My daughter’s Windows Vista computer was infected with Alureon-G@mbr (among others) that the Sophos program her university made her install apparently let in. (Sophos was also useless in finding any of the viruses) Deleted Sophos and installed Avast which found most of the problems except the persistent Disk 0 mbr issue.
After reading through the forum I installed aswMBR and ran scan and fix several times. Apparently got rid of viruses but now computer displays blue screen and reboots seconds after displaying the Windows password screen. Can start in safe mode.
Tried doing a system restore but this did not fix the problem. (it did delete Avast, however, and now I cannot seem to successfully reinstall)
Also, one of the files I had to delete (no disk room for chest) while AVAST was finding viruses was MEMORY.DMP. Now I cannot seem to find a file that the blue screen memory is dumping to. (although I do have boot logs.)
Tried to do this on my own reading the forum, but the fixes seem to be specific to the machine. Any help is greatly appreciated.
Hi, I am wondering if Sophos interfered with the removal process as it is still an active AV according to your driver and service list. Let me know if you can get to normal mode after this.
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-3542362207-1953595748-2698762895-1000\] > -> HKEY_USERS\S-1-5-21-3542362207-1953595748-2698762895-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Player" -> C:\Users\Alyssa\AppData\Roaming\Adobe\Player.exe [C:\Users\Alyssa\AppData\Roaming\Adobe\Player.exe]
[Files/Folders - Created Within 30 Days]
NY -> WindowsSearch -> C:\ProgramData\WindowsSearch
NY -> cG28321AdKgN28321 -> C:\ProgramData\cG28321AdKgN28321
[Files/Folders - Modified Within 30 Days]
NY -> 665x0e6t3b1o6256h52edgb -> C:\Users\Alyssa\AppData\Local\665x0e6t3b1o6256h52edgb
NY -> 665x0e6t3b1o6256h52edgb -> C:\ProgramData\665x0e6t3b1o6256h52edgb
NY -> ylog -> C:\Users\Alyssa\AppData\Local\ylog
NY -> mlog -> C:\Users\Alyssa\AppData\Local\mlog
NY -> 4051841017 -> C:\ProgramData\4051841017
[Files - No Company Name]
NY -> 665x0e6t3b1o6256h52edgb -> C:\Users\Alyssa\AppData\Local\665x0e6t3b1o6256h52edgb
NY -> 4051841017 -> C:\ProgramData\4051841017
NY -> 665x0e6t3b1o6256h52edgb -> C:\ProgramData\665x0e6t3b1o6256h52edgb
NY -> mlog -> C:\Users\Alyssa\AppData\Local\mlog
NY -> ylog -> C:\Users\Alyssa\AppData\Local\ylog
[Empty Temp Folders]
[EmptyFlash]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.
First, thanks for your help. After running the FIX in OTS I received a pop-up saying I needed to reboot with the only option being YES. After rebooting system still displayed BSOD shortly after log in password page displayed. Went into safe mode but was unable to find new log file (only looked in desktop, root drive, temp file on root drive, and owners documents). Should I rerun OTS? Thanks
Blue screen references: 0X0000008E(0xc0000005,0x8223157,0xAA56A91C,0x0000000)
followed by: “Collection data for crash dump…
Initializing disk for crash dump…
Physical memory dump complete.” But as I said I cannot find a file it is writing to. Minidump folder is empty, and no Memory.dmp file.
I do get a Repair My Computer option which opens a box in windows with a number of options. When I select STARTUP REPAIR it says it does not detect any problems. (Just tried it again) I tried the next, going back to the last good configuration, yesterday but it did not fix the BSOD problem. I did not try it today.
Other options I can get to when selecting Safe mode are: “Enable Boot Logging”, “Last known good configuration”, “Directory Services Restore Mode”, “Debugging Mode”, “Disable auto restart…”, and “Disable system Driver Signature Enforcement”.
I do get this screen, and did try to restore to an earlier date, but that was before running the OTS fix script you gave me. I am running the restore again and will report.
Ran the restore twice. Once each for two different dates (all that were available) and still no change. I did notice that when the box came up with which disk to restore, it listed BOOT, along with C, which was checked, and D, but did not allow me to check either D or BOOT. I don’t know if this is normal or not.
Ran a full disk aswMBR scan last night and it did find something in TemporaryInternetFiles folder. Log attached. Does this help in solving my BSOD problem? Thanks
OK you have the new version of aswMBR - this version invokes the avast engine to carry out a virus scan - which is why it was detected.
OK, let's try a clean boot to determine if it is a Windows driver or a third party one.
Step 1: Start the System Configuration Utility
Click Start, click Run, type msconfig, and then click OK.
The System Configuration Utility dialog box is displayed.
Step 2: Configure selective startup options
In the System Configuration Utility dialog box, click the General tab, and then click Diagnostic startup.
Click the Services tab.
Click to select the Hide All Microsoft Services check box.
Click Disable All, and then click OK.
When you are prompted, click Restart to restart the computer.
Step 3: Troubleshoot
- Now restart and test the issue at hand.
- If no problems, run msconfig and recheck half the disabled items on the Services tab. Reboot to test again. If the problem recurs, uncheck half the items you just checked to narrow down the culprit.
- If the problem does not re-occur, check the other half, so all the Services are enabled. Reboot to test again. If the problem recurs, uncheck half the items you just checked to narrow down the culprit.
Apparently with my version all items are automatically disabled when selecting Diagnostic Startup. Have tried with all (including Microsoft) disabled, and first enabling Microsoft items then hiding them and disabling the rest. Still get blue screen after attempting to start Windows in normal mode.
I did select APPLY instead of OK at the end of your instructions the first time and the computer crashed immediately and rebooted, if that means anything.
Also, when I found the malware with the last aswMBR scan the FIX button was greyed out and I was not sure whether to select FIXMBR so did not. Do I need to remove the malware before proceeding?
Unfortunately I must go to jury duty today and will not be able to recheck posts for several hours. Thanks for your help.
Posted the OTS log as per last instructions. (See last post) Hopefully this contains information that can identify why the system keeps going to blue screen on a normal boot. Thanks!
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
- Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.