Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Malware? Virus?

  • This topic is locked This topic is locked
2 replies to this topic

#1 bubbatdog


  • Members
  • 3 posts
  • Local time:04:39 AM

Posted 17 June 2008 - 05:51 AM

This blue screen comes up when I try to run any Spyware detection or virus protection. "Driver Has Overrun a Stack Based Buffer" The only drivers that have been installed on my computer are for a Canon printer. I have since deleted those drivers. Also when I get google results, it sends redirects me to hrena.com and other pop up sites. Have run CA virus and spyware. Have run Spybot. . Will attach hijack this log. Now running avg, and it tells me that I have a trojan. Everytime I try to scan, I get the blue screen again.

Kaspersky told me there was no Malware.

Same things happen in safe mode.

Here is my DSS Log

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-17 05:43:52
Computer is in Normal Mode.

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
6: 2008-06-17 10:44:22 UTC - RP6 - Deckard's System Scanner Restore Point
5: 2008-06-17 02:50:26 UTC - RP5 - Installed AVG Free 8.0
4: 2008-06-16 23:30:30 UTC - RP4 - Removed InstallShield Restore Point
3: 2008-06-16 11:39:07 UTC - RP3 - Removed Symantec AntiVirus
2: 2008-06-16 11:37:55 UTC - RP2 - Removed Symantec AntiVirus

-- First Restore Point --
1: 2008-06-16 11:28:43 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-17 05:47:12
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\AVG\AVG8\avgemc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: 162123 helper - {95667A7A-03B3-4EE0-91AE-A4DE74D25729} - C:\WINDOWS\system32\162123\162123.dll (file missing)
O2 - BHO: (no name) - {99BA268B-4021-4739-9945-3C774217FE75} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141742572750
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\Software\..\Telephony: DomainName = ACCODOM.COM
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = ACCODOM.COM
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = ACCODOM.COM
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: chaplin - {257f6f44-2c64-46bb-acb4-55f9b9e0ae08} - C:\WINDOWS\system32\psqnuvo.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\SYSTEM32\ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\SYSTEM32\BAsfIpM.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: Inter-Tel Collaboration Remote Client (LkWebLink) - Inter-Tel (Delaware), Inc - C:\Documents and Settings\acco.ACCODOM\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe

End of file - 7120 bytes

-- HijackThis Fixed Entries (E:\\backups\) -------------------------------------

backup-20080616-203608-657 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
backup-20080616-203608-886 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
backup-20080616-203609-550 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
backup-20080616-203609-227 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.1.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>

S1 tdidrv32.sys - c:\windows\system32\tdidrv32.sys (file missing)
S3 BW2NDIS5 - c:\windows\system32\drivers\bw2ndis5.sys (file missing)
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BAsfIpM (Broadcom ASF IP monitoring service v6.0.4) - c:\windows\system32\basfipm.exe <Not Verified; Broadcom Corp.; Broadcom ASF IP monitoring service>
R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 WLANKEEPER - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSOFSet Service>

S4 LkWebLink (Inter-Tel Collaboration Remote Client) - "c:\documents and settings\acco.accodom\my documents\inter-tel\collaboration client 2.0\lkweblink.exe" -service <Not Verified; Inter-Tel (Delaware), Inc; Inter-Tel Remote Client>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Files created between 2008-05-17 and 2008-06-17 -----------------------------

2008-06-16 23:24:02 0 d--h----- C:\$AVG8.VAULT$
2008-06-16 21:50:56 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-16 21:50:30 0 d-------- C:\Program Files\AVG
2008-06-16 21:50:27 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-16 21:41:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-06-16 20:17:15 0 d-------- C:\VundoFix Backups
2008-06-16 18:34:47 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-06-16 06:43:18 0 d-------- C:\Documents and Settings\acco.ACCODOM\Application Data\GetRightToGo
2008-06-13 08:09:02 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-13 08:08:10 0 d-------- C:\WINDOWS\system32\162123
2008-06-11 09:05:54 0 d-------- C:\Program Files\Aurora
2008-06-08 19:29:32 0 d-------- C:\Documents and Settings\acco.ACCODOM\Application Data\Fantasy Baseball
2008-05-18 09:34:57 0 d-------- C:\Documents and Settings\acco.ACCODOM\Application Data\Macromedia

-- Find3M Report ---------------------------------------------------------------

2008-06-16 20:59:44 0 d-------- C:\Program Files\Common Files
2008-06-16 20:59:43 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-16 18:34:43 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-16 06:40:26 0 d-------- C:\Program Files\Symantec AntiVirus
2008-06-13 12:29:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-15 12:09:47 0 d-------- C:\Program Files\Common Files\Adobe

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95667A7A-03B3-4EE0-91AE-A4DE74D25729}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99BA268B-4021-4739-9945-3C774217FE75}]
C:\Program Files\NetProject\sbmdl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
06/16/2008 09:50 PM 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [06/16/2008 09:50 PM 2050816]


"Apoint"="C:\Program Files\Apoint\Apoint.exe" [09/13/2004 11:33 AM]
"@"="" []
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [10/30/2004 02:59 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 02:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 02:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 02:50 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [05/12/2005 08:00 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/16/2008 09:50 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
DESKTOP.INI [8/11/2004 5:15:06 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [8/11/2004 5:15:06 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [12/17/2002 5:23:32 PM]

"{257f6f44-2c64-46bb-acb4-55f9b9e0ae08}"= C:\WINDOWS\system32\psqnuvo.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 09/07/2004 04:08 PM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]


-- End of Deckard's System Scanner: finished at 2008-06-17 05:48:07 ------------

BC AdBot (Login to Remove)


#2 suebaby41


    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:05:39 AM

Posted 08 July 2008 - 11:15 AM

Welcome to the BleepingComputer Forums. Since it has been a few days, please post a new Deckard's System Scanner which includes the HijackThis log. Please see Preparation Guide for use before posting about your potential Malware problem. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41


    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:05:39 AM

Posted 17 July 2008 - 02:34 PM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users