I was trying to download a photo utility the day after Christmas and downloaded an unwanted payload that infected my computer. Symptoms include erratic browser redirects, failure to lauch winupdate, webroot cannot complete a Spysweeper scan.
History of erradication: Downloaded AVG and it found a few problems and two Trojans. Still had the browser problem. Downloaded Malware product and it found a few infections. Still had the browser problem, Downloaded Spybot SD and it found a few more Trojans and infections (Java related). Still had the browser problem. Upgraded to SP3 on XP and upgraded to IE8. Still had the browser problem but now Webroot was blocking websites again. I would see a screen flicker up when I cut on networking on the system but then Webroot would start blocking the redirects. I uninstalled Webroot and reloaded it with an older version and it works better now, just isn't the new version. Webroot continues to block website, often at a very aggravating rate.
So I still have some infection. Here are the requisite dumps. the Malware MBAM scan came back clean but I left it at home. I can attach it tonight. Here are the others. BTW, the GMER scan says the webroot file is bad so I killed that process and re-ran it; the 2nd scan came back clean, with a possible rootkit trace on drive. I ran these with the network disabled to quarantine myself off the net. Notice the possible rootkit infection mentioned in the logs. I was able to disable Webroot from running but not AVG (could not kill the processes in GMER). Let me know the next step, thanks for looking at this. I got several infections over the last five years and I usually reload the OS which is a pain. I appreciate the time spent helping others on this forum.
GMER SCAN #1
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-03 21:29:10
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST96812AS rev.8.03
Running: cog1irf6.exe; Driver: C:\DOCUME~1\SASCEC~2.CHU\LOCALS~1\Temp\uwriqpog.sys
---- System - GMER 1.0.15 ----
SSDT 86F4B990 ZwAllocateVirtualMemory
SSDT 86F670A8 ZwCreateKey
SSDT 86F4BEB8 ZwCreateProcess
SSDT 86F4BE40 ZwCreateProcessEx
SSDT 86F4BC60 ZwCreateThread
SSDT 86F8A238 ZwDeleteKey
SSDT 86F4BF30 ZwDeleteValueKey
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA9F2A6C0]
SSDT 86F4BA08 ZwQueueApcThread
SSDT 86F89020 ZwReadVirtualMemory
SSDT 86F8A1C0 ZwRenameKey
SSDT 86F4BAF8 ZwSetContextThread
SSDT 86F8A148 ZwSetInformationKey
SSDT 86F4BD50 ZwSetInformationProcess
SSDT 86F4BB70 ZwSetInformationThread
SSDT 86F4BFA8 ZwSetValueKey
SSDT 86F4BCD8 ZwSuspendProcess
SSDT 86F4BA80 ZwSuspendThread
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA9F2A770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA9F2A810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA9F2A8B0]
Code B462B339 KeFindConfigurationNextEntry
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D8000A
.text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D9000A
.text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D7000C
.text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00FA000A
.text C:\WINDOWS\System32\svchost.exe[1272] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00EA000A
.text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E2000A
.text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E3000A
.text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C3000C
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
Device \Driver\Tcpip \Device\Ip 86BC7E90
Device \Driver\Tcpip \Device\Ip 856D92F8
Device \Driver\Tcpip \Device\Ip 86C08A38
Device \Driver\Tcpip \Device\Ip 86F6E188
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
Device \Driver\Tcpip \Device\Tcp 86BC7E90
Device \Driver\Tcpip \Device\Tcp 856D92F8
Device \Driver\Tcpip \Device\Tcp 86C08A38
Device \Driver\Tcpip \Device\Tcp 86F6E188
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Udp 86BC7E90
Device \Driver\Tcpip \Device\Udp 856D92F8
Device \Driver\Tcpip \Device\Udp 86C08A38
Device \Driver\Tcpip \Device\Udp 86F6E188
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\RawIp 86BC7E90
Device \Driver\Tcpip \Device\RawIp 856D92F8
Device \Driver\Tcpip \Device\RawIp 86C08A38
Device \Driver\Tcpip \Device\RawIp 86F6E188
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST 86BC7E90
Device \Driver\Tcpip \Device\IPMULTICAST 856D92F8
Device \Driver\Tcpip \Device\IPMULTICAST 86C08A38
Device \Driver\Tcpip \Device\IPMULTICAST 86F6E188
AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST96812AS_______________________________8.03____#5&19c84639&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Processes - GMER 1.0.15 ----
Process C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe (*** hidden *** ) 1872
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
---- EOF - GMER 1.0.15 ----
=================================================================
Just for grins I ran the MBR.exe and here is the dump:
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST96812AS rev.8.03 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST96812AS_______________________________8.03____#5&19c84639&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F0539B
user & kernel MBR OK
==============================================================
----------------------------------------------------------------------------------------------------
DDS (Ver_10-12-12.02) - NTFSx86
Run by sascec at 21:57:37.26 on Mon 01/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.532 [GMT -5:00]
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Webroot AntiVirus with AntiSpyware *Disabled/Updated* {B3891867-7230-459B-9987-E7CCFA7A7D1D}
FW: Webroot Internet Security Essentials *Disabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
G:\cog1irf6.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
G:\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxdev.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\sascec~2.chu\applic~1\mozilla\firefox\profiles\mo3wkrtg.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: d:\program files\videolan\vlc\npvlc.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
============= SERVICES / DRIVERS ===============
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2010-1-13 4064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-5-7 92008]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-13 110592]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
S2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2008-11-12 3667312]
S2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2011-1-2 1086840]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-12-29 11520]
=============== Created Last 30 ================
2011-01-04 00:33:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-04 00:32:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-04 00:32:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-03 01:09:57 1553272 ----a-w- c:\windows\WRSetup.dll
2011-01-03 01:09:57 -------- d-----w- c:\docume~1\sascec~2.chu\applic~1\Webroot
2011-01-03 01:09:57 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\Webroot
2010-12-31 14:37:10 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\WD_SmartWareCommon
2010-12-30 15:35:46 -------- d-----w- c:\docume~1\sascec~2.chu\applic~1\Malwarebytes
2010-12-30 15:29:50 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\Malwarebytes
2010-12-30 15:09:14 -------- d-sh--w- c:\documents and settings\sascec.chucklap\IECompatCache
2010-12-30 15:06:17 -------- d-sh--w- c:\documents and settings\sascec.chucklap\PrivacIE
2010-12-30 15:02:09 -------- d-sh--w- c:\documents and settings\sascec.chucklap\IETldCache
2010-12-30 14:49:28 -------- dc-h--w- c:\windows\ie8
2010-12-30 03:13:13 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-12-30 03:13:13 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-12-30 03:11:59 9216 ------w- c:\windows\system32\dot3dlg.dll
2010-12-30 03:10:58 32866 ------w- c:\windows\slrundll.exe
2010-12-30 03:10:51 -------- d-----w- c:\windows\system32\scripting
2010-12-30 03:10:49 -------- d-----w- c:\windows\l2schemas
2010-12-30 03:10:43 -------- d-----w- c:\windows\system32\en
2010-12-30 03:10:42 -------- d-----w- c:\windows\system32\bits
2010-12-30 02:52:10 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2010-12-30 02:42:59 18944 ------w- c:\windows\system32\drivers\bthusb.sys
2010-12-29 20:02:15 -------- d-----w- c:\docume~1\sascec~2.chu\locals~1\applic~1\Western_Digital
2010-12-29 20:00:52 -------- d-----w- c:\docume~1\sascec~2.chu\applic~1\Western Digital
2010-12-29 20:00:39 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\Western Digital
2010-12-29 19:59:58 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2010-12-29 19:58:42 -------- d-----w- c:\program files\Western Digital
2010-12-29 00:49:25 -------- d-----w- c:\docume~1\sascec~2.chu\locals~1\applic~1\Western Digital
2010-12-29 00:33:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-29 00:33:57 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\Spybot - Search & Destroy
2010-12-28 20:08:09 -------- d--h--w- C:\$AVG
2010-12-28 19:47:15 -------- d-----w- c:\docume~1\sascec~2.chu\applic~1\AVG10
2010-12-28 19:45:52 -------- d--h--w- c:\docume~1\alluse~2.win\applic~1\Common Files
