37-48).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 69670
    Time elapsed: 5 minute(s), 52 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 1
    Registry Keys Infected: 10
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 9

    Memory Processes Infected:
    C:\WINDOWS\Temp\.ttC.tmp (Trojan.Downloader) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\WINDOWS\system32\blphcg1wj0ep3v.scr (Trojan.FakeAlert) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winmj31 (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\winmj31 (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\winmj31 (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmj31 (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winxd08 (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\winxd08 (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\winxd08 (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winxd08 (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcg1wj0ep3v (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhcl1wj0ep3v (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\drivers\Winmj31.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\Winxd08.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\WinCtrl32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\blphcg1wj0ep3v.scr (Trojan.FakeAlert) -> Delete on reboot.
    C:\WINDOWS\system32\lphcg1wj0ep3v.exe (Trojan.FakeAlert) -> Delete on reboot.
    C:\WINDOWS\system32\phcg1wj0ep3v.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\.ttC.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

    -------------------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:41:34 AM, on 9/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\TEMP\mhc3.tmp
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Admin\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080604
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080604
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://216.195.55.10:3128/
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C6953D85-3C55-42C5-9B3D-154673EA3F54}: NameServer = 216.87.64.2,209.170.216.5
    O17 - HKLM\System\CS1\Services\Tcpip\..\{C6953D85-3C55-42C5-9B3D-154673EA3F54}: NameServer = 216.87.64.2,209.170.216.5
    O17 - HKLM\System\CS2\Services\Tcpip\..\{C6953D85-3C55-42C5-9B3D-154673EA3F54}: NameServer = 216.87.64.2,209.170.216.5
    O17 - HKLM\System\CS3\Services\Tcpip\..\{C6953D85-3C55-42C5-9B3D-154673EA3F54}: NameServer = 216.87.64.2,209.170.216.5
    O17 - HKLM\System\CS4\Services\Tcpip\..\{C6953D85-3C55-42C5-9B3D-154673EA3F54}: NameServer = 216.87.64.2,209.170.216.5
    O20 - AppInit_DLLs: karina.dat,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
    O20 - Winlogon Notify: ikkqzm - C:\WINDOWS\SYSTEM32\ikkqzm.dll
    O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
    O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
    O23 - Service: IntelĀ® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
    O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: NTI Backup Now 5 Shadow Service (ShadowSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\ShadowSvc.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

    --
    End of file - 5381 bytes

    Thanks so much!
    Terry
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/753281

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice