
Windows 7 blue screens when booting in normal mode


This topic is locked
1 reply to this topic

#1 MBrown3

  • Members
  • 2 posts
  • OFFLINE
  • Gender:Male
  • Location:Massachusetts, USA
  • Local time:02:17 AM

Posted 19 July 2012 - 10:58 AM

This computer goes to a BSOD whenever booting into normal mode. Booting to safe mode avoids this problem. It's a Windows 7 Pro 32-bit system. I've scanned with Malwarebytes and Avast! anti-virus but even after cleaning the "infected" files and registry entries the problem persists.

I've followed the recommended steps and the requested logs follow:

DDS Log
***********************************
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 9.0.8112.16421
Run by Mara at 11:06:51 on 2012-07-19
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3062.2582 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://forum.posepro.net/index.php?topic=15081.0
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - c:\program files\somototoolbar\vmntemplateX.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: Somoto Toolbar: {652853ad-5592-4231-88c6-706613a52e61} - c:\program files\somototoolbar\vmntemplateX.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\users\mara\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Deployment] rundll32.exe "c:\users\mara\appdata\local\google\deployment\eryjskxyq.dll",CreateInstance
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_3_300_257_ActiveX.exe -update activex
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Free YouTube to iPod Converter - c:\users\mara\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetoipodconverter.htm
DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} - hxxp://esupport.sony.com/VaioInfo.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2E159025-7D40-4BF4-8749-ED43E312AE3E} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2E159025-7D40-4BF4-8749-ED43E312AE3E}\1436365637370205162747E6562737D27657563747 : DhcpNameServer = 10.1.10.1
TCP: Interfaces\{2E159025-7D40-4BF4-8749-ED43E312AE3E}\35452594055425 : DhcpNameServer = 192.168.1.1 71.243.0.12
TCP: Interfaces\{2E159025-7D40-4BF4-8749-ED43E312AE3E}\4656661657C647 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{2E159025-7D40-4BF4-8749-ED43E312AE3E}\7586964756020516E64616D27657563747 : DhcpNameServer = 68.87.66.246 68.87.64.242 192.168.33.1
TCP: Interfaces\{2E159025-7D40-4BF4-8749-ED43E312AE3E}\95F657E676D4F6F63756D27657563747 : DhcpNameServer = 68.87.71.226 68.87.73.242
TCP: Interfaces\{2E159025-7D40-4BF4-8749-ED43E312AE3E}\D41636167237D27657563747 : DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.33.1
TCP: Interfaces\{3BE2ABA5-BB5C-46C4-948C-FA915E4CA962} : DhcpNameServer = 192.168.1.1 71.243.0.12
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2010-7-25 9344]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2007-8-3 14720]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-9-17 612184]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-9-17 337880]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-9-17 20696]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-9-17 57688]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-6-15 44768]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FlipShareServer;FlipShare Server;c:\program files\flip video\flipshareserver\FlipShareServer.exe [2011-5-6 1085440]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-6-15 136176]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2009-6-26 362992]
S2 SampleCollector;VAIO Care Performance Service;c:\program files\sony\vaio care\VCPerfService.exe [2011-8-7 187792]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
S2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-8-19 450848]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-6-15 136176]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-7-18 113120]
S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\drivers\R5U870FLx86.sys [2011-8-7 75392]
S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\drivers\R5U870FUx86.sys [2011-8-7 43904]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2009-6-26 313840]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2011-8-7 812544]
S3 VUAgent;VUAgent;c:\program files\sony\vaio update common\VUAgent.exe [2011-10-27 1086568]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-8-7 1343400]
.
=============== Created Last 30 ================
.
2012-07-19 15:05:05 -------- d-----w- C:\SecurityTools
2012-07-19 14:17:05 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{39566c9a-47e5-4e7f-988a-04367cface15}\offreg.dll
2012-07-19 01:05:20 -------- d-----w- C:\Sophos
2012-07-19 00:45:42 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{39566c9a-47e5-4e7f-988a-04367cface15}\mpengine.dll
2012-06-22 00:35:48 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M ====================
.
2012-06-22 00:35:48 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-15 01:12:09 2342400 ----a-w- c:\windows\system32\win32k.sys
2012-05-02 04:52:09 163328 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 03:19:47 177152 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 04:48:52 57856 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 04:48:52 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 04:43:14 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-04-24 04:47:04 139264 ----a-w- c:\windows\system32\cryptsvc.dll
2012-04-24 04:47:04 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-04-24 04:47:03 1156608 ----a-w- c:\windows\system32\crypt32.dll
.
============= FINISH: 11:08:44.40 ===============


GMER Log
********************************************
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-19 11:45:06
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdePort2 ST9320423AS rev.0002SDM1
Running: 5kfkoi8g.exe; Driver: C:\Users\Mara\AppData\Local\Temp\kxdiipog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackTransaction + 13E9 81E53599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81E78092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? C:\Users\Mara\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtWriteFile 775F5B50 5 Bytes JMP 00013E2E
.text C:\Windows\system32\svchost.exe[800] kernel32.dll!SetUnhandledExceptionFilter 769430E2 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Windows\system32\svchost.exe[800] USER32.dll!GetCursorPos 7736C198 5 Bytes JMP 0001477D
.text C:\Windows\system32\svchost.exe[800] USER32.dll!GetForegroundWindow 7737565D 5 Bytes JMP 0001482C
.text C:\Windows\system32\svchost.exe[800] USER32.dll!IsWindowVisible 77376939 5 Bytes JMP 00014853
.text C:\Windows\system32\svchost.exe[800] USER32.dll!WindowFromPoint 77396D0C 5 Bytes JMP 000147CC
.text C:\Windows\system32\svchost.exe[800] USER32.dll!MessageBoxIndirectW 773BE9C3 6 Bytes [33, C0, 40, C2, 04, 00] {XOR EAX, EAX; INC EAX; RET 0x4}
.text C:\Windows\system32\svchost.exe[800] WS2_32.dll!GetAddrInfoW 775160F5 5 Bytes JMP 00014719
.text C:\Windows\system32\svchost.exe[800] ole32.dll!CoGetClassObject 76A0A394 5 Bytes JMP 00014887
.text C:\Windows\system32\svchost.exe[800] ole32.dll!CoCreateInstance 76A2590C 5 Bytes JMP 000148B1

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e3da87bb3
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e3da87bb3 (not active ControlSet)
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Mara\AppData\Local\Logitech\xae Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----



Any help will be greatly appreciated!
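The entry worth a second look in the DDS log above is the user Run value that starts rundll32 on a randomly named DLL under the profile's AppData tree. The following triage script is an added example, not part of the original post or of the DDS tool: it parses the uRun/mRun lines of a DDS "Pseudo HJT Report" and flags that pattern. The regexes, the vowel-ratio heuristic and the sample excerpt are constructed for illustration.

```python
"""Triage the Run/RunOnce entries of a DDS 'Pseudo HJT Report' (added example)."""
import re
from pathlib import PureWindowsPath

# One entry per line: "<hive>Run: [<name>] <command>"; hive u = user hive, m = machine hive.
RUN_LINE = re.compile(
    r"^(?P<hive>[um])(?P<key>Run(?:Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)
# rundll32 invocations: the first argument is the DLL, optionally quoted, then ",Export".
RUNDLL32 = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
VOWELS = set("aeiou")

# Constructed excerpt modelled on the log in the post (not the full log).
SAMPLE_DDS = r"""
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
uRun: [Google Update] "c:\users\mara\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Deployment] rundll32.exe "c:\users\mara\appdata\local\google\deployment\eryjskxyq.dll",CreateInstance
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_3_300_257_ActiveX.exe -update activex
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [<NO NAME>]
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
"""


def parse_run_entries(dds_text):
    """Return one dict per uRun/mRun/uRunOnce/mRunOnce line; other lines are ignored."""
    entries = []
    for line in dds_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries.append({
                "hive": "user" if m["hive"] == "u" else "machine",
                "key": m["key"],
                "name": m["name"],
                "cmd": m["cmd"].strip(),   # empty for entries such as [<NO NAME>]
            })
    return entries


def looks_random(stem):
    """Crude keyboard-mash test: 8 or more letters with fewer than 25% vowels."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.25


def suspicious_reasons(entry):
    """Reasons an entry deserves a closer look; an empty list means nothing matched."""
    reasons = []
    cmd = entry["cmd"]
    if not cmd:
        return reasons
    m = RUNDLL32.search(cmd)
    if m:
        dll = PureWindowsPath(m["dll"])
        parts = [p.lower() for p in dll.parts]
        if "appdata" in parts:
            reasons.append("rundll32 loads a DLL from a user profile (AppData) path")
        if looks_random(dll.stem):
            reasons.append(f"DLL name '{dll.name}' looks randomly generated")
    return reasons


def triage(dds_text):
    """Map entry name -> reasons for every Run entry that tripped a heuristic."""
    flagged = {}
    for entry in parse_run_entries(dds_text):
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_DDS).items():
        print(name, "->", "; ".join(reasons))
```

Only the "Deployment" entry is flagged on the sample; the legitimate GoogleUpdate.exe entry also lives under AppData but is not started through rundll32 and keeps its ordinary name, which is why the two heuristics are combined rather than applied on their own.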


#2 MBrown3

  • Topic Starter
  • Members
  • 2 posts
  • OFFLINE
  • Gender:Male
  • Location:Massachusetts, USA
  • Local time:02:17 AM

Posted 20 July 2012 - 11:14 AM

I've resolved my problem.

After a number of attempts I finally found that by running msconfig and selecting "diagnostic startup" I was able to get into Windows in normal mode and could then run "TDSSkiller", which found and removed the rootkit. I then changed the Windows boot setting back to normal startup and am now running full scans with Malwarebytes and Avast! to make sure that nothing's left behind.