2010-12-28 19:43:49 -------- d-----w- c:\windows\system32\drivers\AVG
2010-12-28 19:43:49 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\AVG10
2010-12-28 19:43:13 -------- d-----w- c:\program files\AVG
2010-12-28 19:21:19 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\MFAData
2010-12-08 09:12:38 251728 ----a-w- c:\windows\system32\drivers\avgldx86.sys
==================== Find3M ====================
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST96812AS rev.8.03 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F05555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f0b7b0]; MOV EAX, [0x86f0b82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86F81AB8]
3 CLASSPNP[0xF757DFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86ECE680]
\Driver\atapi[0x86F41B18] -> IRP_MJ_CREATE -> 0x86F05555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST96812AS_______________________________8.03____#5&19c84639&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F0539B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
============= FINISH: 22:00:12.75 ===============
===============================================================
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-12-12.02)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 10/21/2009 8:31:48 PM
System Uptime: 1/3/2011 8:22:31 PM (2 hours ago)
Motherboard: Dell Inc. | | 0KD882
Processor: Genuine Intel(R) CPU T2050 @ 1.60GHz | Microprocessor | 1596/133mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 39 GiB total, 7.859 GiB free.
D: is FIXED (NTFS) - 12 GiB total, 2.555 GiB free.
F: is CDROM ()
G: is FIXED (FAT) - 0 GiB total, 0.051 GiB free.
==== Disabled Device Manager Items =============
Class GUID:
Description: Modem Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&2973568E&0&0102
Manufacturer:
Name: Modem Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&2973568E&0&0102
Service:
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/Wireless 3945ABG Network Connection
Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10208086&REV_02\4&6C79FC5&0&00E0
Manufacturer: Intel Corporation
Name: Intel(R) PRO/Wireless 3945ABG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10208086&REV_02\4&6C79FC5&0&00E0
Service: NETw4x32
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01AF1028&REV_02\4&2FE911E8&0&00F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01AF1028&REV_02\4&2FE911E8&0&00F0
Service:
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01BD1028&REV_01\4&2FE911E8&0&0AF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01BD1028&REV_01\4&2FE911E8&0&0AF0
Service:
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01BD1028&REV_0A\4&2FE911E8&0&0BF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01BD1028&REV_0A\4&2FE911E8&0&0BF0
Service:
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_01BD1028&REV_05\4&2FE911E8&0&0CF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_01BD1028&REV_05\4&2FE911E8&0&0CF0
Service:
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_01BD1028&REV_01\3&61AAA01&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_01BD1028&REV_01\3&61AAA01&0&FB
Service:
==== System Restore Points ===================
RP1: 1/2/2011 7:27:49 PM - System Checkpoint
==== Installed Programs ======================
ACD PhotoStitcher
ACDSee 3.1 (SR-1)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Type Manager 4.0
Apple Software Update
AVG 2011
Broadcom 440x 10/100 Integrated Controller
Dell ResourceCD
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 16
Juniper Networks Setup Client
Juniper Networks Setup Client Activex Control
Juniper Terminal Services Client
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Silverlight
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 6 Service Pack 2 (KB973686)
PCFriendly
PHOTOfunSTUDIO 4.0 HD Edition
Picasa 3
PowerDVD
QuickTime
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio MyDVD DE
Roxio Update Manager
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB982381)
SigmaTel Audio
SILKYPIX Developer Studio 3.0 SE
Sonic Activation Module
Spy Sweeper
Spy Sweeper Core
Spybot - Search & Destroy
TomTom HOME 2.7.4.1962
TomTom HOME Visual Studio Merge Modules
Try Corel Snapfire muvee autoProducer add on
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
VLC media player 1.1.4
WD SmartWare
WebFldrs XP
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR archiver
==== Event Viewer Messages From Past Week ========
12/31/2010 9:31:32 AM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the file specified.
