Solve: BSOD. Rootkits. Trojan.?


I have run into a bit of a snag trying to revive my computer, which keeps getting a BSOD ~20 seconds after Windows startup.

I am running XP SP3

"STOP: 0X0000008E (0xC0000005 0xA12AFB75 0x9F0F47E8 0x00000000)"

I get different STOP errors each time I crash.

Here is what happened:

I was browsing the internet last night when my start bar and start menu changed from the XP default to the 'classic Windows' style. I restarted my computer and a few seconds after Windows put me at my desktop I got the BSOD described above. I booted up in Safe Mode, then I attempted to open "Malwarebytes' Anti-Malware"; however, it would not open. I then opened 'SUPERAntiSpyware' using its alternate start (the normal start would not open either) and scanned my computer. It came up with:

Trojan.Dropper/SVCHost-Fake
Rootkit.TDSServ
(with 57 entries for the rootkit)

I removed them all (+ some tracking cookies) and then restarted, booting back into Safe Mode, and was then able to open Malwarebytes Anti-Malware, which came up with the following:

1 infected registry KEY:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (trojan.Agent)

2 infected registry data items:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) Data: C:\windows\system32\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) Data: system32\

1 infected file:
C:\windows\system32 (Trojan.Agent)

All of which were 'Quarantined and deleted successfully'.

I then rebooted and ran Windows and got the same BSOD.

After some reading online I was told to use the minidump feature of XP to find what was left (I was told most likely a rootkit that I can't find). I was, however, unable to open the .DMP files. I searched and found I had to download a viewer (horrible idea, Microsoft), which I am unable to do because the computer BSODs when I'm not in Safe Mode.

I am posting this from a different computer. I am in the process of typing out the logs. They will be posted in reply to this message ASAP. When I first had this problem I stopped the scan and removed the files as they came up; as a result I have several logs for SUPERAntiSpyware.

Here are my logs:

[Saving space - attachment deleted by admin]

Here are my Mbam and HJT logs:

[Saving space - attachment deleted by admin]

Please print these instructions, as they will be needed later when Internet access is not available.

Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/156236231/SDFix.exe.html

When using this tool, you must use the Administrator's account or an account with administrative rights.

  • Double-click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services or registry entries found, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished. Press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Copy and paste the contents of the results file Report.txt in your next reply.
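As an added example that is not part of this thread and not code from Malwarebytes, SUPERAntiSpyware or SDFix, the Python script below checks a Winlogon Userinit value for the kind of tampering Malwarebytes reported in the question (a bare directory such as `C:\windows\system32\` where `userinit.exe` should be). The expected default value, the `windir` parameter, the helper names and the sample values are assumptions I constructed; the live read uses the standard-library `winreg` module and is skipped off Windows.

```python
"""Classify the entries of a Winlogon Userinit value.

Added example, not from the original post or from any tool named in it.
Assumption: on a stock Windows XP install the value is
    C:\\WINDOWS\\system32\\userinit.exe,
(a comma-separated program list with a trailing comma).
"""
import ntpath
import sys
from typing import List, Optional, Tuple

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_BASENAME = "userinit.exe"


def split_userinit(value: str) -> List[str]:
    """Userinit is a comma-separated list of programs Winlogon starts at logon.
    Empty entries (from the trailing comma) are dropped."""
    return [p.strip() for p in value.split(",") if p.strip()]


def classify_userinit(value: str, windir: str = r"C:\WINDOWS") -> List[Tuple[str, str]]:
    """Return (entry, verdict) pairs.

    Verdicts:
      'ok'        - the stock userinit.exe under %windir%\\system32
      'directory' - a bare directory path (the pattern in the MBAM log above);
                    there is nothing to execute, so logon cannot proceed normally
      'extra'     - any other program chained before or after userinit.exe
      'missing'   - appended once if userinit.exe is absent altogether
    """
    expected = ntpath.normcase(ntpath.join(windir, "system32", EXPECTED_BASENAME))
    verdicts: List[Tuple[str, str]] = []
    found_userinit = False
    for entry in split_userinit(value):
        norm = ntpath.normcase(entry)  # lower-case, '/' -> '\\'
        if norm == expected:
            verdicts.append((entry, "ok"))
            found_userinit = True
        elif entry.endswith(("\\", "/")) or not ntpath.splitext(entry)[1]:
            verdicts.append((entry, "directory"))
        else:
            verdicts.append((entry, "extra"))
    if not found_userinit:
        verdicts.append(("", "missing"))
    return verdicts


def is_stock(value: str, windir: str = r"C:\WINDOWS") -> bool:
    """True only when the value is exactly the stock userinit.exe and nothing else."""
    return [v for _, v in classify_userinit(value, windir)] == ["ok"]


def read_live_userinit() -> Optional[str]:
    """Read the real value from HKLM on Windows; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Constructed samples: the stock value and the value MBAM reported above.
    samples = ["C:\\WINDOWS\\system32\\userinit.exe,", "C:\\windows\\system32\\"]
    for sample in samples:
        print(repr(sample), "->", classify_userinit(sample), "stock:", is_stock(sample))
    live = read_live_userinit()
    if live is not None:
        print("live value:", repr(live), "->", classify_userinit(live))
```

The design choice worth noting: the remediation for a tampered Userinit value is to restore the stock `userinit.exe` path, not to delete the value, because Winlogon relies on that program to bring up the desktop; the `directory` and `missing` verdicts are there to make that distinction visible before touching the registry.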
