atapi.sys rootkit (perhaps others)


4 replies to this topic

#1 cameronM

  • Members
  • 2 posts

Posted 08 September 2010 - 06:49 PM

Been getting the Google browser redirect the last few days, although performance has been agonizingly sluggish for the past few months. My ignorance is rampant in this area. Also suffering from blue screens (possibly a separate issue owing to the POS Dell components - I have to hit F1 every boot cycle because of a "disk 0 not present" drive error or something), and Flash not working properly in the browser on occasion (YouTube clips play for 3s and stop). Very tempted to format and reinstall as I have two HDs, but I don't know where my XP CD is. I have, I believe, a (very) old one but no idea of the product key.

I also get an error loading wmedpi.dll notification on startup.

GMER crashes or produces nothing if I do a full scan, the initial startup scan shows suspicious modification in atapi.sys among others. DDS logs are below. Thank you in advance for the assistance.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Cameron at 14:12:47.21 on Wed 09/08/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.1351 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Belkin\F5D9050v3\Belkinwcui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Cameron\Local Settings\Apps\F.lux\flux.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\allSnap\allSnap.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\NoteTab Light\NoteTab.exe
C:\Documents and Settings\Cameron\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Cameron\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = redacted
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080429
uSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://www.nvidia.com/content/drivers/redirect.asp?language=ENU&page=sysutility
uInternet Settings,ProxyServer = http=planetlab-1cs.princeton.edu:3128
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\cameron\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [F.lux] "c:\documents and settings\cameron\local settings\apps\f.lux\flux.exe" /noshow
uRun: [Scapininozumaho] rundll32.exe "c:\windows\wmedpi.dll",Startup
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [F5D9050v3] c:\program files\belkin\f5d9050v3\Belkinwcui.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [mesnxcarow.tmp] "c:\docume~1\cameron\locals~1\temp\mesnxcarow.tmp"
mRun: [Umiyevadazade] rundll32.exe "c:\windows\awoqoziy.dll",Startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mExplorerRun: [a5x3tq] c:\docume~1\cameron\locals~1\temp\202fbh.exe
StartupFolder: c:\docume~1\cameron\startm~1\programs\startup\allsnap.lnk - c:\program files\allsnap\allSnap.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\multim~1.lnk - c:\program files\mmtaskbar\MultiMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\partygaming\partycasino\RunApp.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: WIKI.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cameron\applic~1\mozilla\firefox\profiles\zcm50vzb.default\
FF - prefs.js: browser.startup.homepage - hxxp://note.amherst.edu/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\cameron\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\cameron\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\cameron\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\cameron\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {30571F20-35A3-4767-8AB3-A6D1396D633C} - c:\documents and settings\cameron\local settings\application data\{30571F20-35A3-4767-8AB3-A6D1396D633C}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-8-7 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-8-7 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-8-7 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-8-7 308136]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2008-2-1 65536]
R2 V7;V7;c:\windows\system32\drivers\V7.SYS [2010-6-2 5536]
R3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-9-15 509312]
R3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [2008-9-15 3768]
R3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys [2010-4-8 19968]
S2 gupdate1c9d1f6308e2a6;Google Update Service (gupdate1c9d1f6308e2a6);c:\program files\google\update\GoogleUpdate.exe [2009-5-11 133104]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-4-28 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-4-28 8456]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2008-9-15 200704]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\ultramonmirror.sys --> c:\windows\system32\drivers\UltraMonMirror.sys [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-5 24652]

=============== Created Last 30 ================

2010-09-08 16:51:56 20 ----a-w- c:\documents and settings\cameron\defogger_reenable
2010-09-08 13:55:01 0 d-----w- C:\tv
2010-09-07 12:37:27 0 d-----w- c:\docume~1\cameron\applic~1\SUPERAntiSpyware.com
2010-09-07 12:37:27 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-09-07 12:37:20 0 d-----w- c:\program files\SUPERAntiSpyware
2010-09-07 00:03:03 0 d-----w- c:\docume~1\cameron\applic~1\Malwarebytes
2010-09-07 00:02:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-07 00:02:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-07 00:02:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-07 00:02:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-06 21:58:15 120 ----a-w- c:\windows\Jpucolini.dat
2010-09-06 21:58:15 0 ----a-w- c:\windows\Vyexamo.bin
2010-09-06 21:56:20 0 d-----w- c:\docume~1\cameron\applic~1\8429D39CC7ABBBE9C3853C0094BA012A
2010-09-06 15:17:25 0 d-----w- c:\program files\Microsoft Games
2010-09-05 15:12:36 0 d-----w- c:\program files\JoyControl
2010-09-05 15:12:29 796672 ----a-w- c:\windows\GPInstall.exe
2010-09-01 15:50:50 0 d-----w- c:\program files\IL-2 Shturmovik Stab
2010-08-30 23:41:42 0 d-----w- c:\program files\Modded IL-2 Sturmovik 1946
2010-08-26 17:46:01 0 d-----w- c:\docume~1\cameron\applic~1\HyperLobby
2010-08-26 14:30:51 166 ----a-w- C:\X-Plane Installer.prf
2010-08-26 13:40:02 0 d-----w- c:\program files\X-Plane 9
2010-08-25 16:09:02 0 d-----w- c:\program files\IL-2 Sturmovik 1946
2010-08-25 15:46:54 0 d-----w- c:\program files\HyperLobby client
2010-08-20 03:12:17 0 d-----w- c:\docume~1\alluse~1\applic~1\XHEO INC
2010-08-17 02:27:56 0 d-----w- c:\docume~1\cameron\applic~1\StreamTorrent
2010-08-17 02:27:52 0 d-----w- c:\program files\StreamTorrent 1.0
2010-08-16 23:38:42 0 d-----w- c:\docume~1\cameron\applic~1\HEM Data
2010-08-12 02:05:49 0 d-----w- c:\program files\Rosetta Stone
2010-08-12 02:05:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Rosetta Stone
2010-08-09 19:51:06 0 d-----w- c:\program files\FreeTrack

==================== Find3M ====================

2010-08-26 20:08:49 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-08-26 20:08:46 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-08-08 01:24:41 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-08-08 01:24:40 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-08-08 01:24:34 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-08-08 01:11:27 794408 ----a-w- c:\windows\system32\pbsvc.exe
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 12:10:44 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:10:44 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2010-06-24 12:10:44 667136 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:10:44 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:10:44 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:10:44 3073024 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:10:44 251904 ------w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:10:44 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2010-06-24 12:10:44 1025024 ------w- c:\windows\system32\dllcache\browseui.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2010-05-01 03:21:04 707 ----a-w- c:\program files\INSTALL.LOG
2003-12-18 15:33:46 20102 ----a-w- c:\program files\Readme.txt
2003-09-03 11:46:54 10960 ----a-w- c:\program files\EULA.txt

============= FINISH: 14:13:47.62 ===============

Edited by cameronM, 08 September 2010 - 06:52 PM.
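The "Pseudo HJT Report" section of the log above is where the persistence entries stand out (autoruns from a temp folder, rundll32 loading oddly named DLLs sitting directly in c:\windows, an AppInit_DLLs value, and a proxy pointing at a host the user never configured). The triage script below is an added example written for this thread, not part of the original post or of the DDS tool; the sample lines it scans are copied from the posted log, and the heuristics and labels are the example's own.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example: flags the autorun and setting patterns visible in the
thread's log. Heuristics are deliberately narrow (location-based, not
name-based) so benign vendor entries such as ctfmon.exe or NvCpl.dll
are not reported.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines lifted verbatim from the DDS log posted above.
SAMPLE_LOG = """\
uInternet Settings,ProxyServer = http=planetlab-1cs.princeton.edu:3128
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [Scapininozumaho] rundll32.exe "c:\\windows\\wmedpi.dll",Startup
mRun: [AVG9_TRAY] c:\\progra~1\\avg\\avg9\\avgtray.exe
mRun: [mesnxcarow.tmp] "c:\\docume~1\\cameron\\locals~1\\temp\\mesnxcarow.tmp"
mRun: [Umiyevadazade] rundll32.exe "c:\\windows\\awoqoziy.dll",Startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup
mExplorerRun: [a5x3tq] c:\\docume~1\\cameron\\locals~1\\temp\\202fbh.exe
AppInit_DLLs: WIKI.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# "uRun: [Name] command", "mRun: [...]", "mExplorerRun: [...]"
RUN_RE = re.compile(r'^(?P<key>[um]Run|mExplorerRun):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$', re.I)
# anything executed out of the per-user temp directory (8.3 or long form)
TEMP_RE = re.compile(r'\\(locals~1|local settings)\\temp\\', re.I)
# rundll32 loading a DLL stored directly under c:\windows (not in a subfolder)
WINROOT_DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?c:\\windows\\[^\\"]+\.dll"?\s*,', re.I)


@dataclass
class Finding:
    label: str
    line: str
    reasons: list


def classify(line: str):
    """Return (label, reasons) for one report line; reasons is empty if nothing stands out."""
    m = RUN_RE.match(line)
    if m:
        reasons = []
        cmd = m.group('cmd')
        if TEMP_RE.search(cmd):
            reasons.append('autorun launches from a temp directory')
        if WINROOT_DLL_RE.search(cmd):
            reasons.append('rundll32 loads a DLL placed directly in c:\\windows')
        return m.group('name'), reasons
    low = line.lower()
    if low.startswith('appinit_dlls:'):
        value = line.split(':', 1)[1].strip()
        # AppInit_DLLs are injected into every process that loads user32.dll
        return 'AppInit_DLLs', ([f'AppInit_DLLs set to {value}'] if value else [])
    if 'proxyserver' in low and '=' in line:
        return 'ProxyServer', ['system proxy configured; confirm the user set it deliberately']
    if low.startswith('hosts:'):
        return 'Hosts', ['hosts file override present; confirm it is intentional']
    return None, []


def triage(report: str) -> list:
    """All lines of the report that trip at least one heuristic."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        label, reasons = classify(line)
        if reasons:
            findings.append(Finding(label, line, reasons))
    return findings


def flagged_labels(report: str) -> set:
    """The autorun names (or setting keys) that were flagged."""
    return {f.label for f in triage(report)}


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print('    ->', r)
```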



#2 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 09 September 2010 - 02:41 PM

Good evening.

Download Preformat.zip from here and save it to your Desktop. You will need to extract the file.

Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see a folder with a .vbs file in it. Double click Preformat.vbs to run it and a text file called Preformat.txt should be created in the same folder - either that or you'll get an error message.
Please copy and paste the contents of the text file into your next reply and then you can delete both of the folders and their contents.

So long, and thanks for all the fish.


#3 cameronM (Topic Starter)

  • Members
  • 2 posts

Posted 09 September 2010 - 03:18 PM

Hi Noviciate, thanks for the reply!

Here's the output:

Partition ID: Disk #1, Partition #0
Size: 465.76 GB

~~~~~~~~~~~~~~~~~~~~~~~~

BIOS Manufacturer: Dell Inc.
Name: Phoenix - AwardBIOS v6.00PG
Status: OK

This is the primary BIOS.

~~~~~~~~~~~~~~~~~~~~~~~~


#4 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 09 September 2010 - 04:50 PM

OK, the "expert" opinion that I'm going to offer is based on one piece of information from one of the logs you posted:

Install Date: 5/5/2008 2:32:23 PM

The fact that your system is running with the Windows installation being over two years old suggests to me that at least some of your issues are down to age. The installations/uninstallations, updates and various system mods you may have made will have a cumulative effect on your system's speed and stability. There is also the possibility that files and system settings may have been messed up by malware too. Whatever tools we run don't guarantee to deal with all these issues - only a reformat and reinstall is going to tidy them up fully.

The machine looks like a Dell, so you should have a couple of discs somewhere, one Windows installation disc and one drivers disc, so if you can locate them, I'd back up and then reformat and reinstall and start afresh. If you only have a generic Windows installation disc, you will need to pay a visit to the Dell website and get hold of any drivers you need before you start the process.

A handy tool to recover the product key can be found here

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you wish, we can try and solve your PC's problems, but the time that is spent may not resolve all the issues and you may very well end up reformatting anyway, so you need to decide what is your best option. I'd wipe it and start afresh if it was my machine, but that's just my two cents/pence/euros or whatever currency you like.

So long, and thanks for all the fish.


#5 Noviciate

  • Malware Response Team
  • 5,277 posts

Posted 14 September 2010 - 02:50 PM

As there has been no response for five days, this thread is now closed.

So long, and thanks for all the fish.