12/30/2010 9:49:04 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
12/30/2010 9:49:04 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Cryptographic Services service, but this action failed with the following error: An instance of the service is already running.
12/30/2010 7:36:15 AM, error: Service Control Manager [7022] - The Windows Firewall/Internet Connection Sharing (ICS) service hung on starting.
12/29/2010 8:06:05 PM, error: Service Control Manager [7034] - The WD SmartWare Drive Manager service terminated unexpectedly. It has done this 1 time(s).
12/29/2010 8:06:00 PM, error: Service Control Manager [7034] - The WD SmartWare Background Service service terminated unexpectedly. It has done this 1 time(s).
12/29/2010 8:04:39 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
12/29/2010 7:40:32 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {9B1F122C-2982-4E91-AA8B-E071D54F2A4D}
12/29/2010 3:57:59 PM, error: Service Control Manager [7034] - The B's Recorder GOLD Library General Service service terminated unexpectedly. It has done this 1 time(s).
12/29/2010 2:49:32 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
12/29/2010 2:47:16 PM, error: Dhcp [1002] - The IP address lease 192.168.2.4 for the Network Card with network address 001302BB980B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
12/28/2010 9:59:10 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/28/2010 9:51:47 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
12/28/2010 8:40:17 PM, error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 2 time(s).
12/28/2010 7:50:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
12/28/2010 7:09:42 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
12/28/2010 6:41:15 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ATMhelpr Avgldx86 Avgmfx86 Fips intelppm OMCI
12/28/2010 6:40:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/28/2010 5:35:30 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
12/28/2010 5:35:00 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/28/2010 2:43:42 PM, information: Windows File Protection [64004] - The protected system file dbghelp.dll could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.2180 The specific error code is 0x00000490 [Element not found. ].
12/28/2010 12:34:09 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
12/28/2010 11:58:33 AM, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).
12/28/2010 11:27:54 AM, error: ATMhelpr [43] -
12/28/2010 1:58:38 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Themes service to connect.
12/28/2010 1:58:38 PM, error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/28/2010 1:52:39 PM, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
12/28/2010 1:52:26 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/28/2010 1:51:55 PM, error: Service Control Manager [7034] - The ProtexisLicensing service terminated unexpectedly. It has done this 1 time(s).
12/28/2010 1:51:47 PM, error: Service Control Manager [7034] - The Webroot Client Service service terminated unexpectedly. It has done this 1 time(s).
12/28/2010 1:28:03 PM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 001302BB980B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
12/27/2010 8:50:44 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'admparse.dll' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
12/27/2010 3:42:02 PM, error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 1 time(s).
1/3/2011 9:32:00 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
1/3/2011 9:13:47 PM, error: Service Control Manager [7034] - The AVGIDSAgent service terminated unexpectedly. It has done this 1 time(s).
1/3/2011 9:13:41 PM, error: Service Control Manager [7031] - The AVG WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
1/3/2011 7:24:42 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'desktop.ini' on the volume 'HarddiskVolume6'. It has stopped monitoring the volume.
