BSOD Can't tell if system is infected/hijacked or driver issue


  • This topic is locked
19 replies to this topic

#1 rnitschke

  • Members
  • 10 posts

Posted 26 July 2009 - 06:20 AM

Newbie here... Computer is BSOD continually (Vista Home). It simply blue screens and then reboots. It did this a while ago and then after multiple updates, virus scans, defrags, etc. and a little patience it seemed to clear itself up. Now, ever since SP2 installed a couple of weeks ago, it BSODs continually. Sounds like a driver issue, I know, but everything seems to check out. It is a family computer, so wife and kids have access to it, so who knows what happened to it. I have done all the updates, AV scanning, etc. and just can't get the thing stable again. I am concerned that I have picked up an infection somewhere, but standard tools just don't find anything and I just can't figure it out. Any help/guidance would be greatly appreciated.

Thanks in advance..
-Rick

Problem Reports Details and DDS follows:


--------------------------------------------------------------
Problem signature
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033

Files that help describe the problem (some files may no longer be available)
Mini072609-01.dmp
sysdata.xml
Version.txt

View a temporary copy of these files
Warning: If a virus or other security threat caused the problem, opening a copy of the files could harm your computer.

Extra information about the problem
BCCode: 124
BCP1: 00000000
BCP2: 88896028
BCP3: B605C000
BCP4: 00000135
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

--------------------------------------------------------------------------------------------------------------
DDS (Ver_09-06-26.01) - NTFSx86
Run by Toni at 6:43:12.63 on Sun 07/26/2009
Internet Explorer: 8.0.6001.18783
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3454.2349 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Windows\System32\bgsvcgen.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\svchost.exe -k SDRSVC
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\schtasks.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\system32\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Registry Defense\RDListener.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Hot Wheels\hotwheelsWatcher.exe
C:\Program Files\Race The World ™\turbokey.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe
C:\Program Files\PictureMover\Bin\PictureMover.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\hp\kbd\kbd.exe
C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Toni\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [<NO NAME>]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RDListener] c:\program files\registry defense\RDListener.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Hot Wheels® Turbo Driver™ Watcher] c:\program files\hot wheels\HotwheelsWatcher.exe
mRun: [TurboKey] c:\program files\race the world ™\turbokey.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\toni\appdata\roaming\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files\picturemover\bin\PictureMover.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1.lnk - c:\program files\panasonic\videocamsuite\VideoCamSuiteAutoStart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2009-2-25 13088]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-7 210216]
S2 gupdate1c966229a402ca0;Google Update Service (gupdate1c966229a402ca0);c:\program files\google\update\GoogleUpdate.exe [2008-12-24 133104]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-11-5 33752]

=============== Created Last 30 ================

2009-07-25 06:32 <DIR> --d----- c:\program files\Trend Micro
2009-07-15 07:21 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-15 07:21 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-15 07:21 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-15 07:21 23,552 a------- c:\windows\system32\lpk.dll
2009-07-15 07:21 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-10 06:46 <DIR> --d----- c:\windows\system32\eu-ES
2009-07-10 06:46 <DIR> --d----- c:\windows\system32\ca-ES
2009-07-10 06:46 <DIR> --d----- c:\windows\system32\vi-VN
2009-07-10 06:25 <DIR> --d----- c:\windows\system32\EventProviders
2009-07-07 07:46 2,499,629 a------- c:\windows\system32\wlan.tmf
2009-07-07 07:45 93,696 a------- c:\windows\system32\eappgnui.dll

==================== Find3M ====================

2009-07-19 16:45 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-19 16:45 143,360 a------- c:\windows\inf\infstor.dat
2009-07-19 16:45 51,200 a------- c:\windows\inf\infpub.dat
2009-07-10 06:46 665,600 a------- c:\windows\inf\drvindex.dat
2009-06-24 06:04 116,840 a------- c:\windows\hpqins00.dat
2009-05-09 01:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 01:34 71,680 a------- c:\windows\system32\iesetup.dll
2008-04-12 15:40 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-03-09 11:53 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-03-09 11:53 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-03-09 11:53 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat
2007-11-08 05:59 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 6:44:04.10 ===============
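As an added example that is not part of the original post or of the DDS tool, the following Python script shows the two checks a log helper usually starts with on a post like the one above: decoding the Problem Reports stop code (0x124 is WHEA_UNCORRECTABLE_ERROR, a fault reported by the hardware, with BCP1 naming the error source) and flagging Pseudo HJT entries that merit a second look (orphaned "No File" BHOs and toolbars, nameless Run values, downloaded ActiveX controls). The sample text inside it is a constructed, trimmed copy of the lines posted above; the WHEA parameter meanings follow Microsoft's bug check reference.

```python
"""Triage helper for the two artefacts posted above: the Windows Problem
Reports "Problem signature" block and the Pseudo HJT section of a DDS log.
Added example for this thread; it is not part of the original post or of
the DDS/RootRepeal tools. The sample text is a constructed, trimmed copy of
the lines posted above."""
import re

# Bug check 0x124 is WHEA_UNCORRECTABLE_ERROR. Its first parameter names the
# error source (values from Microsoft's bug check reference); the second is
# the address of the WHEA_ERROR_RECORD, and the third and fourth are the high
# and low halves of the MCi_STATUS register for a machine check.
WHEA_SOURCES = {
    0x0: "Machine Check Exception",
    0x1: "Corrected Machine Check",
    0x2: "Corrected Platform Error",
    0x3: "Non-Maskable Interrupt",
    0x4: "PCI Express error",
    0x5: "Generic hardware error",
}

# Constructed sample: the Problem signature values from the first post.
SAMPLE_SIGNATURE = """\
Problem Event Name: BlueScreen
BCCode: 124
BCP1: 00000000
BCP2: 88896028
BCP3: B605C000
BCP4: 00000135
"""

# Constructed sample: a handful of Pseudo HJT lines from the DDS log above.
SAMPLE_DDS = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun: [<NO NAME>]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
"""

HJT_LINE = re.compile(
    r"^(?P<kind>BHO|TB|[um]Run(?:Once)?|StartupFolder|DPF|LSP):\s*(?P<rest>.*)$")


def parse_problem_signature(text):
    """Return BCCode and BCP1..BCP4 as integers (Windows prints them in hex)."""
    fields = {}
    for key in ("BCCode", "BCP1", "BCP2", "BCP3", "BCP4"):
        m = re.search(r"^%s:\s*([0-9A-Fa-f]+)\s*$" % key, text, re.MULTILINE)
        if m:
            fields[key] = int(m.group(1), 16)
    return fields


def describe_bugcheck(sig):
    """Explain the stop code; only 0x124, the code seen in this thread, is decoded."""
    code = sig.get("BCCode")
    if code != 0x124:
        return "0x%X: not decoded by this example" % (code or 0)
    p1 = sig.get("BCP1")
    source = WHEA_SOURCES.get(p1, "unknown source %r" % p1)
    return ("0x124 WHEA_UNCORRECTABLE_ERROR (%s): a fault reported by the "
            "hardware, not by a driver or user-mode program; error record at 0x%08X"
            % (source, sig.get("BCP2", 0)))


def triage_hjt(text):
    """Flag Pseudo HJT entries that merit a second look: registered BHOs or
    toolbars whose file is missing, nameless or empty Run values, and DPF
    (downloaded ActiveX) entries, whose origin should be verified."""
    findings = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if rest.endswith("- No File"):
            findings.append((kind, "orphaned entry, file missing", rest))
        elif "Run" in kind:
            value = re.match(r"\[(.*?)\]\s*(.*)", rest)
            if value and (value.group(1) == "<NO NAME>" or not value.group(2)):
                findings.append((kind, "nameless or empty Run value", rest))
        elif kind == "DPF":
            findings.append((kind, "downloaded ActiveX control; verify its source", rest))
    return findings


if __name__ == "__main__":
    print(describe_bugcheck(parse_problem_signature(SAMPLE_SIGNATURE)))
    for kind, why, entry in triage_hjt(SAMPLE_DDS):
        print("%-8s %-40s %s" % (kind, why, entry))
```

A "No File" entry is a leftover registration rather than active code, so it is a cleanup item, not proof of infection; a 0x124 with BCP1 = 0 points at the CPU or memory reporting a machine check, which no amount of malware scanning will fix.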


#2 Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male

Posted 05 August 2009 - 03:38 AM

Hello and :thumbup2: to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:)

#3 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,699 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 18 August 2009 - 07:20 PM

Topic reopened.

@ rnitschke,

Please post back with the information requested in the previous post.

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 rnitschke
  • Topic Starter

  • Members
  • 10 posts

Posted 19 August 2009 - 06:23 AM

Bluescreened in the middle of trying to post.... GRRR..

Re-run of DDS as requested. See below and attached. Thank you for your assistance and sorry for the delayed response; I was out of town for a couple of weeks.

Any help to determine if there is an infection is appreciated.

-R


DDS (Ver_09-06-26.01) - NTFSx86
Run by Toni at 7:10:22.17 on Wed 08/19/2009
Internet Explorer: 8.0.6001.18813
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3454.1818 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\System32\bgsvcgen.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\svchost.exe -k secsvcs
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\system32\schtasks.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\system32\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Registry Defense\RDListener.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Hot Wheels\hotwheelsWatcher.exe
C:\Program Files\Race The World ™\turbokey.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe
C:\Program Files\PictureMover\Bin\PictureMover.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\mcafee\msc\mcupdmgr.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
c:\program files\mcafee\virusscan\mcinsupd.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Toni\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [<NO NAME>]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RDListener] c:\program files\registry defense\RDListener.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Hot Wheels® Turbo Driver™ Watcher] c:\program files\hot wheels\HotwheelsWatcher.exe
mRun: [TurboKey] c:\program files\race the world ™\turbokey.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\toni\appdata\roaming\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files\picturemover\bin\PictureMover.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1.lnk - c:\program files\panasonic\videocamsuite\VideoCamSuiteAutoStart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-08-15 18:25 71,680 a------- c:\windows\system32\atl.dll
2009-08-15 18:25 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-15 18:25 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-15 18:25 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-15 18:25 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-15 18:25 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-15 18:25 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-15 18:25 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-15 18:25 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-15 18:25 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-15 18:25 18,432 a------- c:\windows\system32\amcompat.tlb
2009-07-25 06:32 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-07-21 17:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 17:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 17:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 16:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-19 16:45 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-19 16:45 143,360 a------- c:\windows\inf\infstor.dat
2009-07-19 16:45 51,200 a------- c:\windows\inf\infpub.dat
2009-07-10 06:46 665,600 a------- c:\windows\inf\drvindex.dat
2009-06-24 06:04 116,840 a------- c:\windows\hpqins00.dat
2009-06-15 10:53 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 10:52 23,552 a------- c:\windows\system32\lpk.dll
2009-06-15 10:52 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 10:51 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 08:42 289,792 a------- c:\windows\system32\atmfd.dll
2008-04-12 15:40 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-03-09 11:53 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-03-09 11:53 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-03-09 11:53 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat
2007-11-08 05:59 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 7:11:07.26 ===============


#5 Farbar

    Just Curious

  • Security Developer
  • 21,657 posts
  • Gender:Male
  • Location:The Netherlands

Posted 21 August 2009 - 09:57 AM

Hi rnitschke,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Please perform the steps fully and in the order they are written.
  • Set up Windows so that it does not restart automatically on a system failure:
    • Go to Start and right-click Computer.
    • In the left pane select Advanced Settings.
    • Under the Advanced tab, in the Startup and Recovery section, press Settings.
      • The option "Write an event to the system log" should be checked.
      • The option "Automatically restart" should be unchecked.
    • Click OK twice and close the open window.
    • From now on, if you get a notification error, please note the exact error message and post it in your reply.
    • Windows also creates a minidump file; please attach that file to your reply. An example from your post follows:

      Files that help describe the problem (some files may no longer be available)
      Mini072609-01.dmp
      sysdata.xml
      Version.txt

  • We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    • Go to Start > Control Panel > Windows Defender.
    • Open Windows Defender.
    • Click on Tools, Options.
    • At the bottom of Windows Defender's page, under Administrator Options, uncheck "Use Windows Defender" and then Save.
    • Click Close.
    Note: When everything is done and your log is clean again, you can enable it again.

  • I see on the log the Coupon Printer for Windows is installed on your computer:
    This program is known to be bundled with adware/spyware.

    For more information please see this:
    A Closer Look at Coupons.com

    To uninstall Coupon Printer for Windows:

    Click "Start" on the taskbar and then click on the "Control Panel" icon.
    Please double-click the "Add or Remove Programs" icon.
    A list of installed programs will be "populated"; this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "Remove":

    Coupon Printer for Windows

    Also delete the folders in bold (if present):

    C:\Program Files\Coupon
    C:\Program Files\Coupons

  • You may want to keep this small application and use it to keep the computer clean.
    Download CCleaner from here: http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.
  • Download RootRepeal.exe from one of these download locations and save it to your desktop:
    http://download.bleepingcomputer.com/rootr.../RootRepeal.exe
    http://ad13.geekstogo.com/RootRepeal.exe
    http://rootrepeal.psikotick.com/RootRepeal.exe
    • Open RootRepeal.exe on your desktop.
    • Click the Report tab.
    • Click the Scan button.
    • Check all seven boxes.
    • Click Ok.
    • Check the box for your main system drive (usually C:), and press Ok.
    • Allow RootRepeal to run a scan of your system. This may take some time.
    • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#6 rnitschke
Topic Starter, Members

Posted 24 August 2009 - 04:08 PM

Hi Farbar,

Thank you for offering to help. Let me tell you where I am right now.

I completed Steps 1-4 from your list. Had some minor difficulties on disabling Windows Defender but the rest had no problems. As for Item 5 using RootRepeal I have had limited success. I can't get it to complete running through the reports if "File" and "Hidden Services" are selected???? If I just try to select "File", it just runs forever (hours and hours) and usually ends in BSOD. Same for Hidden Services......

As for the BSOD, the stop codes for the last several are:


BCCode: 124
BCP1: 00000000
BCP2: 85347028
BCP3: B605C000
BCP4: 00000135

BCCode: 124
BCP1: 00000000
BCP2: 8569D3F0
BCP3: B205C000
BCP4: 00000175

BCCode: 124
BCP1: 00000000
BCP2: 8867E3F0
BCP3: B605C000
BCP4: 00000145

BCP1: 00000000
BCP2: 855E73F0
BCP3: B605C000
BCP4: 00000135


I will attempt to re-run rootrepeal a couple more times to see if I can get a good capture unless you have alternative directions.

Thanks for helping out.
-r

#7 Farbar
Security Developer, The Netherlands

Posted 24 August 2009 - 04:50 PM

  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double-click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • Let's try another rootkit scanner:

    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to the desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with GMER's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double-click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Sections
      • IAT/EAT
      • Drives/Partitions other than the C:\ drive (the C:\ drive should remain checked)
    • Then click the Scan button and wait for it to begin. (Please be patient as it can take some time to complete.)
    • When the scan is finished, you will see the Scan button appear again. Click Save to save the scan results to your Desktop.
    • Save the file as gmer.log and copy/paste the contents in your next reply.
*********************************************

In case of the crash I need the mini.dump file. There are a number of the ways you can find it.
  • Go to start > right-click My Computer > Properties > under Advanced tab > under Startup and Recovery section click Settings > (the option Automatically restart should be unchecked and the other two options should be checked) under Write debugging information section > under Small dump directory: the path to the mini dump folder is given. When the computer crashes after restart the system makes dump files (Minixxxxx.dmp where x represent a number). After a crash you should go to that folder and find the mini dump file inside it to upload it.

    Note: %systemroot% usually means Windows so %systemroot%\Minidump is C:\Windows\Minidump

  • If still you could not find the file set Windows to show hidden files. Instructions on how to do this can be found here:
    How to see hidden files in Windows

  • Use the windows search advanced options:
    • Go to start -> Search -> click All files and folders.
    • Click More advanced options.
    • Put a check mark in the boxes next to search system folders, search hidden files and folders, and search sub-folders.
    • Make sure the Case Sensitive box is not checked.
    • Type mini*.dmp in the upper box and click on Search.
  • Zip the file and attach it to your reply. To attach the file:
    • When you press the ADDREPLY, under the reply window press Browse... show the path to the zip-file on your computer:
    • Highlight the zip-file and click Open then press the green UPLOAD button.
    Alternatively, instead of zipping and attaching, you can upload the file to the following site and give me the link to the file:
    http://www.mediafire.com/

    Note: The old mini dump files might have already been removed and you have to wait for the next crash and find the file before using cleanup utilities.


#8 rnitschke
Topic Starter, Members

Posted 24 August 2009 - 06:10 PM

Below are the Malwarebytes results. I also attached a minidump from the last BSOD.

BCCode: 124
BCP1: 00000000
BCP2: 889AD028
BCP3: B605C000
BCP4: 00000135
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Will work on the rootkit analyzer next and post results.

-R



Malwarebytes' Anti-Malware 1.40
Database version: 2691
Windows 6.0.6002 Service Pack 2

8/24/2009 7:00:30 PM
mbam-log-2009-08-24 (19-00-30).txt

Scan type: Quick Scan
Objects scanned: 93585
Time elapsed: 6 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\turbokey (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Race The World ™\turbokey.exe (Trojan.FakeAlert.H) -> Delete on reboot.

Attached Files



#9 Farbar
Security Developer, The Netherlands

Posted 25 August 2009 - 03:23 AM

According to the Minidump it is a hardware issue probably caused by the failing AuthenticAMD processor.

You may post another minidump to see if the dump reports are the same and consistent. Also post the rootkit scanner anyway if succeeded.

#10 rnitschke
Topic Starter, Members

Posted 25 August 2009 - 06:59 AM

Attached is the last minidump file to check for consistency. I will try a couple more times on the rootkit, but the machine BSODs before it completes. I did run the Malwarebytes full search and it did not find anything. I'm going to run HW Diagnostics again to see if it picks anything up on the CPU.

Thanks Farbar for all your help.

-R

Stop Error associated with this MiniDump.

Problem signature
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033

Files that help describe the problem (some files may no longer be available)
Mini082409-04.dmp
sysdata.xml
Version.txt

View a temporary copy of these files
Warning: If a virus or other security threat caused the problem, opening a copy of the files could harm your computer.

Extra information about the problem
BCCode: 4e
BCP1: 00000007
BCP2: 000D73C0
BCP3: 00000001
BCP4: 00000000
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Attached Files
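The "Problem signature" blocks pasted in posts #6, #8 and #10 can be decoded mechanically, which is how a helper checks whether a run of crashes is consistent. This is an added example in Python, not code from the thread or from any tool named in it: it parses the BCCode/BCP lines, maps the two bugcheck codes seen here (0x124 and 0x4E) to their documented names, and skips a block that lacks a BCCode line instead of guessing. The sample text is constructed from the values quoted in the posts above; the code and parameter tables are a subset of Microsoft's bugcheck reference.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Documented bugcheck codes for the two codes that appear in this thread.
# Anything else is reported as unknown rather than invented.
BUGCHECKS = {
    0x124: ("WHEA_UNCORRECTABLE_ERROR",
            "fatal hardware error reported by WHEA; BCP1 identifies the error source"),
    0x4E: ("PFN_LIST_CORRUPT",
           "page frame number list corrupted; usually a driver bug, not hardware"),
}

# Meaning of BCP1 for those codes (subset of the documented values).
BCP1_MEANING = {
    0x124: {0x0: "machine check exception (processor, cache or bus)",
            0x1: "corrected machine check",
            0x2: "corrected PCI Express error",
            0x3: "non-maskable interrupt"},
    0x4E: {0x7: "a driver unlocked a page more times than it locked it",
           0x8F: "free or zeroed page list head is corrupted",
           0x99: "page table entry or PFN entry is corrupted"},
}


@dataclass
class Bugcheck:
    code: int
    params: List[int]        # BCP1..BCP4 as integers
    name: str
    description: str
    bcp1_meaning: str

    @property
    def hardware_suspected(self) -> bool:
        # 0x124 with BCP1 == 0 is a machine-check exception raised by the
        # processor itself, which is the pattern the helper pointed at.
        return self.code == 0x124 and self.params[0] == 0


_BCCODE = re.compile(r"^\s*BCCode:\s*([0-9A-Fa-f]+)\s*$")
_BCP = re.compile(r"^\s*BCP([1-4]):\s*([0-9A-Fa-f]+)\s*$")


def _describe(code: int, params: List[int]) -> Bugcheck:
    name, desc = BUGCHECKS.get(code, ("UNKNOWN", "code not in this example's table"))
    bcp1 = BCP1_MEANING.get(code, {}).get(params[0], "not decoded here")
    return Bugcheck(code, params, name, desc, bcp1)


def parse_problem_signatures(text: str) -> List[Bugcheck]:
    """Extract every complete BCCode + BCP1..BCP4 group from pasted report text.

    A group whose BCCode line is missing (post #6 has one) is dropped, so the
    caller never sees a fabricated code. Unrelated lines such as "OS Version"
    are ignored; a blank line ends any partial group.
    """
    results: List[Bugcheck] = []
    code: Optional[int] = None
    params: Dict[int, int] = {}
    for line in text.splitlines():
        m = _BCCODE.match(line)
        if m:
            code, params = int(m.group(1), 16), {}
            continue
        m = _BCP.match(line)
        if m:
            params[int(m.group(1))] = int(m.group(2), 16)
            if len(params) == 4:
                if code is not None:
                    results.append(_describe(code, [params[i] for i in (1, 2, 3, 4)]))
                code, params = None, {}
            continue
        if not line.strip():
            code, params = None, {}
    return results


def summarize(text: str) -> dict:
    """Count codes so a run of identical crashes stands out, as it did here."""
    found = parse_problem_signatures(text)
    by_code: Dict[int, int] = {}
    for b in found:
        by_code[b.code] = by_code.get(b.code, 0) + 1
    return {"total": len(found), "by_code": by_code,
            "hardware_suspected": sum(b.hardware_suspected for b in found)}


# Constructed sample: values quoted in posts #6, #8 and #10, including the
# BCCode-less block from post #6 that must be skipped.
SAMPLE = """\
BCCode: 124
BCP1: 00000000
BCP2: 85347028
BCP3: B605C000
BCP4: 00000135

BCP1: 00000000
BCP2: 855E73F0
BCP3: B605C000
BCP4: 00000135

BCCode: 124
BCP1: 00000000
BCP2: 889AD028
BCP3: B605C000
BCP4: 00000135
OS Version: 6_0_6002

BCCode: 4e
BCP1: 00000007
BCP2: 000D73C0
BCP3: 00000001
BCP4: 00000000
"""

if __name__ == "__main__":
    for b in parse_problem_signatures(SAMPLE):
        print(f"0x{b.code:X} {b.name}: {b.description}; BCP1 -> {b.bcp1_meaning}")
    print(summarize(SAMPLE))
```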



#11 Farbar
Security Developer, The Netherlands

Posted 25 August 2009 - 02:18 PM

The minidump this time shows another cause. It is related to a driver in the user's temporary folder called aajasnkj.sys. I don't see this driver on your DDS log so I believe it is a temporary driver made by GMER and the BSOD should be from when you tried to run GMER.

Let's check something and see if you are able to run ComboFix.
  • To check if all devices are working properly:
    • Go to Start > right-click Computer and select Properties.
    • In the left pane select Device Manager.
    • Expand Display Adapters.
    • Check if there is any ? or ! sign next to the listed devices. If yes, tell me about that and:
      • Double-click on the listed device with ? or !
      • Under the General tab, note the writing in the Device Status section and post it in your reply.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double-click on ComboFix.exe and follow the prompts.
    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#12 rnitschke
Topic Starter, Members

Posted 25 August 2009 - 06:53 PM

Farbar,

1) Device manager shows no signs of problems. All devices OK.
2) Ready to run ComboFix but it gives me a warning that antivirus and antispyware by Norton Internet Security is running. HOWEVER, I am not running Norton, I am running McAfee and I have disabled them in McAfee Security Center but the Process manager still shows that McAfee Real-Time scanning is started?? Note that Norton did come installed on this machine so could it be a false positive??? Not sure. Should I go ahead and run ComboFix? Maybe I should just uninstall McAfee for now??

Also, you are right about that last BSOD MiniDump. It occurred when I was trying to run GMER. I had another BSOD today which occurred even before I logged in. Just booted up and BSOD, so one more attached MiniDump if you want to review.

Attached Files



#13 rnitschke
Topic Starter, Members

Posted 25 August 2009 - 09:42 PM

Moved forward with ComboFix. Results below:

ComboFix 09-08-25.02 - Toni 08/25/2009 22:24.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3454.2257 [GMT -4:00]
Running from: c:\users\Toni\Downloads\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2020713807-2621566357-2366945470-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2743716092-3295824385-944637748-500
c:\users\Default\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
c:\users\Sam\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
c:\users\Sam\ntuser.dat{92aec3ca-199d-11de-92a5-001e8c3574a8}.TMContainer00000000000000000001.regtrans-ms
c:\users\Toni\AppData\Local\Temp\TempFolder.aag\dirapi.dll
c:\users\Toni\AppData\Local\Temp\TempFolder.aag\iml32.dll
c:\users\Toni\AppData\Local\Temp\TempFolder.aag\proj.dll
c:\users\Toni\AppData\Local\Temp\TempFolder.aag\xtras\budapi.x32
c:\users\Toni\AppData\Local\Temp\TempFolder.aag\xtras\budtray.x32
c:\users\Toni\AppData\Local\Temp\TempFolder.aag\xtras\UsbAccessXtra.x32
c:\users\Toni\ntuser.dat{0a516f02-7965-11de-acff-001e8c3574a8}.TMContainer00000000000000000001.regtrans-ms
c:\users\Toni\ntuser.dat{120a6bd8-7660-11de-b2e9-001e8c3574a8}.TMContainer00000000000000000001.regtrans-ms
c:\users\Toni\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
c:\users\Toni\ntuser.dat{6d240499-7201-11de-9264-001e8c3574a8}.TMContainer00000000000000000001.regtrans-ms
c:\windows\Installer\6c84d0a.msi
c:\windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\LocalService\ntuser.dat{a67ccb25-2540-11de-99e0-001e8c3574a8}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\LocalService\ntuser.dat{bb84deae-1d36-11de-b84b-001e8c3574a8}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\LocalService\ntuser.dat{bd4d9516-35b5-11de-82a4-001e8c3574a8}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\LocalService\ntuser.dat{fe0bf6dd-79e2-11de-bee3-001e8c3574a8}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\NetworkService\ntuser.dat{2d0d4f0b-380b-11de-837b-001e8c3574a8}.TMContainer00000000000000000001.regtrans-ms
c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
c:\windows\system32\config\systemprofile\ntuser.dat{b1c6f9d8-8de2-11dc-99c2-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms
c:\users\Toni\ntuser.dat{2a694898-79ce-11de-925c-001e8c3574a8}.TMContainer00000000000000000001.regtrans-ms . . . . failed to delete
c:\windows\ServiceProfiles\LocalService\ntuser.dat{e95512e3-8cb1-11de-9555-001e8c3574a8}.TMContainer00000000000000000001.regtrans-ms . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-07-26 to 2009-08-26 )))))))))))))))))))))))))))))))
.

2009-08-25 23:33 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-25 23:29 . 2009-06-05 09:53 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-25 23:29 . 2009-06-05 09:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-24 22:22 . 2009-08-24 22:22 -------- d-----w- c:\users\Toni\AppData\Roaming\Malwarebytes
2009-08-24 22:22 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-24 22:22 . 2009-08-24 22:22 -------- d-----w- c:\programdata\Malwarebytes
2009-08-24 22:22 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-24 22:22 . 2009-08-24 22:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-22 00:36 . 2009-08-22 00:36 -------- d-----w- c:\users\Toni\AppData\Roaming\Yahoo!
2009-08-22 00:36 . 2009-08-22 00:36 -------- d-----w- c:\programdata\Yahoo! Companion
2009-08-22 00:36 . 2009-08-22 00:36 -------- d-----w- c:\program files\CCleaner
2009-08-15 22:25 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-15 22:25 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-15 22:25 . 2009-06-04 12:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-15 22:25 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-15 22:25 . 2009-07-15 12:39 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-15 22:25 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-15 22:25 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-15 22:25 . 2009-07-15 12:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-25 23:21 . 2008-12-24 23:50 -------- d-----w- c:\programdata\Google Updater
2009-08-24 23:15 . 2009-05-07 22:15 -------- d-----w- c:\program files\Race The World ™
2009-08-22 00:36 . 2007-11-08 11:00 -------- d-----w- c:\program files\Yahoo!
2009-08-20 20:47 . 2008-03-07 01:21 -------- d-----w- c:\program files\McAfee
2009-08-20 12:18 . 2009-06-05 19:28 -------- d-----w- c:\program files\Unity
2009-08-16 11:45 . 2009-05-07 22:13 -------- d-----w- c:\program files\Hot Wheels
2009-08-15 23:34 . 2009-02-22 12:48 -------- d-----w- c:\programdata\Microsoft Help
2009-08-15 23:33 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-01 08:25 . 2008-12-18 11:49 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-25 10:32 . 2009-07-25 10:32 -------- d-----w- c:\program files\Trend Micro
2009-07-21 21:52 . 2009-07-29 10:29 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 10:29 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 10:29 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 10:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-19 21:57 . 2008-03-07 00:43 106096 ----a-w- c:\users\Toni\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-19 20:46 . 2007-11-08 10:37 -------- d-----w- c:\programdata\HP
2009-07-17 10:36 . 2007-11-08 10:56 -------- d-----w- c:\programdata\WildTangent
2009-07-10 13:10 . 2007-11-08 10:33 -------- d-----w- c:\programdata\NVIDIA
2009-07-10 10:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-07-10 10:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-07-10 10:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-07-10 10:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-07-10 10:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-07-10 10:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-07-10 10:46 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-07-10 10:27 . 2008-03-07 01:19 -------- d-----w- c:\programdata\McAfee
2009-07-05 17:32 . 2009-07-05 17:32 15252408 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2009-06-24 10:04 . 2009-06-24 10:03 116840 ----a-w- c:\windows\hpqins00.dat
2009-06-15 14:53 . 2009-07-15 11:21 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:52 . 2009-07-15 11:21 23552 ----a-w- c:\windows\system32\lpk.dll
2009-06-15 14:52 . 2009-07-15 11:21 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 14:51 . 2009-07-15 11:21 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:42 . 2009-07-15 11:21 289792 ----a-w- c:\windows\system32\atmfd.dll
2007-11-08 09:59 . 2007-11-08 09:54 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 92704]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RDListener"="c:\program files\Registry Defense\RDListener.exe" [2009-02-07 115312]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Hot Wheels® Turbo Driver™ Watcher"="c:\program files\Hot Wheels\HotwheelsWatcher.exe" [2008-01-25 2870612]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-10-09 44168]

c:\users\Toni\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
PictureMover.lnk - c:\program files\PictureMover\Bin\PictureMover.exe [2008-8-13 413696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Auto run of VideoCam Suite 1.0.lnk - c:\program files\Panasonic\VideoCamSuite\VideoCamSuiteAutoStart.exe [2009-4-11 161160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):f6,b7,42,00,4d,01,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C61BEF46-DEC4-446B-A3C9-8911790454AC}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{7ECA0280-D1A6-4B44-B6FE-F6D92DB114A6}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{5213E56E-C134-4C7C-839F-6831026348DA}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{16184ECD-80CA-4335-9DD4-1C94FFAC8741}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F7368523-7412-4729-ADC8-C90D04A18079}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6C04A3C6-E534-48FA-A879-033809A8C2D6}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{BF63AFF3-E431-4CF0-B13B-A834FE49DB00}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{739BA350-305A-4021-A7BD-A52C17D10872}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{22F27552-C914-4437-9457-385FC9475C2B}"= UDP:c:\program files\TurboTax\Deluxe 2007\32bit\ttax.exe:TurboTax
"{E2E58441-3DDA-43E8-8B40-327D06DBFCD1}"= TCP:c:\program files\TurboTax\Deluxe 2007\32bit\ttax.exe:TurboTax
"{C66324F7-00B9-4097-A13E-2F7EBE648F30}"= UDP:c:\program files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:TurboTax Update Manager
"{DF7153A0-570F-44E3-AE80-53F232D5447A}"= TCP:c:\program files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:TurboTax Update Manager
"{23100907-92EC-4C1A-A1C0-75776FA66244}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{3D9C5FE1-5A2E-41F8-840D-A5F54D2B1E9D}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{9A7310B9-52AA-40E7-A1E3-2E536F9C6AD0}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{56842705-E887-4F16-9B11-A9C2B0BB3B29}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{5C8FE037-32BD-470A-96BB-0E7E66C3E4D2}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{AA4DF80A-28E2-489B-8DCA-3B276BEC9286}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6D4CF2E5-F551-4C68-A797-422B4AD9E0AD}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2/25/2009 6:06 PM 13088]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/7/2008 9:59 PM 210216]
S2 gupdate1c966229a402ca0;Google Update Service (gupdate1c966229a402ca0);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2008 7:51 PM 133104]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [11/5/2008 8:17 AM 33752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-03-16 00:17]

2009-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 13:45]

2009-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-24 13:45]

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-28 15:53]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-28 15:53]

2009-08-25 c:\windows\Tasks\NightlyCleaning.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-28 15:53]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
LSP: c:\windows\system32\wpclsp.dll
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-25 22:36
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3116)
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\bgsvcgen.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\windows\System32\rundll32.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2009-08-26 22:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-26 02:39

Pre-Run: 338,393,157,632 bytes free
Post-Run: 337,985,667,072 bytes free

259 --- E O F --- 2009-08-25 23:34

#14 Farbar
Security Developer, The Netherlands

Posted 26 August 2009 - 11:38 AM

rnitschke,

The BSOD was again caused by the AuthenticAMD processor. It looks like the cause of the crash is pretty consistent, yet post another minidump to make sure.

ComboFix found and removed some stuff.

I'm still concerned about not being able to run a rootkit scan. Let's first check the volume for errors, which is good for the system anyway.


To check the volume for errors:
  • Click start and then Computer.
  • Right click the drive C and select Properties.
  • Under Tools tab press Check Now...
  • Put a check mark in both items and press start.
  • If you get a message click Yes to schedule the disk check and click OK and then restart your computer to start the disk check. Please be patient and let the system run. In some cases it might take a couple of hours and you don't have to sit there the whole time.
After the disk check is finished and the Windows started:
  • Go to Start => Run => type or copy/paste eventvwr in the run box and click OK.
  • Select Applications section.
  • Click on the Source column to sort the items alphabetically.
  • Search for the Winlogon entry that corresponds to when you ran the check disk.
  • Double-click that entry and you'll find the scan's results there, click the third button on the right, under two arrow keys (this copies the info in the memory to the clipboard).
  • Then open a notepad, right-click in it and select Paste to paste the content of the clipboard.

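The Event Viewer steps above can also be done from a PowerShell prompt. This is an added example, not part of Farbar's instructions; it assumes a Vista-era or later PowerShell with Get-WinEvent, and that the disk-check summary is logged to the Application log by Winlogon (Vista) or Wininit (later versions) with a message beginning "Checking file system on".

```powershell
# Added example (not from the thread): read back the chkdsk result that the
# manual Event Viewer steps locate, and save it to a text file for posting.
# Assumptions: PowerShell 2.0+ (Get-WinEvent); the disk-check summary is written
# to the Application log by Microsoft-Windows-Winlogon (Vista) or
# Microsoft-Windows-Wininit (Windows 7 and later), message starting
# "Checking file system on".
param(
    [int]$HoursBack = 24,
    [string]$OutFile = (Join-Path $env:USERPROFILE 'Desktop\chkdsk-result.txt')
)

$since = (Get-Date).AddHours(-$HoursBack)

# Both provider names are queried because the source changed between versions.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Winlogon', 'Microsoft-Windows-Wininit'
    StartTime    = $since
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Winlogon/Wininit events in the Application log since $since."
    return
}

# The chkdsk summary is the event whose message begins with the check banner.
$chkdsk = $events | Where-Object { $_.Message -like 'Checking file system on*' }

if ($chkdsk) {
    $report = foreach ($e in $chkdsk) {
        "=== chkdsk result logged {0} (Event ID {1}, source {2}) ===" -f `
            $e.TimeCreated, $e.Id, $e.ProviderName
        $e.Message
        # Lines worth reading first: anything about bad sectors or corrections.
        "--- lines mentioning problems ---"
        $e.Message -split "`r?`n" | Where-Object { $_ -match 'bad|corrupt|correct|error' }
    }
    $report | Out-File -FilePath $OutFile -Encoding UTF8
    $report
    Write-Host "Saved to $OutFile (paste its contents into your reply)."
} else {
    Write-Host "No disk-check result found. Winlogon/Wininit events seen instead:"
    $events | Select-Object TimeCreated, Id, ProviderName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}
```

If the check ran more than 24 hours ago, pass -HoursBack with a larger value; the fallback table helps confirm that the reboot and disk check actually happened when expected.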

#15 rnitschke

rnitschke
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:16 AM

Posted 27 August 2009 - 06:07 AM

farbar,

1) Ran the chkdsk. Took about 3 hours. Went into event viewer and found the winlogon entries. I found the last winlogon entry before the machine rebooted to run the scan and the 1st logon entry after the machine rebooted. See below.

2) Got GMER to run completely based on previous instructions, see attached GMER results.


3) Waiting for another BSOD. So far none but I have not done much activity with the machine. I did run the full HW Diagnostics that came with the machine (PC-Doctor by HP) and it did not identify any hardware issues or CPU issues.



-R


Last:

Log Name: Application
Source: Microsoft-Windows-Winlogon
Date: 8/26/2009 5:41:36 PM
Event ID: 6000
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: Toni-002
Description:
The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Wlclntfy" />
<EventID Qualifiers="32768">6000</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-08-26T21:41:36.000Z" />
<EventRecordID>25208</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Toni-002</Computer>
<Security />
</System>
<EventData>
<Data>SessionEnv</Data>
<Binary>D9060000</Binary>
</EventData>
</Event>


First Winlogon after reboot

Log Name: Application
Source: Microsoft-Windows-Winlogon
Date: 8/27/2009 5:40:31 AM
Event ID: 4101
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: Toni-002
Description:
Windows license validated.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Winlogon" />
<EventID Qualifiers="16384">4101</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-08-27T09:40:31.000Z" />
<EventRecordID>25246</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Toni-002</Computer>
<Security />
</System>
<EventData>
<Data>0x00000000</Data>
<Data>0x00000001</Data>
</EventData>
</Event>

Attached Files





