Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can someone take a look HiJackThis log


  • This topic is locked This topic is locked
17 replies to this topic

#1 skryber64

skryber64

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bleepin' Hoosier
  • Local time:02:54 PM

Posted 06 August 2009 - 07:52 PM

A friend gave me her Dell Inspiron 1501 to look at because it was unbelievably slow. It takes about 5-6 minutes to open a folder. I ran MBAM, Eset, SAS, and her scan which was AVG. They found nothing! I can't get online with the laptop so I'm going back and forth with my computer and a flash drive. Will someone take a look at this HiJackThis log and tell me if you see anything I should delete? Or maybe have an idea what the problem is?
Thanks in advance!

Skryber64


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:46 PM, on 8/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
E:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061215
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061215
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...ows-i586-jc.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Unknown owner - E:\Ares\chatServer.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6415 bytes

BC AdBot (Login to Remove)

 


#2 skryber64

skryber64
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bleepin' Hoosier
  • Local time:02:54 PM

Posted 13 August 2009 - 11:53 AM

Well I ran the log through an analyzer and didn't really find anything. All maybe's. Does anyone know why this laptop could be running so slow if it isn't a virus? There isn't much on it. I even ran a cleaner and I'm not getting anywhere.
Thanks :thumbup2:

Skryber64

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 13 August 2009 - 04:27 PM.


#3 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:54 PM

Posted 17 August 2009 - 10:15 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:54 PM

Posted 25 August 2009 - 03:02 PM

Topic reopened.

@ skryber64,

Please post back with current logs and an updated description of your computer issues as requested in the previous post.

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 skryber64

skryber64
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bleepin' Hoosier
  • Local time:02:54 PM

Posted 25 August 2009 - 07:33 PM

Hey there! Okay, I'm trying to fix a friend's laptop. It's incredibly slow and she can't access the internet. I can't seem to find the problem. Here is the DDS log:



==== Installed Programs ======================

Adobe Flash Player ActiveX
Adobe PageMaker 6.5
Adobe Reader 7.1.0
AIM 6
AMD Processor Driver
AOLIcon
ATI Catalyst Control Center
ATI Display Driver
Broadcom Management Programs
CCleaner (remove only)
Conexant HDA D110 MDC V.92 Modem
Dell Support 3.2.1
Dell Support Center
Dell System Restore
Dell Wireless WLAN Card
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
EnZip
ESET NOD32 Antivirus
Games, Music, & Photos Launcher
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 10 (KB903157)
InterActual Player
J2SE Runtime Environment 5.0 Update 6
Jasc Paint Shop Pro 8 Dell Edition
Java™ 6 Update 5
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Modem Helper
Mozilla Firefox (2.0.0.16)
PowerDVD 5.7
QuickSet
QuickTime
QuickTime for Windows (32-bit)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB941569)
Sonic Encoders
Spybot - Search & Destroy
Synaptics Pointing Device Driver
SyncToy
Update for Windows Media Player 10 (KB910393)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB912067
Windows XP Service Pack 3

==== End Of File ===========================




DDS (Ver_09-07-30.01) - NTFSx86
Run by Linda at 16:55:56.29 on Tue 08/25/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/?src=aim
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0061215
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {7EFBC57C-CD57-481F-B794-648FCE9C9116} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab?AuthParam=1210123393_2c2fa48b5a737799fffb29f16202620d&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-08-01 13:25 <DIR> --d----- c:\docume~1\linda\applic~1\Malwarebytes
2009-08-01 13:25 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-01 13:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-01 13:25 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-01 13:21 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================


============= FINISH: 16:57:23.62 ===============

#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:54 PM

Posted 01 September 2009 - 09:52 AM

Hello skryber64 :thumbup2: Welcome to the BC HijackThis Log and Analysis forum. Sorry about your wait, but I will be assisting you in cleaning up your system from here on out.


I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





I need to get a little different look at your system so please perform the following:



We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 skryber64

skryber64
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bleepin' Hoosier
  • Local time:02:54 PM

Posted 03 September 2009 - 12:55 AM

Thanks for your response. Here is the requested GMER log:

GMER 1.0.15.15077 [pnin1o7z.exe] - http://www.gmer.net
Rootkit scan 2009-09-03 00:52:48
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 85031630 ZwAssignProcessToJobObject
SSDT 85030A60 ZwOpenProcess
SSDT 85030E80 ZwOpenThread
SSDT 85031460 ZwSuspendProcess
SSDT 85031280 ZwSuspendThread
SSDT 85030C90 ZwTerminateProcess
SSDT 850310B0 ZwTerminateThread

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1496] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:276] 8502F790

---- EOF - GMER 1.0.15 ----

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:54 PM

Posted 03 September 2009 - 08:05 AM

Can you give me any background on how your friend lost Internet connection? Did it just happen or did the slowdown occur and they tried to run some tools to check for infections?
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#9 skryber64

skryber64
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bleepin' Hoosier
  • Local time:02:54 PM

Posted 03 September 2009 - 11:20 AM

She said it started messing up a long time ago and she stopped using it and can't remember what happened. She's not very computer savy and I'm not getting any help from her. I asked for her Dell Recovery discs a month ago and she can't find them. It's very difficult to just jump in on something like this knowing nothing so I understand any frustration. If not a virus, I'm wondering if she has failed hardware. I've already cleared up many viruses. I worked on an E-Machine before with a bad modem and it rendered the entire PC useless until I took it out. Actually, that was the day I said I will never touch an E-Machine again. I'm sorry I can't offer you more information. I'm tempted to wipe it but if it's a hardware issue, it won't be doing me any good. The real frustration with this, is that it takes a very long time to open anything. And shutting it down, I waited 15 minutes and now I just do it manually. I don't even know if it will shut down on it's own. When I get home tonight, I will post the I/O error I get at start up. I shouldv'e done so in the beginning but I forgot about it thinking for sure the problem was a virus.

#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:54 PM

Posted 03 September 2009 - 11:47 AM

I'm not entirely ruling out an infection because some of them are really good at hiding. What do you say to let's getting the error report and see if we can glean anything from that and then go from there.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#11 skryber64

skryber64
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bleepin' Hoosier
  • Local time:02:54 PM

Posted 03 September 2009 - 11:52 AM

OK. It will be later tonight bc I'm at work. Thank you very much for your help. :thumbup2:

#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:54 PM

Posted 03 September 2009 - 12:10 PM

I'm glad that I can help. We'll try our best to get it back to running but you just never really know. We worked on another machine for a couple of weeks off and on that was heavily infected but towards the end we discovered it also had a bad hdd so the guy still have to replace it and do a reinstall. Go figure! :thumbup2:

If this is a Dell PC there is a chance she really never got the recovery CDs. It might have just been some drivers and the like CDs that she thought was the recovery CD. Lot's of times with Dell they don't come with the computers but if she is the original owner you can usually get them in practically no time. Mine took one day to get here and the guy I was talking about above got his in about 14 hrs. If you need a link to order them let me know. If you didn't get them there is no charge for the first set.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#13 skryber64

skryber64
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bleepin' Hoosier
  • Local time:02:54 PM

Posted 03 September 2009 - 08:15 PM

Heres the error I get before I log into the user:

ehRec.exe - Application Error

The instruction at "0x791b6821" referenced memory at "0x79bc581c". The required data was not placed into memory because of an I/O error status of "0xc000009c".

Click on OK to terminate the program
Click on CANCEL to debug the program



Then I cancel to debug and windows loads and I get this:

dsca.exe - Common Language Runtime Debugging Services


Application has generated an exception that could not be handled.


Process id=0xcac (3244), Thread id=0xcb0 (3248).

Click OK to terminate the application
Click CANCEL to debug the application


So I click cancel and it finds no debugger:

dsca.exe - No debugger found.

Registered JIT debugger is not available. An attempt to launch a JIT debugger with the following command resulted in an error code of 0x2 (2).
Please chech computer settings.

cordbg.exe !a 0xcac

Click on Retry to have the process wait while attaching a debugger manually.
Click on CANCEL to abort the JIT debug request.



So I hit Cancel.



I figured this had something to do with an external drive that she didn't give me and brushed it off as no big deal. What do you think? Also do you know, aside from googling, how is the average PC user supposed to find out what these types of errors are? I mean when they give you a code like "0x791b6821".


Thank you much!

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:54 PM

Posted 03 September 2009 - 09:06 PM

Let me do some checking. Probably be tomorrow before I can get back. :thumbup2:
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#15 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:01:54 PM

Posted 04 September 2009 - 10:00 AM

I tend to agree with your idea about wiping and doing a reinstallation. That may be the easiest way to go and the one with the least headaches. I believe I would ask her what I mentioned above concerning her being the original owner and I can give you the link to Dell to get disks if she didn't get them to begin with. If there is a hardware problem it is going to be the same thing whichever way we go.


Dell link
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users