
I was infected...now clean (I think), but my computer crashes shortly after boot

  • This topic is locked
36 replies to this topic

#1 ijcrz


  • Members
  • 20 posts

Posted 24 April 2009 - 07:48 PM

I recently discovered that my computer was infected with a multitude of trojans and malware. I think this was mostly due to my daughter downloading from Limewire without my knowledge. My antivirus and firewall were disabled by these malware and viruses also. There were over 30 infections, mostly trojans. I ran several programs to help me remove these infections. They were Malwarebytes, Spybot Search and Destroy, Ad-Aware SE, Spysweeper, Sophos AV, FixLG, FixVmonde, Vundofix, Windows Defender, and Combofix (on the advice of my local computer shop). Malwarebytes, Spybot, Ad-Aware, and Spysweeper seem to have discovered and eliminated all infections.

Now I don't detect any viruses or malware, but my computer gets locked up shortly after boot up. I have noticed that it seems to be related to my antivirus, but I could be wrong. Sophos AV will update at boot, and for some reason it seems to get in a loop updating, causing the computer to lock up and become unusable. I have to do a hard restart in order to reboot. This happens about every other time I boot up.

Some other tidbits: I installed IE8 as I thought that maybe the browser had something to do with it. Then I reinstalled the antivirus. It is better than before but still very frustrating. I think that the viruses may have done some damage to the startup or computer in general that I don't know how to fix. I am not an IT guy; everything I have done has been from research on the web and advice from my local computer repair shop. Please help.


#2 KoanYorel


    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 06 May 2009 - 07:45 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 ijcrz

  • Topic Starter

  • Members
  • 20 posts

Posted 07 May 2009 - 05:43 PM

I have gotten my computer to stop crashing by disabling Spysweeper at startup and starting it manually after startup. Not ideal, but it works for now. Also, the startup is very slow, not sure why.

Here is the new DDS:

DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Administrator at 18:32:48.01 on Thu 05/07/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1321 [GMT -4:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Maxtor\ManagerApp\OneTouch.exe
C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
C:\Program Files\iTunes\Moms Music\iTunesHelper.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\webhelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [WMPNSCFG] "c:\program files\windows media player\WMPNSCFG.exe"
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [RTHDCPL] "c:\windows\RTHDCPL.EXE"
mRun: [AlwaysReady Power Message APP] "c:\windows\ARPWRMSG.EXE"
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "c:\windows\system32\nwiz.exe" /install
mRun: [HPHUPD08] "c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe"
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] "c:\windows\sminst\RECGUARD.EXE"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [HPDJ Taskbar Utility] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe"
mRun: [HPHmon04] "c:\windows\system32\hphmon04.exe"
mRun: [HPHUPD04] "c:\program files\hp photosmart 11\hphinstall\unipatch\hphupd04.exe"
mRun: [Share-to-Web Namespace Daemon] "c:\program files\hp\hp share-to-web\hpgs2wnd.exe"
mRun: [KBD] "c:\hp\kbd\KBD.EXE"
mRun: [SW20] "c:\windows\system32\sw20.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [MaxtorOneTouch] "c:\program files\maxtor\managerapp\OneTouch.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [NvMediaCenter] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SSP Notifier] "c:\program files\fisher-price\fp3 player\sspnotifier.exe"
mRun: [Ad-Watch] "c:\program files\lavasoft\ad-aware\AAWTray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\moms music\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {03177121-226B-11D4-B0BE-005004AD3039} - hxxp://members17.clubphoto.com/_img/uploader/atl_uploader.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxp://oak4.vcu.edu/iNotes6W.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxp://oak4.vcu.edu/dwa7W.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://snadna.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5404/mcfscan.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\glex7ybl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\itunes\moms music\mozilla plugins\npitunes.dll
FF - HiddenExtension: XUL Cache: {63EDEB22-A795-4A19-8033-516FF569EA5C} - c:\documents and settings\hp_administrator\local settings\application data\{63EDEB22-A795-4A19-8033-516FF569EA5C}
FF - HiddenExtension: XUL Cache: {D6A559B4-4CDB-4DC7-8C1B-95AD0F83D903} - c:\documents and settings\kelsey\local settings\application data\{D6A559B4-4CDB-4DC7-8C1B-95AD0F83D903}
FF - HiddenExtension: XUL Cache: {27BFD315-F78F-4393-89DD-8E4C08029134} - c:\documents and settings\tracey\local settings\application data\{27BFD315-F78F-4393-89DD-8E4C08029134}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-2 64160]
R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys [2008-6-1 13440]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29808]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2007-4-7 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2007-4-7 38528]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-4-20 69632]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2009-4-20 98304]
R2 Sophos Agent;Sophos Agent;c:\program files\sophos\remote management system\ManagementAgentNT.exe [2009-4-20 266240]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-1-28 172032]
R2 Sophos Message Router;Sophos Message Router;c:\program files\sophos\remote management system\RouterNT.exe [2009-4-20 794624]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-4-2 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-3-24 1181040]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]

=============== Created Last 30 ================

2009-05-03 20:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-03 20:23 <DIR> --d----- c:\program files\iTunes
2009-05-03 20:22 <DIR> --d----- c:\program files\Bonjour
2009-04-20 00:35 130,104 a------- c:\windows\system32\sdccoinstaller.dll
2009-04-20 00:35 <DIR> --d----- c:\program files\common files\Cisco Systems
2009-04-20 00:35 23,552 a------- c:\windows\system32\sophosboottasks.exe
2009-04-19 23:43 552 a------- c:\windows\system32\d3d8caps.dat
2009-04-14 20:34 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-14 20:34 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-14 20:34 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-14 20:34 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-14 20:34 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-14 20:34 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 20:34 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-14 20:34 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-14 20:34 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-14 20:33 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-14 20:33 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-14 20:33 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-12 11:52 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-04-12 01:16 <DIR> --d----- c:\windows\system32\XPSViewer
2009-04-12 01:16 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-12 01:16 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-04-12 01:16 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-12 01:16 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-12 01:16 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-12 01:16 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-12 01:16 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-12 01:15 <DIR> --d----- C:\08b606fa5cb3cac927
2009-04-12 01:15 <DIR> --d----- c:\windows\SxsCaPendDel
2009-04-09 23:35 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-08 23:52 <DIR> --dsh--- c:\documents and settings\hp_administrator\PrivacIE
2009-04-07 19:30 4,196,168 a------- c:\windows\pfirewall.log.old

==================== Find3M ====================

2009-04-20 00:33 38,528 a------- c:\windows\system32\drivers\savonaccessfilter.sys
2009-04-20 00:33 110,848 a------- c:\windows\system32\drivers\savonaccesscontrol.sys
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-06 13:32 1,563,008 a------- c:\windows\WRSetup.dll
2009-04-02 14:30 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
2009-04-02 14:30 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-04-02 14:30 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-20 10:28 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 15:06 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-08 14:09 638,816 a------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09 391,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 04:41 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:39 11,063,808 a------- c:\windows\system32\dllcache\ieframe.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34 1,206,784 a------- c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-03-08 04:34 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34 109,568 a------- c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33 759,296 a------- c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\dllcache\corpol.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33 229,376 a------- c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33 125,952 a------- c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32 163,840 a------- c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32 55,808 a------- c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32 128,512 a------- c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32 94,720 a------- c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 04:32 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-03-08 04:32 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:24 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-03-08 04:11 445,952 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-28 00:55 105,984 -------- c:\windows\system32\dllcache\iecompat.dll
2009-02-09 08:10 729,088 -------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 08:10 714,752 -------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 -------- c:\windows\system32\advapi32.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 21:07 3,698,584 a------- c:\windows\system32\dllcache\ieapfltr.dat
2006-07-28 22:59 251 a------- c:\program files\wt3d.ini

============= FINISH: 18:33:39.54 ===============
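A triage pass over a DDS log in the format posted above, as an added example that is neither a tool from this thread nor part of DDS itself: it splits the report on its `====` headers, parses the SERVICES / DRIVERS entries (R = running, S = stopped, digit = start type), and reports the items a responder checks first: autostart entries pointing into a user profile or temp folder, the AppInit_DLLs hook, hidden Firefox extensions, and auto-start services that are stopped. `SAMPLE_LOG` is a constructed, trimmed excerpt in the same format; the function names and the `PROFILE_MARKERS` heuristic are my assumptions, not DDS features.

```python
"""Triage helper for DDS (by sUBs) logs like the one posted above.
Added example, not a tool from the thread or from DDS. SAMPLE_LOG is a
constructed, trimmed excerpt in the same format as the thread's log."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
# "R2 Name;Display;path [yyyy-m-d size]": R = running, S = stopped, and the
# digit is the Windows start type (0 boot, 1 system, 2 automatic, 3 manual).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<date>[\d-]+) (?P<size>\d+)\]$")
RUN_RE = re.compile(r'^(?:uRun|mRun): \[(?P<name>[^\]]+)\] "?(?P<path>[^"]+)"?')
STARTUP_RE = re.compile(r"^StartupFolder: (?P<name>.+?\.lnk) - (?P<path>.+)$")
FF_HIDDEN_RE = re.compile(
    r"^FF - HiddenExtension: [^:]+: (?P<guid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# Autostart targets inside a user profile or temp folder are the classic hiding
# place; legitimate entries almost always live under program files or windows.
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\",
                   "\\application data\\", "\\temp\\")

def split_sections(text):
    """Map each '===== Title =====' header to the non-empty lines under it."""
    sections = defaultdict(list)
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
        elif line:
            sections[current].append(line)
    return sections

def parse_services(lines):
    """Structured SERVICES / DRIVERS entries with numeric start type and size."""
    out = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["start"] = int(entry["start"])
            entry["size"] = int(entry["size"])
            out.append(entry)
    return out

def autostart_entries(lines):
    """Yield (name, target) for uRun/mRun/StartupFolder lines. For unquoted
    targets any trailing arguments stay attached, which is fine for triage."""
    for line in lines:
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            yield m.group("name"), m.group("path")

def triage(text):
    """Return (kind, name, path) findings a responder would look at first."""
    secs = split_sections(text)
    findings = []
    hjt = secs.get("Pseudo HJT Report", [])
    for name, path in autostart_entries(hjt):
        if any(marker in path.lower() for marker in PROFILE_MARKERS):
            findings.append(("run-from-user-profile", name, path))
    for line in hjt:
        # AppInit_DLLs is loaded into every process that uses user32.dll; an AV
        # hook there is legitimate, but it is also a favourite injection point.
        if line.startswith("AppInit_DLLs:"):
            findings.append(("appinit-dll", "AppInit_DLLs", line.split(":", 1)[1].strip()))
    for line in secs.get("FIREFOX", []):
        m = FF_HIDDEN_RE.match(line)
        if m:  # extensions installed outside the profile's add-on manager
            findings.append(("ff-hidden-extension", m.group("guid"), m.group("path")))
    for svc in parse_services(secs.get("SERVICES / DRIVERS", [])):
        # A boot/system/automatic service that is stopped is either a protection
        # component that failed to start or something disabled; check its event log.
        if svc["state"] == "S" and svc["start"] <= 2:
            findings.append(("stopped-autostart", svc["name"], svc["path"]))
    return findings

SAMPLE_LOG = r"""DDS (Ver_09-03-16.01) - NTFSx86
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
uRun: [example] "c:\documents and settings\hp_administrator\local settings\temp\example.exe"
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
================= FIREFOX ===================
FF - HiddenExtension: XUL Cache: {63EDEB22-A795-4A19-8033-516FF569EA5C} - c:\documents and settings\hp_administrator\local settings\application data\{63EDEB22-A795-4A19-8033-516FF569EA5C}
============= SERVICES / DRIVERS ===============
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2009-4-20 98304]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
"""

if __name__ == "__main__":
    for kind, name, path in triage(SAMPLE_LOG):
        print(f"{kind:22} {name:14} {path}")
```

Every flagged line is a lead to confirm by hand, not a verdict: the Sophos AppInit_DLLs entry here is the product's own hook, and the stopped Windows Defender service is expected when another on-access scanner is installed.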


#4 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 08 May 2009 - 07:39 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Did you get Limewire uninstalled OK? I would also go into the Add/Remove Programs control panel and remove anything that you did not install or don't know why it's there. If there is a question about what it is, just ask. It is better to be safe than sorry.

After that, Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.

In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Once that is done running, update Malwarebytes' Anti-Malware and run a full scan, instead of a quick scan and post the log.

And last I need you to go to the administration tools in XP. They are in the Control Panel. Open the Admin tools, then open the Event Viewer.
  • On the left-hand side, click on System. Then at the top click on Action and then click on Save Events As, type in system as the file name, make sure file type EVT is selected, navigate so it will save the file to your desktop, then click Save.
  • On the left-hand side, click on Application. Then at the top click on Action and then click on Save Events As, type in application as the file name, make sure file type EVT is selected, navigate so it will save the file to your desktop, then click Save.
Zip them both up into a single zip file and post them back here in your next reply as attachments.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

#5 ijcrz

  • Topic Starter

  • Members
  • 20 posts

Posted 09 May 2009 - 12:00 PM

Thanks for helping me.

I think I have removed Limewire completely. I had to uninstall the program and then go back and manually remove some folders and other files. I have done a search for Limewire files and don't seem to come up with anything associated with it. At least the obvious stuff is gone. I have installed a program from Wendy's called Petz by Ubisoft for my daughter since I started this log, FYI.

I have done as instructed. I already had CCleaner so I ran that followed by Mbam. Mbam came up with a trojan Matcash, I deleted it successfully. Here is the log:

Malwarebytes' Anti-Malware 1.36
Database version: 2099
Windows 5.1.2600 Service Pack 3

5/9/2009 12:45:12 PM
mbam-log-2009-05-09 (12-45-12).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 285758
Time elapsed: 1 hour(s), 32 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\HP_Administrator\Application Data\Twain (Trojan.Matcash) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)

This is the first time since my major infection Mbam has found anything. I wonder if it was due to the update. Anyway, let me know what you see.


#6 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 09 May 2009 - 02:45 PM

In the event viewer logs there are two pieces of software that keep coming up with errors. The first is your Sophos antivirus; you may want to download the newest version and reinstall it. The second is ftsata2, which is the Promise drivers for Windows. You may want to reinstall or update your Promise drivers.

Try doing both of those and see if there are any changes to your problem. Let me know.

#7 ijcrz

  • Topic Starter

  • Members
  • 20 posts

Posted 09 May 2009 - 08:37 PM

I can reinstall the Sophos AV no problem. Should I uninstall it before I reinstall? Or should I just reinstall and let it rewrite?

I have no clue how to reinstall the Promise drivers ftsata2. Can you give me detailed instructions? Thanks Hoov!

#8 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 10 May 2009 - 03:31 PM

For Sophos, go ahead and uninstall it, then reinstall it. As for the Promise, go to the device manager in the control panel, and then go to the harddrives and update the driver from there.

#9 ijcrz

  • Topic Starter

  • Members
  • 20 posts

Posted 10 May 2009 - 09:55 PM

I'm not sure I'm in the right place. When I go to the device manager I don't see a place to update the hard drive. I don't see a Windows driver selection. As an FYI, when I view hidden devices, Serial under Non-Plug and Play Devices shows up with an exclamation mark in the little triangle. Please direct me where to go.

#10 ijcrz

  • Topic Starter

  • Members
  • 20 posts

Posted 11 May 2009 - 07:53 PM

Ok... so I must have overlooked the ftsata2 earlier because I just found it right under my nose. The device manager says it is OK. It is set to start up at boot but the current status is "stopped."

The device manager lists the Serial device with an exclamation mark and the description as "This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)" Startup is set to automatic and current status is stopped.

Let me know if you need any more info.

I had uninstalled and reinstalled Sophos before I started this case, but apparently it is a pain to remove fully, because I learned today that I didn't do it right. I will do it again when I hear from you.

#11 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 11 May 2009 - 07:54 PM

Go into the device manager and double click on the harddrive, and go to the driver tab, and do the update there.

#12 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 11 May 2009 - 08:56 PM

Ignore my previous response. Go back into the device manager and the device that has a problem, right click on it and select delete. Then reboot windows, and it should redetect the hardware and install the proper drivers. Even if it doesn't, go ahead and remove Sophos and reinstall it.

#13 ijcrz

  • Topic Starter

  • Members
  • 20 posts

Posted 11 May 2009 - 10:49 PM

Uninstalled the Serial drivers... removed Sophos and reinstalled next. The drivers did not reinstall upon reboot, but antivirus seems to be quicker at boot up. What next?

#14 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 12 May 2009 - 10:38 AM

Other than the missing phantom device, how is the computer running?

Go into the Admin tools, back to the Event Viewer, and for both the Application and System logs, select it and then go up to Action and select Clear Log. This erases all the prior logs for those two areas. If you want, you can save the logs before erasing them; when you try to erase them you will be given the option. Then, if all is well, run the computer for a day and reboot a couple of times, and then attach the two logs again.

#15 ijcrz

  • Topic Starter

  • Members
  • 20 posts

Posted 13 May 2009 - 06:53 PM

The computer seemed to be very responsive and quicker than it had been. Until...

We had a major lockup today... had to do a hard reboot. The Mrs. was working from home when the computer had a meltdown. She was using a variety of programs (IE8, MS Word, Excel, Outlook) when this happened. The only thing I did differently was turn on Spysweeper to load and update at startup. I have had it disabled since I removed the viruses that started my problems, as it seemed that Sophos worked better without it on. (BTW, the two programs never had any conflicts prior and worked beautifully.) I don't know if it's the problem, but my computer locked up so I disabled it again. One thing I have noticed is that the startup is quicker. The other is that IE8 and Firefox take about 5-8 seconds to start. Once they do, they work perfectly and quickly. Other programs don't seem to have this issue.

Anyway here are the logs you asked for and I am including the first 2 Mbam logs so you can see what I had removed prior to beginning this post.
