Vista troubles: bluescreen, Trojan.Zlob, i8042prt, DCOM errors


This topic is locked
25 replies to this topic

#1 fixerupper (Members, 18 posts)

Posted 22 December 2011 - 12:12 AM

I would appreciate any help. I have Windows Vista Home Premium HP m7760n. For some time, it has been quite bogged down (e.g., opening Windows mail can take a minute or more before you can use it.) Sometimes it just churns in the background while you are trying to do something. Many instances of SVCHOST are often running and hogging resources. I get multiple alerts from Norton Security Suite that excessive resources are being used by some functions, e.g. SVCHOST.

Most recently the dreaded blue screen of death, yesterday, log:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 77
BCP1: 00000001
BCP2: 00000000
BCP3: 00000000
BCP4: 8A311C70
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\WINDOWS\Minidump\Mini122011-01.dmp
C:\Users\Main User\AppData\Local\Temp\WER-85270-0.sysdata.xml
C:\Users\Main User\AppData\Local\Temp\WERB98E.tmp.version.txt


The .xml and .txt files do not exist. The .dmp file exists but is unreadable to the eye.


********************************


After successfully restarting in Safe Mode, I ran various diagnostics including Malwarebytes, log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8403

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 9.0.8112.16421

12/20/2011 1:19:53 PM
mbam-log-2011-12-20 (13-19-53).txt

Scan type: Quick scan
Objects scanned: 250984
Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\user32.dll (Trojan.Zlob) -> Value: user32.dll -> Quarantined and deleted successfully.


Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

************************

I suspect the Trojan.Zlob file was a remnant of an older incident (2 years ago?) where it was already removed, but don't know for sure.

Also ran memory diagnostics and disk check, all OK. Also ran system check (sfc.exe /scannow), OK.

Computer runs OK now but is still highly bogged down; however, no more BSOD events.

The Event Viewer file has many errors, perhaps most notable are "Failed to load i8042prt" and DCOM errors 1084, 1068. Examples:

The server {320A1A88-7BAE-498E-A42A-BA0BB3D92CED} did not register with DCOM within the required timeout.

The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

The following boot-start or system-start driver(s) failed to load:
i8042prt

The Parallel port driver service failed to start due to the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Printer KodakESP7+0643 failed to initialize because a suitable KODAK ESP 7 AiO driver could not be found. The new printer settings that you specified have not taken effect. Install or reinstall the printer driver. You might need to contact the vendor for an updated driver. [I don't use this, I don't think.]

Windows could not initialize printer KodakESP7+0643 because the print processor KODAK EASYSHARE 5000 Series All-in-One Printer could not be found. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.

The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout. <---MULTIPLE OCCURRENCES

The server {4991D34B-80A1-4291-83B6-3328366B9097} did not register with DCOM within the required timeout.

The server {DD522ACC-F821-461A-A407-50B198B896DC} did not register with DCOM within the required timeout.

A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service. <---MULTIPLE OCCURRENCES


Above are most of all of the hard errors just from today.

*****************

The events right around the time of the BSOD event possibly including the reboot were:

The service 'TabletInputService' may not have unregistered for device event notifications before it was stopped.

DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server:
{F9A874B6-F8A8-4D73-B5A8-AB610816828B}

Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode.

DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server:
{BA126AD1-2166-11D1-B1D0-00805FC1270E}

DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server:
{A47979D2-C419-11D9-A5B4-001185AD2B89}

The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error:
A device attached to the system is not functioning.

The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error:
A device attached to the system is not functioning.

The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error:
A device attached to the system is not functioning.

The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error:
A device attached to the system is not functioning.

The Computer Browser service depends on the Server service which failed to start because of the following error:
The dependency service or group failed to start.

The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error:
The dependency service or group failed to start.

The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:
A device attached to the system is not functioning.

...and a whole bunch more of probable domino effect failures.

Many thanks for whatever help you can provide!

Edited by fixerupper, 22 December 2011 - 12:16 AM.
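One way to triage the "domino effect" failures listed in this post, as an added example that is not part of the original thread: it parses the two Event Viewer message shapes quoted above (the sample messages below are constructed by copying the quoted ones) into a dependency graph, so the services that failed on their own are separated from the ones that only failed because something they depend on did. The regexes and the `triage` function are the example's own, not a Windows or BleepingComputer tool.

```python
import re
from collections import Counter

# Constructed sample input: the Service Control Manager messages quoted in the post,
# copied verbatim (including the spelling Windows uses for the service names).
SAMPLE_EVENTS = [
    "The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed "
    "to start because of the following error:\nA device attached to the system is not functioning.",
    "The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed "
    "to start because of the following error:\nA device attached to the system is not functioning.",
    "The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed "
    "to start because of the following error:\nA device attached to the system is not functioning.",
    "The Network Store Interface Service service depends on the NSI proxy service service which failed "
    "to start because of the following error:\nA device attached to the system is not functioning.",
    "The Computer Browser service depends on the Server service which failed "
    "to start because of the following error:\nThe dependency service or group failed to start.",
    "The Workstation service depends on the Network Store Interface Service service which failed "
    "to start because of the following error:\nThe dependency service or group failed to start.",
    "The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed "
    "to start because of the following error:\nA device attached to the system is not functioning.",
    "The following boot-start or system-start driver(s) failed to load:\ni8042prt",
]

# The reason SCM logs when a service fails only because one of its dependencies did.
CASCADE_ERR = "The dependency service or group failed to start."

DEPENDS_RE = re.compile(
    r"^The (?P<dependent>.+?) service depends on the (?P<dependency>.+?) service "
    r"which failed to start because of the following error:\s*(?P<error>.+)$",
    re.S,
)
DRIVER_RE = re.compile(
    r"^The following boot-start or system-start driver\(s\) failed to load:\s*(?P<drivers>.+)$",
    re.S,
)


def parse_events(events):
    """Extract dependency edges and failure reasons from the raw message strings.

    Returns (depends_on, errors, failed_drivers):
      depends_on[service] -> the failed service it needed in order to start
      errors[service]     -> the error SCM reported for that service
      failed_drivers      -> boot/system-start drivers that did not load
    """
    depends_on, errors, failed_drivers = {}, {}, []
    for msg in events:
        m = DEPENDS_RE.match(msg.strip())
        if m:
            dependent, dependency = m["dependent"], m["dependency"]
            depends_on[dependent] = dependency
            errors[dependency] = m["error"].strip()
            # The dependent could not start either; keep a more specific reason if
            # another message already recorded one for it.
            errors.setdefault(dependent, CASCADE_ERR)
            continue
        m = DRIVER_RE.match(msg.strip())
        if m:
            failed_drivers.extend(m["drivers"].split())
    return depends_on, errors, failed_drivers


def root_cause(service, depends_on, errors):
    """Follow the 'depends on' chain until it ends. Returns (service, resolved);
    resolved is False when the chain ends at a service whose own reason was
    never logged (it only failed 'because a dependency failed')."""
    seen, cur = set(), service
    while cur in depends_on and cur not in seen:
        seen.add(cur)
        cur = depends_on[cur]
    return cur, errors.get(cur, CASCADE_ERR) != CASCADE_ERR


def triage(events):
    """Split failures into root causes, cascaded victims and unresolved chains,
    and count how many services each root cause took down with it."""
    depends_on, errors, failed_drivers = parse_events(events)
    root_failures = {s: e for s, e in errors.items() if e != CASCADE_ERR}
    cascaded, unresolved = {}, []
    for service in errors:
        if service in root_failures:
            continue
        root, resolved = root_cause(service, depends_on, errors)
        if resolved:
            cascaded[service] = root
        else:
            unresolved.append(service)
    return {
        "root_failures": root_failures,
        "cascaded": cascaded,
        "unresolved": unresolved,
        "blast_radius": dict(Counter(cascaded.values())),
        "failed_drivers": failed_drivers,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    print("Root failures (investigate these first):")
    for svc, err in report["root_failures"].items():
        print(f"  {svc}: {err}  [{report['blast_radius'].get(svc, 0)} dependent(s) affected]")
    print("Cascaded failures:", report["cascaded"])
    print("Chains with no logged root cause:", report["unresolved"])
    print("Drivers that failed to load:", report["failed_drivers"])
```

On the quoted messages this reduces the long error list to four root failures (all "A device attached to the system is not functioning"), one chain (Computer Browser via Server) whose root was not in the quoted log, and the i8042prt driver.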




#2 HelpBot (Bleepin' Binary Bot, Bots, 12,740 posts)

Posted 28 December 2011 - 10:40 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/433882 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 fixerupper (Topic Starter, Members, 18 posts)

Posted 29 December 2011 - 02:19 AM

Yes, I still need help, please! Computer still bogged down, and I had another blue screen event today:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 1
BCP1: 822504C8
BCP2: 00000000
BCP3: FFFF0000
BCP4: 00000000
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\WINDOWS\Minidump\Mini122911-01.dmp
C:\Users\Main User\AppData\Local\Temp\WER-748992-0.sysdata.xml
C:\Users\Main User\AppData\Local\Temp\WERFEB8.tmp.version.txt

=======================================================================

Once again, the .xml and .txt files for this event do not exist. The .dmp file does exist.


=================================

DDS.txt:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Main User at 22:14:12 on 2011-12-28
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1027 [GMT -6:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\LEXPPS.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehRecvr.exe
C:\hp\support\hpsysdrv.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\hp\support\hpsysdrv.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Users\Main User\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\ehome\ehmsas.exe
C:\hp\kbd\kbd.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\ie\4.9\pdfforgeToolbarIE.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\ie\4.9\pdfforgeToolbarIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\ie\4.9\pdfforgeToolbarIE.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [CCUTRAYICON] FactoryMode
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [<NO NAME>]
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\mainus~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\main user\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpconn~1.lnk - c:\program files\hp connections\6811507\program\HP Connections.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{4BE0B6D1-8EDC-421E-8266-B251ADEFA580} : DhcpNameServer = 68.87.77.130 68.87.72.130
TCP: Interfaces\{BFCCC247-F086-4FC5-9C5F-640DC5485683} : DhcpNameServer = 68.87.77.130 68.87.72.130
TCP: Interfaces\{D1D184A3-5E62-4C2F-A869-7CE568B9E99C} : DhcpNameServer = 75.75.76.76 75.75.75.75
Handler: schmap-help - {2CF664A0-5EA6-47B5-884C-433A60145F78} - c:\program files\schmap\schmap player\Schmapdoclib.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\main user\appdata\roaming\mozilla\firefox\profiles\nha82pfv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?filter=lf#!/|http://www.startribune.com/|http://www.bloomberg.com/|http://news.google.com/nwshp?hl=en&tab=wn&ar=1316629469|https://www.google.com/calendar/render?hl=en&tab=wc&pli=1&gsessionid=k91NCsUSzGn489C0xTdvVg
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\coffplgn_2011_7_4_3\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwmsdrm.dll
FF - plugin: c:\users\jill\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\jill\appdata\roaming\move networks\plugins\npqmp071706000001.dll
FF - plugin: c:\users\main user\appdata\roaming\mozilla\plugins\npatgpc.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Fast Video Download (with SearchMenu): {c50ca3c4-5656-43c2-a061-13e717f73fc8} - %profile%\extensions\{c50ca3c4-5656-43c2-a061-13e717f73fc8}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Add-on Compatibility Reporter: compatibility@addons.mozilla.org - %profile%\extensions\compatibility@addons.mozilla.org
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Symantec IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\coFFPlgn_2011_7_4_3
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\symds.sys [2011-8-4 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\symefa.sys [2011-8-4 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20111221.003\BHDrvx86.sys [2011-12-21 819320]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20111228.001\IDSvix86.sys [2011-12-28 368248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys [2011-8-4 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0501000.01d\symtdiv.sys [2011-8-4 331384]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-12-14 748440]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-9-3 208896]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-26 21504]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.1.0.29\ccsvchst.exe [2011-8-4 130008]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-10 106104]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2007-4-18 366080]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-23 135664]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-5-10 29696]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-23 135664]
S3 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-9-11 167936]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-20 20:54:38 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2011-12-20 17:10:48 -------- d-----w- c:\users\main user\appdata\roaming\Malwarebytes
2011-12-20 17:10:36 -------- d-----w- c:\programdata\Malwarebytes
2011-12-20 17:10:32 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-20 17:10:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-19 17:44:54 -------- d-----w- c:\users\main user\appdata\local\BVRP Software
2011-12-19 17:42:47 11776 ------w- c:\windows\system32\spool\prtprocs\w32x86\WfxPrint2000.dll
2011-12-19 17:41:50 -------- d-----w- c:\program files\Classic PhoneTools
2011-12-16 19:03:41 -------- d-----w- c:\program files\Application Updater
2011-12-16 19:03:40 -------- d-----w- c:\program files\pdfforge Toolbar
2011-12-16 19:03:40 -------- d-----w- c:\program files\common files\Spigot
2011-12-14 21:34:58 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-14 21:34:57 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-14 21:34:52 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 21:34:51 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 21:34:48 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-12-14 21:34:46 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 21:34:36 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-13 17:34:34 172344 ----a-w- c:\program files\mozilla firefox\plugins\npatgpc.dll
.
==================== Find3M ====================
.
2011-11-17 03:59:49 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-03 11:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2009-01-28 02:11:01 2788800 ----a-w- c:\program files\FLV PlayerFCSetup.exe
.
============= FINISH: 22:15:45.18 ===============


=======================================================================

Attach.txt attached in zip file

=======================================================================

GMER scan was being done and this may be when the blue screen event occurred (I left after >30 mins. of scanning). Report to follow if I can complete it.

Thank you!


#4 fixerupper (Topic Starter)

Posted 29 December 2011 - 02:44 AM

There are a lot of system events in the event viewer. Many warnings, several errors and many critical events. If these would be helpful to see, please let me know how best to capture and report them here. Many but not all are related to system responsiveness and excessive boot time.

#5 fixerupper (Topic Starter)

Posted 29 December 2011 - 02:51 AM

Here is the first part of the GMER output in case it crashes before completion. I hope these are not all hits!

============================================================================

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-29 01:50:52
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\MAINUS~1\AppData\Local\Temp\ugriypoc.sys


---- System - GMER 1.0.15 ----

SSDT 8755FD88 ZwAlertResumeThread
SSDT 8755FE68 ZwAlertThread
SSDT 8755E7A8 ZwAllocateVirtualMemory
SSDT 87493F28 ZwAlpcConnectPort
SSDT 8755F530 ZwAssignProcessToJobObject
SSDT 8755FAD8 ZwCreateMutant
SSDT 8755F250 ZwCreateSymbolicLinkObject
SSDT 8755EC10 ZwCreateThread
SSDT 8755F610 ZwDebugActiveProcess
SSDT 8755E958 ZwDuplicateObject
SSDT 8755E5C8 ZwFreeVirtualMemory
SSDT 8755FBC8 ZwImpersonateAnonymousToken
SSDT 8755FCA8 ZwImpersonateThread
SSDT 87493EB0 ZwLoadDriver
SSDT 8755E4C8 ZwMapViewOfSection
SSDT 8755F9F8 ZwOpenEvent
SSDT 8755EAF8 ZwOpenProcess
SSDT 8755E898 ZwOpenProcessToken
SSDT 8755F838 ZwOpenSection
SSDT 8755EA28 ZwOpenThread
SSDT 8755F440 ZwProtectVirtualMemory
SSDT 8755FF48 ZwResumeThread
SSDT 8755E218 ZwSetContextThread
SSDT 8755E2F8 ZwSetInformationProcess
SSDT 8755F6F0 ZwSetSystemInformation
SSDT 8755F918 ZwSuspendProcess
SSDT 8755F008 ZwSuspendThread
SSDT 8755ECF0 ZwTerminateProcess
SSDT 8755E138 ZwTerminateThread
SSDT 8755E3E8 ZwUnmapViewOfSection
SSDT 8755E6B8 ZwWriteVirtualMemory
SSDT 8755F340 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 820B68A0 8 Bytes [88, FD, 55, 87, 68, FE, 55, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 820B68B4 4 Bytes [A8, E7, 55, 87]
.text ntkrnlpa.exe!KeSetEvent + 13D 820B68C0 4 Bytes [28, 3F, 49, 87]
.text ntkrnlpa.exe!KeSetEvent + 191 820B6914 4 Bytes [30, F5, 55, 87]
.text ntkrnlpa.exe!KeSetEvent + 1F5 820B6978 4 Bytes [D8, FA, 55, 87]
.text ...
.text bridge.sys 8F794462 199 Bytes [8B, FF, 55, 8B, EC, 81, EC, ...]
.text bridge.sys 8F79452A 134 Bytes [8F, 6A, 60, 8D, 85, 78, FF, ...]
.text bridge.sys 8F7945B1 184 Bytes [FF, 15, 68, 41, 7A, 8F, 53, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1968] USER32.dll!TrackPopupMenu 766314F3 5 Bytes JMP 662969A2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] ntdll.dll!LdrLoadDll 775C93A8 5 Bytes JMP 009D131F C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] ntdll.dll!NtMapViewOfSection 77604974 5 Bytes JMP 006C003A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] kernel32.dll!ReadProcessMemory + 3E 767B1CB3 7 Bytes JMP 006C00F7
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] kernel32.dll!WriteProcessMemory + 106 767B1DBE 7 Bytes JMP 006C0319
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] kernel32.dll!CreateIoCompletionPort + 52 767D9DA6 7 Bytes JMP 006C03CF
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] kernel32.dll!VirtualAllocEx + 54 767FAF70 7 Bytes JMP 006C0263
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] kernel32.dll!GetProcessHandleCount + 35 76845D4F 7 Bytes JMP 006C01AD

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0x0D 0x40 0xE2 0x4E ...

#6 fixerupper (Topic Starter)

Posted 29 December 2011 - 10:20 AM

GMER scan has been running now for seven hours. Nothing more has been added to the report than shown above. Should I keep running it? It is still crunching through Windows files.

#7 fixerupper (Topic Starter)

Posted 29 December 2011 - 10:50 AM

GMER seems to be held up (not necessarily hung up) on Windows\winsxs\Manifests. There are >14000 items in \winsxs\ itself and >60000 items in 14970 folders within that folder. Is that normal?

#8 fixerupper (Topic Starter)

Posted 29 December 2011 - 10:55 AM

Here is the GMER log to date. I don't think it adds much beyond what I posted 7+ hours ago.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-29 09:53:36
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST325082 rev.3.AH
Running: gmer.exe; Driver: C:\Users\MAINUS~1\AppData\Local\Temp\ugriypoc.sys


---- System - GMER 1.0.15 ----

SSDT 8755FD88 ZwAlertResumeThread
SSDT 8755FE68 ZwAlertThread
SSDT 8755E7A8 ZwAllocateVirtualMemory
SSDT 87493F28 ZwAlpcConnectPort
SSDT 8755F530 ZwAssignProcessToJobObject
SSDT 8755FAD8 ZwCreateMutant
SSDT 8755F250 ZwCreateSymbolicLinkObject
SSDT 8755EC10 ZwCreateThread
SSDT 8755F610 ZwDebugActiveProcess
SSDT 8755E958 ZwDuplicateObject
SSDT 8755E5C8 ZwFreeVirtualMemory
SSDT 8755FBC8 ZwImpersonateAnonymousToken
SSDT 8755FCA8 ZwImpersonateThread
SSDT 87493EB0 ZwLoadDriver
SSDT 8755E4C8 ZwMapViewOfSection
SSDT 8755F9F8 ZwOpenEvent
SSDT 8755EAF8 ZwOpenProcess
SSDT 8755E898 ZwOpenProcessToken
SSDT 8755F838 ZwOpenSection
SSDT 8755EA28 ZwOpenThread
SSDT 8755F440 ZwProtectVirtualMemory
SSDT 8755FF48 ZwResumeThread
SSDT 8755E218 ZwSetContextThread
SSDT 8755E2F8 ZwSetInformationProcess
SSDT 8755F6F0 ZwSetSystemInformation
SSDT 8755F918 ZwSuspendProcess
SSDT 8755F008 ZwSuspendThread
SSDT 8755ECF0 ZwTerminateProcess
SSDT 8755E138 ZwTerminateThread
SSDT 8755E3E8 ZwUnmapViewOfSection
SSDT 8755E6B8 ZwWriteVirtualMemory
SSDT 8755F340 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 820B68A0 8 Bytes [88, FD, 55, 87, 68, FE, 55, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 820B68B4 4 Bytes [A8, E7, 55, 87]
.text ntkrnlpa.exe!KeSetEvent + 13D 820B68C0 4 Bytes [28, 3F, 49, 87]
.text ntkrnlpa.exe!KeSetEvent + 191 820B6914 4 Bytes [30, F5, 55, 87]
.text ntkrnlpa.exe!KeSetEvent + 1F5 820B6978 4 Bytes [D8, FA, 55, 87]
.text ...
.text bridge.sys 8F794462 199 Bytes [8B, FF, 55, 8B, EC, 81, EC, ...]
.text bridge.sys 8F79452A 134 Bytes [8F, 6A, 60, 8D, 85, 78, FF, ...]
.text bridge.sys 8F7945B1 184 Bytes [FF, 15, 68, 41, 7A, 8F, 53, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1968] USER32.dll!TrackPopupMenu 766314F3 5 Bytes JMP 662969A2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] ntdll.dll!LdrLoadDll 775C93A8 5 Bytes JMP 009D131F C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] ntdll.dll!NtMapViewOfSection 77604974 5 Bytes JMP 006C003A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] kernel32.dll!ReadProcessMemory + 3E 767B1CB3 7 Bytes JMP 006C00F7
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] kernel32.dll!WriteProcessMemory + 106 767B1DBE 7 Bytes JMP 006C0319
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] kernel32.dll!CreateIoCompletionPort + 52 767D9DA6 7 Bytes JMP 006C03CF
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] kernel32.dll!VirtualAllocEx + 54 767FAF70 7 Bytes JMP 006C0263
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] kernel32.dll!GetProcessHandleCount + 35 76845D4F 7 Bytes JMP 006C01AD

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0x0D 0x40 0xE2 0x4E ...

#9 fixerupper (Topic Starter)

Posted 29 December 2011 - 11:11 AM

GMER log final:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-29 10:09:44
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST325082 rev.3.AH
Running: gmer.exe; Driver: C:\Users\MAINUS~1\AppData\Local\Temp\ugriypoc.sys


---- System - GMER 1.0.15 ----

SSDT 8755FD88 ZwAlertResumeThread
SSDT 8755FE68 ZwAlertThread
SSDT 8755E7A8 ZwAllocateVirtualMemory
SSDT 87493F28 ZwAlpcConnectPort
SSDT 8755F530 ZwAssignProcessToJobObject
SSDT 8755FAD8 ZwCreateMutant
SSDT 8755F250 ZwCreateSymbolicLinkObject
SSDT 8755EC10 ZwCreateThread
SSDT 8755F610 ZwDebugActiveProcess
SSDT 8755E958 ZwDuplicateObject
SSDT 8755E5C8 ZwFreeVirtualMemory
SSDT 8755FBC8 ZwImpersonateAnonymousToken
SSDT 8755FCA8 ZwImpersonateThread
SSDT 87493EB0 ZwLoadDriver
SSDT 8755E4C8 ZwMapViewOfSection
SSDT 8755F9F8 ZwOpenEvent
SSDT 8755EAF8 ZwOpenProcess
SSDT 8755E898 ZwOpenProcessToken
SSDT 8755F838 ZwOpenSection
SSDT 8755EA28 ZwOpenThread
SSDT 8755F440 ZwProtectVirtualMemory
SSDT 8755FF48 ZwResumeThread
SSDT 8755E218 ZwSetContextThread
SSDT 8755E2F8 ZwSetInformationProcess
SSDT 8755F6F0 ZwSetSystemInformation
SSDT 8755F918 ZwSuspendProcess
SSDT 8755F008 ZwSuspendThread
SSDT 8755ECF0 ZwTerminateProcess
SSDT 8755E138 ZwTerminateThread
SSDT 8755E3E8 ZwUnmapViewOfSection
SSDT 8755E6B8 ZwWriteVirtualMemory
SSDT 8755F340 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 820B68A0 8 Bytes [88, FD, 55, 87, 68, FE, 55, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 820B68B4 4 Bytes [A8, E7, 55, 87]
.text ntkrnlpa.exe!KeSetEvent + 13D 820B68C0 4 Bytes [28, 3F, 49, 87]
.text ntkrnlpa.exe!KeSetEvent + 191 820B6914 4 Bytes [30, F5, 55, 87]
.text ntkrnlpa.exe!KeSetEvent + 1F5 820B6978 4 Bytes [D8, FA, 55, 87]
.text ...
.text bridge.sys 8F794462 199 Bytes [8B, FF, 55, 8B, EC, 81, EC, ...]
.text bridge.sys 8F79452A 134 Bytes [8F, 6A, 60, 8D, 85, 78, FF, ...]
.text bridge.sys 8F7945B1 184 Bytes [FF, 15, 68, 41, 7A, 8F, 53, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1968] USER32.dll!TrackPopupMenu 766314F3 5 Bytes JMP 662969A2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] ntdll.dll!LdrLoadDll 775C93A8 5 Bytes JMP 009D131F C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] ntdll.dll!NtMapViewOfSection 77604974 5 Bytes JMP 006C003A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] kernel32.dll!ReadProcessMemory + 3E 767B1CB3 7 Bytes JMP 006C00F7
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] kernel32.dll!WriteProcessMemory + 106 767B1DBE 7 Bytes JMP 006C0319
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] kernel32.dll!CreateIoCompletionPort + 52 767D9DA6 7 Bytes JMP 006C03CF
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] kernel32.dll!VirtualAllocEx + 54 767FAF70 7 Bytes JMP 006C0263
.text C:\Program Files\Mozilla Firefox\firefox.exe[5976] kernel32.dll!GetProcessHandleCount + 35 76845D4F 7 Bytes JMP 006C01AD

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0x0D 0x40 0xE2 0x4E ...

---- EOF - GMER 1.0.15 ----
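The GMER log above lists two things that look like separate findings: SSDT hooks at addresses such as 8755FD88, and byte "patches" inside ntkrnlpa.exe next to KeSetEvent. Decoding the patch bytes as little-endian 32-bit values gives exactly the SSDT hook addresses (88 FD 55 87 is 0x8755FD88, the ZwAlertResumeThread entry; A8 E7 55 87 is 0x8755E7A8, ZwAllocateVirtualMemory), so the KeSetEvent lines are the service table itself, labelled by the nearest exported symbol, not a second set of code modifications. The script below is an added example, not part of the thread and not GMER's code: it runs that cross-reference over a constructed excerpt of the posted log. It does not say which driver owns the hook addresses; that still has to be established by matching them against the loaded-module ranges, which this log does not list.

```python
import re

# Constructed excerpt of the GMER output posted in this thread (a few SSDT lines
# and the "Kernel code sections" lines), embedded so the script runs offline.
GMER_EXCERPT = """\
SSDT 8755FD88 ZwAlertResumeThread
SSDT 8755FE68 ZwAlertThread
SSDT 8755E7A8 ZwAllocateVirtualMemory
SSDT 87493F28 ZwAlpcConnectPort
SSDT 8755F530 ZwAssignProcessToJobObject
SSDT 8755FAD8 ZwCreateMutant
SSDT 87493EB0 ZwLoadDriver
.text ntkrnlpa.exe!KeSetEvent + 11D 820B68A0 8 Bytes [88, FD, 55, 87, 68, FE, 55, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 820B68B4 4 Bytes [A8, E7, 55, 87]
.text ntkrnlpa.exe!KeSetEvent + 13D 820B68C0 4 Bytes [28, 3F, 49, 87]
.text ntkrnlpa.exe!KeSetEvent + 191 820B6914 4 Bytes [30, F5, 55, 87]
.text ntkrnlpa.exe!KeSetEvent + 1F5 820B6978 4 Bytes [D8, FA, 55, 87]
.text bridge.sys 8F794462 199 Bytes [8B, FF, 55, 8B, EC, 81, EC, ...]
"""

SSDT_RE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(\S+)", re.I)
TEXT_RE = re.compile(
    r"^\.text\s+(.+?)\s+([0-9A-F]{8})\s+(\d+)\s+Bytes\s+\[([^\]]*)\]", re.I)


def parse_ssdt(text):
    """Map hook target address -> Zw* service names (one handler may serve several)."""
    hooks = {}
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            hooks.setdefault(int(m.group(1), 16), []).append(m.group(2))
    return hooks


def parse_text_patches(text):
    """Return (location, address, declared_length, byte_values) per '.text' line.
    GMER truncates long dumps with '...', so byte_values may be shorter than declared."""
    out = []
    for line in text.splitlines():
        m = TEXT_RE.match(line)
        if not m:
            continue
        raw = [b.strip() for b in m.group(4).split(",")]
        data = [int(b, 16) for b in raw if re.fullmatch(r"[0-9A-Fa-f]{2}", b)]
        out.append((m.group(1), int(m.group(2), 16), int(m.group(3)), data))
    return out


def decode_pointers(data):
    """Read the dumped bytes as consecutive little-endian 32-bit values (x86 kernel here).
    A trailing partial dword (from a truncated dump) is ignored."""
    usable = len(data) - len(data) % 4
    return [int.from_bytes(bytes(data[i:i + 4]), "little") for i in range(0, usable, 4)]


def cross_reference(text):
    """For each '.text' patch, decode its bytes as pointers and look them up in the SSDT list.
    Returns [(location, address, [(pointer, service_names_or_None), ...]), ...]."""
    hooks = parse_ssdt(text)
    results = []
    for loc, addr, _length, data in parse_text_patches(text):
        ptrs = decode_pointers(data)
        results.append((loc, addr, [(p, hooks.get(p)) for p in ptrs]))
    return results


def classify(text):
    """Split patches into service-table entries (every decoded dword is a listed SSDT hook
    address) and everything else, which has to be examined as a real code modification."""
    table_entries, other = [], []
    for loc, addr, matches in cross_reference(text):
        if matches and all(services for _, services in matches):
            table_entries.append((loc, addr, matches))
        else:
            other.append((loc, addr, matches))
    return table_entries, other


if __name__ == "__main__":
    table, other = classify(GMER_EXCERPT)
    for loc, addr, matches in table:
        names = ", ".join(s[0] for _, s in matches)
        print(f"{loc} @ {addr:08X}: SSDT entry for {names}")
    for loc, addr, _matches in other:
        print(f"{loc} @ {addr:08X}: bytes are not SSDT pointers, inspect separately")
```

Run as a script it prints the classification for the excerpt; for a full log use classify(open(path).read()). Entries whose bytes do not decode to listed hook addresses, such as the bridge.sys lines in this log, are the ones this check cannot explain and that deserve a separate look, while the KeSetEvent lines collapse into the SSDT list already shown.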

#10 fixerupper (Topic Starter)

Posted 29 December 2011 - 11:30 AM

System froze while running a fresh Malwarebytes scan with Firefox running. Reboot OK but generated additional event logs of items taking too long.

Edited by fixerupper, 29 December 2011 - 11:36 AM.


#11 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 30 December 2011 - 11:42 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

I will focus on the malware issues in this forum. Should you need further assistance with other issues I will let you know later.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Third-party programs, if not up to date, can be the cause of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs for my review.

#12 fixerupper (Topic Starter)

Posted 30 December 2011 - 07:33 PM

Thank you! I will pursue these and report back. :busy:

#13 fixerupper (Topic Starter)

Posted 30 December 2011 - 08:13 PM

Here is the security check log:

=================================

Results of screen317's Security Check version 0.99.30
Windows Vista Service Pack 2 x86 (UAC is disabled!)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 29
Java™ SE Runtime Environment 6
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java version out of date!
Adobe Flash Player 11.1.102.55
Adobe Reader 8 Adobe Reader out of date!
Mozilla Firefox (3.6.25) Firefox out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````



===========================================

ComboFix was a scary experience. Although I had Norton Security Suite firewall and antivirus turned off, ComboFix popped up a message that it had a spyware scanner still on and running ComboFix might damage the computer. I could not locate any setting to turn a spyware scanner off, so I tried to close the ComboFix program (click X not OK) and it started running itself with another computer damage warning. I therefore rebooted immediately but this caused a CHKDSK to run that detected and fixed some disk errors. No log is readily apparent. I can't run ComboFix and put my computer at risk unless you happen to know how to turn off spyware scanner. It's not in any of the NSS settings that I can see. Also I sure hope that ComboFix program is a good file as it triggered a number of alerts - very new file, very few known users, invalid signature file etc.

PS: Windows firewall is, I believe, disabled by NSS and I had the NSS firewall disabled when the check above ran.

Edited by fixerupper, 30 December 2011 - 08:14 PM.


#14 fixerupper (Topic Starter)

Posted 31 December 2011 - 01:02 AM

OK, I found the setting (fairly well hidden) and here is the log. Note in a few places I replaced actual names with [usernameX].

I'm concerned about the various files that were deleted, at least some of which I need (for example, cameraraw.8bi for Adobe).

ComboFix 11-12-30.02 - Main User 12/30/2011 23:32:49.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1197 [GMT -6:00]
Running from: c:\users\Main User\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Main User\Camera Raw.8bi
c:\windows\HPCPCUninstaller-6.3.2.139-6811507.exe
c:\windows\system32\spool\prtprocs\w32x86\LMPRINT.DLL
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-31 )))))))))))))))))))))))))))))))
.
.
2011-12-31 05:44 . 2011-12-31 05:44 -------- d-----w- c:\users\[usernameW]\AppData\Local\temp
2011-12-31 05:44 . 2011-12-31 05:44 -------- d-----w- c:\users\[usernameNMM] (email)\AppData\Local\temp
2011-12-31 05:44 . 2011-12-31 05:44 -------- d-----w- c:\users\[usernameJ]\AppData\Local\temp
2011-12-31 05:44 . 2011-12-31 05:44 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2011-12-31 05:44 . 2011-12-31 05:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-31 05:44 . 2011-12-31 05:44 -------- d-----w- c:\users\[usernameBD] (email)\AppData\Local\temp
2011-12-31 00:51 . 2011-12-31 00:51 -------- d-----w- C:\found.000
2011-12-29 16:14 . 2011-12-29 16:14 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-22 03:54 . 2011-12-22 03:56 -------- d-----w- c:\users\Guest
2011-12-20 20:54 . 2011-12-20 20:54 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2011-12-20 17:10 . 2011-12-20 17:10 -------- d-----w- c:\users\Main User\AppData\Roaming\Malwarebytes
2011-12-20 17:10 . 2011-12-20 17:10 -------- d-----w- c:\programdata\Malwarebytes
2011-12-20 17:10 . 2011-12-29 16:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-20 17:10 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-19 17:44 . 2011-12-19 17:44 -------- d-----w- c:\users\Main User\AppData\Local\BVRP Software
2011-12-19 17:42 . 2006-10-20 01:09 11776 ------w- c:\windows\system32\Spool\prtprocs\w32x86\WfxPrint2000.dll
2011-12-19 17:41 . 2011-12-19 17:50 -------- d-----w- c:\program files\Classic PhoneTools
2011-12-19 17:41 . 2011-12-19 17:41 -------- d-----w- c:\programdata\BVRP Software
2011-12-16 19:03 . 2011-12-16 19:03 -------- d-----w- c:\program files\Application Updater
2011-12-16 19:03 . 2011-12-16 19:03 -------- d-----w- c:\program files\pdfforge Toolbar
2011-12-16 19:03 . 2011-12-16 19:03 -------- d-----w- c:\program files\Common Files\Spigot
2011-12-14 21:34 . 2011-10-27 08:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-14 21:34 . 2011-10-27 08:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-12-14 21:34 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 21:34 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 21:34 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-12-14 21:34 . 2011-10-25 15:56 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 21:34 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-13 17:34 . 2011-12-13 17:34 172344 ----a-w- c:\program files\Mozilla Firefox\plugins\npatgpc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-17 03:59 . 2011-05-23 19:37 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 11:06 . 2010-06-28 03:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
2009-01-28 02:11 . 2009-01-28 02:10 2788800 ----a-w- c:\program files\FLV PlayerFCSetup.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 94208 ----a-w- c:\users\Main User\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 94208 ----a-w- c:\users\Main User\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 94208 ----a-w- c:\users\Main User\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-10-31 21:02 94208 ----a-w- c:\users\Main User\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CCUTRAYICON"="FactoryMode" [X]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-04-19 151552]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-06-05 71176]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-04-01 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-04-01 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-04-01 133656]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2008-08-04 160800]
"VX1000"="c:\windows\vVX1000.exe" [2008-08-04 721936]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2011-12-13 922976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-25 44136]
.
c:\users\Main User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Main User\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
HP Connections.lnk - c:\program files\HP Connections\6811507\Program\HP Connections.exe [2006-12-9 34520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-24 135664]
R2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [2006-05-10 29696]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-24 135664]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-12-29 40776]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0501000.01D\SYMDS.SYS [2011-01-27 340088]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0501000.01D\SYMEFA.SYS [2011-03-15 744568]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20111221.003\BHDrvx86.sys [2011-11-14 819320]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20111228.001\IDSvix86.sys [2011-08-23 368248]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0501000.01D\Ironx86.SYS [2010-11-16 136312]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0501000.01D\SYMTDIV.SYS [2011-03-22 331384]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2011-12-14 748440]
S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-09-03 208896]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-26 189736]
S2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe [2011-04-17 130008]
S3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2007-04-18 366080]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ERASERUTILDRVI13
*Deregistered* - EraserUtilDrvI13
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-24 03:20]
.
2011-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-24 03:20]
.
2010-12-15 c:\windows\Tasks\User_Feed_Synchronization-{8407C683-CC7F-4B83-9F49-09BDC11149BE}.job
- c:\windows\system32\msfeedssync.exe [2011-05-31 17:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: intuit.com\ttlc
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\Main User\AppData\Roaming\Mozilla\Firefox\Profiles\nha82pfv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?filter=lf#!/|http://www.startribune.com/|http://www.bloomberg.com/|http://news.google.com/nwshp?hl=en&tab=wn&ar=1316629469|https://www.google.com/calendar/render?hl=en&tab=wc&pli=1&gsessionid=k91NCsUSzGn489C0xTdvVg
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Fast Video Download (with SearchMenu): {c50ca3c4-5656-43c2-a061-13e717f73fc8} - %profile%\extensions\{c50ca3c4-5656-43c2-a061-13e717f73fc8}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Add-on Compatibility Reporter: compatibility@addons.mozilla.org - %profile%\extensions\compatibility@addons.mozilla.org
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Symantec IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\coFFPlgn_2011_7_4_3
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-Chuzzle Deluxe - c:\program files\PopCap Games\Chuzzle Deluxe\Uninstall.exe
AddRemove-Chuzzle Deluxe_is1 - c:\program files\Chuzzle Deluxe\ReflexiveArcade\unins000.exe
AddRemove-Coupon Printer for Windows4.0 - c:\program files\Coupons\uninstall.exe
AddRemove-WT014849 - c:\program files\HP Games\Bookworm Deluxe\Uninstall.exe
AddRemove-WT014895 - c:\program files\HP Games\JEOPARDY\Uninstall.exe
AddRemove-WT066018 - c:\program files\HP Games\Chuzzle Deluxe\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-30 23:45
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-12-30 23:49:25
ComboFix-quarantined-files.txt 2011-12-31 05:49
.
Pre-Run: 13,267,128,320 bytes free
Post-Run: 13,151,854,592 bytes free
.
- - End Of File - - 0E9F1D5141FBF60208EAD904E5215C06

#15 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:56 PM

Posted 31 December 2011 - 10:46 AM

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 29
Java™ SE Runtime Environment 6
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7

===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right, "Include in your download"; this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===


We will continue with the clean up and your Camera Raw.8bi file will be restored.

Open notepad and copy/paste the text in the quote box below into it:

File::
c:\program files\Application Updater\ApplicationUpdater.exe

Folder::
C:\found.000

Driver::
Application Updater

DEQUARANTINE::
c:\qoobox\quarantine\c\users\Main User\Camera Raw.8bi.vir


Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Please post the log and let me know what problem persists.
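A check that goes with the Java advice in the reply above, added here as an example and not part of nasdaq's post or of the thread: a PowerShell 2.0 script (the version Vista can run) that lists every Java runtime registered in Add/Remove Programs and flags each release older than the newest one present, so the leftover "Update 1 / 3 / 5 / 7" entries like the ones listed above are easy to spot before removal. The registry paths are the standard Windows Uninstall keys; the name patterns and the assumption that each Java release has its own Uninstall entry are mine.

```powershell
# Added example (not from the thread): enumerate installed Java runtimes via the
# Add/Remove Programs registry keys and report the stale ones.
# Assumes a Windows host where Java was installed by its normal MSI packages,
# so every release is a separate subkey under the Uninstall keys.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    # Only exists on 64-bit Windows; silently skipped on 32-bit Vista.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledJava {
    # Each Uninstall subkey carries DisplayName / DisplayVersion / UninstallString.
    # Sun/Oracle name them "Java(TM) 6 Update 29", "J2SE Runtime Environment 5.0 Update 6", etc.
    # Assumed name pattern: anything starting with Java, J2SE or JRE except the updater service.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -match '^(Java|J2SE|JRE)' -and
            $_.DisplayName -notmatch 'Auto Updater'
        } |
        ForEach-Object {
            # DisplayVersion is "6.0.290" for 6 Update 29; skip entries that do not parse.
            $v = $_.DisplayVersion -as [version]
            if ($v -ne $null) {
                New-Object PSObject -Property @{
                    Name      = $_.DisplayName
                    Version   = $v
                    Uninstall = $_.UninstallString
                    Key       = $_.PSChildName   # MSI product code GUID
                }
            }
        }
}

$installed = @(Get-InstalledJava | Sort-Object Version -Descending)

if ($installed.Count -eq 0) {
    Write-Output 'No Java runtime entries found under the Uninstall keys.'
} else {
    $newest = $installed[0]
    Write-Output ('Newest installed: {0} ({1})' -f $newest.Name, $newest.Version)

    # Every older entry is a separately installed, separately patched runtime that
    # stays on disk until it is uninstalled; that is what the reply asks to remove.
    $stale = $installed | Where-Object { $_.Version -lt $newest.Version }
    foreach ($entry in $stale) {
        Write-Output ('Stale: {0} ({1})  uninstall command: {2}' -f `
            $entry.Name, $entry.Version, $entry.Uninstall)
    }
}
```

Run it from an elevated PowerShell prompt; the `Uninstall` column is the same command Add/Remove Programs runs, so the stale entries can be removed one by one and the script re-run to confirm only the newest release remains.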
