IE8 Redirecting - General malaise

whftherb


Posted 18 July 2010 - 04:38 PM

Hello - here is the wife's laptop - an Acer Travelmate 4220 with XP Pro SP3 - updated as of a few days ago. C:\ Disk is 1/3 full. D:\ is about 1/2 full. Using ESET Smart Security v 3. She uses this laptop for browsing through Google and Outlook Express and that's about it!

On the user account, everything was fine until I did the latest MS updates the other day. A reboot brought up a very sluggish system compared to just before. And, IE 8 seems to be in trouble as is Google Chrome. I can pull up the homepage in both browsers (google.com) no problem. As soon as I try to call up a page off of the Google home page, it never seems to pull up what I requested. It just spins and spins endlessly. So I'm thinking something got in here around ESET. Or it could be a time-bomb before ESET got installed. So again, I'm associating the installation of updates with the uncovering/revealing of this malware. But it's a guess.

I ran SAS from Safe Mode - found 7 infections - scanned and cleaned and rebooted. Still crapped out. I ran MBAM from Safe Mode - found 13 infections - scanned and cleaned. Rebooted into normal - still crapped out. So I came here. I had no problem running DDS. I had difficulty running GMER, but I found that after disabling ESET it ran OK. With ESET running, GMER generated a BSOD with stop code 50 pointing at a file called ugtdipow.sys. I exposed all file types and searched for this file - not found. But with ESET disabled GMER ran through, though it didn't appear to find as much as when ESET was running (before it bombed). I see several entries in DDS referring to "winlogon.exe" - makes me wonder....


The Local Admin account in normal mode is totally hosed. Completely useless at this point. I could do nothing with it. It presents the desktop and as soon as you click on anything, the screen goes black and intermittently comes back with nothing running, or it stays black. If you're lucky enough to try to log off, you get an error box claiming that "...winlogon.exe could not initialize winlogon.dll".

Here are the logs run from my wife's user account in normal mode and I'll wait to see what one of the experts here has to tell me about this. I promise to stay engaged totally until this is cleared up. Thanks.

DDS (Ver_10-03-17.01) - FAT32x86
Run by TanteC at 13:44:09.62 on Sun 07/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.99 [GMT -4:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\The Fix\dds.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [HKCU] c:\windows\system32\winlogon\winlogon.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Boot] c:\acer\empowering technology\epower\Boot.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [HKLM] c:\windows\system32\winlogon\winlogon.exe
uExplorerRun: [Policies] c:\windows\system32\winlogon\winlogon.exe
mExplorerRun: [Policies] c:\windows\system32\winlogon\winlogon.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256089416312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {36K3DTB1-2174-737D-68CD-NY6P1SU1JT60} - c:\windows\system32\winlogon\winlogon.exe
mASetup: {AV0EQ4R6-Y588-N4Q6-SC63-Y6P21MLT75B6} - Restart

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-4-27 107256]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-4-27 731840]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-1-18 236368]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-1-18 19160]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\elock2burnerlockdriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\elock2fsctldriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2006-9-28 32512]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-4-6 27064]

=============== Created Last 30 ================

2010-07-18 17:42:34 0 d-----w- C:\The Fix
2010-07-17 23:56:56 581632 --sha-r- c:\documents and settings\tantec\plugin.dat
2010-07-17 23:05:35 0 d-----w- c:\docume~1\tantec\applic~1\SUPERAntiSpyware.com
2010-07-17 23:05:35 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-17 23:05:23 0 d-----w- c:\program files\SUPERAntiSpyware
2010-07-16 12:41:20 0 d-sh--w- C:\FOUND.003
2010-07-16 12:04:56 0 d-sh--w- C:\FOUND.002
2010-07-15 01:13:25 101888 ----a-w- c:\windows\system32\drivers\mtstjzvw.sys
2010-07-15 00:02:00 0 d-----w- c:\windows\system32\MpEngineStore
2010-07-14 23:38:32 172 ----a-w- c:\windows\system32\MRT.INI
2010-07-14 23:34:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-14 13:07:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-23 11:42:08 411368 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-07-18 17:43:14 2072 ---ha-w- c:\docume~1\tantec\applic~1\cglogs.dat
2010-05-05 13:30:58 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2006-08-01 04:29:00 1005065 --sh--r- c:\windows\system32\winlogon\winlogon.exe

============= FINISH: 13:45:52.70 ===============

GMER - http://www.gmer.net
Rootkit scan 2010-07-18 17:06:31
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\TanteC\LOCALS~1\Temp\ugtdipow.sys

---- System - GMER 1.0.15 ----

SSDT FFB3C580 ZwAssignProcessToJobObject
SSDT FFB3D100 ZwDebugActiveProcess
SSDT FFB3CB30 ZwDuplicateObject
SSDT FFB3BCC0 ZwOpenProcess
SSDT FFB3BFC0 ZwOpenThread
SSDT FFB3C9C0 ZwProtectVirtualMemory
SSDT FFB3C860 ZwSetContextThread
SSDT FFB3C6E0 ZwSetInformationThread
SSDT FFB39700 ZwSetSecurityObject
SSDT FFB3C420 ZwSuspendProcess
SSDT FFB3C2C0 ZwSuspendThread
SSDT FFB3BE50 ZwTerminateProcess
SSDT FFB3C150 ZwTerminateThread
SSDT FFB3CF50 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1892] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device -> \Driver\atapi \Device\Harddisk0\DR0 82E91EC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Thanks to all


Edited by whftherb, 18 July 2010 - 04:40 PM.
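The autostart entries in the DDS report above can be triaged mechanically. The script below is an added example for this thread, not code from the original post or from the DDS or GMER tools: it re-parses the kind of lines the "Pseudo HJT Report" and the "Created Last 30" / "Find3M" sections print and applies the checks a responder makes by eye. The sample log is constructed: the suspicious lines are copied from the report in the thread, and a few benign ones from the same report are kept for contrast. The list of system binary names and their canonical directories is an assumption made for the example.

```python
"""Triage autostart and file-listing lines from a DDS log.

Checks applied (each line may trip more than one):
  * a Windows system binary name launched from a directory that is not its home
  * a Run value named after a registry hive or policy key instead of a product
  * an Active Setup entry whose "GUID" is not a well-formed GUID
  * a file carrying both hidden and system attributes
"""
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Names malware borrows to blend into a process list. On XP these live only in
# %windir%\system32 (explorer.exe in %windir%). Paths are compared lowercased.
# This list and the directory set are assumptions for the example.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                   "services.exe", "smss.exe", "explorer.exe", "ctfmon.exe"}
CANONICAL_DIRS = {r"c:\windows\system32", r"c:\windows"}
# Run-value names that imitate a hive or policy key rather than naming a product.
DECOY_VALUE_NAMES = {"hklm", "hkcu", "policies"}

RUN_RE = re.compile(r"^[um](?:Run|ExplorerRun):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
ASETUP_RE = re.compile(r"^[um]ASetup:\s*(?P<guid>\{[^}]*\})\s*-\s*(?P<cmd>.+)$")
# "2006-08-01 04:29:00 1005065 --sh--r- c:\...": date, time, size, 8-char attribute field, path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(?P<attr>[-dshraw]{8})\s+(?P<path>.+)$")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|sys|com))"?(?:\s|$)', re.I)

# Constructed sample: suspicious and benign lines copied from the DDS report in the thread.
SAMPLE_LOG = [
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"uRun: [HKCU] c:\windows\system32\winlogon\winlogon.exe",
    r'mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice',
    r"mRun: [HKLM] c:\windows\system32\winlogon\winlogon.exe",
    r"uExplorerRun: [Policies] c:\windows\system32\winlogon\winlogon.exe",
    r"mASetup: {36K3DTB1-2174-737D-68CD-NY6P1SU1JT60} - c:\windows\system32\winlogon\winlogon.exe",
    r"mASetup: {AV0EQ4R6-Y588-N4Q6-SC63-Y6P21MLT75B6} - Restart",
    r"2006-08-01 04:29:00 1005065 --sh--r- c:\windows\system32\winlogon\winlogon.exe",
    r"2010-07-14 23:38:32 172 ----a-w- c:\windows\system32\MRT.INI",
]

MASQ = "system binary name outside its canonical directory"
DECOY = "Run value named after a hive or policy key"
BAD_GUID = "Active Setup key is not a well-formed GUID"
HIDDEN_SYS = "file carries hidden+system attributes"


def image_path(cmd: str) -> str:
    """Executable path from a Run-value command line: quotes and arguments stripped, lowercased."""
    m = IMAGE_RE.match(cmd.strip())
    return (m.group("path") if m else cmd).strip().lower()


def masquerades(path: str) -> bool:
    """True when the file name is a Windows system binary but its directory is not the real home."""
    directory, _, name = path.rpartition("\\")
    return name in SYSTEM_BINARIES and directory not in CANONICAL_DIRS


def triage(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for every check a line trips."""
    findings: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if m := RUN_RE.match(line):
            if masquerades(image_path(m.group("cmd"))):
                findings.append((line, MASQ))
            if m.group("name").lower() in DECOY_VALUE_NAMES:
                findings.append((line, DECOY))
        elif m := ASETUP_RE.match(line):
            if not GUID_RE.match(m.group("guid")):
                findings.append((line, BAD_GUID))
            if masquerades(image_path(m.group("cmd"))):
                findings.append((line, MASQ))
        elif m := FILE_RE.match(line):
            attr, path = m.group("attr"), m.group("path").lower()
            # 'd' marks a directory (e.g. chkdsk's FOUND.00x); only flag plain files
            if "d" not in attr and "s" in attr and "h" in attr:
                findings.append((line, HIDDEN_SYS))
            if masquerades(path):
                findings.append((line, MASQ))
    return findings


def summary(findings: List[Tuple[str, str]]) -> Counter:
    """Count findings per reason."""
    return Counter(reason for _, reason in findings)


if __name__ == "__main__":
    for hit, why in triage(SAMPLE_LOG):
        print(f"[{why}] {hit}")
```

Run against the lines above, every entry that points at c:\windows\system32\winlogon\winlogon.exe is flagged on the path alone, the two Active Setup entries are flagged on their malformed GUIDs, and the Find3M line is flagged again for its hidden+system attributes, while the ctfmon.exe, egui.exe and MRT.INI lines pass. The parser covers only what DDS prints; the GMER findings in the same post (the "Device -> \Driver\atapi" line and the atapi.sys "suspicious modification") come from the kernel side and need the rootkit scan, not a log parser.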

whftherb

  • Topic Starter

Posted 22 July 2010 - 07:04 AM


Please close this thread.

I need to/have to move on.

It's one less problem.



Budapest


    Bleepin' Cynic

Posted 22 July 2010 - 04:23 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
