dell says its haxdoor (personal antivirus?)


This topic is locked
46 replies to this topic

#1 dodson5 (Members, 48 posts)

Posted 08 June 2009 - 10:57 AM

Have tried Norton Malware Removal. Have run Safety.Live.Com PC scan. Still can operate only in safe mode. Continual looping of trying to start in windows normal mode with stop code of 8E.

DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by Lilly at 11:43:27.35 on Mon 06/08/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3061.2560 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Lilly\Downloads\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = https://webauth.usf.edu/login?SAMLRequest=fVLJTsMwEL0j8Q%2BR71laIVFZTVBphajEEtHAgZvrTBInjh08dgt%2Fj5uCgAO9Pj%2B%2FZWbmV%2B%2B9DHZgUGiVkkmUkAAU16VQdUqei5twRq6y87M5sl4OdOFso57gzQHawP9USMeHlDijqGYokCrWA1LL6WZxf0enUUIHo63mWpJgvUpJv5VDw2veQd0OtWoqNnRdy0WpWddCq1qtqlpUJQlevmNND7HWiA7WCi1T1kNJMgsn0zCZFckFTS7pdPZKgvzL6VqoY4NTsbZHEtLbosjD%2FHFTjAI7UYJ58OyU1FrXEiKu%2B4N9zhDFzsMVkwgkWCCCsT7gUit0PZgNmJ3g8Px0l5LG2gFpHO%2F3%2B%2BhHJmZxz4SMHFYRlC5mHEk2zpaO9cyvoZ4Oz77NSfYjP49%2FSWVfOztUWa9yLQX%2FCBZS6v3SALO%2BhzXO17jRpmf2f7dJNBkRUYbVSKVO4QBcVAL8kuLs6Pr3OPzJfAI%3D&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fmail.usf.edu%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttps%253A%252F%252Fmail.google.com%252Fa%252Fmail.usf.edu%252F%26bsv%3D1k96igf4806cy%26ss%3D1%26ltmpl%3Ddefault%26ltmplcache%3D2
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080809
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {100EB1FD-D03E-47FD-81F3-EE91287F9465} - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {2aa2fbf8-9c76-4e97-a226-25c5f4ab6358} - Zango Information Window
EB: {A7CDDCDC-BEEB-4685-A062-978F5E07CEEE} - No File
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [CollaborationHost] c:\windows\system32\p2phost.exe -s
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware 2\mbamgui.exe /install /silent
StartupFolder: c:\users\lilly\appdata\roaming\micros~1\windows\startm~1\programs\startup\greeti~1.lnk - c:\program files\greetings workshop\GWREMIND.EXE
StartupFolder: c:\users\lilly\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B2} - {C9CCBB35-D123-4a31-AFFC-9B2933132116}
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842}
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
TCP: NameServer = 85.255.112.175,85.255.112.179
TCP: {8AE76000-768D-49CE-BCE4-034016FCA972} = 85.255.112.175,85.255.112.179
TCP: {F3499D1A-3CB5-4FB6-92CA-81594DC04737} = 85.255.112.175,85.255.112.179
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-8-8 73728]
S2 HPFECP06;HPFECP06;c:\windows\system32\drivers\hpfecp06.sys [2008-8-15 38176]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-11-30 210216]
S2 rpcnetp;rpcnetp;c:\windows\system32\rpcnetp.exe [2008-8-20 17408]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-15 24652]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-8-8 111616]
S3 rcmirror;rcmirror;c:\windows\system32\drivers\rcmirror.sys [2008-10-8 3328]

=============== Created Last 30 ================


#2 dodson5 (Topic Starter, Members, 48 posts)

Posted 16 June 2009 - 10:51 AM

Our laptop has been unusable for over a week! I would appreciate input even if it's "we can't help for 'x' reason". Microsoft has been vainly trying to help with this issue. Apparently, the following is my only option:

- Reload Vista OS (basically wiping clean and reloading the computer)

I am willing to send an updated Hijack report. I can get the laptop to come up in Normal Mode (after several attempts), HOWEVER I have to quickly end AOL AIM before it reloads itself. At this point, the laptop is semi-functional; i.e., McAfee will not load, certain internet sites are redirected, obviously AIM isn't available, etc.

I would appreciate a response.

Thank you for your time.

#3 thcbytes (Malware Response Team, 14,790 posts)

Posted 18 June 2009 - 09:26 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#4 dodson5 (Topic Starter, Members, 48 posts)

Posted 18 June 2009 - 02:14 PM

Thank you for your time and assistance! Y'all are greatly appreciated. Now...

Posted is the newest log and hopefully I performed the attachment correctly.

The laptop is a wireless one with the Vista OS. I have run multiple scans with one of the following results: the scan cannot be run (I'm told that is because my laptop is either wireless or in Blue Screen-only mode and therefore can't run the scan), or the scan is run and "minor" issues are resolved, i.e., cookies are removed. Originally we had the Personal Antivirus popping up. I no longer see these pop-ups. However, nothing has changed: the laptop can run only in Safe Mode, with or without Internet. Occasionally, and with several attempts, I can bring up the laptop in Normal Mode, but I have to quickly stop the AIM process from running in order for the laptop to run in Normal Mode at all. Whenever this scenario is accomplished, I cannot load McAfee nor certain websites (as they are redirected). Usually, the laptop comes up into a Blue Screen (stop code 8E) and enters a reboot loop. And that is where I'm at: a computer that is constantly looping through a BSOD. This frustration is approaching 3 weeks. Dell has told me that I had a haxdoor virus and referred me to Microsoft. Microsoft has been determined to help; however, they are unable to resolve/identify the problem and are recommending I reload the OS. In preparation for this step, I have backed up the laptop. Please advise if there is another course of action or if I should proceed with the reload (and apparently wiping of my hard drive) of the OS.

Thanks again,

Sherry


DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by Lilly at 14:40:38.64 on Thu 06/18/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3061.2610 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Users\Lilly\Downloads\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [CollaborationHost] c:\windows\system32\p2phost.exe -s
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\users\lilly\appdata\roaming\micros~1\windows\startm~1\programs\startup\greeti~1.lnk - c:\program files\greetings workshop\GWREMIND.EXE
StartupFolder: c:\users\lilly\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B2} - {C9CCBB35-D123-4a31-AFFC-9B2933132116}
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842}
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

S2 HPFECP06;HPFECP06;c:\windows\system32\drivers\hpfecp06.sys [2008-8-15 38176]
S2 rpcnetp;rpcnetp;c:\windows\system32\rpcnetp.exe [2008-8-20 17408]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-8-8 111616]
S3 rcmirror;rcmirror;c:\windows\system32\drivers\rcmirror.sys [2008-10-8 3328]
S4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-8-8 73728]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-11-30 210216]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-15 24652]

=============== Created Last 30 ================

2009-06-13 15:06 <DIR> --d----- c:\program files\ESET
2009-06-13 14:45 169,146,750 a------- c:\windows\MEMORY.DMP
2009-06-13 12:59 <DIR> --d----- c:\users\lilly\appdata\roaming\Thinstall
2009-06-13 12:55 <DIR> --d----- c:\programdata\Applications
2009-06-13 12:55 <DIR> --d----- c:\progra~2\Applications
2009-06-13 12:48 691 a------- c:\users\lilly\appdata\roaming\GetValue.vbs
2009-06-13 12:48 35 a------- c:\users\lilly\appdata\roaming\SetValue.bat
2009-06-13 12:48 4,172 a------- c:\windows\system32\tmp.reg
2009-06-13 12:30 <DIR> --d----- c:\users\lilly\appdata\roaming\TeamViewer
2009-06-12 18:38 <DIR> --d----- c:\windows\pss
2009-06-11 23:31 <DIR> --d----- c:\users\lilly\.housecall6.6
2009-06-11 23:03 <DIR> --d----- c:\windows\system32\drivers\NSS
2009-06-11 23:03 <DIR> --d----- c:\programdata\Norton
2009-06-11 23:03 <DIR> --d----- c:\program files\Norton Security Scan
2009-06-11 23:03 <DIR> --d----- c:\progra~2\Norton
2009-06-11 23:03 <DIR> --d----- c:\programdata\Symantec
2009-06-11 23:03 <DIR> --d----- c:\progra~2\Symantec
2009-06-11 23:03 <DIR> --d----- c:\programdata\NortonInstaller
2009-06-11 23:03 <DIR> --d----- c:\program files\NortonInstaller
2009-06-11 23:03 <DIR> --d----- c:\progra~2\NortonInstaller
2009-06-11 23:01 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-06-11 23:01 <DIR> --d----- c:\program files\Panda Security
2009-06-11 20:05 <DIR> --d----- c:\programdata\CA
2009-06-11 20:05 <DIR> --d----- c:\progra~2\CA
2009-06-07 15:14 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-07 15:14 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-07 01:12 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-07 01:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-07 01:12 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-06 13:30 319,488 a------- c:\windows\system32\winexplorer.dll.tmp
2009-06-06 13:30 <DIR> --d----- c:\program files\common files\Uninstall
2009-06-06 13:27 <DIR> --d----- c:\program files\BHVideo
2009-06-06 13:05 <DIR> --d----- c:\program files\Mozilla ActiveX Control v1.7.12
2009-06-06 13:04 <DIR> --d----- c:\program files\VideoLAN
2009-05-26 22:05 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-05-26 22:05 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-26 22:05 <DIR> --d----- c:\program files\iPod
2009-05-26 22:05 <DIR> --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-26 22:05 <DIR> --d----- c:\program files\iTunes
2009-05-26 22:05 <DIR> --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-26 17:26 170,456 a------- c:\windows\hpqins00.dat
2009-05-22 00:16 <DIR> --d----- c:\users\lilly\appdata\roaming\MozillaControl
2009-05-22 00:15 <DIR> --d----- c:\program files\${MOZILLA_ACTIVEX_DIR_NAME}
2009-05-22 00:15 <DIR> --d----- c:\program files\Graboid

==================== Find3M ====================

2009-06-18 14:27 56,680 a------- c:\windows\system32\rpcnet.dll
2009-06-18 14:27 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-06-18 14:27 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-06-13 20:15 56,680 a------- c:\windows\system32\rpcnet.exe
2009-06-13 14:45 184,658,238 a------- c:\windows\DUMP4681.tmp
2009-05-06 13:40 178,302 a------- c:\windows\hpwins20.dat
2009-05-02 13:28 51,200 a------- c:\windows\inf\infpub.dat
2009-05-02 13:28 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-23 22:55 176,235 a------- c:\windows\system32\Primomonnt.dll
2009-04-17 22:56 86,016 a------- c:\windows\inf\infstor.dat
2009-03-25 18:55 33,280 a------- c:\windows\system32\identprv.dll
2008-08-16 11:24 665,600 a------- c:\windows\inf\drvindex.dat
2008-08-15 18:15 1,844 a------- c:\users\lilly\appdata\roaming\install.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 14:40:52.01 ===============
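
The two DDS runs in this thread (8 June, with the TCP: NameServer entries and EnableLUA = 0; 18 June, after a week of cleanup attempts) are what a malware responder triages by hand before writing a fix script. The Python below is an added example and is not code from the thread, from BleepingComputer or from the DDS tool. It parses the Pseudo HJT lines, flags resolvers inside 85.255.112.0/20 (the UkrTelegroup block the DNSChanger rogue resolvers lived in, which would account for the redirected sites), UAC switched off, orphaned "No File" entries and the Zango entry, and then diffs the two runs so that what disappeared or appeared between posts is visible at a glance. The two embedded reports are short excerpts copied from the logs above; the rogue-resolver range and the adware marker list are the example's own lookup data, not something the DDS output states.

```python
"""Triage helper for the DDS 'Pseudo HJT Report' section.

Added example, not part of the thread and not code from the DDS tool.
It parses the report lines posted above, flags the indicators a malware
responder checks first, and diffs the 8 June and 18 June runs.
The two sample reports are short excerpts copied from the logs in the
thread; the rogue-resolver range and adware marker are this example's
own lookup data.
"""
import ipaddress
import re

# 85.255.112.0/20 is the UkrTelegroup address block used by the
# Zlob/DNSChanger rogue resolvers; the 8 June log points both the
# global and the per-adapter NameServer settings into it.
ROGUE_DNS = (ipaddress.ip_network("85.255.112.0/20"),)
ADWARE_MARKERS = ("zango",)  # product names known to be adware

LOG_JUNE_08 = r"""
uStart Page = hxxp://www.google.com
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
BHO: {100EB1FD-D03E-47FD-81F3-EE91287F9465} - No File
EB: {2aa2fbf8-9c76-4e97-a226-25c5f4ab6358} - Zango Information Window
mPolicies-system: EnableLUA = 0 (0x0)
TCP: NameServer = 85.255.112.175,85.255.112.179
TCP: {8AE76000-768D-49CE-BCE4-034016FCA972} = 85.255.112.175,85.255.112.179
"""

LOG_JUNE_18 = r"""
uWindow Title = Internet Explorer provided by Dell
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
"""

# 'KIND: body' entries (BHO, TB, uRun, TCP, ...); anything else is a
# plain preference line such as 'uStart Page = ...'.
LINE_RE = re.compile(r"^(?P<kind>[A-Za-z-]+):\s*(?P<body>.*)$")


def parse(report):
    """Return the report as a list of (kind, body) records."""
    records = []
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            records.append((m.group("kind"), m.group("body")))
        else:
            records.append(("pref", line))
    return records


def nameservers(records):
    """Resolver addresses from 'TCP: NameServer' and per-adapter 'TCP: {GUID}' lines."""
    ips = set()
    for kind, body in records:
        if kind != "TCP":
            continue
        _, _, value = body.partition("=")
        for token in value.split(","):
            try:
                ips.add(ipaddress.ip_address(token.strip()))
            except ValueError:
                pass  # not an address (e.g. an empty value)
    return ips


def triage(report):
    """Findings worth a second look: rogue DNS first, then per-entry checks."""
    records = parse(report)
    findings = []
    for ip in sorted(nameservers(records), key=lambda a: (a.version, int(a))):
        for net in ROGUE_DNS:
            if ip in net:
                findings.append(f"rogue DNS resolver {ip} in {net}")
    for kind, body in records:
        if kind == "mPolicies-system" and re.match(r"EnableLUA\s*=\s*0\b", body):
            findings.append("UAC disabled (EnableLUA = 0)")
        if body.endswith("- No File"):
            findings.append(f"orphaned {kind} entry: {body}")
        if any(marker in body.lower() for marker in ADWARE_MARKERS):
            findings.append(f"adware component: {kind} {body}")
    return findings


def diff(before, after):
    """(removed, added) records between two DDS runs of the same machine."""
    old, new = set(parse(before)), set(parse(after))
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for name, log in (("8 June", LOG_JUNE_08), ("18 June", LOG_JUNE_18)):
        print(f"== {name} ==")
        for finding in triage(log):
            print("  ", finding)
    removed, added = diff(LOG_JUNE_08, LOG_JUNE_18)
    print("removed since 8 June:", len(removed), "added:", len(added))
```

Run it as a script to print the findings, or import it and pass a full Pseudo HJT section to triage(). The point for this thread is that the 8 June log had the rogue pair configured both as the global NameServer and per adapter, so every lookup the laptop made could be answered by a server the attacker controls; that matches "certain internet sites are redirected" on a machine that otherwise scans clean, and it is why a responder resets those values (or returns the adapters to DHCP) as part of the cleanup rather than treating the redirects as a leftover symptom.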


mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\users\lilly\appdata\roaming\micros~1\windows\startm~1\programs\startup\greeti~1.lnk - c:\program files\greetings workshop\GWREMIND.EXE
StartupFolder: c:\users\lilly\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B2} - {C9CCBB35-D123-4a31-AFFC-9B2933132116}
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842}
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

S2 HPFECP06;HPFECP06;c:\windows\system32\drivers\hpfecp06.sys [2008-8-15 38176]
S2 rpcnetp;rpcnetp;c:\windows\system32\rpcnetp.exe [2008-8-20 17408]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-8-8 111616]
S3 rcmirror;rcmirror;c:\windows\system32\drivers\rcmirror.sys [2008-10-8 3328]
S4 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-8-8 73728]
S4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-11-30 210216]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-15 24652]

=============== Created Last 30 ================

2009-06-13 15:06 <DIR> --d----- c:\program files\ESET
2009-06-13 14:45 169,146,750 a------- c:\windows\MEMORY.DMP
2009-06-13 12:59 <DIR> --d----- c:\users\lilly\appdata\roaming\Thinstall
2009-06-13 12:55 <DIR> --d----- c:\programdata\Applications
2009-06-13 12:55 <DIR> --d----- c:\progra~2\Applications
2009-06-13 12:48 691 a------- c:\users\lilly\appdata\roaming\GetValue.vbs
2009-06-13 12:48 35 a------- c:\users\lilly\appdata\roaming\SetValue.bat
2009-06-13 12:48 4,172 a------- c:\windows\system32\tmp.reg
2009-06-13 12:30 <DIR> --d----- c:\users\lilly\appdata\roaming\TeamViewer
2009-06-12 18:38 <DIR> --d----- c:\windows\pss
2009-06-11 23:31 <DIR> --d----- c:\users\lilly\.housecall6.6
2009-06-11 23:03 <DIR> --d----- c:\windows\system32\drivers\NSS
2009-06-11 23:03 <DIR> --d----- c:\programdata\Norton
2009-06-11 23:03 <DIR> --d----- c:\program files\Norton Security Scan
2009-06-11 23:03 <DIR> --d----- c:\progra~2\Norton
2009-06-11 23:03 <DIR> --d----- c:\programdata\Symantec
2009-06-11 23:03 <DIR> --d----- c:\progra~2\Symantec
2009-06-11 23:03 <DIR> --d----- c:\programdata\NortonInstaller
2009-06-11 23:03 <DIR> --d----- c:\program files\NortonInstaller
2009-06-11 23:03 <DIR> --d----- c:\progra~2\NortonInstaller
2009-06-11 23:01 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-06-11 23:01 <DIR> --d----- c:\program files\Panda Security
2009-06-11 20:05 <DIR> --d----- c:\programdata\CA
2009-06-11 20:05 <DIR> --d----- c:\progra~2\CA
2009-06-07 15:14 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-07 15:14 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-07 01:12 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-07 01:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-07 01:12 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-06 13:30 319,488 a------- c:\windows\system32\winexplorer.dll.tmp
2009-06-06 13:30 <DIR> --d----- c:\program files\common files\Uninstall
2009-06-06 13:27 <DIR> --d----- c:\program files\BHVideo
2009-06-06 13:05 <DIR> --d----- c:\program files\Mozilla ActiveX Control v1.7.12
2009-06-06 13:04 <DIR> --d----- c:\program files\VideoLAN
2009-05-26 22:05 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-05-26 22:05 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-26 22:05 <DIR> --d----- c:\program files\iPod
2009-05-26 22:05 <DIR> --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-26 22:05 <DIR> --d----- c:\program files\iTunes
2009-05-26 22:05 <DIR> --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-26 17:26 170,456 a------- c:\windows\hpqins00.dat
2009-05-22 00:16 <DIR> --d----- c:\users\lilly\appdata\roaming\MozillaControl
2009-05-22 00:15 <DIR> --d----- c:\program files\${MOZILLA_ACTIVEX_DIR_NAME}
2009-05-22 00:15 <DIR> --d----- c:\program files\Graboid

==================== Find3M ====================

2009-06-18 14:27 56,680 a------- c:\windows\system32\rpcnet.dll
2009-06-18 14:27 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-06-18 14:27 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-06-13 20:15 56,680 a------- c:\windows\system32\rpcnet.exe
2009-06-13 14:45 184,658,238 a------- c:\windows\DUMP4681.tmp
2009-05-06 13:40 178,302 a------- c:\windows\hpwins20.dat
2009-05-02 13:28 51,200 a------- c:\windows\inf\infpub.dat
2009-05-02 13:28 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-23 22:55 176,235 a------- c:\windows\system32\Primomonnt.dll
2009-04-17 22:56 86,016 a------- c:\windows\inf\infstor.dat
2009-03-25 18:55 33,280 a------- c:\windows\system32\identprv.dll
2008-08-16 11:24 665,600 a------- c:\windows\inf\drvindex.dat
2008-08-15 18:15 1,844 a------- c:\users\lilly\appdata\roaming\install.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 14:40:52.01 ===============

Edited by Orange Blossom, 18 June 2009 - 03:28 PM.
Removed last name. ~ OB
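The DDS log above is the kind of thing a helper reads by eye: orphaned BHO/toolbar entries that resolve to "No File", and service or driver binaries whose names look machine-generated (the pattern ComboFix reported later in this thread, the gxvxc... .sys and .dll files). The script below is an added example written for this thread; it is not part of the original post, not a DDS feature and not a BleepingComputer tool. Its sample input is real lines copied from the DDS log plus one constructed S2 line (service name, date and size are made up) that reuses the driver file name from the ComboFix message, so the heuristic has something to catch. The random-name test (long, letters-only, few vowels) is a heuristic, not a signature; every hit still needs a human look.

```python
"""Triage helper for DDS-style log lines (added example, not a DDS tool).

Reads the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections of a DDS log and
flags two things a helper looks for first:

  * BHO/TB entries whose CLSID resolves to "No File" (orphaned registry entries);
  * service/driver binaries whose file name looks machine-generated.
"""
import re

# Sample input: real lines copied from the DDS log in the thread, plus one
# CONSTRUCTED S2 line (service name, date and size are made up) that reuses the
# driver file name ComboFix reported later in the thread.
SAMPLE_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
S2 HPFECP06;HPFECP06;c:\windows\system32\drivers\hpfecp06.sys [2008-8-15 38176]
S2 rpcnetp;rpcnetp;c:\windows\system32\rpcnetp.exe [2008-8-20 17408]
S3 IntcHdmiAddService;Intel High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-8-8 111616]
S2 gxvxcserv;gxvxcserv;c:\windows\system32\drivers\gxvxccixbxrvoixtpstsvxxvdomrrwiwvryrh.sys [2009-6-6 40960]
"""

# "S2 name;display name;path [date size]" as DDS prints services and drivers.
SERVICE_RE = re.compile(r"^S[0-4] (?P<name>[^;]*);(?P<display>[^;]*);(?P<path>.+?) \[")
# BHO/TB lines whose CLSID no longer points at a file on disk.
NO_FILE_RE = re.compile(r"^(BHO|TB): .*- No File$")
VOWELS = set("aeiou")


def looks_random(stem, min_len=16, max_vowel_ratio=0.3):
    """Heuristic: a long, lowercase-letters-only name with few vowels.

    Vendor binaries (IntcHdmi, rpcnetp, hpfecp06) are short, mixed case or
    contain digits, so they fall through; a 37-letter consonant run does not.
    """
    if len(stem) < min_len or not stem.isalpha() or not stem.islower():
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    return vowel_ratio < max_vowel_ratio


def file_stem(path):
    """Return the file name without its extension from a Windows path."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def triage(log_text):
    """Return a list of (kind, line) findings for a DDS log body."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if NO_FILE_RE.match(line):
            findings.append(("no_file", line))
            continue
        m = SERVICE_RE.match(line)
        if m and looks_random(file_stem(m.group("path"))):
            findings.append(("random_name", line))
    return findings


if __name__ == "__main__":
    for kind, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {line}")
```

Run it against a saved DDS log by replacing SAMPLE_LOG with the file contents; "no_file" hits are usually leftovers from uninstalled toolbars and are harmless on their own, while a "random_name" hit on a running S2 driver is the entry to ask about first.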


#5 Farbar

Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 18 June 2009 - 05:17 PM

Hi Sherry,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

We are going to run ComboFix. It is better to run it in normal mode. If it doesn't run, you may rename it to dod.exe and run it. If you can't get to normal mode, you may run it in safe mode, but make sure it reboots to normal mode even if you have to use the reset button a few times.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE).
  • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#6 dodson5 (Topic Starter)

Posted 18 June 2009 - 09:22 PM

Hello Farbar!

Was unable to get into Normal Mode. Was unable to run ComboFix, although it apparently downloaded. Renamed to dod.exe. Cannot get Normal Mode up. Running from Safe Mode.
Message: Rootkit: "ComboFix has detected the presence of rootkit activity and needs to reboot the machine. Kindly note down on paper the name of each file. We may need it ..."

C:\Windows\system32\drivers\gxvxccixbxrvoixtpstsvxxvdomrrwiwvryrh.sys
C:\Windows\system32\gxvxcjifmbqakbtsxqqwfarxitdihtybjprxm.dll
C:\Windows\system32\gxvxcfspdqpdnekuyhevtknxqosewpcnotlwe.dll
2nd run - message: Rootkit - same files
(keeps asking for an administrator command prompt?)
a message that flashed up - was unable to get it
3rd run - repeat of previous runs
4th run - repeat of previous runs
I'm in a loop, right?

Sherry

#7 Farbar

Posted 19 June 2009 - 04:29 AM

  • Now we need to make sure to turn off UAC ( UAC = User Account Control )
    • Click Start, and then click Control Panel.
    • In Control Panel, click User Accounts.
    • In the User Accounts window, click User Accounts.
    • In the User Accounts tasks window, click Turn User Account Control on or off.
    • If UAC is currently configured in Admin Approval Mode, the User Account Control message appears. Click Continue.
    • Clear the Use User Account Control (UAC) to help protect your computer check box, and then click OK. If it is already unchecked, you should also notice a red shield with an X in it located in your system tray. Ignore any messages about UAC being disabled.
    • Click Restart Now to apply the change right away. (Restart even if you did not make the above change, we need to be sure that a reboot has occurred since the first time that UAC was disabled.)
    NOTE: DO NOT CONTINUE UNTIL UAC has been disabled and you have rebooted. The UAC should be kept disabled until I give you the clean sign before closing the topic.

  • When running ComboFix or any other tool, right-click it and select "Run as administrator" from the context menu. By doing this the tools get the administrator rights to do the fixes an administrator is allowed to do.

  • Do you reboot to normal mode or again to safe mode?

  • See if there is a log made here: C:\ComboFix.txt


#8 dodson5 (Topic Starter)

Posted 19 June 2009 - 04:08 PM

Ok... I turned off the UAC; I canNOT run in Normal; started the scan as Administrator; rebooted off the rootkit error (same error as before); reloaded into Normal Mode!; ran dod.exe as administrator all the way through the 'configuring 3 of 3 (updates) 0% complete'. The computer froze at that point. Eventually it tries rebooting on its own but always comes back to the 'configuring 3 of 3' screen. I can NO longer bring the computer up in ANY mode (Normal, Safe w/ Networking, Safe) because the computer will either go to a blank blue screen and reboot or to the 'configuring 3 of 3' screen and reboot.

I have been trying different combinations just to get back to any screen so I can try to access a log, if available (because a lot of 'stuff' was going on until we got to the Install Update section).

Any suggestions?

Sherry

#9 Farbar

Posted 19 June 2009 - 04:18 PM

Could you please give me a clear description. You were able to boot to Safe Mode and sometimes Normal Mode.
What did you do? Please give a clear, step-by-step description.
Now, what happens when you turn on the computer?

#10 dodson5 (Topic Starter)

Posted 19 June 2009 - 09:16 PM

Farbar,

- I turned off the UAC
- I canNOT run in Normal Mode anymore
- I started ComboFix scan as Administrator from Safe Mode
Received the same rootkit error as before and computer rebooted into Normal Mode!
- I ran dod.exe as administrator (in Normal mode) all the way thru the message stating "configuring 3 of 3 (updates) 0% complete" (The messages Installing Updates 1, 2 and 3 completed. Configuring 1 and 2 updates completed). The computer froze at this point ("configuring 3 of 3"). Eventually it tries rebooting on its own but always comes back to the 'configuring 3 of 3' screen. I can NO longer bring the computer up in ANY mode (Normal, Safe w/ Networking, Safe) because the computer will either go to a blank blue screen (from the times I try to bring the computer up in the safe modes) or to the 'configuring 3 of 3' screen and reboot (when I let the computer try to come up in Normal Mode). Basically the computer is in a loop: "configuring 3 of 3 updates 0% completed" and rebooting back into the same page "configuring 3 of 3 updates 0% completed"

I have been trying different combinations just to get the computer to come up in any mode that will allow me to look for the logfile, if it's available.

#11 Farbar

Posted 20 June 2009 - 04:25 AM

Thanks for the feedback. ComboFix was supposed to run once, preferably in normal mode. It could be run in Safe Mode if it did not run in Normal Mode.

What happens when you turn on the computer?
The way you tell it, it seems as if you turn on the computer and the first thing you see is "3 of 3 configuration", and then it reboots to the same screen.
What I need to know is what you see and I don't see. The exact sequence of what you see on the screen when you turn on the computer until it reboots again by itself. Like if the initial loading screen with Windows logo appears, if you get to log on screen, if Windows loads, etc.

Also tell me if you have a Windows installation disk we can use to get to System Recovery Options to restore the computer to the state before running ComboFix.

#12 dodson5 (Topic Starter)

Posted 20 June 2009 - 09:30 AM

Farbar,

I turned on the computer this morning. The Windows Error Recovery screen comes up. I let Windows Start Normally run. The "Configuring updates: Stage 3 of 3 - 0% complete. Do not turn off your computer." screen comes up. Eventually, the computer goes to the "shutting down" screen and reboots to the "configuring updates" screen. This scenario repeats indefinitely.

Now, if I hit F8 during the reboot, the Advanced Boot Options screen comes up. I select Safe Mode with Networking. The list of drivers loading shows and then a blank blue screen then the windows logo screen then the shutting down screen then I hit F8 and go into a windows Boot Manager screen. I select Windows Vista. The "configuring update" screen comes up.

Now, if I hit F8 during the reboot, the Advanced Boot Options screen comes up. I select Safe Mode. The list of drivers loading shows and then a blank blue screen then the reboot cycle into a Advanced Boot Options screen. I select Start Windows Normally. Computer comes up in "configuring updates" page.

I have the Reinstallation DVD Windows Vista Home Premium 32 Bit.

Sherry

#13 Farbar

Posted 20 June 2009 - 09:54 AM

"Configuring updates: Stage 3 of 3 - 0%"

It seems this has nothing to do with ComboFix. It might be the case that ComboFix removed the infection, Windows went on downloading the updates and installing them, and on reboot it got stuck. I would like you to do the following:

Use your Windows installation disc to get to System Recovery Options:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Choose your language settings, and then click Next.
  • Click Repair your computer.
  • Select the operating system you want to repair, and then click Next.
  • On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool (scans your computer's memory for errors)
    • Command Prompt
  • Select Command Prompt.
Tell me if you get there.

#14 dodson5 (Topic Starter)

Posted 20 June 2009 - 11:37 AM

It worked!!

I'm at X:\Sources> prompt

#15 Farbar

Posted 20 June 2009 - 06:19 PM

Well done.

Now I would like you to check two things:
  • Type in the following lines one by one in command prompt and press Enter after each line:

    cd c:\windows\system32
    dir userinit.exe

    Please note down the result and post it to your reply.

  • Type in the following command and press Enter:

    start regedit.exe

    The registry editor will open. Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    While the Winlogon sub-key is selected in the left pane, check if there is a value named Userinit in the right pane.

    The Userinit value should have under Data the following data (nothing more and nothing less): C:\Windows\System32\userinit.exe,
Please post back your findings.
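The check in the post above is the important one: Winlogon runs every comma-separated entry in the Userinit value at logon, so the usual hijack keeps the real userinit.exe in place and appends another program after it, which is why "nothing more and nothing less" than C:\Windows\System32\userinit.exe, is the clean answer. The script below is an added example for this thread, not part of the original post and not a ComboFix or DDS feature. It validates a Userinit string copied out of regedit (case-insensitively on the path, since Windows paths are), reports each extra entry, and, on Windows only, can read the live value; the hijacked sample value used in the usage note is constructed.

```python
r"""Check a Winlogon Userinit value the way the post above describes.

Added example, not part of the original post. Winlogon launches every
comma-separated entry in
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit at logon,
so a hijacked value keeps the real userinit.exe and appends something after it.
The clean value is exactly "C:\Windows\System32\userinit.exe," (trailing comma
included); anything else is reported.
"""
import ntpath

EXPECTED_PATH = r"C:\Windows\System32\userinit.exe"


def check_userinit(value, expected_path=EXPECTED_PATH):
    """Return a list of problems with a Userinit value; an empty list means clean.

    Path comparison is case-insensitive (Windows paths are), but every entry
    beyond the first is reported, since each one is executed at logon.
    """
    problems = []
    value = value.strip()
    if not value.endswith(","):
        problems.append("missing trailing comma; expected exactly %r" % (expected_path + ","))
    # Split on commas, drop the empty element the trailing comma produces,
    # and strip quotes some tools add around paths.
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    if not entries:
        problems.append("Userinit value is empty")
        return problems
    first, extra = entries[0], entries[1:]
    if first.lower() != expected_path.lower():
        if ntpath.basename(first).lower() == "userinit.exe":
            # Right file name, wrong directory: a copy outside System32.
            problems.append("userinit.exe loaded from an unexpected location: %s" % first)
        else:
            problems.append("first entry is not userinit.exe: %s" % first)
    for e in extra:
        problems.append("extra program launched at logon: %s" % e)
    return problems


def read_live_userinit():
    """Read the live value on Windows; return None elsewhere (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    live = read_live_userinit()
    if live is None:
        # Not on Windows: demonstrate on a CONSTRUCTED hijacked value instead.
        live = r"C:\Windows\System32\userinit.exe,C:\Users\Lilly\AppData\Roaming\unknown_example.exe,"
    print("Userinit =", live)
    for p in check_userinit(live) or ["clean"]:
        print(" -", p)
```

From the recovery-console prompt in the post, the value can also be read with reg.exe instead of regedit (`reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit`), but note that from the X:\Sources> prompt the console's own hive is mounted, not the installed system's; load the installed SOFTWARE hive with `reg load` first, or check the value from regedit once the system boots.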



