blacole virus or the like

Fiery

Level 1
Jan 11, 2011
2,007
Sorry for the delay, I have been busy.

Download WhoCrashed from this link
This program checks for any drivers which may have been causing your computer to crash.

Click on the file you just downloaded and run it.
  • Put a tick in Accept then click on Next
  • Put a tick in the Don't create a start menu folder then click Next
  • Put a tick in Create a Desktop Icon then click on Install and make sure there is a tick in Launch Whocrashed before clicking Finish
  • Click Analyze
  • It will want to download the Debugger and install it. Say Yes.

WhoCrashed will create a report, but you have to scroll down to see it.
Copy and paste it into your next reply.
 

phreaknes

New Member
Thread author
Verified
Mar 20, 2013
24
Fiery said:
Sorry for the delay, I have been busy.

Download WhoCrashed from this link
This program checks for any drivers which may have been causing your computer to crash.

.....

Crash Dump Analysis
--------------------------------------------------------------------------------

Crash dump directory: C:\Windows\Minidump

Crash dumps are enabled on your computer.

On Mon 3/25/2013 12:42:14 AM GMT your computer crashed
crash dump file: C:\Windows\Minidump\032413-9048-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x7EFC0)
Bugcheck code: 0xF4 (0x3, 0xFFFFFA800ABD7060, 0xFFFFFA800ABD7340, 0xFFFFF800037C8460)
Error: CRITICAL_OBJECT_TERMINATION
file path: C:\Windows\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: This indicates that a process or thread crucial to system operation has unexpectedly exited or been terminated.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem. This problem might be caused by a thermal issue.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.



On Thu 3/21/2013 9:21:58 PM GMT your computer crashed
crash dump file: C:\Windows\Minidump\032113-7878-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x7EFC0)
Bugcheck code: 0xF4 (0x3, 0xFFFFFA800BB3E6F0, 0xFFFFFA800BB3E9D0, 0xFFFFF80003789460)
Error: CRITICAL_OBJECT_TERMINATION
file path: C:\Windows\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: This indicates that a process or thread crucial to system operation has unexpectedly exited or been terminated.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem. This problem might be caused by a thermal issue.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.



On Wed 3/20/2013 7:51:24 AM GMT your computer crashed
crash dump file: C:\Windows\Minidump\032013-9765-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x7EFC0)
Bugcheck code: 0xF4 (0x3, 0xFFFFFA800B111B30, 0xFFFFFA800B111E10, 0xFFFFF800037DB460)
Error: CRITICAL_OBJECT_TERMINATION
file path: C:\Windows\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: This indicates that a process or thread crucial to system operation has unexpectedly exited or been terminated.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem. This problem might be caused by a thermal issue.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.



On Tue 3/19/2013 7:47:23 PM GMT your computer crashed
crash dump file: C:\Windows\Minidump\031913-11934-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x7EFC0)
Bugcheck code: 0xF4 (0x3, 0xFFFFFA800B20A6F0, 0xFFFFFA800B20A9D0, 0xFFFFF8000378C460)
Error: CRITICAL_OBJECT_TERMINATION
file path: C:\Windows\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: This indicates that a process or thread crucial to system operation has unexpectedly exited or been terminated.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem. This problem might be caused by a thermal issue.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.



On Tue 3/19/2013 6:32:51 PM GMT your computer crashed
crash dump file: C:\Windows\Minidump\031913-8814-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x7EFC0)
Bugcheck code: 0xF4 (0x3, 0xFFFFFA800B947060, 0xFFFFFA800B947340, 0xFFFFF80003782460)
Error: CRITICAL_OBJECT_TERMINATION
file path: C:\Windows\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: This indicates that a process or thread crucial to system operation has unexpectedly exited or been terminated.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem. This problem might be caused by a thermal issue.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.



On Thu 3/14/2013 6:41:12 AM GMT your computer crashed
crash dump file: C:\Windows\Minidump\031413-9703-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x7EF90)
Bugcheck code: 0x1E (0x0, 0x0, 0x0, 0x0)
Error: KMODE_EXCEPTION_NOT_HANDLED
file path: C:\Windows\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: This indicates that a kernel-mode program generated an exception which the error handler did not catch.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.
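The WhoCrashed entries above repeat two patterns (0xF4 CRITICAL_OBJECT_TERMINATION with parameter 1 = 0x3 and the same nt+0x7EFC0 offset, and one 0x1E), which is what a responder groups and compares across dumps. As an added example, not part of the thread and not WhoCrashed's own code, this Python parses entries in that report layout (sample built from two of the entries quoted above) and summarizes them; the meaning of parameter 1 = 0x3 follows Microsoft's documentation of bug check 0xF4.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in WhoCrashed's report layout, built from two of the
# entries quoted in the thread (not the full report).
SAMPLE_REPORT = r"""
On Mon 3/25/2013 12:42:14 AM GMT your computer crashed
crash dump file: C:\Windows\Minidump\032413-9048-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x7EFC0)
Bugcheck code: 0xF4 (0x3, 0xFFFFFA800ABD7060, 0xFFFFFA800ABD7340, 0xFFFFF800037C8460)
Error: CRITICAL_OBJECT_TERMINATION

On Thu 3/14/2013 6:41:12 AM GMT your computer crashed
crash dump file: C:\Windows\Minidump\031413-9703-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x7EF90)
Bugcheck code: 0x1E (0x0, 0x0, 0x0, 0x0)
Error: KMODE_EXCEPTION_NOT_HANDLED
"""

# One crash entry: the five header lines WhoCrashed prints per dump.
ENTRY_RE = re.compile(
    r"On (?P<when>.+?) your computer crashed\n"
    r"crash dump file: (?P<dump>.+)\n"
    r"This was probably caused by the following module: (?P<module>\S+) \((?P<symbol>[^)]+)\)\n"
    r"Bugcheck code: (?P<code>0x[0-9A-Fa-f]+) \((?P<params>[^)]*)\)\n"
    r"Error: (?P<error>\S+)"
)

def parse_report(text):
    """Return one dict per crash entry, with numeric bugcheck code and params."""
    crashes = []
    for m in ENTRY_RE.finditer(text):
        crashes.append({
            "when": m["when"],
            "dump": m["dump"],
            "module": m["module"],
            "symbol": m["symbol"],
            "code": int(m["code"], 16),
            "params": [int(p.strip(), 16) for p in m["params"].split(",")],
            "error": m["error"],
        })
    return crashes

def summarize(crashes):
    """Group crashes the way a responder reads them: by error and faulting symbol."""
    symbols = defaultdict(set)
    for c in crashes:
        symbols[c["error"]].add(c["symbol"])
    return {
        "total": len(crashes),
        "by_error": dict(Counter(c["error"] for c in crashes)),
        "symbols_by_error": {k: sorted(v) for k, v in symbols.items()},
        # Bug check 0xF4: parameter 1 == 0x3 means a critical process exited (0x6: a thread).
        "f4_process_terminations": sum(
            1 for c in crashes if c["code"] == 0xF4 and c["params"][0] == 0x3),
        # Every dump blaming ntoskrnl.exe usually means the real culprit driver was not
        # identified, which is what the report's own wording says.
        "all_blame_kernel": all(c["module"].lower() == "ntoskrnl.exe" for c in crashes),
    }
```

Running `summarize(parse_report(SAMPLE_REPORT))` on a full WhoCrashed report makes a repeated offset or a single driver stand out at a glance.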
 

Fiery

Level 1
Jan 11, 2011
2,007
  • Double click on OTL.exe to run it.
  • Click the Scan All Users checkbox.
  • Under custom scan/fixes, copy and paste the following:

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    DRIVES
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\Application Data\*.*
    %USERPROFILE%\Application Data\*.
    %AllUsersProfile%\*.*
    %AllUsersProfile%\Application Data\*.*
    %AllUsersProfile%\Application Data\*.
    %AllUsersProfile%\Application Data\Local Settings\*.*
    %CommonProgramFiles%\*.*
    %CommonProgramFiles%\ComObjects*.*
    %PROGRAMFILES%\*.*
    %PROGRAMFILES%\*.
    %systemroot%\system32\config\systemprofile\*.*
    %systemroot%\system32\config\systemprofile\Application Data\*.*
    %systemroot%\system32\config\systemprofile\\Local Settings\*.*
    %systemroot%\system32\config\systemprofile\\Local Settings\Application Data\*.*
    C:\Documents and Settings\LocalService\Application Data\*.*
    C:\Documents and Settings\LocalService\Local Settings\Application Data\*.*
    C:\Documents and Settings\NetworkService\Application Data\*.*
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.*
    C:\Documents and Settings\NetworkService\Local Settings\*.*
    C:\Documents and Settings\NetworkService\*.*
    %windir%\temp\*.exe
    %windir%\*.
    %windir%\installer\*.
    %windir%\system32\*.
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC\*.ini
    %systemroot%\assembly\GAC_32\*.ini
    %SystemRoot%\assembly\GAC_MSIL\*.ini
    wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}] /s
    HKEY_CURRENT_USER\Software\MSOLoad /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    consrv.dll
    services.exe
    svchost.exe
    explorer.exe
    userinit.exe
    winlogon.exe
    smss.exe
    lsass.exe
    atapi.sys
    iaStor.sys
    serial.sys
    disk.sys
    volsnap.sys
    redbook.sys
    i8042prt.sys
    afd.sys
    netbt.sys
    tcpip.sys
    ipsec.sys
    hlp.dat
    str.sys
    crexv.ocx
    asr_nsta.dll
    /md5stop
  • Click Run Scan
  • Post the new log after
 

Fiery

Level 1
Jan 11, 2011
2,007
Upload a File to Virustotal
Please visit Virustotal.com
  • Click the Choose file... button
  • Navigate to the file C:\Users\Phreak\01018468.xlt
  • Click the Open button
  • Click the Scan It button
  • Copy and paste the results back here.

Open notepad and copy & paste the following:

Folder: C:\Windows\system32\0409

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.
 

phreaknes

New Member
Thread author
Verified
Mar 20, 2013
24
Fiery said:
Upload a File to Virustotal
Please visit Virustotal.com
  • Click the Choose file... button
  • Navigate to the file C:\Users\Phreak\01018468.xlt
  • Click the Open button
  • Click the Scan It button
  • Copy and paste the results back here.

Open notepad and copy & paste the following:

Folder: C:\Windows\system32\0409

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.

SHA256: b96c557b838583469ebecdc43143dbcc14a59dd3d096fb315c134abada74dea5
SHA1: 66d1fcaecb1376433534adfaf3bff0dc21ea8ddd
MD5: a0ab7d84950db379bc397afa0b6c2ad8
File size: 17.0 KB ( 17408 bytes )
File name: 01018468.xlt
File type: MS Excel Spreadsheet
Detection ratio: 0 / 46
Analysis date: 2013-03-26 03:45:53 UTC ( 0 minutes ago )
 

Attachments

  • Fixlog.txt
    347 bytes · Views: 69

Fiery

Level 1
Jan 11, 2011
2,007
Ok, that file is fine. We will remove 2 files now.

Open notepad and copy & paste the following:

C:\Users\Phreak\1172003.exe
C:\Windows\SysWow64\LMADMI32comc.dll
C:\Windows\system32\0409

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.
 

phreaknes

New Member
Thread author
Verified
Mar 20, 2013
24
Fiery said:
Ok, that file is fine. We will remove 2 files now.

Open notepad and copy & paste the following:

C:\Users\Phreak\1172003.exe
C:\Windows\SysWow64\LMADMI32comc.dll
C:\Windows\system32\0409

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log.
 

Attachments

  • Fixlog.txt
    379 bytes · Views: 82

phreaknes

New Member
Thread author
Verified
Mar 20, 2013
24
Fiery said:
How's the PC now?

Just booted it in normal mode, and it still hangs. I had the network off just in case to avoid re-infection. This must be a crazy virus. I'm at a loss.
 

Fiery

Level 1
Jan 11, 2011
2,007
Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder (mbar-log.txt and system-log.txt)
 

phreaknes

New Member
Thread author
Verified
Mar 20, 2013
24
Fiery said:
Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder (mbar-log.txt and system-log.txt)
 

Attachments

  • system-log.txt
    65.2 KB · Views: 97
  • mbar-log-2013-03-28 (17-07-24).txt
    1.9 KB · Views: 66

Fiery

Level 1
Jan 11, 2011
2,007
Hmm nothing.. strange.

Download Kaspersky Virus Removal Tool from here: http://www.kaspersky.com/antivirus-removal-tool?form=1 (Download Version 11. You'll have to enter your email address and name)
  • Double-click the file and follow the on-screen prompts until it is installed
  • Click the Options button (the 'Gear' icon), then make sure only the following are ticked:
      • System Memory
      • Hidden startup objects
      • Disk boot sectors
      • Computer
      • Local Disk (C: )
  • Click on Automatic Scan
  • Now click the Start Scanning button, to run the scan
  • After the scan is complete, click the reports button ('Paper icon', next to the 'Gear' icon) on the right hand side
  • Click Detected threats on the left
  • Now click the Save button, and save it as kaslog.txt to your Desktop
  • Please attach kaslog.txt in your next reply.
 

phreaknes

New Member
Thread author
Verified
Mar 20, 2013
24
Fiery said:
Hmm nothing.. strange.

Download Kaspersky Virus Removal Tool from here: http://www.kaspersky.com/antivirus-removal-tool?form=1 (Download Version 11. You'll have to enter your email address and name)
  • Double-click the file and follow the on-screen prompts until it is installed
  • Click the Options button (the 'Gear' icon), then make sure only the following are ticked:
      • System Memory
      • Hidden startup objects
      • Disk boot sectors
      • Computer
      • Local Disk (C: )
  • Click on Automatic Scan
  • Now click the Start Scanning button, to run the scan
  • After the scan is complete, click the reports button ('Paper icon', next to the 'Gear' icon) on the right hand side
  • Click Detected threats on the left
  • Now click the Save button, and save it as kaslog.txt to your Desktop
  • Please attach kaslog.txt in your next reply.
 

Attachments

  • kaslog.txt
    2.3 KB · Views: 158

phreaknes

New Member
Thread author
Verified
Mar 20, 2013
24
Fiery said:
How is the PC now?

I did a normal boot without the wireless enabled and it stays up a lot longer (10-15 mins) but it still crashes. But safe mode with network works just fine for some reason.
 

Fiery

Level 1
Jan 11, 2011
2,007
Do a new OTL scan with the default settings but change extra registry to All and press Run Scan.
 

Fiery

Level 1
Jan 11, 2011
2,007
Your logs don't show any malware

Did you install any new programs lately?

Please download MiniToolBox save it to your desktop and run it.

Place a check in the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files

Close your browsers and click Go. Post the Result.txt located in the same directory as the tool.
 

phreaknes

New Member
Thread author
Verified
Mar 20, 2013
24
Fiery said:
Your logs don't show any malware

Did you install any new programs lately?

Please download MiniToolBox save it to your desktop and run it.

Place a check in the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files

Close your browsers and click Go. Post the Result.txt located in the same directory as the tool.

I'm thinking it's a driver that might have been corrupted by the malware. Safe mode with networking works great and that's how I've been posting, but it now takes longer for normal Windows to crash. So I'm going to try to get a more detailed dump file. I haven't been brave enough to boot into normal mode with the WiFi enabled yet for fear of reinfection.
 

Attachments

  • Result.txt
    33.5 KB · Views: 145
