LOG FILES ADDED: only boots into Safe Mode after using aswMBR fix to get rid of Alureon

I seem to have run into another problem. As you correctly surmised, Sophos is not fully uninstalled. I see Sophos items on the “Programs and Features” menu but get a message that “Windows Installer Service could not be accessed…”, I believe because I am in Safe Mode.

ComboFix warns me that Sophos is running. Should I run ComboFix anyway?

Thanks for all the time and help

Yes please, as I do not want to damage what protection you have at the moment. Just ensure that Sophos does not try to stop or quarantine anything; allow everything, even if it gives it a scary name. Many of the elements of ComboFix can be used for good or bad, and no AV can tell the difference.

Here is the log file.

I noticed on the ots.txt file there were several items that said “File Not Found” under “Driver Services”. Could these have been infected and been deleted when I originally ran aswMBR?

No, they are on-demand drivers as opposed to required drivers.

I will have a chat with some other people I know to see if they have come across this before and have a resolution.

OK, back already.

Could you rerun aswMBR please, but a fresh copy this time - I need to revisit the MBR record.

Download aswMBR.exe ( 1.8mb ) to your desktop.

Double-click aswMBR.exe to run it.

Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif

On completion of the scan, click “Save log”, save it to your desktop and post it in your next reply.

http://public.avast.com/~gmerek/aswMBR2.png

Very thorough program; QuickScan mode took 4 hours. Log is attached. Thanks.

Essexboy won’t be back on the forums until tomorrow (12:30am in the UK), so you can try this in the meantime if you wish, or wait.

You must have had a lot of data to scan?
I have just run this new update of the aswMBR.exe file on a Quick scan to get an idea of what it is like for speed, as 4 hours sounds excessive. It is certainly using a bit of CPU, 20-30% (with a few spikes over 30%) on my system, and a bit of RAM. So I don’t know what your system is like, as this resource use might well have slowed the system and scan some.

The file C:\Users\Alyssa\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\75SIPGQN\AV2010Installer[1].exe INFECTED Win32:Trojan-gen sounds like a rogue AV installer, and it is in your Temporary Internet Files folder, so you could see if it will be removed by clearing the Temporary Internet Files from IE.

Or it may need something a little stronger to remove temp files:
TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

If that removes it, you might want to run MBAM, as that is normally quite good at finding rogue/fake AV stuff.
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).
Malwarebytes Anti-Malware (MBAM), on-demand only in the free version: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe. Right-click on the link and select Save As or Save File (As) depending on your browser, and save it to a location where you can find it easily later.

Thanks, I will try as you suggest. (FYI this computer has a Pentium T2330 1.6GHz with 2 GB of memory.) I ran Malwarebytes yesterday per Essexboy’s instructions, but I don’t believe it found the same infected file.

I also ran across this log file from (I believe) before I started getting the blue screen on normal startup. This is when avast was finding a payload of malware. Thought it might be helpful.

Yes that spec would certainly put a crimp in performance.

The memory.dmp is going to be too large to move, as it would be the same size as your memory, 2GB, and at the time of the crash/BSOD (was this recent?) it would appear you had an Alureon-G@mbr infection. You can manually delete this file, as the memory.dmp file is overwritten or recreated if you have another BSOD.

This one is a bit weird, as this is an avast log file recording the anti-rootkit protection information, so avast is alerting on one of its own log files.
File C:\ProgramData\AVAST Software\Avast\arpot\14cc91-174c-0.dat is infected by Alureon-G@mbr [Rtk], Moved to chest. This shouldn’t be an issue, as the file (a clean one) will be recreated, I believe.

The Java version also appears to be out of date, so that brings vulnerabilities - I would also suggest a visit to this site, which scans your system for out-of-date programs that have patches to close vulnerabilities: http://secunia.com/software_inspector/.

The TFC application should take care of the temp internet files location.

So for now, get on with the TFC cleaning and MBAM scans.

I ran the TFC. No option for a log, and although it said 0 bytes removed from Temporary Internet Files, aswMBR found no malware afterwards. (Latest aswMBR log attached.) Still getting the blue screen when trying to start normally.

I did not rerun MBAM, but it has not successfully detected the Win32:Trojan-gen in Temporary Internet Files as aswMBR has.

So, per your comment, is my memory.dmp file not being recreated (I was forced to delete it during an initial avast scan due to infection and it apparently being too large to put in the chest) because I only have 2GB of memory on this machine? Or is it not writing because I do not have enough free HDD space (I show 35GB free)?

Another side note… saw some info on the Microsoft site about their Event Viewer. Tried it but got “Event Viewer cannot open log…” on all event files. Also cannot clear and save event logs. Possibly because I am running in Safe Mode?

I will run the program at secunia.com, and also look for some large unnecessary data files to delete. Thanks!

It was only too large for the chest because it exceeded the pre-set maximum file size (about 16MB) to be sent to the chest, and the memory.dmp file would basically be a copy of everything in memory at the time of the BSOD.

If it isn’t recreated on the next BSOD, then you would have to look at Control Panel, System, Advanced tab, Startup and Recovery, Settings (that is for XP; I don’t know if it is the same for Vista) to see if a Kernel memory dump is selected; otherwise it just creates minidump files in the c:\windows\minidump folder. So you need to check the settings and the minidump folder and see if there are any corresponding files in there (roughly the same date-time stamp as the BSOD).

Check this MS KB article for the 0x0000008E stop error code (scroll down to find that error code): http://support.microsoft.com/kb/935806.
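The dump-settings check described in the post above can be done from a PowerShell prompt instead of clicking through Control Panel. This is an added example and not something posted in the thread: it reads the CrashControl key that the Startup and Recovery dialog writes to, decodes the dump type, shows where the full dump and minidumps would land, and lists any minidumps already written. The paging-file line is there because a crash dump is written through the page file on the boot volume, so a missing or undersized page file is a common reason no dump ever appears. Run it from an elevated prompt; it only reads.

```powershell
# Added example, not from the thread: report the crash-dump configuration
# Windows will use on the next bug check and list minidumps already present.
$dumpTypes = @{
    0 = 'None'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump (minidump)'
    7 = 'Automatic memory dump'
}

# Get-ItemProperty expands REG_EXPAND_SZ values such as %SystemRoot%\MEMORY.DMP.
$cc   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$type = [int]$cc.CrashDumpEnabled

$dumpFile = if ($cc.DumpFile)    { $cc.DumpFile }    else { Join-Path $env:SystemRoot 'MEMORY.DMP' }
$miniDir  = if ($cc.MinidumpDir) { $cc.MinidumpDir } else { Join-Path $env:SystemRoot 'Minidump' }

"CrashDumpEnabled : $type ($($dumpTypes[$type]))"
"Overwrite        : $($cc.Overwrite)"
"DumpFile         : $dumpFile (exists: $(Test-Path -LiteralPath $dumpFile))"
"MinidumpDir      : $miniDir (exists: $(Test-Path -LiteralPath $miniDir))"

# The dump is staged through the paging file on the boot volume; no page file
# there (or one smaller than the dump) means nothing gets written.
$mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
"PagingFiles      : $($mm.PagingFiles -join '; ')"

# Minidumps, newest first, with the timestamp to match against the BSOD time.
Get-ChildItem -LiteralPath $miniDir -Filter *.dmp -Force -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, LastWriteTime, @{ n = 'SizeKB'; e = { [int]($_.Length / 1KB) } } |
    Format-Table -AutoSize
```

A CrashDumpEnabled of 3 with an empty Minidump folder after a repeatable BSOD points at the page-file or disk-space side rather than at the setting itself; a value of 0 means the dialog was saved with “(none)” selected and no file will ever be produced.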

Well, the other experts are still out on this one; the hope was that the MBR was not created properly, but it appears it is.

What is the make and model of the computer?

Yes, it is weird, as some of the MS links on this stop error also mention an MBR rootkit, but we so far haven’t seen that in the aswMBR logs.

They also suggest rolling back to an earlier time, and that too has been tried.

Others suggest a driver error and to check the drivers.

Thanks for the info.

I have tried several times to configure the System Recovery and Settings for both the Kernel memory dump and minidump, yet no file is ever created. I do have a minidump directory that is empty, even when configured to view hidden and system files.

Went to the Microsoft support site mentioned but am a bit lost. It refers to getting the memory error when installing or upgrading Vista. I did rename all oem*.inf drivers to oem*.old as it suggested, but still got the blue screen when trying normal startup.

When I was in Msinfo32 I did see several drivers under System Drivers that are listed as critical yet are stopped and disabled. I have a feeling this is not helpful, but here are the names of those drivers:

aliide
cmdide
isapnp
nvstor
pciide
spldr
viadide

There were also quite a few items under Signed Drivers that indicate NOT AVAILABLE for everything except device name, device class and device ID. All of these are class LEGACYDRIVER except the following: Device ID HTREE\ROOT\0 showed NOT AVAILABLE for everything other than ID. Device name KEYBOARD_FILTER_01 shows NOT AVAILABLE for all but device name and ID.

Just saw recent posts. Computer is an HP laptop, Pavilion dv6701us.
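Both the “File Not Found” driver-service entries in the OTS log earlier in the thread and the “critical yet stopped and disabled” drivers listed above in Msinfo32 come from the same place: the Start and ErrorControl values under each driver’s key in HKLM\SYSTEM\CurrentControlSet\Services. This added example (not posted by anyone in the thread) walks those keys, decodes the two values, resolves the ImagePath the way the loader does and reports the drivers whose .sys file is absent from disk, so the reader can tell an on-demand driver with no image from a boot-start driver whose file is genuinely missing. The path-resolution rules reflect the forms commonly found in the registry; the fallback for a missing ImagePath is the loader’s default of System32\drivers\<service>.sys.

```powershell
# Added example, not from the thread: decode driver-service entries and flag
# those whose image file is missing, with Start and ErrorControl spelled out.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual (on demand)'; 4 = 'Disabled' }
$errorNames = @{ 0 = 'Ignore'; 1 = 'Normal'; 2 = 'Severe'; 3 = 'Critical' }

function Resolve-DriverImagePath([string]$imagePath, [string]$serviceName) {
    # Forms seen in the registry: "\SystemRoot\System32\drivers\x.sys",
    # "System32\DRIVERS\x.sys", "\??\C:\path\x.sys", or no value at all,
    # in which case the loader assumes System32\drivers\<service>.sys.
    if (-not $imagePath) { return Join-Path $env:SystemRoot "System32\drivers\$serviceName.sys" }
    $p = $imagePath.Trim('"')
    if ($p -match '^\\SystemRoot\\(.+)$') { return Join-Path $env:SystemRoot $Matches[1] }
    if ($p -match '^\\\?\?\\(.+)$')       { return $Matches[1] }
    if ($p -match '^System32\\')           { return Join-Path $env:SystemRoot $p }
    return $p
}

$rows = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $v = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    # Type 1 = kernel driver, 2 = file-system driver; everything else is a user-mode service.
    if ($v.Type -ne 1 -and $v.Type -ne 2) { return }

    $start = 'n/a'
    if ($v.Start -ne $null) { $start = $startNames[[int]$v.Start] }
    $err = 'n/a'
    if ($v.ErrorControl -ne $null) { $err = $errorNames[[int]$v.ErrorControl] }

    $path = Resolve-DriverImagePath $v.ImagePath $_.PSChildName
    New-Object PSObject -Property @{
        Name         = $_.PSChildName
        Start        = $start
        ErrorControl = $err
        ImagePath    = $path
        FileFound    = Test-Path -LiteralPath $path
    }
}

# Only the "File Not Found" cases. A Manual or Disabled entry with no file is
# the on-demand situation described earlier; a Boot/System entry, or one with
# ErrorControl = Critical, deserves a closer look.
$rows | Where-Object { -not $_.FileFound } |
    Sort-Object Start, Name |
    Select-Object Name, Start, ErrorControl, ImagePath |
    Format-Table -AutoSize
```

Run it from an elevated prompt; it only reads the registry and tests file existence. Drop the Where-Object stage to see every driver, including the disabled legacy IDE and chipset drivers an OEM image typically carries.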

You and me both; this is outside my area of experience, and I have never used Vista either.

Hopefully essexboy still has some ideas and tools in his bag.

We will reset the MBR again, but using Windows from the recovery console.

[*]Start the Safe Mode menu by rebooting and pressing and holding F8.
[*]Select Repair your computer.
[*]Select the operating system you want to repair, and then click Next.
[*]Select Command Prompt.
[*]Type in the following command:

Bootrec.exe /FixMbr

[*]Once finished, type Exit.

I ran the FixMbr and received a message that said “Completed Operation Successfully”, but apparently its view of success and mine differ, since I still get a blue screen when trying to start normally.

I know you must be getting frustrated too, and I appreciate your hanging in there to help.

OK, back to chat with some other experts.

Thought I would give one last try before having to reinstall Windows on this machine. I found that even though Device Manager did not display any exceptions, the Realtek sound drivers were missing, so I reloaded and updated them. Also went through and tried updating all other drivers in Device Manager. Several did update, but they keep reverting when I reboot. I suspect this has something to do with being in Safe Mode?

When I go through this process of updating drivers the machine gets a little further before going to the blue screen. I can get past the password screen, but blue screen shortly after.

I ran across a reference to a program, DDS, so ran a scan and attached a log here. It is amazing that there are so many logs in Windows, yet none seem to contain information useful as to why Windows will not load normally. There seems to be a lot of cryptic information in things like BOOTckcl, but virtually no info as to how to read the information.

At any rate, let me know if you have any additional ideas, or if the attached log reveals anything new. Otherwise I guess I am off to reload Windows.

Well, we have been thrashing this around.

The final option is to try the Last Known Good Configuration.

Press and hold the F8 key as your computer restarts.
On the Advanced Boot Options screen, use the arrow keys to highlight Last Known Good Configuration, and then press ENTER.