AntiVirus Agent Pro/spooldr.sys /BSOD

#1 Alex21


Posted 19 July 2009 - 07:46 PM

Hello there.

Got this rogue antivirus without downloading a damn thing and now I'm at my last hope. Immediately started getting the pop-up and the nasty sound effect from AntiVirus Agent Pro. Shortly after, the BSOD appeared and so I rebooted my PC.

First I thought I could easily solve this problem by running Malwarebytes and removing all affected files, but even after removing the malware (I know now that I should not have scanned and should instead have waited for instructions first) the BSOD kept appearing. Once in a while I get an error message and I send the report to Microsoft. Microsoft's response reads: "Problem was caused by Spooldr.sys. A known virus/malware file." I searched my PC for spooldr.sys and nothing appears. The BSOD appears at random sometimes, or when I'm running software like Maya, WMP, PowerDVD, etc.

I also ran Debugging Tools for Windows and loaded the memory dump; it often says "problem caused by ntkrnlpa.exe".

I then tried Driver Verifier and tested all the drivers at a time. None activated the BSOD. Sometimes the BSOD appears when I'm using a drawing tablet, and the error message reads "not_enough_or_equal_to" (something like that).

Anywho... HELP!! Appreciated!!!

DDS (Ver_09-06-26.01) - NTFSx86
Run by user at 19:49:04.84 on Sun 07/19/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.465 [GMT -4:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: CyberDefender Internet Security *On-access scanning enabled* (Updated) {4D2E25A0-79E5-401A-8AB8-17A795089D69}
AV: avast! antivirus 4.8.1229 [VPS 080915-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AMT Media Manager\AMTDeviceService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: Wisdom-soft toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWisd.dll
uURLSearchHooks: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Megaupload Toolbar: {4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} - c:\progra~1\megaup~1\MEGAUP~1.DLL
TB: &FlashVideoBurner - Toolbar: {168ae376-5566-4025-bbcc-ae181d58a046} - flashvideoburner_toolbar.dll
TB: Wisdom-soft toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWisd.dll
TB: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {2aa2fbf8-9c76-4e97-a226-25c5f4ab6358} - Zango Information Window
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [flashvideoburner.com] flvctrl.exe install show
uRun: [FlashVideoBurner] flvctrl.exe install show
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [WTClient] WTClient.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AMTDeviceService] "c:\program files\amt media manager\AMTDeviceService.exe"
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-28 24652]
R3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\drivers\PTSimBus.sys [2007-6-7 18944]
S0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys --> c:\windows\system32\drivers\avgrkx86.sys [?]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys --> c:\windows\system32\drivers\avgldx86.sys [?]
S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S1 is-G23MVdrv;is-G23MVdrv;c:\windows\system32\drivers\60732369.sys --> c:\windows\system32\drivers\60732369.sys [?]
S2 gupdate1c9e220e3157f3c;Google Update Service (gupdate1c9e220e3157f3c);c:\program files\google\update\GoogleUpdate.exe [2009-5-31 133104]
S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\cdavfs.sys --> c:\windows\system32\drivers\CDAVFS.sys [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-7-10 66056]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\ICDUSB2.sys [2002-11-28 39048]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\1B.tmp [2008-9-16 5760]
S3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\drivers\PTSimHid.sys [2007-4-23 10752]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
S4 OHWHZKYOXF;OHWHZKYOXF;c:\docume~1\user\locals~1\temp\ohwhzkyoxf.exe --> c:\docume~1\user\locals~1\temp\OHWHZKYOXF.exe [?]
S4 Zumie Search Service;Zumie Search Service;c:\program files\zumie\zumie.exe [2008-5-6 4608]

