TechSpot

Google search redirect and possible rootkit malware

By jpb2872
Aug 4, 2010
  1. Hello and thank you in advance for your help.

    I was receiving help from bobbye on this and he believed I have a boot-kit malware infection. I went on vacation so he temporarily closed the thread, and I cannot send a private message due to my number of posts, so I am opening a new one.

    I have a Dell Latitude D810, running Windows XP Professional.

    OS Name Microsoft Windows XP Professional
    Version 5.1.2600 Service Pack 3 Build 2600
    OS Manufacturer Microsoft Corporation
    System Manufacturer Dell Inc.
    System Model Latitude D810
    System Type X86-based PC
    Processor x86 Family 6 Model 13 Stepping 8 GenuineIntel ~2261 Mhz
    BIOS Version/Date Dell Inc. A04, 9/30/2005
    SMBIOS Version 2.3
    Windows Directory C:\WINDOWS
    System Directory C:\WINDOWS\system32
    Boot Device \Device\HarddiskVolume2
    Locale United States
    Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
    User Name PPSO-D1G5MW81\John
    Time Zone Central Daylight Time
    Total Physical Memory 1,024.00 MB
    Available Physical Memory 248.72 MB
    Total Virtual Memory 2.00 GB
    Available Virtual Memory 1.96 GB
    Page File Space 2.40 GB
    Page File C:\pagefile.sys

    I believe I have some type of virus/infection. The symptoms I am noticing are that in Firefox, during a Google search, if I click a link in the search results I get redirected to different pages. On a mouse-over of a link it shows "adwords onlinesecure..." Also at times I get the blue screen and "dumping memory" message.

    I have done the following so far. I ran Malwarebytes and cleaned several items a few weeks ago, but it has found no viruses since; I ran Avira and cleaned one virus, again a few weeks ago, and it has found no viruses since.

    Upon reading on this site tonight I followed the steps listed for virus removal.

    1.) Ran Malwarebytes - Log attached
    2.) Ran Avira - Log attached
    3.) Ran GMER - Log attached
    4.) Ran DDS - Logs attached
    5.) Ran ComboFix - Log attached
    6.) Ran ESET - Log attached

    I did not download and run hijack log, please let me know if it is needed.

    ===========================================
    Database version: 4382

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.11

    8/2/2010 6:18:28 PM
    mbam-log-2010-08-02 (18-18-28).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 311520
    Time elapsed: 1 hour(s), 21 minute(s), 53 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    ================================================



    Avira AntiVir Personal
    Report file date: Monday, August 02, 2010 18:25

    Scanning for 2670451 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available:

    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows XP
    Windows version : (Service Pack 3) [5.1.2600]
    Boot mode : Normally booted
    Username : SYSTEM
    Computer name : PPSO-D1G5MW81

    Version information:
    BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
    AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 18:37:38
    AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 18:57:04
    LUKE.DLL : 10.0.2.3 104296 Bytes 3/8/2010 00:33:04
    LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 05:40:49
    VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:05:36
    VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 01:27:49
    VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 23:37:42
    VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 22:37:42
    VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 17:29:03
    VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 07:11:46
    VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 07:12:02
    VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 19:12:37
    VBASE008.VDF : 7.10.9.166 2048 Bytes 7/23/2010 19:12:37
    VBASE009.VDF : 7.10.9.167 2048 Bytes 7/23/2010 19:12:38
    VBASE010.VDF : 7.10.9.168 2048 Bytes 7/23/2010 19:12:38
    VBASE011.VDF : 7.10.9.169 2048 Bytes 7/23/2010 19:12:38
    VBASE012.VDF : 7.10.9.170 2048 Bytes 7/23/2010 19:12:39
    VBASE013.VDF : 7.10.9.198 157696 Bytes 7/26/2010 19:12:40
    VBASE014.VDF : 7.10.9.255 997888 Bytes 7/29/2010 19:12:46
    VBASE015.VDF : 7.10.10.28 139264 Bytes 8/2/2010 18:54:07
    VBASE016.VDF : 7.10.10.29 2048 Bytes 8/2/2010 18:54:08
    VBASE017.VDF : 7.10.10.30 2048 Bytes 8/2/2010 18:54:08
    VBASE018.VDF : 7.10.10.31 2048 Bytes 8/2/2010 18:54:08
    VBASE019.VDF : 7.10.10.32 2048 Bytes 8/2/2010 18:54:08
    VBASE020.VDF : 7.10.10.33 2048 Bytes 8/2/2010 18:54:08
    VBASE021.VDF : 7.10.10.34 2048 Bytes 8/2/2010 18:54:09
    VBASE022.VDF : 7.10.10.35 2048 Bytes 8/2/2010 18:54:09
    VBASE023.VDF : 7.10.10.36 2048 Bytes 8/2/2010 18:54:09
    VBASE024.VDF : 7.10.10.37 2048 Bytes 8/2/2010 18:54:09
    VBASE025.VDF : 7.10.10.38 2048 Bytes 8/2/2010 18:54:10
    VBASE026.VDF : 7.10.10.39 2048 Bytes 8/2/2010 18:54:10
    VBASE027.VDF : 7.10.10.40 2048 Bytes 8/2/2010 18:54:10
    VBASE028.VDF : 7.10.10.41 2048 Bytes 8/2/2010 18:54:10
    VBASE029.VDF : 7.10.10.42 2048 Bytes 8/2/2010 18:54:10
    VBASE030.VDF : 7.10.10.43 2048 Bytes 8/2/2010 18:54:11
    VBASE031.VDF : 7.10.10.47 92672 Bytes 8/2/2010 18:54:12
    Engineversion : 8.2.4.32
    AEVDF.DLL : 8.1.2.1 106868 Bytes 7/29/2010 19:16:12
    AESCRIPT.DLL : 8.1.3.42 1364347 Bytes 7/29/2010 19:16:06
    AESCN.DLL : 8.1.6.1 127347 Bytes 7/5/2010 07:14:03
    AESBX.DLL : 8.1.3.1 254324 Bytes 7/5/2010 07:14:14
    AERDL.DLL : 8.1.8.2 614772 Bytes 7/21/2010 23:28:29
    AEPACK.DLL : 8.2.3.3 471414 Bytes 7/29/2010 19:15:29
    AEOFFICE.DLL : 8.1.1.8 201081 Bytes 7/21/2010 23:28:23
    AEHEUR.DLL : 8.1.2.10 2830711 Bytes 7/29/2010 19:15:10
    AEHELP.DLL : 8.1.13.2 242039 Bytes 7/21/2010 23:28:06
    AEGEN.DLL : 8.1.3.18 393589 Bytes 7/29/2010 19:13:11
    AEEMU.DLL : 8.1.2.0 393588 Bytes 7/5/2010 07:13:37
    AECORE.DLL : 8.1.16.2 192887 Bytes 7/21/2010 23:27:57
    AEBB.DLL : 8.1.1.0 53618 Bytes 7/5/2010 07:13:32
    AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 18:03:38
    AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 18:03:35
    AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 22:47:40
    AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 18:35:46
    AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 18:39:51
    AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 18:22:13
    AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 15:53:30
    SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 18:57:58
    AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 21:38:56
    NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 20:41:00
    RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 19:10:20
    RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 20:14:29

    Configuration settings for the scan:
    Jobname.............................: Complete system scan
    Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
    Logging.............................: low
    Primary action......................: repair
    Secondary action....................: delete
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: C:,
    Process scan........................: on
    Extended process scan...............: on
    Scan registry.......................: on
    Search for rootkits.................: on
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium
    Deviating risk categories...........: +APPL,+PCK,+PFS,+SPR,

    Start of the scan: Monday, August 02, 2010 18:25

    Starting search for hidden objects.
    HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\RNG\seed
    [NOTE] The registry entry is invisible.
    HKEY_LOCAL_MACHINE\Software\Microsoft\SchedulingAgent\lasttaskrun
    [NOTE] The registry entry is invisible.

    The scan of running processes will be started
    Scan process 'msdtc.exe' - '43' Module(s) have been scanned
    Scan process 'dllhost.exe' - '61' Module(s) have been scanned
    Scan process 'dllhost.exe' - '48' Module(s) have been scanned
    Scan process 'vssvc.exe' - '51' Module(s) have been scanned
    Scan process 'avscan.exe' - '67' Module(s) have been scanned
    Scan process 'NOTEPAD.EXE' - '27' Module(s) have been scanned
    Scan process 'plugin-container.exe' - '70' Module(s) have been scanned
    Scan process 'firefox.exe' - '114' Module(s) have been scanned
    Scan process 'ctfmon.exe' - '25' Module(s) have been scanned
    Scan process 'realsched.exe' - '42' Module(s) have been scanned
    Scan process 'jusched.exe' - '24' Module(s) have been scanned
    Scan process 'avgnt.exe' - '57' Module(s) have been scanned
    Scan process 'alg.exe' - '36' Module(s) have been scanned
    Scan process 'YahooAUService.exe' - '44' Module(s) have been scanned
    Scan process 'wmiprvse.exe' - '47' Module(s) have been scanned
    Scan process 'SearchIndexer.exe' - '56' Module(s) have been scanned
    Scan process 'wmpnetwk.exe' - '56' Module(s) have been scanned
    Scan process 'UStorSrv.exe' - '23' Module(s) have been scanned
    Scan process 'svchost.exe' - '44' Module(s) have been scanned
    Scan process 'NICCONFIGSVC.exe' - '44' Module(s) have been scanned
    Scan process 'avshadow.exe' - '33' Module(s) have been scanned
    Scan process 'MDM.EXE' - '27' Module(s) have been scanned
    Scan process 'jqs.exe' - '33' Module(s) have been scanned
    Scan process 'Iap.exe' - '30' Module(s) have been scanned
    Scan process 'svchost.exe' - '38' Module(s) have been scanned
    Scan process 'mDNSResponder.exe' - '37' Module(s) have been scanned
    Scan process 'avguard.exe' - '54' Module(s) have been scanned
    Scan process 'Explorer.EXE' - '103' Module(s) have been scanned
    Scan process 'Ati2evxx.exe' - '28' Module(s) have been scanned
    Scan process 'svchost.exe' - '34' Module(s) have been scanned
    Scan process 'sched.exe' - '49' Module(s) have been scanned
    Scan process 'SCardSvr.exe' - '23' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '81' Module(s) have been scanned
    Scan process 'svchost.exe' - '47' Module(s) have been scanned
    Scan process 'svchost.exe' - '36' Module(s) have been scanned
    Scan process 'svchost.exe' - '36' Module(s) have been scanned
    Scan process 'svchost.exe' - '167' Module(s) have been scanned
    Scan process 'svchost.exe' - '43' Module(s) have been scanned
    Scan process 'svchost.exe' - '58' Module(s) have been scanned
    Scan process 'Ati2evxx.exe' - '15' Module(s) have been scanned
    Scan process 'lsass.exe' - '58' Module(s) have been scanned
    Scan process 'services.exe' - '67' Module(s) have been scanned
    Scan process 'winlogon.exe' - '85' Module(s) have been scanned
    Scan process 'csrss.exe' - '12' Module(s) have been scanned
    Scan process 'smss.exe' - '2' Module(s) have been scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [INFO] No virus was found!

    Starting to scan executable files (registry).
    The registry was scanned ( '1864' files ).


    Starting the file scan:

    Begin scan in 'C:\'


    End of the scan: Monday, August 02, 2010 22:50
    Used time: 4:24:29 Hour(s)

    The scan has been done completely.

    13708 Scanned directories
    412544 Files were scanned
    0 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    0 Files were moved to quarantine
    0 Files were renamed
    0 Files cannot be scanned
    412544 Files not concerned
    4571 Archives were scanned
    0 Warnings
    0 Notes
    923769 Objects were scanned with rootkit scan
    2 Hidden objects were found
     
  2. jpb2872

    jpb2872 TS Rookie Topic Starter Posts: 22

    attach log

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 12/13/2005 1:29:04 PM
    System Uptime: 8/2/2010 4:52:41 PM (7 hours ago)

    Motherboard: Dell Inc. | | 0D8006
    Processor: Intel(R) Pentium(R) M processor 2.26GHz | Microprocessor | 791/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 74 GiB total, 24.094 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP56: 7/5/2010 5:30:07 PM - System Checkpoint
    RP57: 7/5/2010 5:30:06 PM - Software Distribution Service 3.0
    RP58: 7/5/2010 5:30:05 PM - System Checkpoint
    RP59: 7/5/2010 5:30:03 PM - System Checkpoint
    RP60: 7/5/2010 5:30:03 PM - System Checkpoint
    RP61: 7/5/2010 5:30:01 PM - System Checkpoint
    RP62: 7/5/2010 5:29:47 PM - System Checkpoint
    RP63: 7/19/2010 8:20:29 PM - System Checkpoint
    RP64: 7/5/2010 5:30:21 PM - System Checkpoint
    RP65: 7/5/2010 5:30:20 PM - System Checkpoint
    RP66: 7/5/2010 5:30:10 PM - Software Distribution Service 3.0
    RP67: 7/1/2010 3:44:09 PM - Restore Operation
    RP68: 7/1/2010 4:11:18 PM - Restore Operation
    RP69: 7/1/2010 4:24:37 PM - Restore Operation
    RP70: 7/5/2010 5:30:09 PM - System Checkpoint
    RP71: 7/6/2010 7:45:26 PM - Removed SUPERAntiSpyware Free Edition
    RP72: 7/7/2010 7:20:28 AM - Removed Bonjour
    RP73: 7/7/2010 7:24:25 AM - Removed RAID
    RP74: 7/8/2010 9:12:48 AM - System Checkpoint
    RP75: 7/9/2010 10:36:46 AM - System Checkpoint
    RP76: 7/10/2010 12:11:29 PM - System Checkpoint
    RP77: 7/11/2010 1:57:59 PM - System Checkpoint
    RP78: 7/12/2010 10:30:31 AM - Installed Java(TM) 6 Update 20
    RP79: 7/12/2010 10:34:52 AM - Installed QuickTime
    RP80: 7/12/2010 10:40:42 AM - Removed Adobe Reader 8.1.1
    RP81: 7/12/2010 10:41:54 AM - Installed Adobe Reader 9.3.
    RP82: 7/13/2010 4:02:08 PM - System Checkpoint
    RP83: 7/13/2010 8:14:48 PM - Software Distribution Service 3.0
    RP84: 7/14/2010 3:00:35 AM - Software Distribution Service 3.0
    RP85: 7/15/2010 3:00:42 AM - Software Distribution Service 3.0
    RP86: 7/16/2010 4:07:07 AM - System Checkpoint
    RP87: 7/17/2010 6:07:13 AM - System Checkpoint
    RP88: 7/18/2010 8:07:07 AM - System Checkpoint
    RP89: 7/18/2010 6:41:22 PM - OTL Restore Point
    RP90: 7/20/2010 9:24:57 PM - System Checkpoint
    RP91: 7/22/2010 12:28:29 AM - System Checkpoint
    RP92: 7/23/2010 4:31:50 PM - System Checkpoint
    RP93: 7/27/2010 3:00:29 PM - System Checkpoint
    RP94: 7/28/2010 4:13:18 PM - System Checkpoint
    RP95: 7/29/2010 6:13:18 PM - System Checkpoint
    RP96: 7/30/2010 8:13:18 PM - System Checkpoint
    RP97: 7/31/2010 10:13:19 PM - System Checkpoint
    RP98: 8/2/2010 12:13:18 AM - System Checkpoint

    ==== Installed Programs ======================

    2570
    2570_Help
    2570Trb
    Acrobat.com
    Adobe AIR
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Reader 9.3
    Adobe Setup
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    AiO_Scan_CDA
    AiOSoftwareNPI
    AnswerWorks 5.0 English Runtime
    ATI Display Driver
    Avanquest update
    Avira AntiVir Personal - Free Antivirus
    AVS VideoConverter 3.1.1.151
    BufferChm
    Conexant D110 MDC V.9x Modem
    CP_AtenaShokunin1Config
    CP_CalendarTemplates1
    CP_Package_Basic1
    CP_Panorama1Config
    Crystal Reports XI
    CueTour
    DesignPro 5.4 Limited Edition
    Destinations
    DeviceFunctionQFolder
    DeviceManagementQFolder
    DivX Setup
    DocProc
    DocumentViewer
    DocumentViewerQFolder
    Fax_CDA
    FTDI USB Serial Converter Drivers
    FullDPAppQFolder
    GeoVision ADPCM
    GeoVision H264
    GeoVision JPEG
    GeoVision MPEG2
    GeoVision MPEG4
    GeoVision MPEG4 ASP
    GeoVision MPEG4 AVC
    Google Toolbar for Internet Explorer
    Hotfix 2050 for SQL Server 2000 ENU (KB948110)
    Hotfix 2055 for SQL Server 2000 ENU (KB960082)
    Hotfix for Microsoft .NET Framework 3.0 (KB932471)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB954550-v5)
    HP Document Viewer 5.3
    HP Image Zone 5.3
    HP Imaging Device Functions 5.3
    HP PSC & OfficeJet 5.3.A
    iDEN Phonebook Manager
    Imation Disk Manager V a Service
    InstantShareDevices
    Java Auto Updater
    Java(TM) 6 Update 20
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft SQL Server Desktop Engine
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Motorola Driver Installation
    Motorola Phone Tools
    Mozilla Firefox (3.6.8)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB954459)
    NewCopy_CDA
    OGA Notifier 2.0.0048.0
    OmniForm 5.0
    PanoStandAlone
    PayPal Plug-In
    PDF Settings
    Pdf995 (installed by TaxCut)
    PdfEdit995 (installed by TaxCut)
    PhotoGallery
    ProductContextNPI
    Quicken 2009
    QuickTime
    RandMap
    Readme
    RealPlayer
    RealUpgrade 1.0
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Drag-to-Disc
    Roxio Easy Media Creator 7 Basic VCD Edition
    Roxio Express Labeler
    Roxio Update Manager
    Safari
    Scan
    ScannerCopy
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows XP (KB2229593)
    SkinsHP1
    Sonic Activation Module
    Sonic DLA
    Sonic_PrimoSDK
    SpotLife
    Status
    Surveillance Device Configurator
    TaxCut Louisiana 2007
    TaxCut Premium + State + Efile 2007
    TrayApp
    TSP_CODEC
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB980182)
    VC80CRTRedist - 8.0.50727.4053
    Video DVD Maker v3.7.0.15
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    WinAce Archiver
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer Clean Up
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    Windows Search 4.0
    Windows XP Service Pack 3
    WinRAR archiver
    Yahoo! Browser Services
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    8/2/2010 7:45:48 PM, error: VolSnap [25] - The shadow copy of volume C: was aborted because the diff area file could not grow in time. Consider reducing the IO load on this system to avoid this problem in the future.
    8/2/2010 7:38:45 PM, error: VolSnap [12] - The shadow copy of volume C: became low on diff area space before it was properly installed.
    8/2/2010 6:46:11 PM, error: VolSnap [10] - The shadow copy of volume C: took too long to install.
    8/2/2010 4:53:42 PM, error: Service Control Manager [7000] - The Pantech&Curitel Utility Service service failed to start due to the following error: The system cannot find the file specified.
    8/2/2010 4:53:41 PM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
    8/2/2010 4:53:41 PM, error: Service Control Manager [7001] - The WLANKEEPER service depends on the EvtEng service which failed to start because of the following error: The system cannot find the file specified.
    8/2/2010 4:53:41 PM, error: Service Control Manager [7001] - The Spectrum24 Event Monitor service depends on the EvtEng service which failed to start because of the following error: The system cannot find the file specified.
    8/2/2010 4:53:41 PM, error: Service Control Manager [7000] - The OmniForm Printer service failed to start due to the following error: The system cannot find the path specified.
    8/2/2010 4:53:41 PM, error: Service Control Manager [7000] - The MSSQLSERVER service failed to start due to the following error: The system cannot find the file specified.
    8/2/2010 4:53:41 PM, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: The system cannot find the path specified.
    8/2/2010 4:53:41 PM, error: Service Control Manager [7000] - The EvtEng service failed to start due to the following error: The system cannot find the file specified.
    8/2/2010 4:53:41 PM, error: Service Control Manager [7000] - The Broadcom ASF IP monitoring service v6.0.4 service failed to start due to the following error: The system cannot find the file specified.
    8/2/2010 12:21:22 PM, error: EventLog [6004] - A driver packet received from the I/O subsystem was invalid. The data is the packet.
    7/27/2010 2:10:15 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd
    7/27/2010 2:09:46 PM, error: Service Control Manager [7000] - The RegSrvc service failed to start due to the following error: The system cannot find the file specified.
    7/27/2010 2:09:46 PM, error: Service Control Manager [7000] - The Pml Driver HPZ12 service failed to start due to the following error: The system cannot find the file specified.

    ==== End Of File ===========================
     
  3. jpb2872

    jpb2872 TS Rookie Topic Starter Posts: 22

    dds log

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by John at 23:15:40.73 on Mon 08/02/2010
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.418 [GMT -5:00]

    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\UStorSrv.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\PPSO88\Desktop\gmer.exe
    C:\Documents and Settings\PPSO88\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    {aa58ed58-01dd-4d91-8333-cf10577473f7}
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn4\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
    TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    mPolicies-system: HideShutdownScripts = 0 (0x0)
    IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
    IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
    IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
    IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://instantgreetings.aol.com/prod/install.html
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134502743502
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\ppso88\applic~1\mozilla\firefox\profiles\nc6b34uq.default\
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-7-5 11608]
    R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2007-6-18 80640]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-7-5 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-7-5 267432]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-5 60936]
    R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-10-19 110984]
    R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2005-11-23 80384]
    S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
    S3 MotDev;Motorola Inc. USB Device; [x]
    S3 XIRLINK;Veo PC Camera;c:\windows\system32\drivers\ucdnt.sys [2008-3-24 899884]

    =============== Created Last 30 ================

    2010-07-22 03:23:54 3281 ----a-w- c:\windows\system32\wbem\Outlook_01cb294d4fec85b4.mof
    2010-07-22 03:08:52 0 d-----w- c:\program files\common files\AnswerWorks 5.0
    2010-07-22 03:08:37 1848608 ----a-w- c:\windows\system32\acXMLParser.dll
    2010-07-22 03:08:35 3523872 ----a-w- c:\windows\system32\cdintf300.dll
    2010-07-22 03:08:01 0 d-----w- c:\docume~1\ppso88\applic~1\Intuit
    2010-07-22 03:07:33 0 d-----w- c:\program files\common files\Intuit
    2010-07-22 03:07:19 0 d-----w- c:\program files\Quicken
    2010-07-22 03:07:09 120 ----a-w- c:\windows\QUICKEN.INI
    2010-07-22 03:06:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Intuit
    2010-07-13 19:15:58 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-12 15:31:51 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-07 12:28:17 0 d-----w- c:\program files\common files\McAfee
    2010-07-05 22:32:57 0 d-----w- c:\docume~1\ppso88\applic~1\Avira
    2010-07-05 07:02:22 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-07-05 07:01:26 0 d-----w- c:\program files\Avira
    2010-07-05 07:01:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

    ==================== Find3M ====================

    2010-06-25 17:15:31 203776 ----a-w- c:\windows\system32\clrviddc.dll
    2009-12-08 04:18:43 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
    2007-08-31 15:53:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007083120070901\index.dat
    2008-12-12 08:48:08 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121220081213\index.dat

    ============= FINISH: 23:18:04.53 ===============
     
  4. jpb2872

    jpb2872 TS Rookie Topic Starter Posts: 22

    Error running GMER

    I am trying to get a GMER log to post, but this is my fourth attempt; the other three attempts ended in a blue screen shutdown. The last error was an error in file UWTYRPOD.SYS page_fault_in_nonpaged_area, also listed UWTYRPOD.SYS - address B6FE2F60 base at B6FD700, datestamp 4b274F8D

    I also noticed that when I reopen Firefox I get a list of tabs to reopen with moneyservices.. blank 1 2 3 etc.

    This is where the log stands as of now on this run, in case it may help:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-04 16:09:10
    Windows 5.1.2600 Service Pack 3
    Running: f4c43c0o.exe; Driver: C:\DOCUME~1\PPSO88\LOCALS~1\Temp\uwtyrpod.sys


    Ran it again and got the same error after about two hours of running, but at the time of the blue screen no other items were added to the log.


    ---- System - GMER 1.0.15 ----

    SSDT F7B8C514 ZwCreateThread
    SSDT F7B8C500 ZwOpenProcess
    SSDT F7B8C505 ZwOpenThread

    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\DRIVERS\gtipci21.sys entry point in "init" section [0xF6747A80]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Dell\OpenManage\Client\Iap.exe[200] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0153B9BB
    .text C:\Program Files\Dell\OpenManage\Client\Iap.exe[200] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0153B558
    .text C:\Program Files\Dell\OpenManage\Client\Iap.exe[200] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0153B86D
    .text C:\Program Files\Dell\OpenManage\Client\Iap.exe[200] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0153B639
    .text C:\Program Files\Dell\OpenManage\Client\Iap.exe[200] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0153B70C
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[376] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01A8B9BB
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[376] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01A8B558
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[376] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01A8B86D
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[376] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01A8B639
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[376] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01A8B70C
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[376] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1044721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Bonjour\mDNSResponder.exe[564] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 007DB9BB
    .text C:\Program Files\Bonjour\mDNSResponder.exe[564] WS2_32.dll!send 71AB4C27 5 Bytes JMP 007DB558
    .text C:\Program Files\Bonjour\mDNSResponder.exe[564] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 007DB86D
    .text C:\Program Files\Bonjour\mDNSResponder.exe[564] WS2_32.dll!recv 71AB676F 5 Bytes JMP 007DB639
    .text C:\Program Files\Bonjour\mDNSResponder.exe[564] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 007DB70C
    .text C:\WINDOWS\system32\SearchIndexer.exe[664] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
    .text C:\WINDOWS\system32\SearchIndexer.exe[664] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00AFB9BB
    .text C:\WINDOWS\system32\SearchIndexer.exe[664] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00AFB558
    .text C:\WINDOWS\system32\SearchIndexer.exe[664] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00AFB86D
    .text C:\WINDOWS\system32\SearchIndexer.exe[664] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00AFB639
    .text C:\WINDOWS\system32\SearchIndexer.exe[664] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00AFB70C
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[884] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0199B9BB
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[884] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0199B558
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[884] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0199B86D
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[884] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0199B639
    .text C:\Program Files\Avira\AntiVir Desktop\sched.exe[884] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0199B70C
    .text C:\WINDOWS\system32\winlogon.exe[1360] Secur32.dll!LsaLogonUser 77FE33F1 5 Bytes JMP 015B2946
    .text C:\WINDOWS\system32\UStorSrv.exe[2016] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00BDB9BB
    .text C:\WINDOWS\system32\UStorSrv.exe[2016] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00BDB558
    .text C:\WINDOWS\system32\UStorSrv.exe[2016] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00BDB86D
    .text C:\WINDOWS\system32\UStorSrv.exe[2016] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00BDB639
    .text C:\WINDOWS\system32\UStorSrv.exe[2016] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00BDB70C
    .text C:\WINDOWS\system32\Ati2evxx.exe[2080] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0152B9BB
    .text C:\WINDOWS\system32\Ati2evxx.exe[2080] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0152B558
    .text C:\WINDOWS\system32\Ati2evxx.exe[2080] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0152B86D
    .text C:\WINDOWS\system32\Ati2evxx.exe[2080] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0152B639
    .text C:\WINDOWS\system32\Ati2evxx.exe[2080] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0152B70C
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2216] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 019DB9BB
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2216] ws2_32.dll!send 71AB4C27 5 Bytes JMP 019DB558
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2216] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 019DB86D
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2216] ws2_32.dll!recv 71AB676F 5 Bytes JMP 019DB639
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2216] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 019DB70C
    .text C:\WINDOWS\Explorer.EXE[2320] USER32.dll!DisplayExitWindowsWarnings 7E459F91 5 Bytes JMP 00FC2758
    .text C:\WINDOWS\Explorer.EXE[2320] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 026FB9BB
    .text C:\WINDOWS\Explorer.EXE[2320] WS2_32.dll!send 71AB4C27 5 Bytes JMP 026FB558
    .text C:\WINDOWS\Explorer.EXE[2320] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 026FB86D
    .text C:\WINDOWS\Explorer.EXE[2320] WS2_32.dll!recv 71AB676F 5 Bytes JMP 026FB639
    .text C:\WINDOWS\Explorer.EXE[2320] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 026FB70C
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2708] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D7B9BB
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2708] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D7B558
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2708] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D7B86D
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2708] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D7B639
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2708] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D7B70C
    .text C:\WINDOWS\System32\alg.exe[3092] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D7B9BB
    .text C:\WINDOWS\System32\alg.exe[3092] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D7B558
    .text C:\WINDOWS\System32\alg.exe[3092] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D7B86D
    .text C:\WINDOWS\System32\alg.exe[3092] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D7B639
    .text C:\WINDOWS\System32\alg.exe[3092] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D7B70C
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3292] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EAB9BB
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3292] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EAB558
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3292] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EAB86D
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3292] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EAB639
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3292] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EAB70C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3736] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\WINDOWS\system32\wuauclt.exe[3912] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FCB9BB
    .text C:\WINDOWS\system32\wuauclt.exe[3912] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FCB558
    .text C:\WINDOWS\system32\wuauclt.exe[3912] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FCB86D
    .text C:\WINDOWS\system32\wuauclt.exe[3912] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00FCB639
    .text C:\WINDOWS\system32\wuauclt.exe[3912] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FCB70C
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3920] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E3B9BB
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3920] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E3B558
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3920] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E3B86D
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3920] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E3B639
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3920] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E3B70C

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
    AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
    AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 ssmdrv.sys (AVIRA SnapShot Driver/Avira GmbH)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 ssmdrv.sys (AVIRA SnapShot Driver/Avira GmbH)
    AttachedDevice \Driver\Tcpip \Device\Udp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
    AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp MpFirewall.sys (McAfee Personal Firewall Driver/McAfee)
    AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
    Device \FileSystem\cdudf_xp \Device\CdUdf_XP DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
    Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)
    Device B6F27D20

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome back! I hope you enjoyed your vacation. Let's get started:

    Download Bootkit Remover and save to your Desktop
    1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    3. You will see a Black screen with some data on it.
    4. Right click on the screen and click Select All.
    5. Press CTRL+C to Copy
    6. Open a Notepad and press CTRL+V to Paste.
    7. Include the report in your next post.

    I'll be checking the new logs while you do that.

    Our previous thread was http://www.techspot.com/vb/topic150294.html
    If everyone was as good as you about pasting their logs in, I could triple my speed here! Thank you.
     
  6. jpb2872

    jpb2872 TS Rookie Topic Starter Posts: 22

    Bootkit remover log

    Hope this helps and thanks again

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`03ec1000

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
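The output above points at the manual route, dumping the master boot sector with `remover.exe dump <device_name> [output_file]`. What a responder then does with that dump is compare it against what a clean disk should look like. The following is an added example, not code from this thread and not part of Bootkit Remover: given a raw 512-byte sector such as the one that dump command writes, it parses the MBR layout and flags the facts worth checking, the 55AA boot signature, the partition table, and a hash of the boot-code bytes measured against a known-good baseline. The sample MBR, its disk signature, the partition values and the baseline hash are all constructed here and are not taken from the machine in this thread.

```python
# Added example, not code from the thread or from Bootkit Remover: parse a raw
# 512-byte master boot record (e.g. the file written by "remover.exe dump") and
# flag what a responder compares against a known-good baseline.
import hashlib
import struct
from typing import Optional

MBR_SIZE = 512
CODE_LEN = 440          # bytes 0-439: boot code; 440-443: NT disk signature; 444-445: zero
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"  # bytes 510-511 of every valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Return the boot-signature check, a hash of the boot code and the partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    parts = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:  # unused slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": mbr[510:512] == BOOT_SIG,
        "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
        "code_sha256": hashlib.sha256(mbr[:CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(mbr: bytes, baseline_code_sha256: Optional[str] = None) -> list:
    """List the conditions that should stop a responder from trusting this disk's boot path."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55AA missing: sector is not a valid MBR")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition marked active")
    for p in info["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has a zero start or length")
    if baseline_code_sha256 and info["code_sha256"] != baseline_code_sha256:
        findings.append("boot code differs from baseline: inspect or restore the MBR")
    return findings


def build_sample_mbr(code: bytes) -> bytes:
    """Constructed sample: one active NTFS partition starting at LBA 63 (values are made up)."""
    code = code.ljust(CODE_LEN, b"\x00")[:CODE_LEN]
    disk_sig = struct.pack("<IH", 0xDEADBEEF, 0)  # constructed disk signature + zero pad
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        63, 156_296_322)
    mbr = code + disk_sig + entry + b"\x00" * 48 + BOOT_SIG
    assert len(mbr) == MBR_SIZE
    return mbr


# Constructed inputs: a stand-in "clean" boot code prologue and a copy whose first
# bytes were altered, standing in for a sector whose boot code no longer matches.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = parse_mbr(CLEAN_MBR)["code_sha256"]
ALTERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")

if __name__ == "__main__":
    print("clean:  ", check_mbr(CLEAN_MBR, BASELINE))
    print("altered:", check_mbr(ALTERED_MBR, BASELINE))
```

The baseline hash would normally come from a clean install of the same Windows version on the same kind of disk; a mismatch by itself does not prove infection, since OEM recovery tools and third-party boot managers legitimately write their own boot code, which is why the finding says inspect or restore rather than pronouncing on the sector. A dump that shows a clean signature and a sane partition table while the tool still reports the sector as controlled by a rootkit is also informative: it means the read is being filtered below the file-system level, and the dump should be taken from offline media rather than the running system.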
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    That was quick! I was still checking the logs. Let's start with this:
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:
      Code:
      
      @ECHO OFF
      REM Run the Bootkit Remover MBR fix on the first physical disk.
      REM remover.exe must be in the same folder as this batch file (the Desktop).
      START remover.exe fix \\.\PhysicalDrive0
      
      EXIT
      
    • Go File > Save As
    • Save as Type choose All Files
    • For File Name type fix.bat
    • Save In> choose Desktop
    • Save
    • Double click to Run fix.bat
    (You may see a black box appear; this is normal.)

    Run remover.exe again and post its output.

    Do NOT reboot computer!
     
  8. jpb2872

    jpb2872 TS Rookie Topic Starter Posts: 22

    Bootkit remover log

    OK, I copied and pasted your text into Notepad and saved it as instructed, executed it and then ran Bootkit Remover; here's the log. Let me know what's next. Thanks again for your time and help.


    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`03ec1000

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
     
  9. jpb2872

    jpb2872 TS Rookie Topic Starter Posts: 22

    No boot sector on internal hard drive

    When I got into work this morning my computer was displaying "no boot sector on internal hard drive". When I left yesterday I left the PC on; not sure why it rebooted, but now it has no boot sector. Is there a way to boot from a jump drive or CD to finish the repairs?

    OK, I ran fixmbr from an XP recovery boot disk and now I get "no bootable devices".
     
  10. jpb2872

    jpb2872 TS Rookie Topic Starter Posts: 22

    Hard Drive gone

    You can close the thread. The PC guy from work came out and said the hard drive was dead. Not sure I agree, but he took the drive to attempt to recover my files; I will keep my fingers crossed. If he can't, I will open a new thread in an attempt to recover the files myself. Thanks again.
     
  11. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Message from Bobbye:

    =================================================================

    Thank you for letting us know :)
     
Topic Status:
Not open for further replies.