1/3/2011 5:29:32 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
1/1/2011 9:38:25 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ATMhelpr Avgldx86 Avgmfx86 Avgtdix Fips intelppm IPSec MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss Tcpip
1/1/2011 9:38:25 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
1/1/2011 9:38:25 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/1/2011 9:38:25 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/1/2011 9:38:25 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
==== End Of File ===========================
History of erradication: Downloaded AVG and it found a few problems and two Trojans. Still had the browser problem. Downloaded Malware product and it found a few infections. Still had the browser problem, Downloaded Spybot SD and it found a few more Trojans and infections (Java related). Still had the browser problem. Upgraded to SP3 on XP and upgraded to IE8. Still had the browser problem but now Webroot was blocking websites again. I would see a screen flicker up when I cut on networking on the system but then Webroot would start blocking the redirects. I uninstalled Webroot and reloaded it with an older version and it works better now, just isn't the new version. Webroot continues to block website, often at a very aggravating rate.
So I still have some infection. Here are the requisite dumps. the Malware MBAM scan came back clean but I left it at home. I can attach it tonight. Here are the others. BTW, the GMER scan says the webroot file is bad so I killed that process and re-ran it; the 2nd scan came back clean, with a possible rootkit trace on drive. I ran these with the network disabled to quarantine myself off the net. Notice the possible rootkit infection mentioned in the logs. I was able to disable Webroot from running but not AVG (could not kill the processes in GMER). Let me know the next step, thanks for looking at this. I got several infections over the last five years and I usually reload the OS which is a pain. I appreciate the time spent helping others on this forum.
GMER SCAN #1
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-03 21:29:10
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST96812AS rev.8.03
Running: cog1irf6.exe; Driver: C:\DOCUME~1\SASCEC~2.CHU\LOCALS~1\Temp\uwriqpog.sys
---- System - GMER 1.0.15 ----
SSDT 86F4B990 ZwAllocateVirtualMemory
SSDT 86F670A8 ZwCreateKey
SSDT 86F4BEB8 ZwCreateProcess
SSDT 86F4BE40 ZwCreateProcessEx
SSDT 86F4BC60 ZwCreateThread
SSDT 86F8A238 ZwDeleteKey
SSDT 86F4BF30 ZwDeleteValueKey
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA9F2A6C0]
SSDT 86F4BA08 ZwQueueApcThread
SSDT 86F89020 ZwReadVirtualMemory
SSDT 86F8A1C0 ZwRenameKey
SSDT 86F4BAF8 ZwSetContextThread
SSDT 86F8A148 ZwSetInformationKey
SSDT 86F4BD50 ZwSetInformationProcess
SSDT 86F4BB70 ZwSetInformationThread
SSDT 86F4BFA8 ZwSetValueKey
SSDT 86F4BCD8 ZwSuspendProcess
SSDT 86F4BA80 ZwSuspendThread
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA9F2A770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA9F2A810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA9F2A8B0]
Code B462B339 KeFindConfigurationNextEntry
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D8000A
.text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D9000A
.text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D7000C
.text C:\WINDOWS\System32\svchost.exe[1272] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00FA000A
.text C:\WINDOWS\System32\svchost.exe[1272] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00EA000A
.text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E2000A
.text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E3000A
.text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C3000C
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 86F89FA8
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 86F89EB0
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
Device \Driver\Tcpip \Device\Ip 86BC7E90
Device \Driver\Tcpip \Device\Ip 856D92F8
Device \Driver\Tcpip \Device\Ip 86C08A38
Device \Driver\Tcpip \Device\Ip 86F6E188
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)
Device \Driver\Tcpip \Device\Tcp 86BC7E90
Device \Driver\Tcpip \Device\Tcp 856D92F8
Device \Driver\Tcpip \Device\Tcp 86C08A38
Device \Driver\Tcpip \Device\Tcp 86F6E188
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\Udp 86BC7E90
Device \Driver\Tcpip \Device\Udp 856D92F8
Device \Driver\Tcpip \Device\Udp 86C08A38
Device \Driver\Tcpip \Device\Udp 86F6E188
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\RawIp 86BC7E90
Device \Driver\Tcpip \Device\RawIp 856D92F8
Device \Driver\Tcpip \Device\RawIp 86C08A38
Device \Driver\Tcpip \Device\RawIp 86F6E188
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\IPMULTICAST 86BC7E90
