BSoD, disappearing disk space and possible malware


  • This topic is locked
26 replies to this topic

#1 gareth88
Posted 17 August 2011 - 06:33 PM

I was sent here from the Am I infected? forum. My thread there is http://www.bleepingcomputer.com/forums/topic414140.html/page__p__2373641#entry2373641

In the past 2 to 3 weeks I have noticed a few things start to go wrong with my laptop. Firstly I started noticing big chunks of data (anywhere from 1GB-5GB) disappearing from the disk space in a very short space of time for no reason. All I would usually be doing in that time is browsing.

After this happened a few times, I decided to do a full scan with MBAM. I tried this 3 times. Every time, usually over an hour into the scan (most full scans in the past took a little over 2 hours), I got the Blue Screen of Death. The error I got each time was:

KERNEL DATA INPAGE ERROR.

So, then I decided to do a scan in Safe Mode without networking and it completed in just over an hour, completely clean with no threats found. The next step I took was to scan with TDSS Killer, which came back clean as well. Finally, I tried an online scan with ESET and it detected 3 threats about an hour into the scan. These were:

Java/TrojanDownloader.Agent.NAN trojan.

The scan continued on for another half an hour, got to 94% and then I got the same BSoD problem as before.


All the above occurred before I posted in the other forum. Since then I have managed to do a full ESET scan which came back clean with no threats. I had MBAM go into a BSoD twice more when I did a full scan. However, on the third time I successfully managed to complete a full scan, which came back clean with no threats. However, I think there is still a decent amount of disk space missing that I had before my original problems. I was sent here by boopme from the other forum as he is suspicious there may be hidden malware eating up the disk space.

Please find the two attachments and my DDS log is as follows:



.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.19120 BrowserJavaVersion: 10.0.0
Run by Gareth at 23:39:07 on 2011-08-16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.353.1033.18.2037.752 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CASIO\YouTube Uploader for CASIO\YStart.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [MBBalloon] c:\program files\hotalbummybox\MBBalloon.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\youtub~1.lnk - c:\program files\casio\youtube uploader for casio\YStart.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\gareth\appdata\roaming\dvdvideosoftiehelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\users\gareth\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{A295C045-B111-4B2A-BFA3-7530F5EF9B62} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A560AE64-A22A-471B-BA31-3CEFF5952DEC} : DhcpNameServer = 192.168.1.254
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\gareth\appdata\roaming\mozilla\firefox\profiles\v9bpl4td.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.ftp - proxy.pbsg.pvt
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - proxy.pbsg.pvt
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - proxy.pbsg.pvt
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.ssl - proxy.pbsg.pvt
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\gareth\appdata\roaming\mozilla\firefox\profiles\v9bpl4td.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\gareth\appdata\local\yahoo!\browserplus\2.8.1\plugins\npybrowserplus_2.8.1.dll
FF - plugin: c:\users\gareth\appdata\roaming\facebook\npfbplugin_1_0_3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2010-4-4 15172]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-30 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-12-20 309848]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-7-19 123264]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_c09c50a2\AEstSrv.exe [2009-8-17 73728]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-20 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-12-20 54104]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-1 42184]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-10-4 21504]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2009-12-26 88176]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2011-4-21 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2011-08-14 01:50:27 -------- d-----w- C:\glassfish3
2011-08-12 23:49:12 -------- d-----w- c:\users\gareth\appdata\roaming\SUPERAntiSpyware.com
2011-08-12 23:48:55 -------- d-----w- c:\programdata\!SASCORE
2011-08-12 23:48:49 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-08-12 23:48:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-12 21:01:55 -------- d-----w- c:\program files\ESET
2011-08-12 15:48:15 6881616 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{850fe0a3-4503-4e4b-9daf-47d48427ee9e}\mpengine.dll
2011-08-10 18:59:40 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-08-10 18:59:13 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-10 18:58:45 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-08-10 18:58:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-10 18:58:11 247808 ----a-w- c:\program files\internet explorer\ieproxy.dll
2011-08-10 18:58:10 129536 ----a-w- c:\program files\internet explorer\sqmapi.dll
2011-08-10 18:54:29 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-10 18:54:28 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-10 18:53:53 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-08-01 21:39:59 -------- d-----w- c:\users\gareth\appdata\local\Xenocode
2011-07-31 13:26:07 -------- d-----w- c:\program files\iPod
2011-07-31 13:26:03 -------- d-----w- c:\program files\iTunes
2011-07-23 17:45:34 -------- d-----w- c:\program files\Audio Converter
.
==================== Find3M ====================
.
2011-08-14 22:27:02 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-23 11:00:05 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-07-23 10:59:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-07-23 10:59:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-07-23 10:59:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-07-23 10:03:47 385024 ----a-w- c:\windows\system32\html.iec
2011-07-23 09:27:04 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-07-23 09:25:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-12 10:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 10:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 10:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-04 11:43:53 40112 ----a-w- c:\windows\avastSS.scr
2011-07-04 11:36:43 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-04 11:32:20 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-06-26 13:27:11 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-06-25 20:28:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 13:34:49 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 18:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 23:42:50.76 ===============


#2 HelpBot
Posted 22 August 2011 - 06:35 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/414890 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 gareth88
Posted 25 August 2011 - 06:17 PM

Please find the GMER log attached and an additional DDS log. The description of the problem is as in the original post.

Yes, I have the original Windows CD available.


Thanks




.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.19120 BrowserJavaVersion: 10.0.0
Run by Gareth at 0:04:41 on 2011-08-26
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.353.1033.18.2037.710 [GMT 1:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c09c50a2\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\CASIO\YouTube Uploader for CASIO\YStart.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Users\Gareth\Desktop\gmer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10t_Plugin.exe -update plugin
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [MBBalloon] c:\program files\hotalbummybox\MBBalloon.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\youtub~1.lnk - c:\program files\casio\youtube uploader for casio\YStart.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\gareth\appdata\roaming\dvdvideosoftiehelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\users\gareth\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{A295C045-B111-4B2A-BFA3-7530F5EF9B62} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A560AE64-A22A-471B-BA31-3CEFF5952DEC} : DhcpNameServer = 192.168.1.254
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\gareth\appdata\roaming\mozilla\firefox\profiles\v9bpl4td.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.ftp - proxy.pbsg.pvt
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - proxy.pbsg.pvt
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - proxy.pbsg.pvt
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.ssl - proxy.pbsg.pvt
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\gareth\appdata\roaming\mozilla\firefox\profiles\v9bpl4td.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRLCT4Player.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\gareth\appdata\local\yahoo!\browserplus\2.8.1\plugins\npybrowserplus_2.8.1.dll
FF - plugin: c:\users\gareth\appdata\roaming\facebook\npfbplugin_1_0_3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2010-4-4 15172]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-30 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-12-20 309848]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-7-19 123264]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_c09c50a2\AEstSrv.exe [2009-8-17 73728]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-20 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-12-20 54104]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-1 42184]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-10-4 21504]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2009-12-26 88176]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-12-25 20080]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2011-4-21 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2011-08-23 22:18:53 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-14 01:50:27 -------- d-----w- C:\glassfish3
2011-08-12 23:49:12 -------- d-----w- c:\users\gareth\appdata\roaming\SUPERAntiSpyware.com
2011-08-12 23:48:55 -------- d-----w- c:\programdata\!SASCORE
2011-08-12 23:48:49 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-08-12 23:48:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-12 21:01:55 -------- d-----w- c:\program files\ESET
2011-08-12 15:48:15 6881616 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{850fe0a3-4503-4e4b-9daf-47d48427ee9e}\mpengine.dll
2011-08-10 18:59:40 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-08-10 18:59:13 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-10 18:58:45 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-08-10 18:58:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-10 18:58:11 247808 ----a-w- c:\program files\internet explorer\ieproxy.dll
2011-08-10 18:58:10 129536 ----a-w- c:\program files\internet explorer\sqmapi.dll
2011-08-10 18:54:29 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-10 18:54:28 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-10 18:53:53 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-08-01 21:39:59 -------- d-----w- c:\users\gareth\appdata\local\Xenocode
2011-07-31 13:26:07 -------- d-----w- c:\program files\iPod
2011-07-31 13:26:03 -------- d-----w- c:\program files\iTunes
.
==================== Find3M ====================
.
2011-08-14 22:27:02 544656 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-23 11:00:05 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-07-23 10:59:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-07-23 10:59:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-07-23 10:59:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-07-23 10:03:47 385024 ----a-w- c:\windows\system32\html.iec
2011-07-23 09:27:04 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-07-23 09:25:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-12 10:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 10:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 10:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-05 17:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 17:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-07-04 11:43:53 40112 ----a-w- c:\windows\avastSS.scr
2011-07-04 11:36:43 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-04 11:32:20 54104 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-06-26 13:27:11 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-06-25 20:28:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 13:34:49 2043392 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 0:06:24.37 ===============

Attached Files



#4 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia
  • Local time:08:50 AM

Posted 26 August 2011 - 10:12 AM

Hello and welcome to Bleeping Computer.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Watch Topic near the top of the page, then select Immediate Notification. Click on Proceed.

Please be patient with me during this time.

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#5 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia
  • Local time:08:50 AM

Posted 26 August 2011 - 10:24 PM

Hello gareth88 :),

Welcome to Bleeping Computer. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.
  • Please observe and follow these Board Rules and Terms of Use.
  • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
  • Please read the instructions carefully and follow them closely, in the order they are presented to you.
  • If you have any doubts or problems during the fix, please stop and ask.
  • All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
  • Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
  • Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
  • Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
  • If you do not reply within 5 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :) . We may begin.

--------------------

I need some clarification on whether this is a business computer.

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#6 gareth88

gareth88
  • Topic Starter

  • Members
  • 27 posts
  • Local time:08:50 PM

Posted 27 August 2011 - 10:47 AM

Hi Jack&Jill,

The only change from the original post is that I got another BSoD in the meantime, when I was browsing. Different one to last time though. This was titled IRQL_NOT_LESS_OR_EQUAL. Some disk space disappeared after it then. So, the situation remains the same.

#7 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia
  • Local time:08:50 AM

Posted 28 August 2011 - 06:11 AM

Hello gareth88 :),

The only change from the original post is that I got another BSoD in the meantime, when I was browsing. Different one to last time though. This was titled IRQL_NOT_LESS_OR_EQUAL. Some disk space disappeared after it then. So, the situation remains the same.

Thanks for the new information. I take it the answer is yes to my question about the computer being used for business.

Please note that there is a possibility that the tools I may request you to run could reveal a lot of information to the public.

Are you comfortable with that and agreeable to be responsible for any consequences that could arise? If you are OK with this, please proceed further. Otherwise, we should stop here and you should get help from your IT department or the local computer shop.

--------------------

Please download MiniToolBox© by farbar and save it to your desktop. Click here.
  • Double click on MiniToolBox.exe to run it.
    Please check (tick) the following options:
    • List last 10 Event Viewer Errors
    • List Users, Partitions and Memory size.
  • Click on the GO button. A log will open.
  • Please post the contents of this log. It can also be found on the desktop as Result.txt.

--------------------

Please use JDiskReport to assist in narrowing down the big files and their locations. Let me know the results.

--------------------

Please post back:
1. if you wish to proceed
2. if yes to the above, the MiniToolBox result and
3. JDiskReport result

Edited by Jack&Jill, 28 August 2011 - 06:13 AM.

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#8 gareth88

gareth88
  • Topic Starter

  • Members
  • 27 posts
  • Local time:08:50 PM

Posted 30 August 2011 - 07:53 PM

Sorry, I never noticed that question at the time. No, it's not a computer used for business. So, I ran the scan.

MiniToolBox Log:


MiniToolBox by Farbar
Ran by Gareth (administrator) on 31-08-2011 at 01:00:52
Windows Vista ™ Home Premium Service Pack 2 (X86)

***************************************************************************

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/26/2011 06:22:31 PM) (Source: Application Hang) (User: )
Description: The program firefox.exe version 6.0.0.4240 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 8f0
Start Time: 01cc64145d59a825
Termination Time: 27

Error: (08/25/2011 08:23:19 PM) (Source: Perflib) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4

Error: (08/24/2011 03:01:43 AM) (Source: Bonjour Service) (User: )
Description: 416: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (08/24/2011 03:01:43 AM) (Source: Bonjour Service) (User: )
Description: 372: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (08/24/2011 03:01:43 AM) (Source: Application Hang) (User: )
Description: The program iTunes.exe version 10.4.0.80 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 1f98
Start Time: 01cc61c154ad55d0
Termination Time: 289

Error: (08/24/2011 03:01:43 AM) (Source: Bonjour Service) (User: )
Description: 352: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (08/23/2011 08:03:10 AM) (Source: Bonjour Service) (User: )
Description: 352: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (08/23/2011 08:03:10 AM) (Source: Bonjour Service) (User: )
Description: 412: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (08/23/2011 08:03:09 AM) (Source: Bonjour Service) (User: )
Description: 392: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (08/17/2011 11:35:52 PM) (Source: Application Hang) (User: )
Description: The program gmer.exe version 1.0.15.15641 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 2454
Start Time: 01cc5d2de87ba2f0
Termination Time: 9


System errors:
=============
Error: (08/30/2011 11:57:43 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort1.

Error: (08/30/2011 11:57:43 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort1.

Error: (08/30/2011 11:57:43 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort1.

Error: (08/30/2011 11:57:43 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort1.

Error: (08/30/2011 11:57:43 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort1.

Error: (08/30/2011 11:57:43 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort1.

Error: (08/30/2011 11:57:43 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort1.

Error: (08/30/2011 11:57:43 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort1.

Error: (08/30/2011 11:57:43 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort1.

Error: (08/30/2011 11:57:43 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort1.


Microsoft Office Sessions:
=========================
Error: (08/07/2011 01:12:39 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 5 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/07/2011 01:12:07 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 25 seconds with 0 seconds of active time. This session ended with a crash.

Error: (06/18/2011 03:42:22 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6557.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3 seconds with 0 seconds of active time. This session ended with a crash.

Error: (06/18/2011 03:32:47 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6557.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 4 seconds with 0 seconds of active time. This session ended with a crash.

Error: (05/27/2011 01:03:46 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6550.5004, Microsoft Office Version: 12.0.6425.1000. This session lasted 8 seconds with 0 seconds of active time. This session ended with a crash.

Error: (05/14/2011 01:05:11 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 19 seconds with 0 seconds of active time. This session ended with a crash.

Error: (05/10/2011 04:59:24 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6550.5004, Microsoft Office Version: 12.0.6425.1000. This session lasted 6 seconds with 0 seconds of active time. This session ended with a crash.

Error: (04/06/2011 10:15:38 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 13 seconds with 0 seconds of active time. This session ended with a crash.

Error: (03/12/2011 05:41:00 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 8 seconds with 0 seconds of active time. This session ended with a crash.

Error: (02/12/2011 02:56:33 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 7 seconds with 0 seconds of active time. This session ended with a crash.


========================= Memory info: ===================================

Percentage of memory in use: 56%
Total physical RAM: 2037.31 MB
Available physical RAM: 884.62 MB
Total Pagefile: 4313.88 MB
Available Pagefile: 2786.05 MB
Total Virtual: 2047.88 MB
Available Virtual: 1962.36 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:146 GB) (Free:3.24 GB) NTFS

========================= Users: ========================================

User accounts for \\GARETH-PC

Administrator Gareth Guest


**** End of log ****




What would you like me to post from JDiskReport? I get a pie chart on the first screen after I do a scan.
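A small triage helper for the "Event log errors" section of a MiniToolBox log like the one above, added here as an example (it is not part of the thread, MiniToolBox or any tool the helper asked for). It parses each "Error: (timestamp) (Source: ...)" entry, counts entries per source, and flags bursts where the same source logs the same description several times in the same second, which is the pattern the atapi entries above show. The sample input is constructed in the same layout as the posted log.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout MiniToolBox uses for its event-log section
# (a few entries of each kind, not the full log from the thread).
SAMPLE_LOG = """\
Application errors:
==================
Error: (08/26/2011 06:22:31 PM) (Source: Application Hang) (User: )
Description: The program firefox.exe version 6.0.0.4240 stopped interacting with Windows and was closed.
Process ID: 8f0

Error: (08/24/2011 03:01:43 AM) (Source: Bonjour Service) (User: )
Description: 416: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

System errors:
=============
Error: (08/30/2011 11:57:43 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \\Device\\Ide\\IdePort1.

Error: (08/30/2011 11:57:43 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \\Device\\Ide\\IdePort1.

Error: (08/30/2011 11:57:43 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \\Device\\Ide\\IdePort1.
"""

# Section headers such as "Application errors:" / "System errors:" /
# "Microsoft Office Sessions:"; the "====" underline below them is ignored.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ errors|Microsoft Office Sessions):$")

# Entry header. The Office-session entries omit the space before "(User:",
# so the separator is optional.
ENTRY_RE = re.compile(
    r"^Error: \((?P<ts>[^)]+)\)\s*\(Source: (?P<source>[^)]*)\)\s*\(User: (?P<user>[^)]*)\)$"
)

TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_minitoolbox_errors(text):
    """Return one dict per entry: section, timestamp (datetime), source, description."""
    entries = []
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = {
                "section": section,
                "timestamp": datetime.strptime(m.group("ts"), TS_FORMAT),
                "source": m.group("source"),
                "description": "",
            }
            entries.append(current)
            continue
        # Only the Description line is kept; Process ID / Start Time lines are skipped.
        if current is not None and line.startswith("Description: "):
            current["description"] = line[len("Description: "):]
    return entries


def count_by_source(entries):
    """How many entries each event source contributed."""
    return dict(Counter(e["source"] for e in entries))


def find_error_bursts(entries, min_count=3):
    """Identical (source, description) entries logged within the same second.

    A burst of identical controller errors from a storage driver is worth
    ruling out as a disk, cable or driver problem before anything else.
    """
    counts = Counter((e["source"], e["description"], e["timestamp"]) for e in entries)
    return [
        {"source": s, "description": d, "timestamp": t, "count": n}
        for (s, d, t), n in counts.items()
        if n >= min_count
    ]


if __name__ == "__main__":
    parsed = parse_minitoolbox_errors(SAMPLE_LOG)
    print("entries per source:", count_by_source(parsed))
    for burst in find_error_bursts(parsed):
        print(f"burst: {burst['count']}x {burst['source']} at {burst['timestamp']}: "
              f"{burst['description']}")
```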

#9 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia
  • Local time:08:50 AM

Posted 31 August 2011 - 01:34 AM

Hello gareth88 :),

For JDiskReport, this is what I need you to do. You can actually click or double click on the pie chart to go deeper into the folders until you reach the last folder. Please always click on the biggest one until you reach the end, then post back the location. Do it for the top three biggest folders.

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#10 gareth88

gareth88
  • Topic Starter

  • Members
  • 27 posts
  • Local time:08:50 PM

Posted 31 August 2011 - 06:49 PM

Ok, I did it for each of the 3 biggest folders in the C drive and worked my way down clicking the biggest file all the way:

1. C:\Windows\winsxs\Manifests
2. C:\Users\Gareth\AppData\Local\Mozilla\Firefox\Profiles\v9bpl4td.default\Cache\7\92
3. C:\Program Files\Microsoft Office\Office12\1033\PUBSPAPR

#11 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia
  • Local time:08:50 AM

Posted 31 August 2011 - 10:39 PM

Hello gareth88 :),

In the Windows folder, which is the second and third biggest besides the winsxs folder?

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#12 gareth88

gareth88
  • Topic Starter

  • Members
  • 27 posts
  • Local time:08:50 PM

Posted 01 September 2011 - 05:28 PM

2nd and 3rd biggest in Windows are:

1. System32\DriverStore\FileRepository\prnca001.inf_92fbd03f\I386
2. SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925

#13 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia
  • Local time:08:50 AM

Posted 01 September 2011 - 07:14 PM

Hello gareth88 :),

Let's attempt to clear up some space.

Please download ATF (Atribune Temp File) Cleaner© by Atribune from one of the links below and save it to your desktop.

Link 1
Link 2
Link 3

Run ATF Cleaner
  • Exit all browsers.
  • Double-click ATF Cleaner.exe to open it.
  • Click Run if prompted.
  • At the bottom of the list, check (tick) Select All.
  • Note: If you would like to keep your cookies, please uncheck this option as it will remove all cookies, including the useful ones you may want to keep.
  • Then click the Empty Selected button.
  • Firefox:
    • Click Firefox at the top and choose: Select All. Uncheck the cookies option if you want to keep them.
    • Click the Empty Selected button.
    • Note: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
--------------------

I see that you have some programs that are not recommended or not safe on board your computer. You may uninstall them through Add/Remove Programs at the Control Panel.

Registry Cleaner(s)

Glary Utilities 2.33.0.1158

Personally, I do not recommend any such programs. Here is an excerpt from a discussion on Registry Cleaners:

Most Registry Cleaners aren't bad as such, but they aren't perfect and even the best have been known to cause problems. The point we are trying to make is that the risk of using one far outweighs any benefit. If it does work perfectly you will not see any difference. If it doesn't work properly you may end up with an expensive doorstop.


See here and here for additional information.

Please uninstall these as well:
SUPERAntiSpyware
EasyBits GO

--------------------

If a BSOD happens during the scan below, please post back the error message.

Please download aswMBR and save it to your desktop. Click here.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. If you are asked to download an antivirus software, please allow.
  • Click on the Scan button to start. The program will launch a scan.
  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.
  • Please post the contents of the log in your next reply.
--------------------

Please post back:
1. disk space status
2. BSOD error message if one occurs
3. aswMBR log

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#14 gareth88

gareth88
  • Topic Starter

  • Members
  • 27 posts
  • Local time:08:50 PM

Posted 02 September 2011 - 01:44 PM

Ok, did those and here's where we stand:

1. The ATF Cleaner cleared 388MB of disk space.

2/3. A BSoD did occur during the scan. I tried a full scan of the C drive first of all and it took ages on one particular folder, so I exited out and did a Quick Scan the second time around. About 2 minutes or so into it I got the same BSoD as before: IRQL_NOT_LESS_OR_EQUAL. I lost no disk space after it though. So, no log for that one.

#15 Jack&Jill

Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia
  • Local time:08:50 AM

Posted 03 September 2011 - 02:09 AM

Hello gareth88 :),

For the BSOD, if it happens again, please provide the error message information as shown in the picture:

Posted Image

The stop error will always be displayed, but the other information may or may not be available. Just provide whatever is available.

I tried a full scan of the C drive first of all and it took ages on one particular folder

Did you have a good look at the location? If you can provide me the path of this folder, it might help.

I need you to repeat the aswMBR step.

--------------------

Scan with RogueKiller
  • Please download RogueKiller© by Tigzy from one of the links below and save it to your desktop.
    Link 1
    Link 2
  • Allow the download if prompted by your security software and please close all your programs.
  • Double click on RogueKiller.exe to run it. If it does not run, please try a few times.
  • A program window will open. Type 1 for Scan and press Enter when prompted.
  • Once finished, Notepad will open with a log called RKreport.txt, located at the desktop.
  • Please copy and paste the contents of that log in your next reply.
--------------------

Please post back:
1. details of the BSOD if one occurs
2. the folder that aswMBR got stuck at
3. aswMBR log
4. RogueKiller result

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.




