Malware/Virus won't stay gone

Found the following logs that may be helpful:

c:\qoobox\LogA
#######################
\Registry\Machine\System\CurrentControlSet\Services\vkquwexg

*******************

Script file located at: \??\C:\Cypher\ComboDel.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\QooBox
*******************

Beginning to process script file:

File move operation C:\WINDOWS\system32\drivers\jeddyf.sys|C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\jeddyf.sys.vir completed successfully.
Program C:\Cypher\CF29860.cfxxe" /c "C:\Cypher\Combobatch.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.


c:\qoobox\quarantine\catchme.log
########################

-------- 2010-02-15 - 09:27:59 -------------

file zipped: C:\WINDOWS\system32\drivers\jeddyf.sys -> _jeddyf_.sys.zip -> jeddyf.sys ( 791552 bytes )
file "C:\WINDOWS\system32\drivers\jeddyf.sys" replaced successfully
c:\cypher\temp00
################
catchme 0.3.1398.3 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-15 10:12:23
Windows 5.1.2600 Service Pack 3

scanning processes ...

System [4]
C:\WINDOWS\system32\smss.exe [684] 0x826F1978
C:\WINDOWS\system32\csrss.exe [732] 0x82728020
C:\WINDOWS\system32\winlogon.exe [760] 0x82C10460
C:\WINDOWS\system32\services.exe [816] 0x82718DA0
C:\WINDOWS\system32\lsass.exe [836] 0x82715DA0
C:\WINDOWS\system32\svchost.exe [1064] 0x826D9648
C:\WINDOWS\system32\svchost.exe [1256] 0x82A75340
C:\WINDOWS\system32\svchost.exe [1376] 0x822F0020
C:\WINDOWS\system32\svchost.exe [1524] 0x826FF628
C:\WINDOWS\system32\svchost.exe [1680] 0x82A4EA10
C:\WINDOWS\system32\spoolsv.exe [1788] 0x82762490
C:\WINDOWS\system32\svchost.exe [1952] 0x826EDDA0
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [568] 0x8209C908
C:\Program Files\Bonjour\mDNSResponder.exe [592] 0x826FE178
C:\Program Files\Digidesign\Drivers\MMERefresh.exe [668] 0x820A2348
C:\WINDOWS\ehome\ehrecvr.exe [1040] 0x82091A88
C:\WINDOWS\ehome\ehSched.exe [1124] 0x81F7A590
C:\temp\fold1\FAH504-Console.exe [1220] 0x81F668B8
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe [2144] 0x82037020
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2248] 0x820372A8
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe [2616] 0x81FC74E8
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe [2668] 0x81FD8020
C:\WINDOWS\system32\svchost.exe [2776] 0x81FA8020
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe [2816] 0x81FA7B28
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe [2932] 0x81F99020
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe [3032] 0xFF9CADA0
C:\WINDOWS\ehome\mcrdsvc.exe [3092] 0xFF9DD3C8
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe [3332] 0xFF9AC020
C:\WINDOWS\system32\dllhost.exe [3572] 0xFF8EA020
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe [3628] 0xFF8FF900
C:\WINDOWS\system32\alg.exe [3964] 0xFF44D020
C:\Program Files\Common Files\AOL\1139368192\ee\aolsoftware.exe [4092] 0x829FCDA0
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2376] 0x81F2C738
C:\Program Files\iTunes\iTunesHelper.exe [2188] 0x81F2BC38
C:\WINDOWS\system32\ctfmon.exe [2332] 0x820CA308
C:\Program Files\iPod\bin\iPodService.exe [2200] 0x81F58C68
C:\WINDOWS\system32\MDM.EXE [5676] 0x82710020
C:\Cypher\CF29860.cfxxe [5256] 0xFE267DA0
C:\WINDOWS\system32\svchost.exe [3260] 0xFA366B50
C:\Cypher\catchme.cfxxe [1452] 0xF8B3F4A8
 
Hi
We'll try the Recovery Console again with a different command.
Restart your computer
Before Windows loads, you will be prompted to choose which Operating System to start
Use the up and down arrow keys to select Microsoft Windows Recovery Console.
You must enter which Windows installation to log onto. Type 1 and press Enter.
At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\hiv-backup

At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

The ERUNT backups will begin copying.
At the next prompt, type the following bolded text, and press Enter:

exit

Windows should now begin loading.

Let me know if that worked.
 
I'm sorry. I must have miscommunicated. My computer blue screens when loading recovery console.

I don't get the option to choose my installation. I get the progress bar that says "Starting Recovery Console..." then it says "Please wait..." then blue screen.
 
Hi jezzzzy.
Sorry for the delay, but as I said previously, I am consulting with an expert about this problem.
OK, we need to see if we can access the Recovery Console from your XP discs.


1. Insert the Windows XP cd in your computer.

2. Restart your computer so you are booting off of the CD.

3. When the Welcome to Setup screen appears, press the R button on your keyboard to start the Recovery Console.

4. The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.

5. It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter. If you do not know your password then see this.

6. If you entered the correct password you will now be presented with a C:\Windows> prompt and you can start using the Recovery Console.



Next We'll try the Recovery Console again with a different command.
Restart your computer
Before Windows loads, you will be prompted to choose which Operating System to start
Use the up and down arrow keys to select Microsoft Windows Recovery Console.
You must enter which Windows installation to log onto. Type 1 and press Enter.
At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\hiv-backup

At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

The ERUNT backups will begin copying.
At the next prompt, type the following bolded text, and press Enter:
exit

Windows should now begin loading.

Post back and let me know if your PC now boots.
 
Recovery Console booted to the C prompt without asking for any login information. It seems it can't find my Windows installation. A "cd" command in C:\> returns "There is no floppy disk or CD in the drive."
 
OK. I got Recovery Console working (needed RAID drivers for the Windows installation to be found). I successfully ran the commands as you instructed. Still cannot boot. The computer reboots just prior to letting me log in. If I try Safe Mode, it reboots while loading files.
 
Hi jezzzzy.
Are you saying you got as far as trying these commands?

cd erdnt\hiv-backup

batch erdnt.con
 
Hi jezzzzy.
This is not looking good.
We have one last thing to try; then the only other option is to reformat and do a clean install.

Use the Windows cd to boot the computer.
Once booted:

Click Start, click Run, and enter into the command line that opens:
REN c:\windows\system32\gdi32.dll gdi.dll.org

Again, Click Start, click Run, and enter into the command line that opens:
copy c:\windows\servicepackfiles\i386\gdi32.dll c:\windows\system32\

IMPORTANT: If XP is installed to some other drive letter than C, replace the above to match your configuration.

* Reboot and try Normal mode.

Please try that and let me know if it works.
 
Hi jezzzzy.
My best advice would be to recover any personal documents you can and reformat your computer.
We have tried everything we can at this point.
Here is a link with more information Windows XP Clean Installation
Your system was seriously infected due to a lack of protection.
If you wish, I can give you more information on how to keep your system secure after you reformat.
Sorry the news is not better but that is my best advice.
 
Also, I found this when researching my blue screen stop error.

"You may receive a "Stop 0x0000007B" error message in the following scenarios:

* A device driver that the computer boot controller needs is not configured to start during the startup process.
* A device driver that the computer boot controller needs is corrupted.
* Information in the Windows XP registry (information related to how the device drivers load during startup) is corrupted."

Is it possible that ComboFix removed my HDD controller driver?

Can we restore it? I think it's called iastor.sys.
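As an added example (not part of this thread, and not ComboFix's or catchme's own code), the script below reads the two logs posted at the top of the thread, lists every driver file and service key the run touched, maps each ComboFix quarantine path back to the location the file came from, and flags any touched file whose name is a boot-critical storage miniport. The log text embedded in it is constructed to mirror the entries posted above; the boot-critical driver list is an assumption (iastor.sys is the name raised in the question, the rest are stock XP IDE/SATA miniports), and the second, hypothetical log that quarantines iastor.sys exists only to exercise the flag and is not from the thread.

```python
"""Audit what a ComboFix/catchme run touched and flag boot-critical drivers.

Added example for this thread; not ComboFix or catchme code. Log samples
are constructed from the entries posted in the thread, and BOOT_CRITICAL
is an assumed list, not something the thread establishes.
"""
import re
from typing import Dict, List, Tuple

# Assumed list of boot-start storage miniports on XP. iastor.sys is the
# driver named in the thread; the others are XP's stock IDE/SATA miniports.
# Extend it from the Services key of your own SYSTEM hive.
BOOT_CRITICAL = {"iastor.sys", "atapi.sys", "intelide.sys", "pciide.sys",
                 "pciidex.sys", "nvata.sys"}

# Layout visible in the posted log: C:\<path> -> C:\QooBox\Quarantine\C\<path>.vir
QUARANTINE_ROOT = r"C:\QooBox\Quarantine\C"

MOVE_RE = re.compile(r"File move operation (?P<src>.+?)\|(?P<dst>.+?) completed successfully\.")
SERVICE_RE = re.compile(r"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\(?P<name>[^\\\s]+)")
REPLACED_RE = re.compile(r'file "(?P<path>[^"]+)" replaced successfully')

# Constructed sample mirroring the thread's c:\qoobox\LogA and catchme.log.
THREAD_LOG_A = r"""
\Registry\Machine\System\CurrentControlSet\Services\vkquwexg
File move operation C:\WINDOWS\system32\drivers\jeddyf.sys|C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\jeddyf.sys.vir completed successfully.
"""
THREAD_CATCHME = r"""
file "C:\WINDOWS\system32\drivers\jeddyf.sys" replaced successfully
"""
# Hypothetical log (NOT from the thread) in which the storage miniport itself
# was quarantined; used only to show what a hit looks like.
HYPOTHETICAL_LOG_A = r"""
File move operation C:\WINDOWS\system32\drivers\iastor.sys|C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\iastor.sys.vir completed successfully.
"""


def parse_combofix_log(text: str) -> Dict[str, List]:
    """Return (src, quarantine) pairs and service key names from a ComboFix log."""
    moved: List[Tuple[str, str]] = []
    services: List[str] = []
    for line in text.splitlines():
        m = MOVE_RE.search(line)
        if m:
            moved.append((m.group("src"), m.group("dst")))
            continue
        m = SERVICE_RE.search(line)
        if m:
            services.append(m.group("name"))
    return {"moved": moved, "services": services}


def parse_catchme_log(text: str) -> List[str]:
    """Return the files catchme reports as replaced (its own quarantine step)."""
    return [m.group("path") for m in REPLACED_RE.finditer(text)]


def original_path(quarantine_path: str) -> str:
    """Map a .vir file under the quarantine root back to its original path."""
    if not quarantine_path.lower().startswith(QUARANTINE_ROOT.lower()):
        raise ValueError(f"not under {QUARANTINE_ROOT}: {quarantine_path}")
    rel = quarantine_path[len(QUARANTINE_ROOT):]
    if rel.lower().endswith(".vir"):
        rel = rel[:-4]
    return "C:" + rel


def boot_critical_hits(paths: List[str]) -> List[str]:
    """Basenames of touched files that are in the assumed boot-critical set."""
    hits = set()
    for p in paths:
        base = p.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in BOOT_CRITICAL:
            hits.add(base)
    return sorted(hits)


def assess(log_a: str, catchme: str) -> Dict[str, object]:
    """Summarise everything the run touched and whether a boot driver is among it."""
    info = parse_combofix_log(log_a)
    touched: List[str] = []
    for p in [src for src, _ in info["moved"]] + parse_catchme_log(catchme):
        if p not in touched:          # catchme and ComboFix may name the same file
            touched.append(p)
    return {
        "quarantined": touched,
        "services": info["services"],
        "restore_from": [dst for _, dst in info["moved"]],
        "boot_critical": boot_critical_hits(touched),
    }


if __name__ == "__main__":
    for label, log in (("thread", THREAD_LOG_A), ("hypothetical", HYPOTHETICAL_LOG_A)):
        r = assess(log, THREAD_CATCHME if label == "thread" else "")
        print(label, r)
        for q in r["restore_from"]:
            print("  copy", q, "->", original_path(q))
```

Run against the thread's own log the script reports one quarantined driver (jeddyf.sys), one service key (vkquwexg) and no boot-critical hit, so the posted log alone does not show iastor.sys being removed. A file-name match is only half the check: whether the miniport is still set to load is decided by the Start value under its Services key in the SYSTEM hive, which is what the erdnt\hiv-backup restore attempted earlier in the thread puts back.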
 
Hi jezzzzy.
That error can be caused by a lot of things, from what I know.

One last question. Would a repair installation help?
You can try that if you wish, but if you reformat, your system will be clean, so there is no need to come back and start another thread.
Personally, I think that's your best course of action, but the decision is yours.
 
There is much data on this computer that I do not want to lose.

Another ms technote says this:

"If the System hive in the Windows XP registry is corrupted, Windows XP may not be able to load the miniport device driver that the boot controller requires. To resolve this issue, restore a registry backup."

The only reason I think that the controller is missing is because I had to load a specific RAID controller to get recovery console to recognize my drive.

Is it possible that ComboFix changed the registry so that the required miniport driver is not loaded? How would I restore the registry to the day before combofix?
 