=============== Created Last 30 ================

2009-07-19 17:45 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-07-19 14:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Comodo
2009-07-19 14:54 179,792 a------- c:\windows\system32\guard32.dll
2009-07-19 14:54 132,040 a------- c:\windows\system32\drivers\cmdguard.sys
2009-07-19 14:54 25,160 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-07-19 09:44 <DIR> --d----- C:\log
2009-07-19 09:21 <DIR> --d----- c:\windows\system32\scripting
2009-07-19 09:21 <DIR> --d----- c:\windows\l2schemas
2009-07-19 09:21 <DIR> --d----- c:\windows\system32\en
2009-07-19 09:21 <DIR> --d----- c:\windows\system32\bits
2009-07-19 09:15 <DIR> --d----- c:\windows\ServicePackFiles
2009-07-19 05:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2009-07-18 20:23 <DIR> --d----- c:\program files\Trend Micro
2009-07-17 16:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2009-07-17 09:24 2,930 a------- C:\rollback.ini
2009-07-17 09:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-07-13 13:29 43,632,672 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-07-13 13:29 512,396 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-07-13 13:25 <DIR> --d----- c:\program files\Enigma Software Group
2009-07-13 10:54 2,042 a------- c:\windows\system32\tmp.reg
2009-07-11 20:53 <DIR> --d----- c:\docume~1\user\applic~1\Reg Tool
2009-07-10 10:51 <DIR> --d----- c:\program files\Reg Tool
2009-07-10 08:36 74,412 a---h--- c:\windows\system32\mlfcache.dat
2009-07-10 05:49 136,192 -------- c:\windows\system32\aaclient.dll
2009-07-10 05:49 44,928 -------- c:\windows\system32\drivers\agpcpq.sys
2009-07-10 05:49 42,368 -------- c:\windows\system32\drivers\agp440.sys
2009-07-10 05:49 4,255 -------- c:\windows\system32\drivers\adv01nt5.dll
2009-07-10 05:49 3,967 -------- c:\windows\system32\drivers\adv02nt5.dll
2009-07-10 05:49 3,775 -------- c:\windows\system32\drivers\adv11nt5.dll
2009-07-10 05:49 3,711 -------- c:\windows\system32\drivers\adv09nt5.dll
2009-07-10 05:49 3,647 -------- c:\windows\system32\drivers\adv07nt5.dll
2009-07-10 05:49 3,615 -------- c:\windows\system32\drivers\adv05nt5.dll
2009-07-10 05:49 3,135 -------- c:\windows\system32\drivers\adv08nt5.dll
2009-07-10 05:47 86,016 -------- c:\windows\system32\mdmxsdk.dll
2009-07-10 05:43 1,309,184 -------- c:\windows\system32\drivers\mtlstrm.sys
2009-07-09 14:44 <DIR> --dsh--- c:\documents and settings\user\IECompatCache
2009-07-09 14:41 <DIR> --dsh--- c:\documents and settings\user\IETldCache
2009-07-09 14:38 <DIR> --d----- c:\windows\ie8updates
2009-07-09 14:37 <DIR> -cd-h--- c:\windows\ie8
2009-07-09 14:35 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-09 14:35 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-09 14:35 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-09 12:34 23,392 a------- c:\windows\system32\nscompat.tlb
2009-07-09 12:34 16,832 a------- c:\windows\system32\amcompat.tlb
2009-07-08 23:44 <DIR> --d----- c:\windows\system32\CatRoot2
2009-07-08 23:16 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 23:16 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-08 23:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 22:56 <DIR> --d----- c:\program files\Debugging Tools for Windows (x86)
2009-07-08 12:10 918,045 a---h--- C:\DH Temp.tmp
2009-07-08 12:05 0 a---h--- C:\miniex.ant
2009-07-08 11:59 224 a---h--- c:\windows\winshell.dat
2009-07-08 11:58 <DIR> --d----- c:\program files\Dachshund Software
2009-07-07 17:29 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-07-07 17:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-01 00:03 <DIR> --d----- C:\tox
2009-06-30 23:54 <DIR> --d----- C:\TOKKKK
2009-06-30 23:26 <DIR> --d----- C:\mediacache
2009-06-30 23:20 <DIR> --d----- c:\program files\common files\Autodesk Shared
2009-06-20 20:30 <DIR> --d----- c:\program files\common files\fwc

==================== Find3M ====================

2009-07-19 13:35 170,800 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-07-19 09:24 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-15 23:42 98,304 a------- c:\windows\DUMPb6bd.tmp
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-22 00:22 34 a------- c:\documents and settings\user\jagex_runescape_preferences.dat
2008-09-17 19:25 1,739 a------- c:\program files\INSTALL.LOG
2008-04-06 17:07 82 ac------ c:\docume~1\alluse~1\applic~1\SUMQU0C1-FE20-APII-YE7M-BEDSDWMY5R6A.dat
2003-01-31 13:05 89,083 ac------ c:\documents and settings\user\LemD3DCombine.dat
2002-01-12 10:58 2,170,928 a------- c:\documents and settings\user\gs_dll.dll
2001-06-01 16:05 28,160 a------- c:\documents and settings\user\kailleraclient.dll

============= FINISH: 19:49:35.00 ===============

Edited by Alex21, 19 July 2009 - 07:53 PM.

#2 Alex21

Posted 21 July 2009 - 08:07 AM


I downloaded AutoRun, but still don't know how to use it, or whether I should use it. Waiting for further instructions.

Hello Alex21,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this, or do not respond to your requests, is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.


The weatherman

Edited by The weatherman, 21 July 2009 - 05:31 PM.

Posted 27 July 2009 - 11:09 AM

It has come to my attention that you have posted for help with your computer at other forums.

I am currently helping you here at malware removal. When you post at multiple forums, it just causes a lot of confusion. I would like to direct you to this topic at malware removal. ;)

Since you are being helped at another forum, to avoid confusion this topic is now closed.

