
Windows explorer (explorer.exe) crashing - no disk


  • This topic is locked
2 replies to this topic

#1 ziaBear

  • Members
  • 1 posts
  • OFFLINE
  • Local time:09:50 PM

Posted 30 January 2012 - 11:16 PM

Hi guys,

I'm grateful to anyone who can help with this. My DH ran a version of Kaspersky from unknown origins a while back. We got the blue screen of death, I managed to restore to the last version, but since then, explorer.exe and Adobe ARM crash as soon as Windows opens. We've tried restoring to an earlier date, we've run MBAM, SuperAntiSpyware, Spyware Doctor, CCleaner at the suggestion of other sites when I googled the error signature (AppName: explorer.exe AppVer: 6.0.2900.5512 ModName: unknown ModVer: 0.0.0.0 Offset: 02dffb5a)

SAS found this:
Trojan.Agent/Gen-PEC
C:\DOCUMENTS AND SETTINGS\STACY SAMSON\LOCAL SETTINGS\TEMP\RARSFX0\PROCS\EXPLORER.EXE

But quarantining hasn't resolved the issue. MBAM, SD, and CCleaner all came back clean. Everything I've read indicates that reimaging is the next step but I don't have my original install disk, and things are so tight financially, I don't have the cash to order a new disk. Help, and thank you in advance! Logs are below:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Run by Stacy Samson at 20:45:03 on 2012-01-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.90 [GMT -6:00]
.
AV: PC Tools Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\PC Tools\PC Tools Security\pctsGui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Application Data\WeCareReminder\ReminderHelper.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.search.yahoo.com/?fr=w3i&type=W3i_SP,204,0_0,StartPage,20120104,16898,0,8,0
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://start.facemoods.com/?a=ironto&s={searchTerms}&f=4
uURLSearchHooks: PC Tools Browser Defender: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
uURLSearchHooks: NetAssistant: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\netassistant\NetAssistant.dll
uURLSearchHooks: YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mURLSearchHooks: PC Tools Browser Defender: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: My Personal Homepage: {0538cf1c-8419-4800-adbb-0c00c799fda2} - c:\documents and settings\stacy samson\application data\genieo\application\ieplugins\bin\IEWrapper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Defender BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: RewardsArcadeSuite: {b6ef6c45-5e8d-4c3b-b580-a5073261a381} - c:\program files\rewardsarcadesuite\RewardsArcadeSuite.dll
BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - c:\documents and settings\all users\application data\wecarereminder\IEHelperv2.5.0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: NetAssistant: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\netassistant\NetAssistant.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - No File
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: PC Tools Browser Defender: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {E19E589B-749F-4641-9ED3-032DEB7A8D92} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: vistaprint.com\www
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} - hxxp://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-big-island-blends/gamehouseplayer.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://download-games.pogo.com/online2/pogo/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab
DPF: {8ffbe65d-2c9c-4669-84bd-5829dc0b603c} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - hxxp://download.copysafe.net/plugins5/installers/Copysafe.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://aolsvc.aol.com/onlinegames/free-trial-burger-shop/GoBitGamesPlayer_v4.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} - hxxp://games.myspace.com/gameshell/games/channel--110343720/lc--en/room--af6bde30-0f41-423e-a0c4-737047c7fd68/online/zenerchi/en/ZenerchiWeb.1.0.0.10.cab
DPF: {C0C0CB9B-BFEB-47C2-90FA-BE9692875ADB} - hxxp://aolsvc.aol.com/onlinegames/free-trial-pet-shop-hop/petshophopweb.1.0.0.16.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{42EB371F-6754-4CEE-95F5-9A519506D84C} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\stacy samson\application data\mozilla\firefox\profiles\eip6i22u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - facebook.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=w3is&type=W3i_IA,206,0_0,StartPage,20111146,18482,0,0,6434&p=
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-1-7 331880]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-1-7 341656]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2012-1-7 660992]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2012-1-10 54328]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2012-1-10 574424]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2012-1-7 253096]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2012-1-7 185560]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-7-18 116608]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-29 20464]
R3 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-29 652872]
S1 9df2ded6;9df2ded6;c:\windows\system32\drivers\9df2ded6.sys [2008-10-23 0]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-1-29 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-1-29 136176]
S3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\drivers\PCTBD.sys [2012-1-7 56840]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2012-1-7 70536]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2012-1-10 35264]
S4 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools\pc tools security\bdt\BDTUpdateService.exe [2012-1-7 546768]
S4 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2008-4-17 192512]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools\pc tools security\pctsAuxs.exe [2012-1-7 402336]
S4 sdCoreService;PC Tools Security Service;c:\program files\pc tools\pc tools security\pctsSvc.exe [2012-1-7 1117624]
S4 ThreatFire;ThreatFire;c:\program files\pc tools\pc tools security\tfengine\tfservice.exe service --> c:\program files\pc tools\pc tools security\tfengine\TFService.exe service [?]
.
=============== Created Last 30 ================
.
2012-01-29 21:16:00 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-29 21:16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-29 20:30:47 -------- d-----w- c:\program files\CCleaner
2012-01-29 06:01:51 -------- d-----w- c:\documents and settings\stacy samson\application data\SUPERAntiSpyware.com
2012-01-29 06:00:56 -------- d-----w- c:\documents and settings\all users\application data\!SASCORE
2012-01-29 06:00:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-01-29 06:00:30 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-01-29 05:52:48 388096 ----a-r- c:\documents and settings\stacy samson\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-01-29 05:52:46 -------- d-----w- c:\program files\Trend Micro
2012-01-28 00:46:05 -------- d-----w- c:\documents and settings\stacy samson\application data\com.w3i.intune
2012-01-28 00:40:13 -------- d-----w- c:\program files\Free Offers from Freeze.com
2012-01-28 00:40:12 -------- d-----w- c:\program files\Freeze.com
2012-01-28 00:40:00 -------- d-----w- c:\documents and settings\stacy samson\local settings\application data\RewardsArcadeSuite
2012-01-28 00:39:57 -------- d-----w- c:\program files\RewardsArcadeSuite
2012-01-28 00:39:43 -------- d-----w- c:\documents and settings\all users\application data\WeCareReminder
2012-01-23 11:32:20 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-22 22:08:03 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2012-01-22 22:07:49 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2012-01-22 22:07:33 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2012-01-22 22:07:33 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2012-01-22 22:07:32 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2012-01-22 22:07:32 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2012-01-22 22:07:32 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2012-01-22 22:07:31 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2012-01-22 17:20:36 -------- d-----w- C:\418352dc603ff00b4be4
2012-01-20 06:03:36 -------- d-----w- C:\dc5974001cae26dc096f9cca9c
2012-01-20 06:01:50 -------- d-----w- C:\e2c0040a8d43498cbe8a39
2012-01-16 22:18:56 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
2012-01-16 22:18:20 -------- d-----w- c:\program files\W3i
2012-01-16 22:18:19 -------- d-----w- c:\documents and settings\all users\application data\W3i
2012-01-16 22:16:40 -------- d-----w- c:\documents and settings\stacy samson\application data\Genieo
2012-01-16 22:15:56 -------- d-----w- c:\documents and settings\stacy samson\application data\W3i, LLC
2012-01-13 11:04:34 -------- d-----w- c:\documents and settings\stacy samson\local settings\application data\Proxure
2012-01-13 11:03:57 -------- d-----w- c:\documents and settings\all users\application data\ClubSanDisk
2012-01-13 09:31:20 -------- d-----w- c:\documents and settings\stacy samson\application data\Systweak
2012-01-10 19:33:02 574424 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2012-01-10 19:33:01 35264 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2012-01-10 19:32:59 54328 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2012-01-10 06:04:49 -------- d-----w- C:\1d0f0fce02019d32919180ebc604
2012-01-08 02:56:14 1409 ----a-w- c:\windows\QTFont.for
2012-01-07 07:40:02 767952 ----a-w- c:\windows\BDTSupport.dll0138.old
2012-01-07 07:40:02 767952 ----a-w- c:\windows\BDTSupport.dll0128.old
2012-01-07 07:40:02 767952 ----a-w- c:\windows\BDTSupport.dll
2012-01-07 07:40:02 56840 ----a-w- c:\windows\system32\drivers\PCTBD.sys
2012-01-07 07:40:01 2246608 ----a-w- c:\windows\PCTBDCore.dll0138.old
2012-01-07 07:40:01 2246608 ----a-w- c:\windows\PCTBDCore.dll0128.old
2012-01-07 07:40:01 2246608 ----a-w- c:\windows\PCTBDCore.dll
2012-01-07 07:40:01 1681360 ----a-w- c:\windows\PCTBDRes.dll
2012-01-07 07:40:01 149456 ----a-w- c:\windows\SGDetectionTool.dll0138.old
2012-01-07 07:40:01 149456 ----a-w- c:\windows\SGDetectionTool.dll0128.old
2012-01-07 07:40:01 149456 ----a-w- c:\windows\SGDetectionTool.dll
2012-01-07 07:37:52 253096 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-01-07 07:37:15 17848 ----a-w- c:\windows\system32\drivers\pctBTFix.sys
2012-01-07 07:36:57 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-01-07 07:36:37 -------- d-----w- c:\program files\PC Tools
2012-01-07 07:10:33 660992 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-01-07 07:10:33 341656 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-01-07 07:10:29 331880 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-01-07 07:10:29 162584 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-01-07 07:10:25 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-01-07 07:10:25 -------- d-----w- c:\program files\common files\PC Tools
2012-01-06 21:32:16 -------- d-----w- c:\documents and settings\all users\application data\PC Drivers HeadQuarters
2012-01-06 20:29:12 -------- d-----w- C:\Inetpub
2012-01-06 08:25:03 -------- d-----w- c:\documents and settings\stacy samson\application data\TestApp
2012-01-06 07:15:53 767952 ----a-w- c:\windows\BDTSupport.dll0142.old
2012-01-06 07:15:52 1996752 ----a-w- c:\windows\PCTBDCore.dll0142.old
2012-01-06 07:15:52 149456 ----a-w- c:\windows\SGDetectionTool.dll0142.old
2012-01-06 06:28:06 -------- d-----w- c:\documents and settings\stacy samson\application data\PCTools
2012-01-05 23:44:37 94896 ----a-w- c:\windows\system32\drivers\91188348.sys
2012-01-05 07:23:33 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
.
==================== Find3M ====================
.
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ------w- c:\windows\system32\quartz.dll
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
.
============= FINISH: 20:47:43.23 ===============
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-30 12:20:22
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS541680J9SA00 rev.SB2OC74P
Running: gmer.exe; Driver: C:\DOCUME~1\STACYS~1\LOCALS~1\Temp\kgtyapow.sys


---- System - GMER 1.0.15 ----

SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwCreateKey [0xF80FA290]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF82A1C0C]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF82A1ED4]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteKey [0xF80FA500]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteValueKey [0xF80FA5C0]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwOpenKey [0xF80FA130]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF82D3E16]
SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwSetValueKey [0xF80FA7C0]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA0E8640]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)

Device \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
Device \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
Device \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
Device \Driver\Tcpip \Device\IPMULTICAST pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----
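The DDS log above is long, and two things in it are what a responder would pull out first: the "Pseudo HJT Report" entries whose CLSID points at "No File" (leftovers of removed software that can mask an incomplete removal), and the running-process list, where a file called EXPLORER.EXE running from a temp RARSFX folder is what SUPERAntiSpyware flagged. The script below is an added triage helper written for this page; it is not part of the thread, of DDS, or of any BleepingComputer tool. It parses the two DDS sections from constructed sample lines modelled on the posted log, and the `EXPECTED_LOCATIONS` table of where Windows XP system binaries normally live is an assumption of this example, not something DDS provides.

```python
import re
from collections import namedtuple

# Constructed sample lines modelled on the "Pseudo HJT Report" section of the
# DDS log in the thread (paths copied from the posted log; not a full log).
SAMPLE_HJT = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: RewardsArcadeSuite: {b6ef6c45-5e8d-4c3b-b580-a5073261a381} - c:\program files\rewardsarcadesuite\RewardsArcadeSuite.dll
TB: {E19E589B-749F-4641-9ED3-032DEB7A8D92} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uURLSearchHooks: NetAssistant: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\netassistant\NetAssistant.dll
"""

# Constructed sample lines modelled on the "Running Processes" section; the
# user name in the temp path is a placeholder, not the one from the thread.
SAMPLE_PROCESSES = r"""
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\explorer.exe
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\RARSFX0\PROCS\EXPLORER.EXE
C:\WINDOWS\system32\ctfmon.exe
"""

Entry = namedtuple("Entry", "kind name clsid path")

HJT_ENTRY = re.compile(
    r"^(?P<kind>BHO|TB|[um]URLSearchHooks): "   # entry type as DDS prints it
    r"(?:(?P<name>.+?): )?"                      # display name is absent for orphans
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)


def parse_hjt_report(lines):
    """Turn BHO/TB/URLSearchHook lines into Entry tuples; other lines are ignored."""
    entries = []
    for line in lines:
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["name"], m["clsid"], m["path"]))
    return entries


def orphaned_entries(entries):
    """Registered CLSIDs whose DLL is gone ("No File"). Usually harmless
    leftovers, but worth listing: the removal that left them may be incomplete."""
    return [e for e in entries if e.path == "No File"]


# Assumed table for this example: where the listed Windows XP system binaries
# are expected to run from (lower-case, compared after normalisation).
EXPECTED_LOCATIONS = {
    "explorer.exe": {r"c:\windows\explorer.exe"},
    "svchost.exe": {r"c:\windows\system32\svchost.exe"},
    "winlogon.exe": {r"c:\windows\system32\winlogon.exe"},
}


def misplaced_system_binaries(process_lines):
    """Return running-process paths whose file name matches a system binary
    but whose directory is not the expected one, e.g. an EXPLORER.EXE under a
    temp RARSFX folder like the one SUPERAntiSpyware flagged in the thread."""
    flagged = []
    for line in process_lines:
        # DDS prints "path -args"; cut the arguments off at the first " -".
        command = line.strip().lower().split(" -", 1)[0]
        if "\\" not in command:
            continue  # bare names like "svchost.exe" carry no path to judge
        if not command.endswith(".exe"):
            command += ".exe"  # DDS sometimes drops the extension ("svchost -k ...")
        basename = command.rsplit("\\", 1)[-1]
        expected = EXPECTED_LOCATIONS.get(basename)
        if expected is not None and command not in expected:
            flagged.append(command)
    return flagged


if __name__ == "__main__":
    for e in orphaned_entries(parse_hjt_report(SAMPLE_HJT.splitlines())):
        print(f"orphaned {e.kind}: {e.clsid}")
    for p in misplaced_system_binaries(SAMPLE_PROCESSES.splitlines()):
        print(f"system binary outside its expected location: {p}")
```

Run against a real DDS log, feed the whole file's lines to both functions; the HJT regex skips everything that is not a BHO, TB or URLSearchHook entry, and the process check only judges lines that carry a full path. A match from `misplaced_system_binaries` is a lead, not a verdict: the file still has to be looked at (hash, signature, creation time), which is exactly why the helpers return data rather than deleting anything.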


#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,917 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:50 AM

Posted 04 February 2012 - 08:32 AM

Hello, my name is Elise and I'll assist you with this issue.

First of all I recommend that you uninstall ThreatFire and PC Tools Spyware Doctor. Both are legit programs, but it is not uncommon for them to cause problems. I recommend installing a free antivirus like Avast, Avira or Microsoft Security Essentials instead.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,917 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:50 AM

Posted 25 February 2012 - 11:44 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise






