Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


BSOD, now I wonder if I have some malware, etc.

  • This topic is locked This topic is locked
2 replies to this topic

#1 TSimmons2


  • Members
  • 5 posts
  • Local time:05:10 PM

Posted 27 February 2010 - 03:59 PM

Hello. I know you folks are swamped helping people but here is my problem. Originally, my PC wouldn't boot to normal mode (BSOD stop error 0x0000008E 0xC0000005, 0xE0CFB420, 0xF54717DC, 0x00000000) and so I d/l combofix.exe, rustbfix.exe and gmer and ran them but I didn't turn off Spybot S&D teatimer and I disallowed some registry changes that combofix was trying to make that looked suspicious. It was changing my start homepage in my browser! and deleting entries and so I disallowed most of that. It was running several instances of a service that uninstalls FireFox. So, I did run combofix but I suspected it was itself a malicious program. Maybe it wasn't but after that, my PC was slow and doing weird things. My FireFox browser would never be the default. It put an IE icon on the desktop. etc. etc.

So, by the time I shut my PC off last night in safe mode, the cpu was maxed and half the usage was dedicated to winlogon.exe and half to another process and of course it wouldn't let me kill winlogon.exe.

So, I have not run combofix properly (because it seemed to be doing things it shouldn't) and not sure if that caused my further problems but I did run this dds.scr and have saved the two txt files. If I DO need to rerun combofix.exe and do it w/o the firewalls/teatimer registry trapping, just let me know and also let me know WHERE I can get a known good copy of it.

I'm just worried about running the combofix program again and does it really work correctly in safe mode because that's the only mode I can get to windows in? Also, what makes me think combofix or maybe one of the other diags I ran was malware is that it deleted all of my recent system backups. I went to do a restore and ALL of them were gone. Plus, not only that, it didn't even give me the option to CREATE a backup.

I just wonder if I should blast the HD and reimage from the restore disc made by the manufacturer of the PC and reinstall all my software, all my patches, all my personal folders.... two days work to do that I'm guessing.

I think if I can be sure there really isn't any viruses, malware, etc. on my PC, then maybe someone can help me figure out why it will not boot in normal mode anymore and today, it didn't even give the BSOD. It went to the windows logo then.... died. Black screen. Nothing. I restarted (reset btn) and hit F8 and booted to safe mode.

Anyway, thanks for the help. I will NOT run combofix.exe unless someone here tells me that it is the next step to take in trying to diag this problem. I do have the txt files from the dds.scr diag if I need to post those and I can post my PC specs if needed but it's a fairly new and fast machine. Normal stuff. Intel, 3.something GHz chip, 4 gig ram, 600 gig hd, nvidia geforce 9600 gt, asus motherboard.

Well, after rereading some of the post on how to post here, it says to go ahead and post the dds files so I'll paste the one in here and attach the other as an attachment if I can figure out how.

Also, I reran the GMER just now and the only thing it showed was a few catchme.sys entries that were associated with my Comodo firewall program.

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by kcufMicroSoft at 1:06:31.96 on Sat 02/27/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07

