1.1K Posts

March 12th, 2011 23:00

Hello Phil and welcome,

I'm kevinf80 and I will be helping with any malware issues you may have with your system.

  • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
  • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
  • Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
  • Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
  • If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.
  • If you have any P2P applications installed such as BitTorrent, uTorrent, Limewire etc., please uninstall them before we begin.
  • If you are using Cracked or Illegal software your thread will be locked and all help will cease.



Please proceed as follows :-

Step 1

Please download this program Blue Screen Viewer and unzip "Bluescreen View.exe" to your desktop.
Next, Right click on "Computer" and select "Properties" > select "Advanced System Settings" > select "Advanced Tab." From the "Start up and Recovery" section > select "settings" make sure the default folder is "%SystemRoot%\Minidump".
Go back to your desktop and double click on Bluescreen Viewer to run it, if there is any info available the program will grab the most recent. Choose save from the Toolbar and copy paste to your next reply. If there is no information available try and re-create the BSOD and try again with the tool to collect the information.

Step 2

Download TFC to your desktop from either of the following links:
Link 1
Link 2

  • Make sure any open work is saved. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.


TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Step 3

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.



Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Post the logs from Blue Screen Viewer and Malwarebytes in your next reply. Also, what is this program IVONA ControlCenter? Did you install it? What does it do?

Kevin

29 Posts

March 13th, 2011 14:00

Hi Kevin

Many thanks for offering to help, I will follow your instructions closely but please let me know if I have not supplied the correct information.

1 Blue screen viewer:

This is the log generated, there were four events in total:

==================================================
Dump File         : 030311-29858-01.dmp
Crash Time        : 03/03/2011 23:16:46
Bug Check String  : SYSTEM_SERVICE_EXCEPTION
Bug Check Code    : 0x0000003b
Parameter 1       : 00000000`c0000005
Parameter 2       : fffff800`0329d46c
Parameter 3       : fffff880`02c33030
Parameter 4       : 00000000`00000000
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+80640
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Processor         : x64
Computer Name     :
Full Path         : C:\Windows\Minidump\030311-29858-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 275,104
==================================================

==================================================
Dump File         : 101610-15116-01.dmp
Crash Time        : 16/10/2010 16:12:43
Bug Check String  : BAD_POOL_HEADER
Bug Check Code    : 0x00000019
Parameter 1       : 00000000`00000003
Parameter 2       : fffffa80`051b1b90
Parameter 3       : 00000000`004123a8
Parameter 4       : 00000000`01010066
Caused By Driver  : mfehidk.sys
Caused By Address : mfehidk.sys+42ffc
File Description  :
Product Name      :
Company           :
File Version      :
Processor         : x64
Computer Name     :
Full Path         : C:\Windows\Minidump\101610-15116-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 7600
Dump File Size    : 275,048
==================================================

==================================================
Dump File         : 101610-15553-01.dmp
Crash Time        : 16/10/2010 09:39:52
Bug Check String  : SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Bug Check Code    : 0x1000007e
Parameter 1       : ffffffff`c0000005
Parameter 2       : fffff800`032ee4a1
Parameter 3       : fffff880`02fbd5c8
Parameter 4       : fffff880`02fbce30
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+a34a1
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Processor         : x64
Computer Name     :
Full Path         : C:\Windows\Minidump\101610-15553-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 7600
Dump File Size    : 275,048
==================================================

==================================================
Dump File         : 101110-17269-01.dmp
Crash Time        : 11/10/2010 00:28:19
Bug Check String  : MEMORY_MANAGEMENT
Bug Check Code    : 0x0000001a
Parameter 1       : 00000000`00001236
Parameter 2       : fffffa80`051b1b40
Parameter 3       : fffffa80`051b1c30
Parameter 4       : 00000000`0009c8d8
Caused By Driver  : rdyboost.sys
Caused By Address : rdyboost.sys+4f42
File Description  :
Product Name      :
Company           :
File Version      :
Processor         : x64
Computer Name     :
Full Path         : C:\Windows\Minidump\101110-17269-01.dmp
Processors Count  : 4
Major Version     : 15
Minor Version     : 7600
Dump File Size    : 275,048
==================================================

2 TFC

This ran successfully and I had to reboot upon completion.

 

3 Malwarebytes

This also ran ok and did not find anything suspicious. Here is the log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6044

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

13/03/2011 20:34:51
mbam-log-2011-03-13 (20-34-51).txt

Scan type: Quick scan
Objects scanned: 163580
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

4 Ivona Control Center

This is a program my son uses (graphic design student), it converts a written script into an audio script and you can choose a selection of different voices to read it. I think it was a free trial which has now expired.

 

Regards


Phil Handley
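As an added example that is not part of the thread, a small Python parser for the BlueScreenView report format posted above: it groups crashes by bug check and blamed driver, and separates out records where the blame lands on ntoskrnl.exe, which in practice means the tool could not identify the real faulting module. The sample text is constructed from two of the records above, trimmed to the fields the code uses.

```python
import re
from collections import Counter

# Constructed sample in BlueScreenView's saved-report layout, trimmed to the
# fields this example uses (values taken from the records posted above).
SAMPLE = """\
==================================================
Dump File         : 030311-29858-01.dmp
Bug Check String  : SYSTEM_SERVICE_EXCEPTION
Bug Check Code    : 0x0000003b
Caused By Driver  : ntoskrnl.exe
==================================================

==================================================
Dump File         : 101610-15116-01.dmp
Bug Check String  : BAD_POOL_HEADER
Bug Check Code    : 0x00000019
Caused By Driver  : mfehidk.sys
==================================================
"""

# When the tool cannot pin a crash on a loaded third-party module it falls
# back to blaming the kernel itself; treat those records as "unattributed".
GENERIC_MODULES = {"ntoskrnl.exe", "ntkrnlpa.exe", "hal.dll"}


def parse_records(text):
    """Split a saved BlueScreenView report into one dict of fields per minidump."""
    records = []
    for block in re.split(r"^=+[ \t]*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")   # first colon separates name/value
            if sep and key.strip():
                fields[key.strip()] = value.strip()
        if "Dump File" in fields:                   # ignore the empty gaps between records
            records.append(fields)
    return records


def triage(records):
    """Count bug checks and blamed drivers; list dumps whose only blame is the kernel."""
    bugchecks = Counter(r.get("Bug Check String", "?") for r in records)
    blamed = [r.get("Caused By Driver", "").lower() for r in records]
    drivers = Counter(d for d in blamed if d and d not in GENERIC_MODULES)
    unattributed = [r["Dump File"] for r, d in zip(records, blamed) if d in GENERIC_MODULES]
    return {"bugchecks": bugchecks, "drivers": drivers, "unattributed": unattributed}
```

Several different memory-related bug checks blamed on unrelated modules over months, as in the four records above, is as consistent with faulty RAM or a flaky driver as with malware, so the unattributed list is a prompt for a memory test, not a verdict.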

1.1K Posts

March 13th, 2011 15:00

Hiya Phil,

Nothing conclusive from that information. OK, let's run chkdsk and see if it shows anything untoward. As follows please....

Go start > all programs > accessories > right click command prompt and select "Run as Administrator", accept any alerts.

Type this at the prompt chkdsk /r and tap Enter.
Note the space between the "chkdsk" and the "/r". You will get a message that the drive cannot be locked, but that the command can be scheduled to run at the next boot. Type Y and then tap Enter again. You will get a message that chkdsk has been scheduled to run on the next boot. Then reboot.

chkdsk will run during the boot, and it will take quite a bit of time, particularly if your boot partition is large. What the /r flag does is force chkdsk to run an expanded version of chkdsk that has 5 tests. The last two will check the drive for file/folder/free space errors and also fix related MFT errors if there are any.

You can retrieve the log as follows:

Select the Windows Key plus R Key together and type eventvwr.msc into the open box and hit enter.
When Event Viewer opens, click on "Application", then scroll down to "Winlogon" and double-click on it to open it up. This is the log created after running chkdsk. Click on the icon that looks like two pieces of paper to copy it and then paste it here please.

One other point, if you no longer use Ivona Control Center I'd uninstall it...

Kevin

29 Posts

March 14th, 2011 17:00

Hi Kevin

It took a long time to complete the chkdsk /r but now I cannot find the log.

In event viewer I have Applications and Services Logs - Microsoft - Windows - Winlogon - Operational

Operational has the icon you describe but the log appears to be empty.

Am I looking in the right place?

Phil

Have removed the Ivona Control Center program also.

1.1K Posts

March 15th, 2011 02:00

Hiya Phil,

Try the following:

Event Viewer > Windows Logs > Application

Sort by 'Source' and look for 'Chkdsk' as the source. The Event Viewer will list each scan. Click on the desired scan to view both system-event information and scan results in the preview pane; if you don't see a preview pane, you can turn it on in the 'View' menu or simply double-click the log entry to open it in a separate window.

You can save it as a text file by clicking the 'Save Selected Events...' action button in the action panel. Then, give the text file a name and use the 'Save as type:' menu to choose 'Text (tab-delimited) (*.txt)'

 

Kevin

29 Posts

March 15th, 2011 16:00

Hi Kevin

Had to do a search in the end but managed to find the right file.

Should be attached...

Phil

1 Attachment

1.1K Posts

March 15th, 2011 18:00

Hiya Phil,

 

Thanks for the log, nothing bad found. OK, let's have a direct look at your system with one of the big guns, if this issue is malware related we should find it with this tool....

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

Combofix

Don't forget Combofix must be saved to your desktop, do not save to or run from anywhere else. <--Very important

Before saving Combofix to the Desktop, re-name it to Gotcha.exe (the original post shows a screenshot of this step).

Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

Disable realtime protection

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Let me see the log in next reply please,

 

Kevin

29 Posts

March 16th, 2011 17:00

Hi Kevin

Latest log attached from ComboFix.

Should I delete these various 'fix' programs after running the tests or keep them for now?

Phil

1 Attachment

1.1K Posts

March 17th, 2011 01:00

Leave tools in place for now. How is your system running since running Combofix...

29 Posts

March 17th, 2011 16:00

Hi Kevin

Had a crash/restart this evening when playing music via Windows Media Player; not sure where to look for the log though.

Phil

 

1.1K Posts

March 17th, 2011 18:00

Hiya Phil,

Run Blue Screen Viewer again and post the log please, also run the following online AV scan :-

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  • Click the [button image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on [button image] to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the [button image] icon on your desktop.

  • Check [button image]
  • Click the [button image] button.
  • Accept any security warnings from your browser.
  • Check [button image]
  • Leave the tick out of remove found threats
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [button image]
  • Push [button image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [button image] button.
  • Push [button image]

You can refer to this animation by neomage if needed.
Frequently asked questions available Here. Please read them before running the scan.

Also be aware this scan can take between one and several hours to complete depending on the size of your system.

Post the two logs in next reply please,

Kevin

29 Posts

March 18th, 2011 18:00

and the second attachment...

1 Attachment

29 Posts

March 18th, 2011 18:00

hi Kevin

Latest log reports attached for Blue Screen Viewer and ESET Scan.

Phil

1 Attachment

1.1K Posts

March 19th, 2011 02:00

Hiya Phil,

Did ESET not give any more information? When it flags an entry it always gives a reason, either the name of the infection or some other reason!!

Run this scan and let me see the log please :-

Download CKScanner from here

Important : Save it to your desktop.

  • Double-click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Kevin

29 Posts

March 19th, 2011 05:00

And here is the result from ckscanner:

 

CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files (x86)\scope\data\crypt.dll
scanner sequence 3.AP.11
 ----- EOF -----

 

 

Phil
