Blue Screen Error

[cleary71]

Jacee, the scan came back clean. Here is the log . . .


Malwarebytes' Anti-Malware 1.46
Malwarebytes

Database version: 4494

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18943

8/28/2010 12:59:02 PM
mbam-log-2010-08-28 (12-59-02).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 292855
Time elapsed: 45 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

[richc46]

After you are clean, the BSODs should be gone and no more virus.

 

[Jacee]

Looks good!

 

[niemiro]

Hello,

If you still have problems, we could scan that winspoole.exe file. It does seem very odd that it produces no hits on Google. Since we don't know where it is, we need to search for it. Here is how I am going to search for it:

STEP ONE:

OTL - Download or alternative link here and here

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Under the Custom Scan box paste this in

C:\|winspoole;true;true;true /FP
C:\|NTDOSDF412;true;true;true /FP

• Click the None button, followed by Scan. The scan wont take long.
  • When the scan completes, it will open OTL.Txt.This is saved in the same location as OTL.

This log should be fairly easy to understand. Ignore the top section. What I need you to find out is the directory (folder) that winspoole.exe and NTDOSDF412.SYS are saved to.

For example, if the scan has at the bottom:


< C:\|winspoole;true;true;true /FP >
[2010/08/13 18:33:22 | 000,000,229 | ---- | M] () -- C:\Windows\System32\winspoole.exe


< C:\|NTDOSDF412;true;true;true /FP >
[2010/08/13 18:33:22 | 000,000,229 | ---- | M] () -- C:\Windows\System32\Drivers\\NTDOSDF412.SYS

Then the directory of winspoole.exe would be C:\Windows\System32 and the directory of NTDOSDF412.SYS would be C:\Windows\System32\Drivers

NOTE: You will almost certainly get two different directories. Please keep a note of which file is in which directory.

Please note these down. If you cannot understand this, please just copy and paste the entire log into your next response, and ignore the rest of this post.


STEP TWO:

If you have found out where winspoole.exe and NTDOSDF412.SYS are located.

• I now need you to go to VirusTotal
• Please navigate to the directory you just found, and then select winspoole.exe.
• If it says that the file has already been analysed, click on Reanalyse.
• A log will be produced. Please post it in your next reply.

• Now please go back to VirusTotal
• Please navigate to the second directory, and select NTDOSDF412.SYS
• If it says that the file has already been analysed, click on Reanalyse.
• A log will be produced. Please post it in your next reply. Please remember to post both logs!

Thanks!

Richard

 

[richc46]

Just as a further note. Something has to be done about that driver. In everyone of your dump reports it was shown as the cause. If it is found not to be a virus, we may just have to disable it.

 

[Jacee]

I can find nothing on Google about this NTDOSDF412.SYS ( NTDOSDF412+118b )
It just leads back to this topic

 

[niemiro]

I can find nothing on Google about this NTDOSDF412.SYS ( NTDOSDF412+118b )
It just leads back to this topic

Added it in to confuse the OP more! Maybe, just maybe this infection is more than MyWebSearch!

 

[cleary71]

Niemiro - I am still having problems, so I will try your suggestion.

Rich - Should I delete the NTDOSDF412.SYS driver or just disable it?

Thanks to all once again!!

 

[richc46]

My primary concern about that driver is two fold. It appears that it was the cause of all the BSODs, so some sort of action should be taken
No one is having success at determining the function. Its name as shown on the report does not yield any result in Google or any other search engine. This being said, I really do not know its function

Lets try this: Go to search type cmd. In cmd type driverquery. Tell me everything that shows about the driver, especially correct spelling and date.

Do your results agree with this
NTDOSDF412.SYS Mon Jan 12 08:26:00 2009

When did you buy the computer with the OS, preinstalled?

If you bought it prior to the date above, we can probably safely delete, making a system resore point first. If you can wait, however, I would suggest that we delay until all the malware reports are examined, to make sure that deletion is the best course of action if this turns out to be malware.

 

[cleary71]

Here you go Rich . . . .

 

[cleary71]

Niemiro - Whenever I try and run the OTL it keeps giving me the error OTL has stopped working, pretty much right after I try and run it. I have tried to run it from the link and mirror sites and both have given me the same error.

 

[richc46]

Interesting, does not show up as a driver.

Boot computer, then on the bottom task bar, right click. Go to task manager and then process, does it show up there?

 

[richc46]

Niemiro
It does not show up as a driver, see last few posts, above.

 

[cleary71]

Rich,
I bought the computer in December of 2008. I see nothing under processes or services that resemble NTDOSDF412.

 

[richc46]

This is a problem for the malware team, working on this already. It does not show up as a process or a driver. This is most certainly malware. If you delete it, you may be deleting only the tip of the iceberg and the real problem remains hidden. Wait for Rich
(Niemiro), he would know best in this area. I will contact Jacee, again, too.
I know that you are frustrated, but you have 3 people on your side that will not let you down, please just be patient.

 

[cleary71]

I appreciate everyone's time and effort that is being put into this. If worse comes to worse we can always reformat if that is the only way to get rid of this bugger. I am certainly patient, so whatever anyone needs me to do and however long it takes is okay by me. Thanks once again!!

 

[richc46]

Do you have Vista install DVD? If so, the problem is annoying but can definately be solved.

 

[cleary71]

Yes, I have all the discs that came with the computer.

 

[Jacee]

Let's see what DDS can provide

Download DDS from one of these links:
Mirror 1 Mirror 2 Mirror 3

• Disable any script blocking protection
• Double click the dds icon to run the tool.
• When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt <--- this will be minimized in the task tray
• Save both reports to your desktop.

Include the contents of both logs in your next reply.

 

[niemiro]

Hello again!

Please follow the DDS instructions above first. If it cannot produce a log for any reason, please follow the below instructions:

If GMER produces a log, then ignore the RootRepeal section of this post. If GMER creates a BlueScreen of its own, and does not produce a log, do not try GMER again, but move onto RootRepeal. Post whichever log.

GMER Rootkit Scanner - Download here or here - Homepage
Why? Rootkits can generally be removed effectively, but they need to be removed before other malware can be cleaned, and they sometimes interfere with some of the tools we use. If you start a new topic, please include the GMER log as an initial check for the presence of rootkits:

• Extract the contents of the zipped file to desktop.
• Double click GMER.exe.
  
  
• If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
• In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
    
    Click the image to enlarge it
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
• Save the log where you can easily find it, such as your desktop.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Please copy and paste the report into your Post.






---------------
Scan speech
---------------

Download RootRepeal from one of the following locations and save it to your desktop:

• Link 1
  Link 2
  Link 3

• Double click
  
  to start the program
• Click on the Report tab at the bottom of the program window
• Click the
  
  button
• In the Select Scan dialog, check:
  • 
    [*]Drivers
    [*]Files
    [*]Processes
    [*]SSDT
    [*]Stealth Objects
    [*]Hidden Services
    [*]Shadow SSDT
• Click the OK button
• In the next dialog, select all drives showing
• Click OK to start the scan
  Note: The scan can take some time. DO NOT run any other programs while the scan is running​
• When the scan is complete, click the
  
  button and save the report to your Desktop as RootRepeal.txt
• Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on
  
  to insert the attachment into your post