Device \Driver\Tcpip \Device\IPMULTICAST 856D92F8
Device \Driver\Tcpip \Device\IPMULTICAST 86C08A38
Device \Driver\Tcpip \Device\IPMULTICAST 86F6E188
AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST96812AS_______________________________8.03____#5&19c84639&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Processes - GMER 1.0.15 ----
Process C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe (*** hidden *** ) 1872
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
---- EOF - GMER 1.0.15 ----
=================================================================
Just for grins I ran the MBR.exe and here is the dump:
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST96812AS rev.8.03 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST96812AS_______________________________8.03____#5&19c84639&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F0539B
user & kernel MBR OK
==============================================================
----------------------------------------------------------------------------------------------------
DDS (Ver_10-12-12.02) - NTFSx86
Run by sascec at 21:57:37.26 on Mon 01/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.532 [GMT -5:00]
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Webroot AntiVirus with AntiSpyware *Disabled/Updated* {B3891867-7230-459B-9987-E7CCFA7A7D1D}
FW: Webroot Internet Security Essentials *Disabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
G:\cog1irf6.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
G:\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~2.win\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxdev.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\sascec~2.chu\applic~1\mozilla\firefox\profiles\mo3wkrtg.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: d:\program files\videolan\vlc\npvlc.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
============= SERVICES / DRIVERS ===============
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2010-1-13 4064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-5-7 92008]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-13 110592]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
S2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2008-11-12 3667312]
S2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2011-1-2 1086840]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-12-29 11520]
=============== Created Last 30 ================
2011-01-04 00:33:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-04 00:32:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-04 00:32:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-03 01:09:57 1553272 ----a-w- c:\windows\WRSetup.dll
2011-01-03 01:09:57 -------- d-----w- c:\docume~1\sascec~2.chu\applic~1\Webroot
2011-01-03 01:09:57 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\Webroot
2010-12-31 14:37:10 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\WD_SmartWareCommon
2010-12-30 15:35:46 -------- d-----w- c:\docume~1\sascec~2.chu\applic~1\Malwarebytes
2010-12-30 15:29:50 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\Malwarebytes
2010-12-30 15:09:14 -------- d-sh--w- c:\documents and settings\sascec.chucklap\IECompatCache
2010-12-30 15:06:17 -------- d-sh--w- c:\documents and settings\sascec.chucklap\PrivacIE
2010-12-30 15:02:09 -------- d-sh--w- c:\documents and settings\sascec.chucklap\IETldCache
2010-12-30 14:49:28 -------- dc-h--w- c:\windows\ie8
2010-12-30 03:13:13 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-12-30 03:13:13 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-12-30 03:11:59 9216 ------w- c:\windows\system32\dot3dlg.dll
2010-12-30 03:10:58 32866 ------w- c:\windows\slrundll.exe
2010-12-30 03:10:51 -------- d-----w- c:\windows\system32\scripting
2010-12-30 03:10:49 -------- d-----w- c:\windows\l2schemas
2010-12-30 03:10:43 -------- d-----w- c:\windows\system32\en
2010-12-30 03:10:42 -------- d-----w- c:\windows\system32\bits
2010-12-30 02:52:10 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2010-12-30 02:42:59 18944 ------w- c:\windows\system32\drivers\bthusb.sys
2010-12-29 20:02:15 -------- d-----w- c:\docume~1\sascec~2.chu\locals~1\applic~1\Western_Digital
2010-12-29 20:00:52 -------- d-----w- c:\docume~1\sascec~2.chu\applic~1\Western Digital
2010-12-29 20:00:39 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\Western Digital
2010-12-29 19:59:58 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2010-12-29 19:58:42 -------- d-----w- c:\program files\Western Digital
2010-12-29 00:49:25 -------- d-----w- c:\docume~1\sascec~2.chu\locals~1\applic~1\Western Digital
2010-12-29 00:33:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-29 00:33:57 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\Spybot - Search & Destroy
