dump_dumpata.sys found on PC - Browser Redirection - Lots of Hard Drive & CPU Activity - HELP!



#1 NHGuy (Members, 117 posts)

Posted 18 January 2012 - 05:33 AM

Hello,
I've been fighting this problem for quite a while but now it has become very bad!

Using Process Explorer, System (PID 4) is now constantly accessing the hard drive for 10+ minutes during start-up.

Found C:\Windows\System32\Drivers\dump_dumpata.sys

CPU use very high during these periods - laptop freezes

Problem began a few days ago with Firefox being re-directed on a number of sites.

I don't know what to do next

Please help

Thanks

#2 NHGuy (Topic Starter, Members, 117 posts)

Posted 18 January 2012 - 07:58 AM

Below are (in order of being run):

DDS.txt, mbam log and GMER log.

I had to disable MS Security Essentials before GMER would run completely. This took two reboots.

Thanks again in advance for your time and effort on my behalf.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
Run by User at 6:26:40 on 2012-01-18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1304 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\USB Safely Remove\USBSRService.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\mobsync.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\My Lockbox\mylbx.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\USB Safely Remove\USBSafelyRemove.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
uRun: [USB Safely Remove] c:\program files\usb safely remove\USBSafelyRemove.exe /startup
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [mylbx] c:\program files\my lockbox\mylbx.exe /a
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\user\appdata\local\temp\_uninst_91361604.bat
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{10797319-1BAE-49B6-974E-C64C84F088E5} : DhcpNameServer = 209.18.47.61 209.18.47.62
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\nzz2wp10.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\common files\mpdrm\NPMPDRM.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\nitro pdf\reader 2\npdf.dll
FF - plugin: c:\program files\nitro pdf\reader 2\npnitromozilla.dll
.
---- FIREFOX POLICIES ----
FF - user.js: google.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2011-7-10 41912]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2011-7-7 21504]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\nitro pdf\reader 2\NitroPDFReaderDriverService2.exe [2011-12-20 196904]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 USBSafelyRemoveService;USB Safely Remove Assistant;c:\program files\usb safely remove\USBSRService.exe [2011-8-8 257880]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-2-28 7168]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2011-4-18 43392]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 libusb0;libusb-win32 - Kernel Driver, Version 1.2.4.0;c:\windows\system32\drivers\libusb0.sys [2010-6-24 21504]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
S4 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2011-6-23 291088]
.
=============== Created Last 30 ================
.
2012-01-18 09:47:12 6557240 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{dca7c806-f0fc-4d55-8f8b-345cc5487dc9}\mpengine.dll
2012-01-17 23:28:16 -------- d-----w- C:\HijackThis
2012-01-17 23:08:02 -------- d-----w- c:\program files\Trend Micro
2012-01-17 18:45:08 -------- d-sh--w- C:\$RECYCLE.BIN
2012-01-17 18:45:07 -------- d-----w- c:\users\user\appdata\local\temp
2012-01-16 23:56:22 -------- d-----w- c:\users\user\appdata\local\temp(432)
2012-01-16 19:06:00 -------- d-----w- c:\users\user\appdata\roaming\SUPERAntiSpyware.com
2012-01-16 19:05:21 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-01-16 19:05:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-01-16 17:52:37 -------- d-----w- c:\program files\common files\Java(286)
2012-01-16 02:32:00 -------- d-----w- c:\program files\VS Revo Group
2012-01-11 14:11:12 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-11 14:11:12 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-11 14:11:12 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-11 14:11:11 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-11 14:11:11 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-11 14:11:11 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-11 13:40:13 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 13:40:10 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-11 13:40:10 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-11 13:40:09 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-11 13:40:08 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-11 13:40:05 497152 ----a-w- c:\windows\system32\qdvd.dll
2012-01-11 13:40:05 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-04 03:19:53 -------- d-----w- c:\programdata\Media Center Programs
2012-01-03 22:10:18 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2012-01-03 22:10:16 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-03 22:10:16 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-03 22:10:16 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-03 22:10:16 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-02 01:54:07 -------- d-----w- c:\program files\Sonalysts Combat Simulations
2012-01-02 01:45:57 -------- d-----w- c:\users\user\appdata\local\AMozilla
2012-01-02 01:45:41 -------- d-----w- c:\program files\common files\SystemEngines
2012-01-02 01:45:40 -------- d-----w- c:\users\user\appdata\roaming\AMozilla
2012-01-02 00:55:51 -------- d-----w- c:\program files\Sierra On-Line
2012-01-02 00:55:43 -------- d-----w- C:\Sierra
2012-01-02 00:42:51 30048 ----a-w- c:\windows\UNWISE.EXE
2011-12-22 03:40:00 -------- d-----w- c:\program files\Nitro PDF
2011-12-22 03:39:59 -------- d-----w- c:\program files\common files\Nitro PDF
.
==================== Find3M ====================
.
2012-01-17 03:39:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-12-20 15:10:38 17704 ----a-w- c:\windows\system32\nitrolocalui2.dll
2011-12-20 15:10:36 26408 ----a-w- c:\windows\system32\nitrolocalmon2.dll
2011-12-10 20:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-26 16:39:10 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2011-11-26 16:39:10 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-17 01:16:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-27 08:01:53 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-27 08:01:53 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 15:56:04 49152 ----a-w- c:\windows\system32\csrsrv.dll
.
============= FINISH: 6:27:37.98 ===============
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.18.02

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
User :: USER-PC [administrator]

1/18/2012 7:00:56 AM
mbam-log-2012-01-18 (07-00-56).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 166693
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-18 07:45:13
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS541616J9SA00 rev.SB4OC7DP
Running: rw5cwmwd.exe; Driver: C:\Users\User\AppData\Local\Temp\pwldapob.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe[3492] ntdll.dll!DbgBreakPoint 77C3878E 1 Byte [90]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9E978E60-11B0-9E0B-FF4C-8F22D224EA9E}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9E978E60-11B0-9E0B-FF4C-8F22D224EA9E}@nagplcinnbafddhphghdbpeihdfg 0x6B 0x61 0x65 0x68 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9E978E60-11B0-9E0B-FF4C-8F22D224EA9E}@oaapnebjccibdiphimkbeapcmkphil 0x6B 0x61 0x65 0x68 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F9F8F5F5-F073-8CF0-A52C-9A50410506BE}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F9F8F5F5-F073-8CF0-A52C-9A50410506BE}@pamcgjbbappmdghnjieboepbkljefcfc 0x6B 0x61 0x69 0x6E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F9F8F5F5-F073-8CF0-A52C-9A50410506BE}@oagciiffdlnepeniemheimplnpmkkm 0x6B 0x61 0x69 0x6E ...


---- EOF - GMER 1.0.15 ----

Regards,
John (NH Guy)

Edited by hamluis, 18 January 2012 - 10:10 AM.
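A small triage helper for the logs in the post above, added here as an example; it is not code from the original post, from DDS or from GMER. It parses the uRun/mRun/StartupFolder/TB lines of the DDS "Pseudo HJT Report", flags entries whose target is missing, sits under a temp folder, is a script, or is a bare file name resolved via the search path (the kind of check a responder would make against the `_uninst_91361604.bat` startup entry and the "No File" toolbar CLSID), and decodes the hex byte listings GMER prints for registry values such as `0x6B 0x61 0x65 0x68 ...`. The sample lines are copied from the log above as constructed test input; the heuristic names and the `Finding` structure are the editor's own assumptions, and a hit is a prompt to look closer, not a verdict.

```python
"""Triage helper for the DDS 'Pseudo HJT Report' and GMER registry lines.

Added example for this thread; it is not code from the original post, from DDS
or from GMER.  It flags autostart entries whose target is missing, lives under a
temp folder, or is a script, and decodes GMER's hex byte listings.  Heuristic
names and the sample lines below are the editor's own constructed test input.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Autostart lines copied from the DDS log above, used here as constructed input.
SAMPLE_LOG = r"""
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\_unins~1.lnk - c:\users\user\appdata\local\temp\_uninst_91361604.bat
"""

RUN_RE = re.compile(r"^(?P<kind>[um]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?P<kind>StartupFolder): (?P<lnk>.+?) - (?P<cmd>.+)$")
TB_RE = re.compile(r"^(?P<kind>TB): (?P<name>\{[0-9A-Fa-f-]+\}) - (?P<cmd>.+)$")
# First path-like token ending in an executable or script extension.
EXE_RE = re.compile(r'(?i)^(?P<path>.*?\.(?:exe|com|dll|scr|bat|cmd|vbs|js))(?=\s|$|")')
HEX_BYTE_RE = re.compile(r"^0x([0-9A-Fa-f]{2})$")

TEMP_HINTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js")


@dataclass
class Finding:
    kind: str            # uRun, mRun, StartupFolder or TB
    name: str            # registry value name, CLSID or .lnk file name
    target: str          # file the entry launches
    reasons: List[str] = field(default_factory=list)  # empty = nothing odd


def extract_target(cmd: str) -> str:
    """Pull the launched file out of a command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.lower() == "no file":          # DDS wording for an orphaned entry
        return cmd
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd.split()[0]


def assess(target: str) -> List[str]:
    """Editor's heuristics: a hit means 'look closer', not 'malicious'."""
    t = target.lower()
    if t == "no file":
        return ["target missing (orphaned autostart entry)"]
    reasons = []
    if any(h in t for h in TEMP_HINTS):
        reasons.append("runs from a temp folder")
    if t.endswith(SCRIPT_EXT):
        reasons.append("script rather than a compiled executable")
    if "\\" not in t and "%" not in t:
        reasons.append("bare file name, located via the search path")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse every autostart line in a DDS log and attach heuristic reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for rx in (RUN_RE, STARTUP_RE, TB_RE):
            m = rx.match(line)
            if not m:
                continue
            d = m.groupdict()
            name = d["name"] if "name" in d else d["lnk"].rsplit("\\", 1)[-1]
            target = extract_target(d["cmd"])
            findings.append(Finding(d["kind"], name, target, assess(target)))
            break
    return findings


def decode_gmer_bytes(dump: str) -> str:
    """Turn GMER's '0x6B 0x61 ...' value listing into ASCII.

    GMER prints only the first bytes and ends with '...', so the result is a
    prefix of the stored value, never the whole string.
    """
    chars = []
    for tok in dump.split():
        m = HEX_BYTE_RE.match(tok)
        if m:
            b = int(m.group(1), 16)
            chars.append(chr(b) if 0x20 <= b < 0x7F else ".")
    return "".join(chars) + ("..." if dump.rstrip().endswith("...") else "")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "CHECK" if f.reasons else "ok   "
        print(f"{flag} {f.kind:<13} {f.name:<40} {f.target}")
        for r in f.reasons:
            print(f"      - {r}")
    print(decode_gmer_bytes("0x6B 0x61 0x65 0x68 ..."))
```

Two caveats when reading the output against the logs above. The parser deliberately looks only at the autostart lines: the GMER header reports its own scanning driver under `C:\Users\User\AppData\Local\Temp\pwldapob.sys`, which is where GMER loads its randomly named driver from for the duration of a run, so a temp-folder rule applied to the whole log would flag the scanner itself. And the `dump_dumpata.sys` file from the first post is not something this heuristic would raise: files named `dump_<driver>.sys` under `System32\Drivers` are the copies Windows makes of the storage driver for the crash-dump path, so the useful check there is whether that copy matches the installed `dumpata.sys`, not whether it exists.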


#3 shelf life (Malware Response Team, 2,683 posts)

Posted 22 January 2012 - 09:17 AM

hi NHGuy,

If you still need help, simply reply back and we will see if we can figure out what's going on.

How Can I Reduce My Risk to Malware?