============== Running Processes ===============

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\uninstall\helper.exe
C:\Program Files\Mozilla Firefox\uninstall\helper.exe
C:\Program Files\Mozilla Firefox\uninstall\helper.exe
C:\Program Files\Mozilla Firefox\uninstall\helper.exe
C:\Program Files\Mozilla Firefox\uninstall\helper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\uninstall\helper.exe
C:\Documents and Settings\kcufMicroSoft\Desktop\dds.scr
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.endpcnoise.com/
uInternet Connection Wizard,ShellNext = hxxp://www.endpcnoise.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ipswitch\ws_ftp pro\wsbho2k0.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\kcufmicrosoft\local settings\application data\google\update\\GoogleUpdate.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [CPU Power Monitor] "c:\program files\asus\ai suite\aigear3\CpuPowerMonitor.exe"
mRun: [Cpu Level Up help] c:\program files\asus\ai suite\CpuLevelUpHelp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [CtxfiReg] CTXFIREG.exe /FAIL2
mRun: [Ai Nap] "c:\program files\asus\ai suite\ainap\AiNap.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRunOnce: [LHTTSENG] RunDll32 advpack.dll,LaunchINFSection c:\windows\inf\LHTTSENG.inf, RemoveCabinet
mRunOnce: [tv_enua] RunDll32 advpack.dll,LaunchINFSection c:\windows\inf\tv_enua.inf, RemoveCabinet
mPolicies-explorer: <NO NAME> =
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: aol.com\free
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kcufmi~1\applic~1\mozilla\firefox\profiles\2spjmnmm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\kcufmicrosoft\local settings\application data\yahoo!\browserplus\2.5.1\plugins\npybrowserplus_2.5.1.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick7.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R? cmdAgent;COMODO Internet Security Helper Service
R? cmdGuard;COMODO Internet Security Sandbox Driver
R? ctgame;Game Port
R? ehdrv;ehdrv
R? ekrn;ESET Service
R? gupdate1c918755fcc0efe;Google Update Service (gupdate1c918755fcc0efe)
R? TabletServiceWacom;TabletServiceWacom
S? cmdHlp;COMODO Internet Security Helper Driver
S? epfwtdir;epfwtdir
S? wacmoumonitor;Wacom Mode Helper

=============== Created Last 30 ================

2010-02-27 05:39:38 0 d-----w- C:\Rustbfix
2010-02-27 05:24:46 98816 ----a-w- c:\windows\sed.exe
2010-02-27 05:24:46 77312 ----a-w- c:\windows\MBR.exe
2010-02-27 05:24:46 261632 ----a-w- c:\windows\PEV.exe
2010-02-27 05:24:46 161792 ----a-w- c:\windows\SWREG.exe
2010-02-26 19:37:43 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-26 04:38:45 116 ----a-w- c:\documents and settings\kcufmicrosoft\Adobe Encore_AME.pref
2010-02-15 03:18:45 0 d-----w- c:\docume~1\kcufmi~1\applic~1\NevoSoft Games
2010-02-12 22:14:54 0 d-----w- c:\program files\common files\MagicDVDRipper
2010-02-12 22:13:46 0 d-----w- c:\program files\MagicDVDRipper
2010-02-12 21:30:41 0 d-----w- c:\program files\Convert VOB to AVI
2010-02-09 18:36:16 0 d-----w- c:\docume~1\kcufmi~1\applic~1\Nevosoft
2010-02-03 17:03:14 0 d-----w- C:\Solomon_Pics

==================== Find3M ====================

2010-01-13 19:37:58 360580 ----a-w- c:\windows\eSellerateEngine.dll
2006-06-23 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe
2008-09-01 06:39:38 74 --sh--r- c:\windows\3DXCT.BIN
2009-11-09 20:24:17 74 --sh--r- c:\windows\CT6PRET.BIN

============= FINISH: 1:12:58.82 ===============


Attached Files

Edited by TSimmons2, 27 February 2010 - 04:10 PM.

BC AdBot (Login to Remove)


#2 TSimmons2

  • Topic Starter

  • Members
  • 5 posts
  • Local time:05:10 PM

Posted 28 February 2010 - 11:30 PM

After determining the registry was corrupt and being unsuccessful at using a few different registry backup files in windows/repair etc, I opted to reimage the HD to the way it was from the seller using a CD they sent along with it. I saved most of my personal stuff to an external HD but there's always something missed (like tons of bookmarks in FireFox I forgot to save).

Anyway, thanks for the help and I just wanted to write back with my solution and say you can close this thread.


#3 Elise


    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,313 posts
  • Gender:Female
  • Location:Romania
  • Local time:02:10 AM

Posted 03 March 2010 - 09:00 AM

Thanks for letting us know!

This topic will now be closed.

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


Malware analyst @ Emsisoft

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users