
BSOD ntoskrnl.exe [Solved]

#16 BWhite50 (Topic Starter, 25 posts)

10-4.

Avast is back on and running with real time shield, I have Spybot running as well. Should I be running Malwarebytes in the background as well?

In control panel, only "network firewall" is showing up under the security tab and is "turned off or set up incorrectly". When I click "turn it on now" (with admin shield), I get an error message that says "action center can't turn on windows firewall" with a link that says "turn on windows firewall manually". When I click that it takes me to:

Control Panel>System and Security>Windows Firewall

The red box says "update your firewall settings" and when I click "use recommended settings" (with admin shield), I get an error message that says "windows firewall can't change some of your settings. Error code 0x80070424".


#17 CompCav (Expert, 12,454 posts)

Please disable Teatimer in SpyBot (directions in previous post) and leave it disabled until we complete the cleaning process. You can run MalwareBytes' in the background if you want. If you are behind a router you have some firewall protection, if you are not then please limit your online activity until we get it fixed.

I am preparing the next fix for you now and will have it ready for my instructor to review tomorrow when he logs on. I will post the log sometime in the early afternoon tomorrow US Central time.

Have a pleasant evening and I will hook up with you tomorrow!

CompCav

#18 BWhite50 (Topic Starter, 25 posts)

Done and done. I'm wireless on all my computers but I'll keep this one in the corner until you give me the green light. I can't thank you enough for the help. Just the fact that it hasn't restarted itself is a HUGE step forward!

I'll look for an update tomorrow afternoon. Take care.

#19 CompCav (Expert, 12,454 posts)

Step 1.

VirusTotal File Scan

Please go to: VirusTotal

Click the Choose File button and search for the following file: C:\windows\SysWOW64\DllHost.exe
Click Open
Then click Send File


If it says already scanned -- click "reanalyze now"

Please be patient while the file is scanned.
Once the scan results appear, please click on the Compact button.
A new window should appear with a bunch of tabs at the top. Please click on the BBCode tab.
Copy and Paste the contents of the text in the BBCode into your next reply for me to review.


Please post the results in your next reply


Step 2.

Double Click MalwareBytes' to run the application.

  • Click the Update tab and click Check for Updates
  • If an update is found, it will download and install the latest version.
  • Click the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Step 3.

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Vista / 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

Please go here then click on: Posted Image

If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the following instructions work with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow Add-On/Active X to install.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


Step 4.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Step 5.

Please post:

VirusTotal results
MalwareBytes' log
eset log
FSS.txt


Also give me an update on the issues remaining with your computer.

#20 BWhite50 (Topic Starter, 25 posts)

Step 1: after I choose the .dll file and hit "scan it", it comes up with the reanalyze message and I click that. It runs the report but there is no compact button, no tabs etc.; it just takes me to what looks like a generic page...however the "detection ratio" is printed in green and says "0/43". There's also this information:

SHA256: f7ad4b09afb301ce46df695b22114331a57d52e6d4163ff74787bf68ccf44c78
SHA1: ace762c51db1908c858c898d7e0f9b36f788d2d9
MD5: a63dc5c2ea944e6657203e0c8edeaf61

I'm holding off on the next steps until you give me the green light.

#21 CompCav (Expert, 12,454 posts)

Green light go! :thumbsup:

#22 Macboatmaster (Member, 7,237 posts)

CompCav

Hope you do not mind the interjection.


BWhite50

I am not online tomorrow and this is looking good. I know zero about Malware analysis and removal.
I just wanted to say how pleased I am that it appears as though this may all work out well.
It was my pleasure to help you, before it seemed to me wise to refer you to the EXPERTS here.
Good Luck.
Macboatmaster.

#23 CompCav (Expert, 12,454 posts)

Thanks for your support Macboatmaster, it is always appreciated.

Please have a pleasant and well deserved day off.

CompCav

#24 BWhite50 (Topic Starter, 25 posts)

The only issue I'm aware of at this time is the fact that I don't have the Windows Defender w/ firewall anywhere to be found...

VirusTotal results (above)

MalwareBytes' log

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.03.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
White's :: THEWHITES [administrator]

2/3/2012 5:16:28 PM
mbam-log-2012-02-03 (17-16-28).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 185057
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


eset log

C:\ProgramData\Microsoft\Windows\DRM\AFB2.tmp Win64/Olmarik.AD trojan cleaned by deleting - quarantined
C:\ProgramData\Microsoft\Windows\DRM\AFC3.tmp Win64/Olmarik.AD trojan cleaned by deleting - quarantined
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgp1.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgp2.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\White's\AppData\Roaming\Mozilla\Firefox\Profiles\mhtbcsv0.default\extensions\{c61fb20d-4233-4a51-ac54-7aa0aff2dd9f}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\02.02.2012_19.54.47\mbr0000\tdlfs0000\tsk0000.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\02.02.2012_19.54.47\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AD trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\02.02.2012_19.54.47\mbr0000\tdlfs0000\tsk0002.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\02.02.2012_19.54.47\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AC trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\02.02.2012_19.54.47\mbr0000\tdlfs0000\tsk0007.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\02.02.2012_19.54.47\mbr0000\tdlfs0000\tsk0008.dta Win64/Olmarik.X trojan cleaned by deleting - quarantined
C:\Users\White's\Desktop\cnet2_dopdf-7_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Users\White's\Desktop\Stuff\Setup_FreeFlvConverter.exe Win32/Adware.Toolbar.Dealio application deleted - quarantined
C:\Users\White's\Desktop\Stuff\Setup_MoviesToDVD.exe Win32/Adware.Toolbar.Dealio application deleted - quarantined


FSS.txt

Farbar Service Scanner Version: 02-02-2012
Ran by White's (administrator) on 03-02-2012 at 23:42:08
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****



#25 BWhite50 (Topic Starter, 25 posts)

I overlooked the posts above. Again I can't thank both of you enough for the help! I honestly wouldn't have known where to start! Thanks a ton :thumbsup:


#26 CompCav (Expert, 12,454 posts)

I am preparing the next fix for you now and will have it ready for my instructor to review tomorrow when he logs on. I will post the log sometime tomorrow morning US Central time.

We will focus on getting your firewall fixed tomorrow.

Sleep well,

CompCav

#27 CompCav (Expert, 12,454 posts)

Step 1.

Download the registry file and save it on your desktop:

http://www.mediafire...z6aw8j7997qa7j9

Once the file is downloaded if it has a .txt on the end, right click it and select rename and name it firewall.reg

Right click Firewall.reg select Merge and OK the merge.

Restart your PC


Step 2.

Now, open RUN again and type services.msc in the dialog box and click OK

Next look in the services for Windows Firewall

Make sure it is set to Startup type: Automatic. If it is not, select Automatic.

Now look at Service status: Started. If it is not, select Start.

Then click OK


Now check to see that Windows Firewall is on and working.


Step 3.

Finally, please re-run Farbar Service Scanner.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Step 4.


Then post FSS.txt and tell me what is not working.

#28 BWhite50 (Topic Starter, 25 posts)

After I rename firewall.reg and right click, there is no option for merge.

I have:

Open
Print
Edit
Scan with Avast
Open with
share with
add to archive (winrar)
add to firewall.reg.rar (winrar)
compress and email
compress firewall.reg.rar and email
add to Vaio gate
scan with malwarebytes
restore previous versions
send to
cut
copy
create shortcut
delete
rename
properties

I'm thinking "add to vaio gate"?

#29 CompCav (Expert, 12,454 posts)

Let's make sure your settings for file renaming are correct.


Click Start >> Computer >> Organize (Top left) >> Folder and search options

Click the View Tab

Under Hidden files and folders, place the Dot next to Show hidden files, folders, and drives

Go down a little further in the list and Uncheck Hide extensions for known file types

Now click Apply and finally click OK

Close the Computer window and look at the file now on your desktop.

Now rename it to firewall.reg and you will be ready to right click it and Merge
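As an added example (not from this thread, from Farbar, or from Microsoft), here is a PowerShell script that re-checks the two things the posts above turned on: the Windows Firewall service configuration that FSS reported (MpsSvc key present, start types, ServiceDll, running state) and the Explorer setting that hid the .txt extension on the downloaded .reg file. The expected start types and ServiceDll names are assumed Windows 7 defaults.

```powershell
# Added example: re-check the service configuration FSS reported and the Explorer
# extension-hiding setting from this thread. Not from the thread or from Farbar.
# Start values under HKLM\SYSTEM\CurrentControlSet\Services: 2 = Automatic, 3 = Manual, 4 = Disabled.
function Describe-Start($value) {
    switch ([int]$value) { 2 { 'Automatic' } 3 { 'Manual' } 4 { 'Disabled' } default { "value $value" } }
}

# Expected configuration, assumed to be the Windows 7 defaults for these entries.
# IsDriver marks kernel drivers, whose state is read from Win32_SystemDriver rather than Get-Service.
$expected = @(
    @{ Name = 'MpsSvc'; Start = 2; Dll = 'mpssvc.dll'; IsDriver = $false }  # Windows Firewall service
    @{ Name = 'BFE';    Start = 2; Dll = 'bfe.dll';    IsDriver = $false }  # Base Filtering Engine, MpsSvc depends on it
    @{ Name = 'mpsdrv'; Start = 3; Dll = $null;        IsDriver = $true  }  # Windows Firewall Authorization Driver
    @{ Name = 'BITS';   Start = 2; Dll = 'qmgr.dll';   IsDriver = $false }  # FSS noted the default is Auto
)

$findings = @()
foreach ($e in $expected) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($e.Name)"
    if (-not (Test-Path $key)) {
        # The condition FSS reported as "Unable to open MpsSvc registry key. The service key does not exist."
        $findings += "$($e.Name): service registry key missing ($key)"
        continue
    }
    $props = Get-ItemProperty -Path $key
    if ([int]$props.Start -ne $e.Start) {
        $findings += "$($e.Name): start type is $(Describe-Start $props.Start), expected $(Describe-Start $e.Start)"
    }
    if ($e.Dll) {
        # Services hosted by svchost.exe load the DLL named in Parameters\ServiceDll.
        $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll -or $dll -notlike "*\$($e.Dll)") {
            $findings += "$($e.Name): ServiceDll is '$dll', expected a path ending in \$($e.Dll)"
        }
    }
    $state = if ($e.IsDriver) { (Get-WmiObject Win32_SystemDriver -Filter "Name='$($e.Name)'").State } else {
        (Get-Service -Name $e.Name -ErrorAction SilentlyContinue).Status
    }
    if ("$state" -ne 'Running') { $findings += "$($e.Name): not running (state: $state)" }
}

# The renamed file stayed firewall.reg.txt because Explorer hid known extensions (HideFileExt = 1).
$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if ($adv.HideFileExt -eq 1) {
    $findings += 'Explorer hides known file extensions; a file shown as firewall.reg may really be firewall.reg.txt'
}

if ($findings.Count -eq 0) { 'No findings: firewall services and Explorer settings match the expected configuration.' }
else { $findings }
```

A missing MpsSvc key shows up as the first finding, which is what the merged registry file in Step 1 of post #27 was meant to repair; the BITS line will still appear while that service is stopped, as in both FSS logs.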

#30 BWhite50 (Topic Starter, 25 posts)

Everything seems to be working...did the firewall installation include the "windows defender" application you mentioned earlier?

FSS Bar

Farbar Service Scanner Version: 02-02-2012
Ran by White's (administrator) on 04-02-2012 at 12:24:13
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

