Inactive Google search redirect and possible rootkit malware


jpb2872

Hello and thank you in advance for your help.

I was receiving help from bobbye on this and he believed I have a boot-kit malware infection. I went on vacation, so he temporarily closed the thread, and I cannot send a private message due to my number of posts, so I am opening a new one.

I have a Dell Latitude D810, running Windows XP Professional.

OS Name Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Manufacturer Dell Inc.
System Model Latitude D810
System Type X86-based PC
Processor x86 Family 6 Model 13 Stepping 8 GenuineIntel ~2261 Mhz
BIOS Version/Date Dell Inc. A04, 9/30/2005
SMBIOS Version 2.3
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume2
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
User Name PPSO-D1G5MW81\John
Time Zone Central Daylight Time
Total Physical Memory 1,024.00 MB
Available Physical Memory 248.72 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 2.40 GB
Page File C:\pagefile.sys

I believe I have some type of virus/infection. The symptoms I am noticing are that in Firefox, during a Google search, if I click a link in the search results I get redirected to different pages. On a mouse-over of a link it shows "adwords onlinesecure...". Also, at times I get the blue screen and "dumping memory" message.

I have done the following so far. I ran Malwarebytes and cleaned several items a few weeks ago, but it has found no viruses since; I ran Avira and cleaned one virus, again a few weeks ago, and since then it has found no viruses.

Upon reading on this site tonight I followed the steps listed for virus removal.

1.) Ran Malwarebytes - Log attached
2.) Ran Avira - Log attached
3.) Ran GMER - Log attached
4.) Ran DDS - Logs attached
6.) Ran ComboFix - Log attached
7.) Ran ESET - Log attached

I did not download and run HijackThis; please let me know if its log is needed.

===========================================
Database version: 4382

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

8/2/2010 6:18:28 PM
mbam-log-2010-08-02 (18-18-28).txt

Scan type: Full scan (C:\|)
Objects scanned: 311520
Time elapsed: 1 hour(s), 21 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
================================================

Avira AntiVir Personal
Report file date: Monday, August 02, 2010 18:25

Scanning for 2670451 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : PPSO-D1G5MW81

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 18:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 18:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/8/2010 00:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 05:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 01:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 23:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 22:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 17:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 07:11:46
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 07:12:02
VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 19:12:37
VBASE008.VDF : 7.10.9.166 2048 Bytes 7/23/2010 19:12:37
VBASE009.VDF : 7.10.9.167 2048 Bytes 7/23/2010 19:12:38
VBASE010.VDF : 7.10.9.168 2048 Bytes 7/23/2010 19:12:38
VBASE011.VDF : 7.10.9.169 2048 Bytes 7/23/2010 19:12:38
VBASE012.VDF : 7.10.9.170 2048 Bytes 7/23/2010 19:12:39
VBASE013.VDF : 7.10.9.198 157696 Bytes 7/26/2010 19:12:40
VBASE014.VDF : 7.10.9.255 997888 Bytes 7/29/2010 19:12:46
VBASE015.VDF : 7.10.10.28 139264 Bytes 8/2/2010 18:54:07
VBASE016.VDF : 7.10.10.29 2048 Bytes 8/2/2010 18:54:08
VBASE017.VDF : 7.10.10.30 2048 Bytes 8/2/2010 18:54:08
VBASE018.VDF : 7.10.10.31 2048 Bytes 8/2/2010 18:54:08
VBASE019.VDF : 7.10.10.32 2048 Bytes 8/2/2010 18:54:08
VBASE020.VDF : 7.10.10.33 2048 Bytes 8/2/2010 18:54:08
VBASE021.VDF : 7.10.10.34 2048 Bytes 8/2/2010 18:54:09
VBASE022.VDF : 7.10.10.35 2048 Bytes 8/2/2010 18:54:09
VBASE023.VDF : 7.10.10.36 2048 Bytes 8/2/2010 18:54:09
VBASE024.VDF : 7.10.10.37 2048 Bytes 8/2/2010 18:54:09
VBASE025.VDF : 7.10.10.38 2048 Bytes 8/2/2010 18:54:10
VBASE026.VDF : 7.10.10.39 2048 Bytes 8/2/2010 18:54:10
VBASE027.VDF : 7.10.10.40 2048 Bytes 8/2/2010 18:54:10
VBASE028.VDF : 7.10.10.41 2048 Bytes 8/2/2010 18:54:10
VBASE029.VDF : 7.10.10.42 2048 Bytes 8/2/2010 18:54:10
VBASE030.VDF : 7.10.10.43 2048 Bytes 8/2/2010 18:54:11
VBASE031.VDF : 7.10.10.47 92672 Bytes 8/2/2010 18:54:12
Engineversion : 8.2.4.32
AEVDF.DLL : 8.1.2.1 106868 Bytes 7/29/2010 19:16:12
AESCRIPT.DLL : 8.1.3.42 1364347 Bytes 7/29/2010 19:16:06
AESCN.DLL : 8.1.6.1 127347 Bytes 7/5/2010 07:14:03
AESBX.DLL : 8.1.3.1 254324 Bytes 7/5/2010 07:14:14
AERDL.DLL : 8.1.8.2 614772 Bytes 7/21/2010 23:28:29
AEPACK.DLL : 8.2.3.3 471414 Bytes 7/29/2010 19:15:29
AEOFFICE.DLL : 8.1.1.8 201081 Bytes 7/21/2010 23:28:23
AEHEUR.DLL : 8.1.2.10 2830711 Bytes 7/29/2010 19:15:10
AEHELP.DLL : 8.1.13.2 242039 Bytes 7/21/2010 23:28:06
AEGEN.DLL : 8.1.3.18 393589 Bytes 7/29/2010 19:13:11
AEEMU.DLL : 8.1.2.0 393588 Bytes 7/5/2010 07:13:37
AECORE.DLL : 8.1.16.2 192887 Bytes 7/21/2010 23:27:57
AEBB.DLL : 8.1.1.0 53618 Bytes 7/5/2010 07:13:32
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 18:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 18:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 22:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 18:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 18:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 18:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 15:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 18:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 21:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 20:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 19:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 20:14:29

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: repair
Secondary action....................: delete
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+PCK,+PFS,+SPR,

Start of the scan: Monday, August 02, 2010 18:25

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\RNG\seed
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Microsoft\SchedulingAgent\lasttaskrun
[NOTE] The registry entry is invisible.

The scan of running processes will be started
Scan process 'msdtc.exe' - '43' Module(s) have been scanned
Scan process 'dllhost.exe' - '61' Module(s) have been scanned
Scan process 'dllhost.exe' - '48' Module(s) have been scanned
Scan process 'vssvc.exe' - '51' Module(s) have been scanned
Scan process 'avscan.exe' - '67' Module(s) have been scanned
Scan process 'NOTEPAD.EXE' - '27' Module(s) have been scanned
Scan process 'plugin-container.exe' - '70' Module(s) have been scanned
Scan process 'firefox.exe' - '114' Module(s) have been scanned
Scan process 'ctfmon.exe' - '25' Module(s) have been scanned
Scan process 'realsched.exe' - '42' Module(s) have been scanned
Scan process 'jusched.exe' - '24' Module(s) have been scanned
Scan process 'avgnt.exe' - '57' Module(s) have been scanned
Scan process 'alg.exe' - '36' Module(s) have been scanned
Scan process 'YahooAUService.exe' - '44' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '47' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '56' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '56' Module(s) have been scanned
Scan process 'UStorSrv.exe' - '23' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'NICCONFIGSVC.exe' - '44' Module(s) have been scanned
Scan process 'avshadow.exe' - '33' Module(s) have been scanned
Scan process 'MDM.EXE' - '27' Module(s) have been scanned
Scan process 'jqs.exe' - '33' Module(s) have been scanned
Scan process 'Iap.exe' - '30' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '37' Module(s) have been scanned
Scan process 'avguard.exe' - '54' Module(s) have been scanned
Scan process 'Explorer.EXE' - '103' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '28' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'sched.exe' - '49' Module(s) have been scanned
Scan process 'SCardSvr.exe' - '23' Module(s) have been scanned
Scan process 'spoolsv.exe' - '81' Module(s) have been scanned
Scan process 'svchost.exe' - '47' Module(s) have been scanned
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'svchost.exe' - '167' Module(s) have been scanned
Scan process 'svchost.exe' - '43' Module(s) have been scanned
Scan process 'svchost.exe' - '58' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '15' Module(s) have been scanned
Scan process 'lsass.exe' - '58' Module(s) have been scanned
Scan process 'services.exe' - '67' Module(s) have been scanned
Scan process 'winlogon.exe' - '85' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1864' files ).


Starting the file scan:

Begin scan in 'C:\'


End of the scan: Monday, August 02, 2010 22:50
Used time: 4:24:29 Hour(s)

The scan has been done completely.

13708 Scanned directories
412544 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
412544 Files not concerned
4571 Archives were scanned
0 Warnings
0 Notes
923769 Objects were scanned with rootkit scan
2 Hidden objects were found
 
Attach log

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/13/2005 1:29:04 PM
System Uptime: 8/2/2010 4:52:41 PM (7 hours ago)

Motherboard: Dell Inc. | | 0D8006
Processor: Intel(R) Pentium(R) M processor 2.26GHz | Microprocessor | 791/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 24.094 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP56: 7/5/2010 5:30:07 PM - System Checkpoint
RP57: 7/5/2010 5:30:06 PM - Software Distribution Service 3.0
RP58: 7/5/2010 5:30:05 PM - System Checkpoint
RP59: 7/5/2010 5:30:03 PM - System Checkpoint
RP60: 7/5/2010 5:30:03 PM - System Checkpoint
RP61: 7/5/2010 5:30:01 PM - System Checkpoint
RP62: 7/5/2010 5:29:47 PM - System Checkpoint
RP63: 7/19/2010 8:20:29 PM - System Checkpoint
RP64: 7/5/2010 5:30:21 PM - System Checkpoint
RP65: 7/5/2010 5:30:20 PM - System Checkpoint
RP66: 7/5/2010 5:30:10 PM - Software Distribution Service 3.0
RP67: 7/1/2010 3:44:09 PM - Restore Operation
RP68: 7/1/2010 4:11:18 PM - Restore Operation
RP69: 7/1/2010 4:24:37 PM - Restore Operation
RP70: 7/5/2010 5:30:09 PM - System Checkpoint
RP71: 7/6/2010 7:45:26 PM - Removed SUPERAntiSpyware Free Edition
RP72: 7/7/2010 7:20:28 AM - Removed Bonjour
RP73: 7/7/2010 7:24:25 AM - Removed RAID
RP74: 7/8/2010 9:12:48 AM - System Checkpoint
RP75: 7/9/2010 10:36:46 AM - System Checkpoint
RP76: 7/10/2010 12:11:29 PM - System Checkpoint
RP77: 7/11/2010 1:57:59 PM - System Checkpoint
RP78: 7/12/2010 10:30:31 AM - Installed Java(TM) 6 Update 20
RP79: 7/12/2010 10:34:52 AM - Installed QuickTime
RP80: 7/12/2010 10:40:42 AM - Removed Adobe Reader 8.1.1
RP81: 7/12/2010 10:41:54 AM - Installed Adobe Reader 9.3.
RP82: 7/13/2010 4:02:08 PM - System Checkpoint
RP83: 7/13/2010 8:14:48 PM - Software Distribution Service 3.0
RP84: 7/14/2010 3:00:35 AM - Software Distribution Service 3.0
RP85: 7/15/2010 3:00:42 AM - Software Distribution Service 3.0
RP86: 7/16/2010 4:07:07 AM - System Checkpoint
RP87: 7/17/2010 6:07:13 AM - System Checkpoint
RP88: 7/18/2010 8:07:07 AM - System Checkpoint
RP89: 7/18/2010 6:41:22 PM - OTL Restore Point
RP90: 7/20/2010 9:24:57 PM - System Checkpoint
RP91: 7/22/2010 12:28:29 AM - System Checkpoint
RP92: 7/23/2010 4:31:50 PM - System Checkpoint
RP93: 7/27/2010 3:00:29 PM - System Checkpoint
RP94: 7/28/2010 4:13:18 PM - System Checkpoint
RP95: 7/29/2010 6:13:18 PM - System Checkpoint
RP96: 7/30/2010 8:13:18 PM - System Checkpoint
RP97: 7/31/2010 10:13:19 PM - System Checkpoint
RP98: 8/2/2010 12:13:18 AM - System Checkpoint

==== Installed Programs ======================

2570
2570_Help
2570Trb
Acrobat.com
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 9.3
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AiO_Scan_CDA
AiOSoftwareNPI
AnswerWorks 5.0 English Runtime
ATI Display Driver
Avanquest update
Avira AntiVir Personal - Free Antivirus
AVS VideoConverter 3.1.1.151
BufferChm
Conexant D110 MDC V.9x Modem
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Panorama1Config
Crystal Reports XI
CueTour
DesignPro 5.4 Limited Edition
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
DivX Setup
DocProc
DocumentViewer
DocumentViewerQFolder
Fax_CDA
FTDI USB Serial Converter Drivers
FullDPAppQFolder
GeoVision ADPCM
GeoVision H264
GeoVision JPEG
GeoVision MPEG2
GeoVision MPEG4
GeoVision MPEG4 ASP
GeoVision MPEG4 AVC
Google Toolbar for Internet Explorer
Hotfix 2050 for SQL Server 2000 ENU (KB948110)
Hotfix 2055 for SQL Server 2000 ENU (KB960082)
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
HP Document Viewer 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.A
iDEN Phonebook Manager
Imation Disk Manager V a Service
InstantShareDevices
Java Auto Updater
Java(TM) 6 Update 20
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server Desktop Engine
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Motorola Driver Installation
Motorola Phone Tools
Mozilla Firefox (3.6.8)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
NewCopy_CDA
OGA Notifier 2.0.0048.0
OmniForm 5.0
PanoStandAlone
PayPal Plug-In
PDF Settings
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
PhotoGallery
ProductContextNPI
Quicken 2009
QuickTime
RandMap
Readme
RealPlayer
RealUpgrade 1.0
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Easy Media Creator 7 Basic VCD Edition
Roxio Express Labeler
Roxio Update Manager
Safari
Scan
ScannerCopy
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows XP (KB2229593)
SkinsHP1
Sonic Activation Module
Sonic DLA
Sonic_PrimoSDK
SpotLife
Status
Surveillance Device Configurator
TaxCut Louisiana 2007
TaxCut Premium + State + Efile 2007
TrayApp
TSP_CODEC
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB980182)
VC80CRTRedist - 8.0.50727.4053
Video DVD Maker v3.7.0.15
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WinAce Archiver
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Browser Services
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

8/2/2010 7:45:48 PM, error: VolSnap [25] - The shadow copy of volume C: was aborted because the diff area file could not grow in time. Consider reducing the IO load on this system to avoid this problem in the future.
8/2/2010 7:38:45 PM, error: VolSnap [12] - The shadow copy of volume C: became low on diff area space before it was properly installed.
8/2/2010 6:46:11 PM, error: VolSnap [10] - The shadow copy of volume C: took too long to install.
8/2/2010 4:53:42 PM, error: Service Control Manager [7000] - The Pantech&Curitel Utility Service service failed to start due to the following error: The system cannot find the file specified.
8/2/2010 4:53:41 PM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
8/2/2010 4:53:41 PM, error: Service Control Manager [7001] - The WLANKEEPER service depends on the EvtEng service which failed to start because of the following error: The system cannot find the file specified.
8/2/2010 4:53:41 PM, error: Service Control Manager [7001] - The Spectrum24 Event Monitor service depends on the EvtEng service which failed to start because of the following error: The system cannot find the file specified.
8/2/2010 4:53:41 PM, error: Service Control Manager [7000] - The OmniForm Printer service failed to start due to the following error: The system cannot find the path specified.
8/2/2010 4:53:41 PM, error: Service Control Manager [7000] - The MSSQLSERVER service failed to start due to the following error: The system cannot find the file specified.
8/2/2010 4:53:41 PM, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: The system cannot find the path specified.
8/2/2010 4:53:41 PM, error: Service Control Manager [7000] - The EvtEng service failed to start due to the following error: The system cannot find the file specified.
8/2/2010 4:53:41 PM, error: Service Control Manager [7000] - The Broadcom ASF IP monitoring service v6.0.4 service failed to start due to the following error: The system cannot find the file specified.
8/2/2010 12:21:22 PM, error: EventLog [6004] - A driver packet received from the I/O subsystem was invalid. The data is the packet.
7/27/2010 2:10:15 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd
7/27/2010 2:09:46 PM, error: Service Control Manager [7000] - The RegSrvc service failed to start due to the following error: The system cannot find the file specified.
7/27/2010 2:09:46 PM, error: Service Control Manager [7000] - The Pml Driver HPZ12 service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================
 
DDS log

DDS (Ver_10-03-17.01) - NTFSx86
Run by John at 23:15:40.73 on Mon 08/02/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.418 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\PPSO88\Desktop\gmer.exe
C:\Documents and Settings\PPSO88\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
{aa58ed58-01dd-4d91-8333-cf10577473f7}
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn4\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mPolicies-system: HideShutdownScripts = 0 (0x0)
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://instantgreetings.aol.com/prod/install.html
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134502743502
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ppso88\applic~1\mozilla\firefox\profiles\nc6b34uq.default\
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-7-5 11608]
R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2007-6-18 80640]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-7-5 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-7-5 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-5 60936]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-10-19 110984]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2005-11-23 80384]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S3 MotDev;Motorola Inc. USB Device; [x]
S3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [2008-3-24 899884]

=============== Created Last 30 ================

2010-07-22 03:23:54 3281 ----a-w- c:\windows\system32\wbem\Outlook_01cb294d4fec85b4.mof
2010-07-22 03:08:52 0 d-----w- c:\program files\common files\AnswerWorks 5.0
2010-07-22 03:08:37 1848608 ----a-w- c:\windows\system32\acXMLParser.dll
2010-07-22 03:08:35 3523872 ----a-w- c:\windows\system32\cdintf300.dll
2010-07-22 03:08:01 0 d-----w- c:\docume~1\ppso88\applic~1\Intuit
2010-07-22 03:07:33 0 d-----w- c:\program files\common files\Intuit
2010-07-22 03:07:19 0 d-----w- c:\program files\Quicken
2010-07-22 03:07:09 120 ----a-w- c:\windows\QUICKEN.INI
2010-07-22 03:06:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Intuit
2010-07-13 19:15:58 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-12 15:31:51 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-07 12:28:17 0 d-----w- c:\program files\common files\McAfee
2010-07-05 22:32:57 0 d-----w- c:\docume~1\ppso88\applic~1\Avira
2010-07-05 07:02:22 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-07-05 07:01:26 0 d-----w- c:\program files\Avira
2010-07-05 07:01:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

==================== Find3M ====================

2010-06-25 17:15:31 203776 ----a-w- c:\windows\system32\clrviddc.dll
2009-12-08 04:18:43 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2007-08-31 15:53:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007083120070901\index.dat
2008-12-12 08:48:08 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121220081213\index.dat

============= FINISH: 23:18:04.53 ===============
 
Error running GMER

I am trying to get a gmer log to post, but this is my fourth attempt; the other three attempts ended in a blue screen shutdown. The last error was an error in file UWTYRPOD.SYS page_fault_in_nonpaged_area, also listed UWTYRPOD.SYS - address B6FE2F60 base at B6FD700, datestamp 4b274F8D

Noticed also, when I reopen firefox I get a list of tabs to reopen with moneyservices.. blank 1 2 3 etc.

This is where the log stands as of now on this run, in case it may help

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-04 16:09:10
Windows 5.1.2600 Service Pack 3
Running: f4c43c0o.exe; Driver: C:\DOCUME~1\PPSO88\LOCALS~1\Temp\uwtyrpod.sys


Ran again, got the same error after about two hours of running, but at the time of the blue screen no other items were added to the log


---- System - GMER 1.0.15 ----

SSDT F7B8C514 ZwCreateThread
SSDT F7B8C500 ZwOpenProcess
SSDT F7B8C505 ZwOpenThread

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\DRIVERS\gtipci21.sys entry point in "init" section [0xF6747A80]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Dell\OpenManage\Client\Iap.exe[200] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0153B9BB
.text C:\Program Files\Dell\OpenManage\Client\Iap.exe[200] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0153B558
.text C:\Program Files\Dell\OpenManage\Client\Iap.exe[200] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0153B86D
.text C:\Program Files\Dell\OpenManage\Client\Iap.exe[200] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0153B639
.text C:\Program Files\Dell\OpenManage\Client\Iap.exe[200] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0153B70C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[376] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01A8B9BB
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[376] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01A8B558
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[376] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01A8B86D
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[376] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01A8B639
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[376] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01A8B70C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[376] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1044721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Bonjour\mDNSResponder.exe[564] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 007DB9BB
.text C:\Program Files\Bonjour\mDNSResponder.exe[564] WS2_32.dll!send 71AB4C27 5 Bytes JMP 007DB558
.text C:\Program Files\Bonjour\mDNSResponder.exe[564] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 007DB86D
.text C:\Program Files\Bonjour\mDNSResponder.exe[564] WS2_32.dll!recv 71AB676F 5 Bytes JMP 007DB639
.text C:\Program Files\Bonjour\mDNSResponder.exe[564] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 007DB70C
.text C:\WINDOWS\system32\SearchIndexer.exe[664] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[664] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00AFB9BB
.text C:\WINDOWS\system32\SearchIndexer.exe[664] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00AFB558
.text C:\WINDOWS\system32\SearchIndexer.exe[664] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00AFB86D
.text C:\WINDOWS\system32\SearchIndexer.exe[664] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00AFB639
.text C:\WINDOWS\system32\SearchIndexer.exe[664] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00AFB70C
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[884] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0199B9BB
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[884] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0199B558
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[884] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0199B86D
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[884] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0199B639
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[884] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0199B70C
.text C:\WINDOWS\system32\winlogon.exe[1360] Secur32.dll!LsaLogonUser 77FE33F1 5 Bytes JMP 015B2946
.text C:\WINDOWS\system32\UStorSrv.exe[2016] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00BDB9BB
.text C:\WINDOWS\system32\UStorSrv.exe[2016] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00BDB558
.text C:\WINDOWS\system32\UStorSrv.exe[2016] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00BDB86D
.text C:\WINDOWS\system32\UStorSrv.exe[2016] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00BDB639
.text C:\WINDOWS\system32\UStorSrv.exe[2016] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00BDB70C
.text C:\WINDOWS\system32\Ati2evxx.exe[2080] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0152B9BB
.text C:\WINDOWS\system32\Ati2evxx.exe[2080] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0152B558
.text C:\WINDOWS\system32\Ati2evxx.exe[2080] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0152B86D
.text C:\WINDOWS\system32\Ati2evxx.exe[2080] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0152B639
.text C:\WINDOWS\system32\Ati2evxx.exe[2080] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0152B70C
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2216] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 019DB9BB
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2216] ws2_32.dll!send 71AB4C27 5 Bytes JMP 019DB558
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2216] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 019DB86D
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2216] ws2_32.dll!recv 71AB676F 5 Bytes JMP 019DB639
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2216] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 019DB70C
.text C:\WINDOWS\Explorer.EXE[2320] USER32.dll!DisplayExitWindowsWarnings 7E459F91 5 Bytes JMP 00FC2758
.text C:\WINDOWS\Explorer.EXE[2320] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 026FB9BB
.text C:\WINDOWS\Explorer.EXE[2320] WS2_32.dll!send 71AB4C27 5 Bytes JMP 026FB558
.text C:\WINDOWS\Explorer.EXE[2320] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 026FB86D
.text C:\WINDOWS\Explorer.EXE[2320] WS2_32.dll!recv 71AB676F 5 Bytes JMP 026FB639
.text C:\WINDOWS\Explorer.EXE[2320] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 026FB70C
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2708] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D7B9BB
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2708] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D7B558
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2708] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D7B86D
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2708] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D7B639
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2708] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D7B70C
.text C:\WINDOWS\System32\alg.exe[3092] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D7B9BB
.text C:\WINDOWS\System32\alg.exe[3092] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D7B558
.text C:\WINDOWS\System32\alg.exe[3092] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D7B86D
.text C:\WINDOWS\System32\alg.exe[3092] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D7B639
.text C:\WINDOWS\System32\alg.exe[3092] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D7B70C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3292] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EAB9BB
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3292] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EAB558
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3292] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EAB86D
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3292] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EAB639
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3292] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EAB70C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3736] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[3912] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FCB9BB
.text C:\WINDOWS\system32\wuauclt.exe[3912] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FCB558
.text C:\WINDOWS\system32\wuauclt.exe[3912] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FCB86D
.text C:\WINDOWS\system32\wuauclt.exe[3912] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00FCB639
.text C:\WINDOWS\system32\wuauclt.exe[3912] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FCB70C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3920] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E3B9BB
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3920] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E3B558
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3920] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E3B86D
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3920] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E3B639
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3920] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E3B70C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 ssmdrv.sys (AVIRA SnapShot Driver/Avira GmbH)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 ssmdrv.sys (AVIRA SnapShot Driver/Avira GmbH)
AttachedDevice \Driver\Tcpip \Device\Udp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device \FileSystem\cdudf_xp \Device\CdUdf_XP DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)
Device B6F27D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
 
Welcome back! I hope you enjoyed your vacation. Let's get started:

Download Bootkit Remover and save to your Desktop
  1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  3. You will see a Black screen with some data on it.
  4. Right click on the screen and click Select All.
  5. Press CTRL+C to Copy
  6. Open a Notepad and press CTRL+V to Paste.
  7. Include the report in your next post.

I'll be checking the new logs while you do that.

Our previous thread was https://www.techspot.com/vb/topic150294.html
If everyone was as good as you about pasting their logs in, I could triple my speed here! Thank you.
 
Bootkit remover log

Hope this helps and thanks again

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`03ec1000

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
 
That was quick! I was still checking the logs. Let's start with this:
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:
    Code:
    @ECHO OFF
    START 
    remover.exe fix \\.\PhysicalDrive0
    
    EXIT
  • Go File > Save As
  • Save as Type choose All Files
  • For File Name type fix.bat
  • Save In> choose Desktop
  • Save
  • Double click to Run fix.bat
(You may see a black box appear; this is normal.)

Run remover.exe again and post its output.

Do NOT reboot computer!
 
Bootkit remover log

OK, I copied and pasted your text into Notepad and saved it as instructed, executed it and then ran Bootkit Remover; here's the log. Let me know what's next. Thanks again for your time and help


Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`03ec1000

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
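Both Bootkit Remover runs above report the MBR as "Controlled by rootkit!" and point to `remover.exe dump <device_name> [output_file]` for manual inspection of the boot code. As an added example (not code from this thread, from eSage Lab's tool, or from any of the scanners mentioned), the Python script below shows what a defender does with such a 512-byte dump: it validates the 0x55AA boot signature, parses the four partition-table entries, compares the boot-code region against a known-good SHA-256 reference taken from an earlier dump of the same machine, and cross-checks the table against the system-volume offset the tool printed (0x03ec1000 here, i.e. LBA 128520). The sample sector, its Dell-style utility-partition layout, the partition sizes and the reference hash are all constructed assumptions for the demonstration, not data from this thread.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: boot code (plus disk signature/padding)
PART_TABLE_OFFSET = 446       # four 16-byte entries follow the boot code
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR
SECTOR_BYTES = 512


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR dump into boot-code hash, partition entries and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected a {MBR_SIZE}-byte sector, got {len(sector)} bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[-2:] == BOOT_SIGNATURE,
    }


def audit_mbr(sector: bytes, system_volume_offset=None, known_good_bootcode_sha256=None) -> list:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature: sector is not a valid MBR")
    if known_good_bootcode_sha256 and info["bootcode_sha256"] != known_good_bootcode_sha256:
        findings.append("boot code differs from the known-good reference hash")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    for p in info["partitions"]:
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append(f"entry {p['index']}: type 0 (empty) but has non-zero geometry")
        if p["type"] != 0 and p["lba_start"] == 0:
            findings.append(f"entry {p['index']}: partition claims to start inside the MBR sector")
    if system_volume_offset is not None:
        # Bootkit Remover prints the byte offset of the system volume on the physical drive;
        # a healthy partition table has an entry starting exactly there.
        start_lba = system_volume_offset // SECTOR_BYTES
        if system_volume_offset % SECTOR_BYTES or not any(
                p["lba_start"] == start_lba for p in info["partitions"]):
            findings.append(f"no partition entry starts at the reported system volume "
                            f"offset {system_volume_offset:#x}")
    return findings


def build_sample_mbr(boot_code_byte: int = 0x90, sign: bool = True) -> bytes:
    """Constructed sample sector (assumption, not a real dump): a Dell-style utility
    partition at LBA 63 followed by the bootable NTFS system volume at LBA 128520."""
    sector = bytearray([boot_code_byte]) * BOOT_CODE_SIZE
    sector += struct.pack("<B3xB3xII", 0x00, 0xDE, 63, 128457)        # utility partition
    sector += struct.pack("<B3xB3xII", 0x80, 0x07, 128520, 144000000)  # active NTFS volume
    sector += struct.pack("<B3xB3xII", 0, 0, 0, 0) * 2                 # two empty entries
    sector += BOOT_SIGNATURE if sign else b"\x00\x00"
    return bytes(sector)


if __name__ == "__main__":
    reference = parse_mbr(build_sample_mbr())["bootcode_sha256"]  # hash of the clean dump
    for label, dump in (("clean", build_sample_mbr()),
                        ("boot code replaced", build_sample_mbr(boot_code_byte=0xEB)),
                        ("signature missing", build_sample_mbr(sign=False))):
        result = audit_mbr(dump, system_volume_offset=0x03EC1000,
                           known_good_bootcode_sha256=reference)
        print(f"{label}: {result or 'no findings'}")
```

To use it on a real dump, read the file written by `remover.exe dump` in binary mode and pass its first 512 bytes to `audit_mbr`. The reference hash only means something if it came from a dump taken before the machine showed symptoms, or from an identical clean install; a hash mismatch alone does not identify which bootkit is present, it just confirms the boot code is not what it was.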
 
No boot sector on internal hard drive

When I got into work this morning my computer was displaying no boot sector on internal hard drive. When I left yesterday I left the pc on, not sure why it rebooted but now it has no boot sector. Is there a way to boot from a jump drive or cd to finish the repairs?

OK, I ran fixmbr from an XP recovery boot disk and now I get no bootable devices.
 
Hard Drive gone

You can close the thread. The PC guy from work came out and said the hard drive was dead; not sure I agree, but he took the drive to attempt to recover my files. I will keep my fingers crossed; if he can't, I will open a new thread in an attempt to recover the files myself. Thanks again
 
Message from Bobbye:

Due to family matters that require my time and efforts, I am unable to continue helping with malware cleaning at this time. If and when these matters are resolved, I will return to the board.

Since the only other helper in the Virus and Malware forum is Broni, I will ask him to pick up the open threads I have going, if and when he can.

=================================================================

Thank you for letting us know :)
 