2010-12-28 20:08:09 -------- d--h--w- C:\$AVG
2010-12-28 19:47:15 -------- d-----w- c:\docume~1\sascec~2.chu\applic~1\AVG10
2010-12-28 19:45:52 -------- d--h--w- c:\docume~1\alluse~2.win\applic~1\Common Files
2010-12-28 19:43:49 -------- d-----w- c:\windows\system32\drivers\AVG
2010-12-28 19:43:49 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\AVG10
2010-12-28 19:43:13 -------- d-----w- c:\program files\AVG
2010-12-28 19:21:19 -------- d-----w- c:\docume~1\alluse~2.win\applic~1\MFAData
2010-12-08 09:12:38 251728 ----a-w- c:\windows\system32\drivers\avgldx86.sys
==================== Find3M ====================
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST96812AS rev.8.03 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86F05555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f0b7b0]; MOV EAX, [0x86f0b82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86F81AB8]
3 CLASSPNP[0xF757DFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86ECE680]
\Driver\atapi[0x86F41B18] -> IRP_MJ_CREATE -> 0x86F05555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST96812AS_______________________________8.03____#5&19c84639&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F0539B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
============= FINISH: 22:00:12.75 ===============
===============================================================
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-12-12.02)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 10/21/2009 8:31:48 PM
System Uptime: 1/3/2011 8:22:31 PM (2 hours ago)
Motherboard: Dell Inc. | | 0KD882
Processor: Genuine Intel(R) CPU T2050 @ 1.60GHz | Microprocessor | 1596/133mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 39 GiB total, 7.859 GiB free.
D: is FIXED (NTFS) - 12 GiB total, 2.555 GiB free.
F: is CDROM ()
G: is FIXED (FAT) - 0 GiB total, 0.051 GiB free.
==== Disabled Device Manager Items =============
Class GUID:
Description: Modem Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&2973568E&0&0102
Manufacturer:
Name: Modem Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_14F100C3&REV_0900\4&2973568E&0&0102
Service:
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/Wireless 3945ABG Network Connection
Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10208086&REV_02\4&6C79FC5&0&00E0
Manufacturer: Intel Corporation
Name: Intel(R) PRO/Wireless 3945ABG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10208086&REV_02\4&6C79FC5&0&00E0
Service: NETw4x32
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01AF1028&REV_02\4&2FE911E8&0&00F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01AF1028&REV_02\4&2FE911E8&0&00F0
Service:
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01BD1028&REV_01\4&2FE911E8&0&0AF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01BD1028&REV_01\4&2FE911E8&0&0AF0
Service:
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01BD1028&REV_0A\4&2FE911E8&0&0BF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01BD1028&REV_0A\4&2FE911E8&0&0BF0
Service:
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_01BD1028&REV_05\4&2FE911E8&0&0CF0
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_01BD1028&REV_05\4&2FE911E8&0&0CF0
Service:
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_01BD1028&REV_01\3&61AAA01&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_01BD1028&REV_01\3&61AAA01&0&FB
Service:
==== System Restore Points ===================
RP1: 1/2/2011 7:27:49 PM - System Checkpoint
==== Installed Programs ======================
ACD PhotoStitcher
ACDSee 3.1 (SR-1)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Type Manager 4.0
Apple Software Update
AVG 2011
Broadcom 440x 10/100 Integrated Controller
Dell ResourceCD
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 16
Juniper Networks Setup Client
Juniper Networks Setup Client Activex Control
Juniper Terminal Services Client
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Silverlight
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 6 Service Pack 2 (KB973686)
PCFriendly
PHOTOfunSTUDIO 4.0 HD Edition
Picasa 3
PowerDVD
QuickTime
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio MyDVD DE
Roxio Update Manager
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB982381)
SigmaTel Audio
SILKYPIX Developer Studio 3.0 SE
Sonic Activation Module
Spy Sweeper
Spy Sweeper Core
Spybot - Search & Destroy
TomTom HOME 2.7.4.1962
TomTom HOME Visual Studio Merge Modules
Try Corel Snapfire muvee autoProducer add on
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
VLC media player 1.1.4
WD SmartWare
WebFldrs XP
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR archiver
==== Event Viewer Messages From Past Week ========
12/31/2010 9:31:32 AM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The system cannot find the file specified.
12/30/2010 9:49:04 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
12/30/2010 9:49:04 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Cryptographic Services service, but this action failed with the following error: An instance of the service is already running.
12/30/2010 7:36:15 AM, error: Service Control Manager [7022] - The Windows Firewall/Internet Connection Sharing (ICS) service hung on starting.
12/29/2010 8:06:05 PM, error: Service Control Manager [7034] - The WD SmartWare Drive Manager service terminated unexpectedly. It has done this 1 time(s).
12/29/2010 8:06:00 PM, error: Service Control Manager [7034] - The WD SmartWare Background Service service terminated unexpectedly. It has done this 1 time(s).
12/29/2010 8:04:39 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
12/29/2010 7:40:32 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {9B1F122C-2982-4E91-AA8B-E071D54F2A4D}
12/29/2010 3:57:59 PM, error: Service Control Manager [7034] - The B's Recorder GOLD Library General Service service terminated unexpectedly. It has done this 1 time(s).
12/29/2010 2:49:32 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
12/29/2010 2:47:16 PM, error: Dhcp [1002] - The IP address lease 192.168.2.4 for the Network Card with network address 001302BB980B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
12/28/2010 9:59:10 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/28/2010 9:51:47 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
12/28/2010 8:40:17 PM, error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 2 time(s).
12/28/2010 7:50:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
12/28/2010 7:09:42 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
12/28/2010 6:41:15 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ATMhelpr Avgldx86 Avgmfx86 Fips intelppm OMCI
12/28/2010 6:40:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/28/2010 5:35:30 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
12/28/2010 5:35:00 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/28/2010 2:43:42 PM, information: Windows File Protection [64004] - The protected system file dbghelp.dll could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.2180 The specific error code is 0x00000490 [Element not found. ].
12/28/2010 12:34:09 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
12/28/2010 11:58:33 AM, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).
12/28/2010 11:27:54 AM, error: ATMhelpr [43] -
12/28/2010 1:58:38 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Themes service to connect.
12/28/2010 1:58:38 PM, error: Service Control Manager [7000] - The Themes service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/28/2010 1:52:39 PM, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
12/28/2010 1:52:26 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/28/2010 1:51:55 PM, error: Service Control Manager [7034] - The ProtexisLicensing service terminated unexpectedly. It has done this 1 time(s).
12/28/2010 1:51:47 PM, error: Service Control Manager [7034] - The Webroot Client Service service terminated unexpectedly. It has done this 1 time(s).
12/28/2010 1:28:03 PM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 001302BB980B has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
12/27/2010 8:50:44 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'admparse.dll' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
12/27/2010 3:42:02 PM, error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 1 time(s).
1/3/2011 9:32:00 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
1/3/2011 9:13:47 PM, error: Service Control Manager [7034] - The AVGIDSAgent service terminated unexpectedly. It has done this 1 time(s).
1/3/2011 9:13:41 PM, error: Service Control Manager [7031] - The AVG WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
1/3/2011 7:24:42 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'desktop.ini' on the volume 'HarddiskVolume6'. It has stopped monitoring the volume.
1/3/2011 5:29:32 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
1/1/2011 9:38:25 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ATMhelpr Avgldx86 Avgmfx86 Avgtdix Fips intelppm IPSec MRxSmb NetBIOS NetBT OMCI RasAcd Rdbss Tcpip
1/1/2011 9:38:25 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
1/1/2011 9:38:25 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/1/2011 9:38:25 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/1/2011 9:38:25 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
==== End Of File ===========================