Computer shuts down doing scan


  • This topic is locked
24 replies to this topic

#1 Steven W

  • Members
  • 16 posts

Posted 06 August 2012 - 03:24 PM

I was told to open a post here by boopme from the Am I Infected forum. Topic referenced is here: http://www.bleepingcomputer.com/forums/topic463610.html ~ OB
My wife clicked on a link that downloaded a trojan onto the computer. MBAM found infections and quarantined them, and I deleted them, but during AVG scans the computer shut down. The Kaspersky free virus scan shut down the computer too.
SUPERAntiSpyware also shut it down while doing full scans in regular and safe modes.
I uninstalled all of those except MBAM and downloaded Microsoft Security Essentials; it also shut down the system.

boopme had me run TDSSKiller and ESET. ESET found infections and I posted both of those logs. I can now run a full scan with Essentials, but an MSERT scan shuts down the system.
Here are the logs this forum's guidelines requested.
DDS
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_33
Run by LINDA at 14:48:31 on 2012-08-06
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2039.1088 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\dlbkcoms.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_270_ActiveX.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://aol.com/
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
TB: {CCE665DD-F6DD-4808-968E-EAEC971F70EF} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [<NO NAME>]
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctMTM4NzkxNTg4My1LVjMrNy1UNC1GUDkrNi1CQVI5RysxLVRCOSsyLUZMKzktUUlYMSs0LVgyMDEwKzItRjEwTSs1LUYxME0xMEQrMS1MSUMrNy1GTDEwKzEtU1AxKzEtU1AxVEIrMS1TVVArNC1TUDFTMisxLVNUMTJGT0krMS1ERFQrODk0MQ"&"prod=90"&"ver=10.0.1424
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} - hxxp://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.200.1
TCP: Interfaces\{8B7E12F4-8CFA-4480-ADFB-B5EA4C9D9279} : DhcpNameServer = 192.168.200.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\linda\appdata\roaming\mozilla\firefox\profiles\vdedvxws.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3198785&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\users\linda\appdata\roaming\mozilla\firefox\profiles\vdedvxws.default\extensions\{cce665dd-f6dd-4808-968e-eaec971f70ef}\plugins\np-mswmp.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_270.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R1 MpKsl0c1a3a20;MpKsl0c1a3a20;c:\programdata\microsoft\microsoft antimalware\definition updates\{5b476c21-f26f-47b4-8bca-79b6f09d5332}\MpKsl0c1a3a20.sys [2012-8-5 29904]
R2 dlbk_device;dlbk_device;c:\windows\system32\dlbkcoms.exe -service --> c:\windows\system32\dlbkcoms.exe -service [?]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-8-2 21504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-16 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-08-05 22:00:48 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{5b476c21-f26f-47b4-8bca-79b6f09d5332}\offreg.dll
2012-08-05 22:00:48 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{5b476c21-f26f-47b4-8bca-79b6f09d5332}\MpKsl0c1a3a20.sys
2012-08-05 21:51:34 -------- d-----w- c:\windows\system32\Lang
2012-08-05 21:51:18 -------- d-----w- C:\Intel
2012-08-05 20:42:40 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{5b476c21-f26f-47b4-8bca-79b6f09d5332}\mpengine.dll
2012-08-05 10:00:45 -------- d-----w- C:\tdsskiller
2012-08-04 20:18:47 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-08-01 11:58:25 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{6ebd2f58-695b-4d90-b8f2-a819e784c3db}\gapaengine.dll
2012-08-01 11:52:27 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-01 11:52:02 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-01 11:23:05 476976 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-07-31 12:34:52 -------- d-----w- c:\users\linda\appdata\roaming\Symantec
2012-07-29 00:33:59 -------- d-----w- c:\users\linda\appdata\local\Symantec_Corporation
2012-07-28 22:26:02 15664 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-07-28 22:26:02 109360 ----a-w- c:\windows\system32\GEARAspi.dll
2012-07-28 22:26:01 14072 ----a-w- c:\windows\system32\drivers\vproeventmonitor.sys
2012-07-28 22:26:01 128104 ----a-w- c:\windows\system32\drivers\WimFltr.sys
2012-07-28 22:25:59 37864 ----a-w- c:\windows\system32\drivers\v2imount.sys
2012-07-28 22:25:56 131944 ----a-w- c:\windows\system32\drivers\symsnap.sys
2012-07-28 22:25:26 -------- d-----w- c:\program files\bn
2012-07-28 22:18:02 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2012-07-28 22:18:02 -------- d-----w- c:\programdata\Symantec
2012-07-28 22:18:02 -------- d-----w- c:\program files\common files\Symantec Shared
2012-07-27 20:00:29 -------- d-----w- c:\users\linda\appdata\roaming\SUPERAntiSpyware.com
2012-07-27 20:00:15 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-07-27 19:59:07 -------- d-----w- c:\program files\Conduit
2012-07-27 19:58:41 -------- d-----w- c:\users\linda\appdata\local\Conduit
2012-07-27 09:41:03 -------- d-----w- c:\programdata\AVG2012
2012-07-27 08:14:45 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{77e9f6df-c609-4d99-8b17-642779cde12c}\offreg.dll
2012-07-26 21:38:43 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{77e9f6df-c609-4d99-8b17-642779cde12c}\mpengine.dll
2012-07-26 13:24:02 -------- d-----w- c:\programdata\036E18F8004CBF00184880502F3B707C
2012-07-12 12:55:56 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-12 12:40:17 -------- d-----w- C:\d378e8d194b2dbc2e270b94d
2012-07-11 13:09:11 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
2012-07-11 13:09:03 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 13:09:02 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 13:08:10 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 13:08:10 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-11 13:08:09 278528 ----a-w- c:\windows\system32\schannel.dll
.
==================== Find3M ====================
.
2012-08-03 16:58:18 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-03 16:58:17 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-01 11:22:48 472880 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 14:49:39.13 ===============

Attach is attached.
GMER
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-06 16:09:59
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_SP1644N rev.BV900-43
Running: gmer.exe; Driver: C:\Users\LINDA\AppData\Local\Temp\ugloapob.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\Users\LINDA\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[288] ntdll.dll!LdrLoadDll 77869378 5 Bytes JMP 68085B60 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[796] USER32.dll!GetWindowInfo 7732428E 5 Bytes JMP 68200924 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[796] USER32.dll!TrackPopupMenu 773314F3 5 Bytes JMP 68200ECF C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtCreateFile + 6 778A424A 4 Bytes [28, 00, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtCreateFile + B 778A424F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtCreateKey + 6 778A428A 4 Bytes [68, 01, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtCreateKey + B 778A428F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtCreateMutant + 6 778A42BA 4 Bytes [28, 02, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtCreateMutant + B 778A42BF 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtCreateSection + 6 778A433A 4 Bytes [68, 02, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtCreateSection + B 778A433F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtMapViewOfSection + 6 778A499A 4 Bytes [A8, 04, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtMapViewOfSection + B 778A499F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenFile + 6 778A4A2A 4 Bytes [68, 00, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenFile + B 778A4A2F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenKey + 6 778A4A5A 4 Bytes [A8, 01, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenKey + B 778A4A5F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenMutant + 6 778A4A7A 4 Bytes CALL 768A5080 C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenMutant + B 778A4A7F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenProcess + 6 778A4AAA 1 Byte [28]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenProcess + 6 778A4AAA 4 Bytes [28, 03, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenProcess + B 778A4AAF 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenProcessToken + 6 778A4ABA 1 Byte [68]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenProcessToken + 6 778A4ABA 4 Bytes [68, 03, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenProcessToken + B 778A4ABF 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenProcessTokenEx + 6 778A4ACA 4 Bytes [28, 04, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenProcessTokenEx + B 778A4ACF 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenSection + 6 778A4ADA 4 Bytes [A8, 02, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenSection + B 778A4ADF 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenThread + 6 778A4B1A 4 Bytes CALL 768A5121 C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenThread + B 778A4B1F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenThreadToken + 6 778A4B2A 1 Byte [E8]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenThreadToken + 6 778A4B2A 4 Bytes CALL 768A5132 C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenThreadToken + B 778A4B2F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenThreadTokenEx + 6 778A4B3A 4 Bytes [68, 04, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtOpenThreadTokenEx + B 778A4B3F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtQueryAttributesFile + 6 778A4BCA 4 Bytes [A8, 00, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtQueryAttributesFile + B 778A4BCF 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtQueryFullAttributesFile + 6 778A4C7A 4 Bytes CALL 768A527F C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtQueryFullAttributesFile + B 778A4C7F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtSetInformationFile + 6 778A515A 4 Bytes [28, 01, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtSetInformationFile + B 778A515F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtSetInformationThread + 6 778A51AA 1 Byte [A8]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtSetInformationThread + 6 778A51AA 4 Bytes [A8, 03, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtSetInformationThread + B 778A51AF 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtUnmapViewOfSection + 6 778A544A 4 Bytes CALL 768A5A53 C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ntdll.dll!NtUnmapViewOfSection + B 778A544F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] kernel32.dll!CreateProcessW 760F1BF3 5 Bytes JMP 000100B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] kernel32.dll!CreateProcessA 760F1C28 5 Bytes JMP 000100F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] kernel32.dll!OpenEventW 7610C033 5 Bytes JMP 00010070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] kernel32.dll!CreateEventW 7613B87E 5 Bytes JMP 00010030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!DeleteObject 75F15A37 5 Bytes JMP 000801B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!GetDeviceCaps 75F1617F 5 Bytes JMP 000803B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!SelectObject 75F162A0 5 Bytes JMP 000805F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!SetTextColor 75F1666B 5 Bytes JMP 000809F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!SetBkMode 75F16716 5 Bytes JMP 000808B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!DeleteDC 75F168CD 5 Bytes JMP 00080170
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!GetCurrentObject 75F16B58 5 Bytes JMP 00080370
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!SetStretchBltMode 75F17206 5 Bytes JMP 00080670
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!SaveDC 75F175BA 5 Bytes JMP 00080570
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!RestoreDC 75F17675 5 Bytes JMP 00080530
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!StretchDIBits 75F178CF 5 Bytes JMP 00080730
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!ExtSelectClipRgn 75F179F8 5 Bytes JMP 000802F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!SelectClipRgn 75F17AF9 5 Bytes JMP 000805B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!MoveToEx 75F17C33 5 Bytes JMP 00080470
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!Rectangle 75F17EA9 5 Bytes JMP 00080970
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!GetTextAlign 75F182E0 5 Bytes JMP 00080D30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!SetTextAlign 75F185CB 5 Bytes JMP 000809B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!ExtTextOutW 75F1872B 5 Bytes JMP 00080930
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!GetTextMetricsW 75F18A81 5 Bytes JMP 00080DF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!IntersectClipRect 75F18B64 5 Bytes JMP 000803F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!GetClipBox 75F19071 5 Bytes JMP 00080330
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!SetICMMode 75F194E7 5 Bytes JMP 00080D70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!CreateDCW 75F1A91D 5 Bytes JMP 000800F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!CreateDCA 75F1AA49 5 Bytes JMP 000800B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!CreateICW 75F1B2E9 5 Bytes JMP 00080130
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!GetTextFaceW 75F1B637 5 Bytes JMP 00080CF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!GetFontData 75F1BA6C 5 Bytes JMP 00080C30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!GetTextExtentPoint32W 75F1C01A 5 Bytes JMP 00080630
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!SetWorldTransform 75F1C46A 5 Bytes JMP 000806B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!LineTo 75F1C65E 5 Bytes JMP 00080430
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!GetTextMetricsA 75F1CCEB 5 Bytes JMP 00080DB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!ExtTextOutA 75F200A5 5 Bytes JMP 000808F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!ExtEscape 75F222A7 5 Bytes JMP 000802B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!Escape 75F227F1 5 Bytes JMP 00080270
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!ResetDCW 75F23132 5 Bytes JMP 00080A70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!EndPage 75F2375E 5 Bytes JMP 00080230
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!SetPolyFillMode 75F261D3 5 Bytes JMP 00080AF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!SetMiterLimit 75F262E2 5 Bytes JMP 00080B30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!GetTextFaceA 75F2F4C5 5 Bytes JMP 00080CB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!GetGlyphOutlineW 75F3A41F 5 Bytes JMP 00080C70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!CreateScalableFontResourceW 75F3C88B 5 Bytes JMP 00080B70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!AddFontResourceW 75F3CC93 5 Bytes JMP 00080BB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!RemoveFontResourceW 75F3D129 5 Bytes JMP 00080BF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!AbortDoc 75F42CC4 5 Bytes JMP 00080030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!EndDoc 75F430D8 5 Bytes JMP 000801F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!StartPage 75F431C3 5 Bytes JMP 000806F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!StartDocW 75F43CA7 5 Bytes JMP 000807B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!BeginPath 75F44465 5 Bytes JMP 000807F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!SelectClipPath 75F444BC 5 Bytes JMP 00080AB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!CloseFigure 75F44517 5 Bytes JMP 00080070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!EndPath 75F4456E 5 Bytes JMP 00080A30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!StrokePath 75F447A0 5 Bytes JMP 00080770
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!FillPath 75F4482C 1 Byte [E9]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!FillPath 75F4482C 5 Bytes JMP 00080830
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!PolylineTo 75F44C95 5 Bytes JMP 000804F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!PolyBezierTo 75F44D25 5 Bytes JMP 000804B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] GDI32.dll!PolyDraw 75F44DD6 5 Bytes JMP 00080870
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!SetCursor 7731D37D 5 Bytes JMP 00090530
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!RegisterClipboardFormatW 7731D6AC 1 Byte [E9]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!RegisterClipboardFormatW 7731D6AC 5 Bytes JMP 000902B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!ActivateKeyboardLayout 7732478C 5 Bytes JMP 000904F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!IsWindowVisible 7732878A 7 Bytes JMP 000906B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!MonitorFromWindow 773288D4 7 Bytes JMP 00090630
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!ScreenToClient 77328C56 7 Bytes JMP 00090670
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!GetClientRect 77328F0D 7 Bytes JMP 000905B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!GetParent 773290AA 7 Bytes JMP 000906F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!RegisterClipboardFormatA 7732A111 5 Bytes JMP 000902F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!PostMessageW 7732A175 5 Bytes JMP 000905F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!MapWindowPoints 7732A30D 5 Bytes JMP 00090570
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!GetClipboardFormatNameA 7732A552 5 Bytes JMP 00090270
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!GetOpenClipboardWindow 773326A6 5 Bytes JMP 000903F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!SetClipboardViewer 7733BA2D 5 Bytes JMP 000904B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!IsClipboardFormatAvailable 7733C2E3 5 Bytes JMP 000900F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!CloseClipboard 7733C2F7 5 Bytes JMP 000900B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!OpenClipboard 7733C31D 5 Bytes JMP 00090070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!GetTopWindow 7733CE0A 7 Bytes JMP 00090730
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!GetClipboardSequenceNumber 7733D8B7 5 Bytes JMP 00090330
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!ChangeClipboardChain 7733DF83 5 Bytes JMP 00090430
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!CountClipboardFormats 77340048 5 Bytes JMP 000901F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!GetClipboardOwner 773426EF 5 Bytes JMP 00090370
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!SetClipboardData 77356410 5 Bytes JMP 00090170
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!EnumClipboardFormats 77356D16 5 Bytes JMP 000901B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!SetCursorPos 77356FB2 5 Bytes JMP 00090770
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!GetClipboardData 7735715A 5 Bytes JMP 00090030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!GetClipboardFormatNameW 7735A99F 5 Bytes JMP 00090230
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!EmptyClipboard 7737398B 5 Bytes JMP 00090130
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!GetClipboardViewer 773739ED 5 Bytes JMP 00090470
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] USER32.dll!GetPriorityClipboardFormat 77373AEF 5 Bytes JMP 000903B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ole32.dll!OleGetClipboard 775A74C9 5 Bytes JMP 000E00B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ole32.dll!OleSetClipboard 775D11E3 5 Bytes JMP 000E0030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] ole32.dll!OleIsCurrentClipboard 775DA8F9 5 Bytes JMP 000E0070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] Secur32.dll!FreeContextBuffer 75D92D83 5 Bytes JMP 002800F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] Secur32.dll!DeleteSecurityContext 75D92F18 5 Bytes JMP 00280270
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] Secur32.dll!FreeCredentialsHandle 75D93598 5 Bytes JMP 00280130
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] Secur32.dll!EncryptMessage 75D93745 5 Bytes JMP 002801F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] Secur32.dll!DecryptMessage 75D93813 5 Bytes JMP 00280230
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] Secur32.dll!InitializeSecurityContextA 75D987DF 5 Bytes JMP 00280170
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] Secur32.dll!AcquireCredentialsHandleA 75D98A43 5 Bytes JMP 00280030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] Secur32.dll!QueryContextAttributesA 75D98E77 5 Bytes JMP 00280070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] Secur32.dll!ApplyControlToken 75D9DE4F 5 Bytes JMP 002801B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe[2144] Secur32.dll!QueryCredentialsAttributesA 75D9E052 5 Bytes JMP 002800B0

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

---- EOF - GMER 1.0.15 ----

Thanks for any help!

Edited by Orange Blossom, 09 August 2012 - 03:38 PM.



#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,744 posts
  • Gender:Male

Posted 11 August 2012 - 03:25 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/464126 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Steven W
  • Topic Starter
  • Members
  • 16 posts

Posted 14 August 2012 - 01:04 PM

I was told by boopme, from the Am I Infected forum, to open a post here. Topic referenced is here: http://www.bleepingcomputer.com/forums/topic463610.html ~ OB
Wife clicked on a link that downloaded a trojan onto the computer. mbam found infections and quarantined them, and I deleted them, but during AVG scans the puter shut down. Kaspersky free virus scan shut down the comp too.
Super antivirus also shut it down doing full scans in regular and safe modes.
I uninstalled all those except mbam and downloaded MS Essentials; it also shut down the system.

boopme had me run tdsskiller and run ESET. ESET found infections and I posted both those logs. I can now run a full scan with Essentials, but the Msert scan shuts down the system.

DDS

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_33
Run by LINDA at 11:33:51 on 2012-08-14
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2039.1291 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\dlbkcoms.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://aol.com/
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
TB: {CCE665DD-F6DD-4808-968E-EAEC971F70EF} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [<NO NAME>]
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctMTM4NzkxNTg4My1LVjMrNy1UNC1GUDkrNi1CQVI5RysxLVRCOSsyLUZMKzktUUlYMSs0LVgyMDEwKzItRjEwTSs1LUYxME0xMEQrMS1MSUMrNy1GTDEwKzEtU1AxKzEtU1AxVEIrMS1TVVArNC1TUDFTMisxLVNUMTJGT0krMS1ERFQrODk0MQ"&"prod=90"&"ver=10.0.1424
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} - hxxp://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.200.1
TCP: Interfaces\{8B7E12F4-8CFA-4480-ADFB-B5EA4C9D9279} : DhcpNameServer = 192.168.200.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\linda\appdata\roaming\mozilla\firefox\profiles\vdedvxws.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3198785&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\users\linda\appdata\roaming\mozilla\firefox\profiles\vdedvxws.default\extensions\{cce665dd-f6dd-4808-968e-eaec971f70ef}\plugins\np-mswmp.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_270.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R2 dlbk_device;dlbk_device;c:\windows\system32\dlbkcoms.exe -service --> c:\windows\system32\dlbkcoms.exe -service [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-8-2 21504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-16 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-08-13 14:47:21 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{c354ace0-60cc-4689-aecf-644f9f7e109d}\offreg.dll
2012-08-13 14:44:49 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{c354ace0-60cc-4689-aecf-644f9f7e109d}\mpengine.dll
2012-08-12 20:22:54 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-08-05 21:51:34 -------- d-----w- c:\windows\system32\Lang
2012-08-05 21:51:18 -------- d-----w- C:\Intel
2012-08-05 10:00:45 -------- d-----w- C:\tdsskiller
2012-08-01 11:58:25 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{6ebd2f58-695b-4d90-b8f2-a819e784c3db}\gapaengine.dll
2012-08-01 11:52:27 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-01 11:52:02 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-01 11:23:05 476976 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-07-31 12:34:52 -------- d-----w- c:\users\linda\appdata\roaming\Symantec
2012-07-29 00:33:59 -------- d-----w- c:\users\linda\appdata\local\Symantec_Corporation
2012-07-28 22:26:02 15664 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-07-28 22:26:02 109360 ----a-w- c:\windows\system32\GEARAspi.dll
2012-07-28 22:26:01 14072 ----a-w- c:\windows\system32\drivers\vproeventmonitor.sys
2012-07-28 22:26:01 128104 ----a-w- c:\windows\system32\drivers\WimFltr.sys
2012-07-28 22:25:59 37864 ----a-w- c:\windows\system32\drivers\v2imount.sys
2012-07-28 22:25:56 131944 ----a-w- c:\windows\system32\drivers\symsnap.sys
2012-07-28 22:25:26 -------- d-----w- c:\program files\bn
2012-07-28 22:18:02 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2012-07-28 22:18:02 -------- d-----w- c:\programdata\Symantec
2012-07-28 22:18:02 -------- d-----w- c:\program files\common files\Symantec Shared
2012-07-27 20:00:29 -------- d-----w- c:\users\linda\appdata\roaming\SUPERAntiSpyware.com
2012-07-27 20:00:15 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-07-27 19:59:07 -------- d-----w- c:\program files\Conduit
2012-07-27 19:58:41 -------- d-----w- c:\users\linda\appdata\local\Conduit
2012-07-27 09:41:03 -------- d-----w- c:\programdata\AVG2012
2012-07-27 08:14:45 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{77e9f6df-c609-4d99-8b17-642779cde12c}\offreg.dll
2012-07-26 21:38:43 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{77e9f6df-c609-4d99-8b17-642779cde12c}\mpengine.dll
2012-07-26 13:24:02 -------- d-----w- c:\programdata\036E18F8004CBF00184880502F3B707C
.
==================== Find3M ====================
.
2012-08-03 16:58:18 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-03 16:58:17 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-01 11:22:48 472880 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:40:21 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 16:47:28 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:47:27 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:26:04 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 00:04:25 278528 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:03:42 204288 ----a-w- c:\windows\system32\ncrypt.dll
.
============= FINISH: 11:36:34.61 ===============

gmer

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-14 14:00:22
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-1 SAMSUNG_SP1644N rev.BV900-43
Running: gmer.exe; Driver: C:\Users\LINDA\AppData\Local\Temp\ugloapob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

---- EOF - GMER 1.0.15 ----

#4 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,769 posts
  • Gender:Male
  • Location:California

Posted 14 August 2012 - 10:34 PM

Greetings Steven W and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. :thumbup2:


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Please allow me some time to review the information you have provided. I will post back as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,769 posts
  • Gender:Male
  • Location:California

Posted 15 August 2012 - 09:49 AM

Greetings Steve W,

Thank you for patiently waiting for me to review both posts. Let's start with the below step then we can re-evaluate where we are at based on the results.


===================================================


Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.

  • Please download ComboFix from one of these locations:

    BleepingComputer

    ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.

    Note #1: Often times it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.

    • Check your computer clock. If it is still running then so is ComboFix
    • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
    • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
    Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Combofix.txt
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 Steven W
  • Topic Starter
  • Members
  • 16 posts

Posted 15 August 2012 - 04:19 PM

Combo fix log:

ComboFix 12-08-15.01 - LINDA 08/15/2012 16:22:59.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2039.1129 [GMT -4:00]
Running from: c:\users\LINDA\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Blinkx
c:\program files\Blinkx\blinkx.ico
c:\program files\Blinkx\blinkxss.exe
c:\program files\Blinkx\blinkxstop.exe
c:\program files\Blinkx\lang.dll
c:\program files\Blinkx\templates\beat.ico
c:\program files\Blinkx\templates\index.html
c:\program files\Blinkx\templates\noflash.html
c:\program files\Blinkx\templates\offline.html
c:\program files\Blinkx\templates\offline.swf
c:\program files\Blinkx\templates\uninstall.exe
c:\program files\SelectRebates
c:\program files\SelectRebates\SelectRebatesDownload.exe
c:\users\LINDA\AppData\Local\{7A68A66F-1068-43FD-A8ED-921C124322D7}
c:\users\LINDA\AppData\Local\{7A68A66F-1068-43FD-A8ED-921C124322D7}\chrome.manifest
c:\users\LINDA\AppData\Local\{7A68A66F-1068-43FD-A8ED-921C124322D7}\chrome\content\overlay.xul
c:\users\LINDA\AppData\Local\{7A68A66F-1068-43FD-A8ED-921C124322D7}\install.rdf
c:\users\LINDA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-07-15 to 2012-08-15 )))))))))))))))))))))))))))))))
.
.
2012-08-15 20:31 . 2012-08-15 20:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-15 18:10 . 2012-07-16 06:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8A597B47-5EFB-4871-9518-D7022054E544}\mpengine.dll
2012-08-14 16:00 . 2012-07-16 06:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-05 21:51 . 2012-08-05 21:51 -------- d-----w- c:\windows\system32\Lang
2012-08-05 21:51 . 2012-08-05 21:55 -------- d-----w- C:\Intel
2012-08-05 10:00 . 2012-08-05 10:01 -------- d-----w- C:\tdsskiller
2012-08-01 11:58 . 2012-02-09 18:17 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6EBD2F58-695B-4D90-B8F2-A819E784C3DB}\gapaengine.dll
2012-08-01 11:52 . 2012-08-01 11:52 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-01 11:52 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-01 11:24 . 2012-08-01 11:24 -------- d-----w- c:\program files\Common Files\Java
2012-08-01 11:23 . 2012-08-01 11:22 476976 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-08-01 11:22 . 2012-08-01 11:22 -------- d-----w- c:\program files\Java
2012-07-31 12:34 . 2012-07-31 12:34 -------- d-----w- c:\users\LINDA\AppData\Roaming\Symantec
2012-07-29 00:35 . 2012-07-29 00:35 -------- d-----w- c:\users\Default\AppData\Local\Symantec_Corporation
2012-07-29 00:33 . 2012-07-29 00:33 -------- d-----w- c:\users\LINDA\AppData\Local\Symantec_Corporation
2012-07-28 22:26 . 2007-03-29 00:12 15664 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-07-28 22:26 . 2007-03-29 00:12 109360 ----a-w- c:\windows\system32\GEARAspi.dll
2012-07-28 22:26 . 2007-07-31 21:22 14072 ----a-w- c:\windows\system32\drivers\vproeventmonitor.sys
2012-07-28 22:26 . 2007-03-29 00:49 128104 ----a-w- c:\windows\system32\drivers\WimFltr.sys
2012-07-28 22:25 . 2007-03-29 00:29 37864 ----a-w- c:\windows\system32\drivers\v2imount.sys
2012-07-28 22:25 . 2012-08-05 15:09 -------- dc----w- c:\windows\system32\DRVSTORE
2012-07-28 22:25 . 2007-03-29 00:29 131944 ----a-w- c:\windows\system32\drivers\symsnap.sys
2012-07-28 22:25 . 2012-07-29 00:26 -------- d-----w- c:\program files\bn
2012-07-28 22:18 . 2012-08-05 15:10 -------- d-----w- c:\programdata\Symantec
2012-07-28 22:18 . 2012-08-05 15:10 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-07-28 22:18 . 2003-03-19 01:19 1060864 ----a-w- c:\windows\system32\MFC71.DLL
2012-07-27 20:00 . 2012-07-27 20:00 -------- d-----w- c:\users\LINDA\AppData\Roaming\SUPERAntiSpyware.com
2012-07-27 20:00 . 2012-07-27 20:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-07-27 19:59 . 2012-07-27 19:59 -------- d-----w- c:\program files\Conduit
2012-07-27 19:58 . 2012-07-28 22:14 -------- d-----w- c:\users\LINDA\AppData\Local\Conduit
2012-07-27 09:41 . 2012-08-01 11:45 -------- d-----w- c:\programdata\AVG2012
2012-07-27 08:14 . 2012-07-27 08:14 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{77E9F6DF-C609-4D99-8B17-642779CDE12C}\offreg.dll
2012-07-26 21:38 . 2012-07-16 06:41 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{77E9F6DF-C609-4D99-8B17-642779CDE12C}\mpengine.dll
2012-07-26 13:24 . 2012-07-26 14:08 -------- d-----w- c:\programdata\036E18F8004CBF00184880502F3B707C
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 12:58 . 2012-05-16 12:35 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 12:58 . 2011-05-31 00:33 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-01 11:22 . 2010-05-07 15:33 472880 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-03 17:46 . 2010-03-16 21:36 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:40 . 2012-07-12 12:55 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 16:47 . 2012-07-11 13:09 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:47 . 2012-07-11 13:09 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:26 . 2012-07-11 13:08 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:19 . 2012-06-22 12:37 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 12:37 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 12:37 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 12:37 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-22 12:37 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-22 12:37 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-22 12:37 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-22 12:37 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-22 12:37 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33 . 2012-07-12 12:38 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25 . 2012-07-12 12:38 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25 . 2012-07-12 12:38 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20 . 2012-07-12 12:38 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16 . 2012-07-12 12:38 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 00:04 . 2012-07-11 13:08 278528 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:03 . 2012-07-11 13:08 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-02-29 20:57 . 2011-05-30 02:37 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-30 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2012-07-03 973488]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-29 4317184]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-02-18 49208]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2011-11-20 126976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg&inst=NzctMTM4NzkxNTg4My1LVjMrNy1UNC1GUDkrNi1CQVI5RysxLVRCOSsyLUZMKzktUUlYMSs0LVgyMDEwKzItRjEwTSs1LUYxME0xMEQrMS1MSUMrNy1GTDEwKzEtU1AxKzEtU1AxVEIrMS1TVVArNC1TUDFTMisxLVNUMTJGT0krMS1ERFQrODk0MQ&prod=90&ver=10.0.1424" [?]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-16 12:58]
.
2012-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 19:37]
.
2012-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 19:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://aol.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.200.1
FF - ProfilePath - c:\users\LINDA\AppData\Roaming\Mozilla\Firefox\Profiles\vdedvxws.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3198785&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=2&q=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKLM-Run-vProt - c:\program files\AVG Secure Search\vprot.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-!SASWinLogon - c:\program files\SUPERAntiSpyware\SASWINLO.DLL
AddRemove-blinkx beat - c:\program files\Blinkx\templates\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-15 16:31
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-08-15 16:35:51
ComboFix-quarantined-files.txt 2012-08-15 20:35
.
Pre-Run: 100,151,042,048 bytes free
Post-Run: 100,525,404,160 bytes free
.
- - End Of File - - F8FE904560854DEBF50F489FF2C44960


I tried to run a MSERT FULL scan both normal and safe mode, the comp shut down in both modes.

When the comp was first infected, avg (free), superanti, and kaspersky free all shut down the comp, (we used avg prior to the infection with no problems).
Running many scans with mbam, MSessentials, and your ESET online scan, several infections were found and deleted, now mbam and essentials find no infections.

My main concern is, is the computer clean? If mserts for some reason will not run on the comp, i can accept this, hopefully you can see what combo found and determine if it is clean.

THANKS for the help you are giving me.

#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,769 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:05:52 AM

Posted 15 August 2012 - 05:23 PM

Greetings Steve W,

Thank you for posting the information. There are a couple of tasks I would like you to perform for me but I must first advise you of the following based on the Combofix results:


===================================================


BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Please let me know if you have already noticed evidence of financial institution irregularities.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


===================================================


aswMBR

--------------------

  • Download aswMBR and save it to your desktop.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.

  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.

  • Please post the contents of the log in your next reply.
NOTE: aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


===================================================


SystemLook by jpshortstuff

--------------------

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
Download Mirror #3 For 64-bit users

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:

    :dir
    c:\programdata\036E18F8004CBF00184880502F3B707C
    C:\d378e8d194b2dbc2e270b94d
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • aswMBR log
  • SystemLook.txt

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#8 Steven W

Steven W
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:52 AM

Posted 15 August 2012 - 08:00 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 20:59 on 15/08/2012 by LINDA
Administrator - Elevation successful

========== dir ==========

c:\programdata\036E18F8004CBF00184880502F3B707C - Parameters: "(none)"

---Files---
036E18F8004CBF00184880502F3B707C --a---- 1872 bytes [13:25 26/07/2012] [13:26 26/07/2012]
036E18F8004CBF00184880502F3B707C.ico --a---- 4286 bytes [13:24 26/07/2012] [13:24 26/07/2012]

---Folders---
None found.

C:\d378e8d194b2dbc2e270b94d - Parameters: "(none)"

---Files---
$shtdwn$.req --ah--- 788 bytes [12:40 12/07/2012] [12:40 12/07/2012]
mrt.exe._p --a---- 3338328 bytes [07:17 03/07/2012] [07:17 03/07/2012]
mrtstub.exe --a---- 93144 bytes [07:09 03/07/2012] [07:09 03/07/2012]

---Folders---
None found.

-= EOF =-

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-15 20:35:16
-----------------------------
20:35:16.200 OS Version: Windows 6.0.6002 Service Pack 2
20:35:16.200 Number of processors: 2 586 0x407
20:35:16.202 ComputerName: LINDA-PC UserName: LINDA
20:35:17.477 Initialize success
20:35:37.975 AVAST engine defs: 12081503
20:35:43.592 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:35:43.596 Disk 0 Vendor: SAMSUNG_SP1644N BV900-43 Size: 152627MB BusType: 3
20:35:43.630 Disk 0 MBR read successfully
20:35:43.634 Disk 0 MBR scan
20:35:44.780 Disk 0 unknown MBR code
20:35:44.833 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 145439 MB offset 63
20:35:44.877 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 7185 MB offset 297861165
20:35:44.905 Disk 0 scanning sectors +312576705
20:35:45.363 Disk 0 scanning C:\Windows\system32\drivers
20:36:15.278 Service scanning
20:37:01.177 Modules scanning
20:37:43.117 Disk 0 trace - called modules:
20:37:43.129
20:37:45.332 AVAST engine scan C:\Windows
20:37:49.824 AVAST engine scan C:\Windows\system32
20:42:06.340 AVAST engine scan C:\Windows\system32\drivers
20:42:22.380 AVAST engine scan C:\Users\LINDA
20:50:34.026 AVAST engine scan C:\ProgramData
20:53:10.986 Scan finished successfully
20:56:43.869 Disk 0 MBR has been saved successfully to "C:\Users\LINDA\Desktop\MBR.dat"
20:56:43.876 The log file has been saved successfully to "C:\Users\LINDA\Desktop\aswMBR.txt"

#9 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,769 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:05:52 AM

Posted 15 August 2012 - 08:11 PM

Greetings Steve W,

Thank you for that information. I would like to take a deeper look into your Master Boot Record (MBR) because of this in the aswMBR report:

20:35:44.780 Disk 0 unknown MBR code

Please perform the following for me.


===================================================


Farbar's Recovery Scan Tool

--------------------

I would like you to run Farbar's Recovery Scan Tool to check your Master Boot Record (MBR). For this you will need a USB flash drive and start on a clean computer.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC and we will enter the System Recovery Options one of the two following ways:

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Once you are in the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in Notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • FRST.txt
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
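
The "unknown MBR code" line that prompted the MBR check above is a verdict about the 440-byte boot code, not about the partition table, and both can be inspected offline from the 512-byte MBR.dat that aswMBR saved. The script below is an added example for readers, not part of this thread or of aswMBR/FRST: it parses an MBR image, reports the partition entries, flags layout anomalies, counts the unallocated sectors after the last partition, and compares the boot code hash against a baseline. The sample image is constructed to reproduce the partition layout in the aswMBR log above; the known-good hash set is a placeholder that a responder would fill from a trusted disk of the same Windows version.

```python
"""Parse a 512-byte MBR image (such as the MBR.dat that aswMBR saves) and
report what a responder checks: boot signature, partition table, layout
sanity, trailing unallocated sectors and whether the boot code is known."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440            # boot code area before the 4-byte disk signature
PART_TABLE_OFFSET = 446       # four 16-byte partition entries start here
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sectors
SECTORS_PER_MB = (1024 * 1024) // SECTOR_SIZE   # 2048

PARTITION_TYPES = {0x07: "HPFS/NTFS", 0x0C: "FAT32 LBA",
                   0x05: "Extended", 0x0F: "Extended LBA"}

# Disk size from the aswMBR log in this thread: 152627 MB.
DISK_SECTORS = 152627 * SECTORS_PER_MB

# Placeholder baseline: sha256 of the first 440 bytes of a known-good MBR.
KNOWN_GOOD_BOOTCODE = {"<placeholder: sha256 of a trusted Vista MBR boot code>"}


def build_sample_mbr() -> bytes:
    """Constructed test image. The boot code is all zeros (a stand-in, not a
    real boot loader); the two entries mirror the aswMBR report: an active
    NTFS partition at LBA 63 of 145439 MB and a second NTFS partition at
    LBA 297861165 of 7185 MB, ending at the sector aswMBR scanned from."""
    mbr = bytearray(SECTOR_SIZE)
    chs = b"\xfe\xff\xff"  # conventional "beyond CHS range" marker
    entries = [  # status, type, lba_start, sector_count
        (0x80, 0x07, 63, 297861165 - 63),
        (0x00, 0x07, 297861165, 312576705 - 297861165),
    ]
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i,
                         status, chs, ptype, chs, start, count)
    mbr[510], mbr[511] = 0x55, 0xAA  # boot signature
    return bytes(mbr)


def parse_mbr(data: bytes) -> dict:
    """Decode signature, boot code hash and the non-empty partition entries."""
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            PART_ENTRY_FMT, data, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        partitions.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": count,
            "lba_end": lba_start + count,  # first sector after the partition
            "size_mb": count // SECTORS_PER_MB,
        })
    return {"signature_ok": data[510:512] == b"\x55\xaa",
            "bootcode_sha256": hashlib.sha256(data[:BOOTCODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_layout(parsed: dict, disk_sectors: int) -> list:
    """Return human-readable anomalies; an empty list means the table is sane."""
    findings = []
    if not parsed["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    parts = sorted(parsed["partitions"], key=lambda p: p["lba_start"])
    active = [p for p in parts if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for a, b in zip(parts, parts[1:]):
        if a["lba_end"] > b["lba_start"]:
            findings.append(f"partition {a['index']} overlaps partition {b['index']}")
    for p in parts:
        if p["lba_end"] > disk_sectors:
            findings.append(f"partition {p['index']} extends past end of disk")
    return findings


def trailing_sectors(parsed: dict, disk_sectors: int) -> int:
    """Unallocated sectors after the last partition; aswMBR scans this area."""
    return disk_sectors - max(p["lba_end"] for p in parsed["partitions"])


def classify_bootcode(parsed: dict, known_good: set) -> str:
    """'known' if the boot code hash is in the baseline, else 'unknown' (the
    same kind of verdict aswMBR reports as 'unknown MBR code')."""
    return "known" if parsed["bootcode_sha256"] in known_good else "unknown"


if __name__ == "__main__":
    image = build_sample_mbr()  # for a real case: open("MBR.dat", "rb").read()
    info = parse_mbr(image)
    for p in info["partitions"]:
        print(f"Partition {p['index']} {'80 (A)' if p['bootable'] else '00'} "
              f"{p['type']:02X} {p['type_name']} {p['size_mb']} MB offset {p['lba_start']}")
    print("boot code:", classify_bootcode(info, KNOWN_GOOD_BOOTCODE))
    print("sectors after last partition:", trailing_sectors(info, DISK_SECTORS))
    for finding in check_layout(info, DISK_SECTORS):
        print("finding:", finding)
```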

#10 Steven W

Steven W
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:52 AM

Posted 16 August 2012 - 06:10 PM

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 15-08-2012
Ran by SYSTEM at 16-08-2012 19:03:32
Running from E:\
Windows Vista ™ Home Basic (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [973488 2012-07-03] (Malwarebytes Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [40048 2007-05-11] (Adobe Systems Incorporated)
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-02-18] (Hewlett-Packard)
HKLM\...\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun [126976 2011-11-20] (Google Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2008-01-02] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [166424 2008-01-02] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [133656 2008-01-02] (Intel Corporation)
HKU\LINDA\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-07-29] (Google Inc.)
HKLM\...\Runonce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctMTM4NzkxNTg4My1LVjMrNy1UNC1GUDkrNi1CQVI5RysxLVRCOSsyLUZMKzktUUlYMSs0LVgyMDEwKzItRjEwTSs1LUYxME0xMEQrMS1MSUMrNy1GTDEwKzEtU1AxKzEtU1AxVEIrMS1TVVArNC1TUDFTMisxLVNUMTJGT0krMS1ERFQrODk0MQ"&"prod=90"&"ver=10.0.1424 [x]
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.200.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)

================================ Services (Whitelisted) ==================

2 CCALib8; C:\Program Files\Canon\CAL\CALMAIN.exe [86606 2005-06-02] (Canon Inc.)
2 dlbk_device; C:\Windows\system32\dlbkcoms.exe -service [537840 2007-06-25] ( )
2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]

========================== Drivers (Whitelisted) =============

4 adpu160m; C:\Windows\system32\drivers\adpu160m.sys [98408 2006-11-02] (Adaptec, Inc.)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
3 RTL8023xp; C:\Windows\System32\DRIVERS\Rtnicxp.sys [50688 2006-11-24] (Realtek Semiconductor Corporation )
0 symsnap; C:\Windows\System32\DRIVERS\symsnap.sys [131944 2007-03-28] (StorageCraft)
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 catchme; \??\C:\Users\LINDA\AppData\Local\Temp\catchme.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
1 MpKsl166ab49d; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C354ACE0-60CC-4689-AECF-644F9F7E109D}\MpKsl166ab49d.sys [x]
1 MpKsl6abf4dd3; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C354ACE0-60CC-4689-AECF-644F9F7E109D}\MpKsl6abf4dd3.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-15 16:59 - 2012-08-15 16:59 - 00001554 ____A C:\Users\LINDA\Desktop\SystemLook.txt
2012-08-15 16:57 - 2012-08-15 16:58 - 00139264 ____A C:\Users\LINDA\Desktop\SystemLook.exe
2012-08-15 16:56 - 2012-08-15 16:56 - 00001595 ____A C:\Users\LINDA\Desktop\aswMBR.txt
2012-08-15 16:56 - 2012-08-15 16:56 - 00000512 ____A C:\Users\LINDA\Desktop\MBR.dat
2012-08-15 16:32 - 2012-08-15 16:32 - 00136832 ____A C:\Windows\Minidump\Mini081512-01.dmp
2012-08-15 16:26 - 2012-08-15 16:26 - 04731392 ____A (AVAST Software) C:\Users\LINDA\Desktop\aswMBR.exe
2012-08-15 14:09 - 2012-06-28 16:52 - 12317184 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-15 14:09 - 2012-06-28 16:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-15 14:09 - 2012-06-28 16:16 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-15 14:09 - 2012-06-28 16:09 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-15 14:09 - 2012-06-28 16:09 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-15 14:09 - 2012-06-28 16:08 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-15 14:09 - 2012-06-28 16:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-15 14:09 - 2012-06-28 16:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-15 14:09 - 2012-06-28 16:04 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-15 14:09 - 2012-06-28 16:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-15 14:09 - 2012-06-28 16:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-15 14:09 - 2012-06-28 16:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-15 14:09 - 2012-06-28 16:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-15 14:09 - 2012-06-28 15:57 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-15 14:08 - 2012-07-04 06:02 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-15 12:43 - 2012-08-15 12:44 - 72525360 ____A (Microsoft Corporation) C:\Users\LINDA\Downloads\msert.exe
2012-08-15 12:35 - 2012-08-15 12:35 - 00012180 ____A C:\ComboFix.txt
2012-08-15 12:21 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-15 12:21 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-15 12:21 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-15 12:21 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-15 12:21 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-15 12:21 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-15 12:21 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-15 12:21 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-15 12:20 - 2012-08-15 12:35 - 00000000 ___AD C:\Qoobox
2012-08-15 12:20 - 2012-08-15 12:33 - 00000000 ____D C:\Windows\erdnt
2012-08-15 10:42 - 2012-08-15 10:42 - 04731145 ____R (Swearware) C:\Users\LINDA\Desktop\ComboFix.exe
2012-08-15 04:55 - 2012-06-29 08:01 - 00467968 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-08-15 04:55 - 2012-05-11 07:57 - 00623616 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
2012-08-14 10:00 - 2012-08-14 10:00 - 00000671 ____A C:\Users\LINDA\Desktop\ark.txt
2012-08-14 07:49 - 2012-08-14 07:50 - 00136832 ____A C:\Windows\Minidump\Mini081412-02.dmp
2012-08-14 07:43 - 2012-08-14 07:44 - 00136832 ____A C:\Windows\Minidump\Mini081412-01.dmp
2012-08-14 07:37 - 2012-08-14 07:37 - 00013276 ____A C:\Users\LINDA\Desktop\Attach.txt
2012-08-14 07:37 - 2012-08-14 07:37 - 00013068 ____A C:\Users\LINDA\Desktop\DDS.txt
2012-08-06 10:57 - 2012-08-06 10:57 - 00000000 ____D C:\Users\LINDA\Desktop\gmer
2012-08-06 10:55 - 2012-08-06 10:55 - 00294216 ____A C:\Users\LINDA\Desktop\gmer.zip
2012-08-06 10:46 - 2012-08-06 10:46 - 00607260 ____R (Swearware) C:\Users\LINDA\Desktop\dds.com
2012-08-06 10:44 - 2012-08-06 10:44 - 00000000 ____A C:\Users\LINDA\defogger_reenable
2012-08-06 10:43 - 2012-08-06 10:43 - 00050477 ____A C:\Users\LINDA\Desktop\Defogger.exe
2012-08-05 13:51 - 2012-08-05 13:55 - 00000000 ____D C:\Intel
2012-08-05 13:51 - 2012-08-05 13:51 - 00000000 ____D C:\Windows\System32\Lang
2012-08-05 12:33 - 2012-08-05 12:33 - 00000000 ____A C:\Windows\setuperr.log
2012-08-05 12:33 - 2012-08-05 12:33 - 00000000 ____A C:\Windows\setupact.log
2012-08-05 06:54 - 2012-08-05 06:54 - 00000553 ____A C:\Users\LINDA\Desktop\esetscan.txt
2012-08-05 02:00 - 2012-08-05 02:01 - 00000000 ____D C:\tdsskiller
2012-08-01 17:42 - 2012-08-01 17:42 - 00159480 ____A C:\Windows\Minidump\Mini080112-01.dmp
2012-08-01 17:41 - 2012-08-15 16:32 - 178320120 ____A C:\Windows\MEMORY.DMP
2012-08-01 03:53 - 2012-08-01 03:53 - 00002154 ____A C:\Windows\epplauncher.mif
2012-08-01 03:52 - 2012-08-01 03:52 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-08-01 03:52 - 2010-04-05 12:00 - 00221568 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-08-01 03:49 - 2012-08-01 03:49 - 10288512 ____A (Microsoft Corporation) C:\Users\LINDA\Downloads\mseinstall.exe
2012-08-01 03:24 - 2012-08-01 03:24 - 00000000 ____D C:\Program Files\Common Files\Java
2012-08-01 03:23 - 2012-08-01 03:22 - 00476976 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2012-08-01 03:23 - 2012-08-01 03:22 - 00157488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-08-01 03:23 - 2012-08-01 03:22 - 00149296 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-08-01 03:23 - 2012-08-01 03:22 - 00149296 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-08-01 03:22 - 2012-08-01 03:22 - 00000000 ____D C:\Program Files\Java
2012-07-31 12:15 - 2012-07-31 12:15 - 00000756 ____A C:\Users\LINDA\Documents\cc_20120731_161526.reg
2012-07-31 04:34 - 2012-07-31 04:34 - 00000000 ____D C:\Users\LINDA\AppData\Roaming\Symantec
2012-07-29 11:47 - 2012-07-29 11:47 - 00000000 ____D C:\Users\LINDA\Downloads\Autoruns
2012-07-29 11:46 - 2012-07-29 11:46 - 00537166 ____A C:\Users\LINDA\Downloads\Autoruns.zip
2012-07-28 16:35 - 2012-07-28 16:35 - 00000000 ____D C:\Users\Default\AppData\Local\Symantec_Corporation
2012-07-28 16:35 - 2012-07-28 16:35 - 00000000 ____D C:\Users\Default User\AppData\Local\Symantec_Corporation
2012-07-28 16:33 - 2012-07-28 16:33 - 00000000 ____D C:\Users\LINDA\AppData\Local\Symantec_Corporation
2012-07-28 16:29 - 2012-07-28 16:29 - 00000006 __ASH C:\Users\Default\AppData\Roaming\desktop.ini
2012-07-28 16:29 - 2012-07-28 16:29 - 00000006 __ASH C:\Users\Default\AppData\Local\desktop.ini
2012-07-28 16:29 - 2012-07-28 16:29 - 00000006 __ASH C:\Users\Default User\AppData\Roaming\desktop.ini
2012-07-28 16:29 - 2012-07-28 16:29 - 00000006 __ASH C:\Users\Default User\AppData\Local\desktop.ini
2012-07-28 16:28 - 2012-08-15 13:07 - 00011156 ____A C:\Windows\PFRO.log
2012-07-28 14:26 - 2007-07-31 13:22 - 00014072 ____A (Symantec Corporation) C:\Windows\System32\Drivers\vproeventmonitor.sys
2012-07-28 14:26 - 2007-03-28 16:49 - 00128104 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\WimFltr.sys
2012-07-28 14:26 - 2007-03-28 16:12 - 00109360 ____A (GEAR Software Inc.) C:\Windows\System32\GEARAspi.dll
2012-07-28 14:26 - 2007-03-28 16:12 - 00015664 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys
2012-07-28 14:25 - 2012-07-28 16:26 - 00000000 ____D C:\Program Files\bn
2012-07-28 14:25 - 2007-03-28 16:29 - 00131944 ____A (StorageCraft) C:\Windows\System32\Drivers\symsnap.sys
2012-07-28 14:25 - 2007-03-28 16:29 - 00037864 ____A (Symantec Corporation) C:\Windows\System32\Drivers\v2imount.sys
2012-07-28 14:18 - 2012-08-05 07:10 - 00000000 ____D C:\Users\All Users\Symantec
2012-07-28 14:18 - 2012-08-05 07:10 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2012-07-28 14:18 - 2007-09-12 14:27 - 00511328 ____A (Microsoft Corporation) C:\Windows\System32\capicom.dll
2012-07-28 14:18 - 2003-03-18 17:19 - 01060864 ____A (Microsoft Corporation) C:\Windows\System32\MFC71.DLL
2012-07-27 12:00 - 2012-07-27 12:00 - 00000000 ____D C:\Users\LINDA\AppData\Roaming\SUPERAntiSpyware.com
2012-07-27 12:00 - 2012-07-27 12:00 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-07-27 11:59 - 2012-07-27 11:59 - 00000009 ____A C:\END
2012-07-27 11:59 - 2012-07-27 11:59 - 00000000 ____D C:\Program Files\Conduit
2012-07-27 11:58 - 2012-07-28 14:14 - 00000000 ____D C:\Users\LINDA\AppData\Local\Conduit
2012-07-27 11:54 - 2012-07-27 11:54 - 00370264 ____A C:\Users\LINDA\Downloads\superantispyware_Setup.exe
2012-07-27 11:53 - 2012-07-27 11:53 - 04765704 ____A (Red Dog Media, Inc.) C:\Users\LINDA\Downloads\PC Utility Kit Installer.exe
2012-07-27 01:41 - 2012-08-01 03:45 - 00000000 ____D C:\Users\All Users\AVG2012
2012-07-26 14:04 - 2012-07-26 14:04 - 00000258 _RASH C:\Users\All Users\ntuser.pol
2012-07-26 13:13 - 2012-07-26 13:13 - 00180000 ____A (Kaspersky Lab) C:\Users\LINDA\Downloads\kss12.0.1.117EN_RU_DE_FR_2926.exe
2012-07-26 05:24 - 2012-07-26 06:08 - 00000000 ____D C:\Users\All Users\036E18F8004CBF00184880502F3B707C


============ 3 Months Modified Files ========================

2012-08-16 14:51 - 2009-07-29 14:43 - 01627127 ____A C:\Windows\WindowsUpdate.log
2012-08-16 14:51 - 2006-11-02 04:58 - 00032656 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-16 14:51 - 2006-11-02 04:58 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-16 14:51 - 2006-11-02 04:45 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-16 14:51 - 2006-11-02 04:45 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-16 14:33 - 2010-02-06 11:38 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-16 13:58 - 2012-05-16 04:35 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-16 05:33 - 2010-02-06 11:38 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-15 16:59 - 2012-08-15 16:59 - 00001554 ____A C:\Users\LINDA\Desktop\SystemLook.txt
2012-08-15 16:58 - 2012-08-15 16:57 - 00139264 ____A C:\Users\LINDA\Desktop\SystemLook.exe
2012-08-15 16:56 - 2012-08-15 16:56 - 00001595 ____A C:\Users\LINDA\Desktop\aswMBR.txt
2012-08-15 16:56 - 2012-08-15 16:56 - 00000512 ____A C:\Users\LINDA\Desktop\MBR.dat
2012-08-15 16:32 - 2012-08-15 16:32 - 00136832 ____A C:\Windows\Minidump\Mini081512-01.dmp
2012-08-15 16:32 - 2012-08-01 17:41 - 178320120 ____A C:\Windows\MEMORY.DMP
2012-08-15 16:26 - 2012-08-15 16:26 - 04731392 ____A (AVAST Software) C:\Users\LINDA\Desktop\aswMBR.exe
2012-08-15 14:42 - 2006-11-02 04:44 - 00371832 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-15 14:10 - 2006-11-02 02:24 - 59884088 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-08-15 13:24 - 2006-11-02 02:33 - 00710764 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-15 13:07 - 2012-07-28 16:28 - 00011156 ____A C:\Windows\PFRO.log
2012-08-15 12:44 - 2012-08-15 12:43 - 72525360 ____A (Microsoft Corporation) C:\Users\LINDA\Downloads\msert.exe
2012-08-15 12:35 - 2012-08-15 12:35 - 00012180 ____A C:\ComboFix.txt
2012-08-15 12:31 - 2006-11-02 02:23 - 00000215 ____A C:\Windows\system.ini
2012-08-15 10:42 - 2012-08-15 10:42 - 04731145 ____R (Swearware) C:\Users\LINDA\Desktop\ComboFix.exe
2012-08-15 04:58 - 2012-05-16 04:35 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-08-15 04:58 - 2011-05-30 16:33 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-08-14 10:00 - 2012-08-14 10:00 - 00000671 ____A C:\Users\LINDA\Desktop\ark.txt
2012-08-14 07:50 - 2012-08-14 07:49 - 00136832 ____A C:\Windows\Minidump\Mini081412-02.dmp
2012-08-14 07:44 - 2012-08-14 07:43 - 00136832 ____A C:\Windows\Minidump\Mini081412-01.dmp
2012-08-14 07:37 - 2012-08-14 07:37 - 00013276 ____A C:\Users\LINDA\Desktop\Attach.txt
2012-08-14 07:37 - 2012-08-14 07:37 - 00013068 ____A C:\Users\LINDA\Desktop\DDS.txt
2012-08-07 01:11 - 2009-07-30 05:43 - 00006144 ____A C:\Users\LINDA\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-06 10:55 - 2012-08-06 10:55 - 00294216 ____A C:\Users\LINDA\Desktop\gmer.zip
2012-08-06 10:46 - 2012-08-06 10:46 - 00607260 ____R (Swearware) C:\Users\LINDA\Desktop\dds.com
2012-08-06 10:44 - 2012-08-06 10:44 - 00000000 ____A C:\Users\LINDA\defogger_reenable
2012-08-06 10:43 - 2012-08-06 10:43 - 00050477 ____A C:\Users\LINDA\Desktop\Defogger.exe
2012-08-05 12:33 - 2012-08-05 12:33 - 00000000 ____A C:\Windows\setuperr.log
2012-08-05 12:33 - 2012-08-05 12:33 - 00000000 ____A C:\Windows\setupact.log
2012-08-05 06:54 - 2012-08-05 06:54 - 00000553 ____A C:\Users\LINDA\Desktop\esetscan.txt
2012-08-01 17:42 - 2012-08-01 17:42 - 00159480 ____A C:\Windows\Minidump\Mini080112-01.dmp
2012-08-01 03:53 - 2012-08-01 03:53 - 00002154 ____A C:\Windows\epplauncher.mif
2012-08-01 03:49 - 2012-08-01 03:49 - 10288512 ____A (Microsoft Corporation) C:\Users\LINDA\Downloads\mseinstall.exe
2012-08-01 03:22 - 2012-08-01 03:23 - 00476976 ____A (Sun Microsystems, Inc.) C:\Windows\System32\npdeployJava1.dll
2012-08-01 03:22 - 2012-08-01 03:23 - 00157488 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaws.exe
2012-08-01 03:22 - 2012-08-01 03:23 - 00149296 ____A (Sun Microsystems, Inc.) C:\Windows\System32\javaw.exe
2012-08-01 03:22 - 2012-08-01 03:23 - 00149296 ____A (Sun Microsystems, Inc.) C:\Windows\System32\java.exe
2012-08-01 03:22 - 2010-05-07 07:33 - 00472880 ____A (Sun Microsystems, Inc.) C:\Windows\System32\deployJava1.dll
2012-07-31 12:15 - 2012-07-31 12:15 - 00000756 ____A C:\Users\LINDA\Documents\cc_20120731_161526.reg
2012-07-29 11:46 - 2012-07-29 11:46 - 00537166 ____A C:\Users\LINDA\Downloads\Autoruns.zip
2012-07-28 16:29 - 2012-07-28 16:29 - 00000006 __ASH C:\Users\Default\AppData\Roaming\desktop.ini
2012-07-28 16:29 - 2012-07-28 16:29 - 00000006 __ASH C:\Users\Default\AppData\Local\desktop.ini
2012-07-28 16:29 - 2012-07-28 16:29 - 00000006 __ASH C:\Users\Default User\AppData\Roaming\desktop.ini
2012-07-28 16:29 - 2012-07-28 16:29 - 00000006 __ASH C:\Users\Default User\AppData\Local\desktop.ini
2012-07-27 11:59 - 2012-07-27 11:59 - 00000009 ____A C:\END
2012-07-27 11:54 - 2012-07-27 11:54 - 00370264 ____A C:\Users\LINDA\Downloads\superantispyware_Setup.exe
2012-07-27 11:53 - 2012-07-27 11:53 - 04765704 ____A (Red Dog Media, Inc.) C:\Users\LINDA\Downloads\PC Utility Kit Installer.exe
2012-07-26 14:04 - 2012-07-26 14:04 - 00000258 _RASH C:\Users\All Users\ntuser.pol
2012-07-26 13:13 - 2012-07-26 13:13 - 00180000 ____A (Kaspersky Lab) C:\Users\LINDA\Downloads\kss12.0.1.117EN_RU_DE_FR_2926.exe
2012-07-18 06:20 - 2012-01-03 05:39 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-12 04:55 - 2006-11-02 02:23 - 00000219 ____A C:\Windows\win.ini
2012-07-04 06:02 - 2012-08-15 14:08 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-03 09:46 - 2010-03-16 13:36 - 00022344 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-29 08:01 - 2012-08-15 04:55 - 00467968 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-06-28 16:52 - 2012-08-15 14:09 - 12317184 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-28 16:27 - 2012-08-15 14:09 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-28 16:16 - 2012-08-15 14:09 - 01800704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-28 16:09 - 2012-08-15 14:09 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-28 16:09 - 2012-08-15 14:09 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-28 16:08 - 2012-08-15 14:09 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-28 16:07 - 2012-08-15 14:09 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-28 16:06 - 2012-08-15 14:09 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-28 16:04 - 2012-08-15 14:09 - 00717824 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-28 16:04 - 2012-08-15 14:09 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-28 16:01 - 2012-08-15 14:09 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-28 16:01 - 2012-08-15 14:09 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-28 16:00 - 2012-08-15 14:09 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-28 15:57 - 2012-08-15 14:09 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-27 18:32 - 2012-06-27 18:32 - 01104432 ____A C:\Users\LINDA\Downloads\UNKNOWN_PARAMETER_VALUE (2)
2012-06-27 17:58 - 2012-06-27 17:58 - 01104432 ____A C:\Users\LINDA\Downloads\UNKNOWN_PARAMETER_VALUE (1) (1)
2012-06-27 17:57 - 2012-06-27 17:57 - 01104432 ____A C:\Users\LINDA\Downloads\UNKNOWN_PARAMETER_VALUE (1)
2012-06-27 17:54 - 2012-06-27 17:54 - 01104432 ____A C:\Users\LINDA\Downloads\UNKNOWN_PARAMETER_VALUE
2012-06-08 09:47 - 2012-07-11 05:09 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-06 16:59 - 2012-06-06 16:59 - 01070152 ____A (Microsoft Corporation) C:\Windows\System32\MSCOMCTL.OCX
2012-06-05 08:47 - 2012-07-11 05:09 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 08:47 - 2012-07-11 05:09 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-04 07:26 - 2012-07-11 05:08 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-03 15:26 - 2010-03-20 12:44 - 00002537 ____A C:\Users\Public\Desktop\ZoomBrowser EX.lnk
2012-06-02 14:19 - 2012-06-22 04:37 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-22 04:37 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-22 04:37 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-22 04:37 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-22 04:37 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-22 04:37 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-22 04:37 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-22 04:37 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:12 - 2012-06-22 04:37 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-01 16:04 - 2012-07-11 05:08 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 16:03 - 2012-07-11 05:08 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 13%
Total physical RAM: 2038.75 MB
Available physical RAM: 1757.74 MB
Total Pagefile: 1970.52 MB
Available Pagefile: 1814.08 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.52 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:142.03 GB) (Free:93.91 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: () (Removable) (Total:0.12 GB) (Free:0.07 GB) FAT
4 Drive r: (MS-RAMDRIVE) (Fixed) (Total:0.01 GB) (Free:0.01 GB) FAT
5 Drive x: (RECOVERY) (Fixed) (Total:7.02 GB) (Free:2.84 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 1528 KB
Disk 1 Online 123 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 142 GB 32 KB
Partition 2 Primary 7185 MB 142 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 142 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 X RECOVERY NTFS Partition 7185 MB Healthy Boot

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
* Partition 1 Primary 123 MB 0 B

==================================================================================

Disk: 1
There is no partition selected.

There is no partition selected.
Please select a partition and try again.

==================================================================================

Last Boot: 2012-08-16 03:24

======================= End Of Log ==========================

Last night the comp shut down 3 times while trying to load Windows after a startup. I booted in safe mode, ran a mbam and Essentials quick scan, everything came up clean, I rebooted, comp started up normally, and she told me it had been ok all day. I haven't tried a msert scan yet.

#11 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,769 posts
  • Gender:Male
  • Location:California
  • Local time:05:52 AM

Posted 16 August 2012 - 08:54 PM

Greetings Steve W,

Thank you for the information. Your MBR looks good.

Please perform the following.


===================================================


BlueScreenView

----------

  • Download BlueScreenView and save it to your desktop
  • Double click the BlueScreenView.exe file then click OK
  • Select Run, Next, then Next again
  • Click Install
  • When the scanning is complete, select Edit and Select All
  • Then click File and Save Selected Items
  • Save the report as BSOD.txt
  • Open BSOD.txt in Notepad, copy the entire content and paste it into your next reply
More information about the program can be found here


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • BSOD.txt

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#12 Steven W

Steven W
  • Topic Starter

  • Members
  • 16 posts
  • Local time:07:52 AM

Posted 17 August 2012 - 02:27 AM

==================================================
Dump File : Mini081512-01.dmp
Crash Time : 8/15/2012 8:32:24 PM
Bug Check String : DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x000000d1
Parameter 1 : 0x00000000
Parameter 2 : 0x000000ff
Parameter 3 : 0x00000008
Parameter 4 : 0x00000000
Caused By Driver : aswMBR.sys
Caused By Address : aswMBR.sys+62af
File Description :
Product Name :
Company :
File Version :
Processor : 32-bit
Crash Address : ntkrnlpa.exe+4df99
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\Windows\Minidump\Mini081512-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 6002
Dump File Size : 136,832
==================================================

==================================================
Dump File : Mini081412-02.dmp
Crash Time : 8/14/2012 11:50:02 AM
Bug Check String : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code : 0x00000050
Parameter 1 : 0xb8400008
Parameter 2 : 0x00000000
Parameter 3 : 0xa7fe73cb
Parameter 4 : 0x00000000
Caused By Driver : ntkrnlpa.exe
Caused By Address : ntkrnlpa.exe+98339
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.0.6002.18607 (vistasp2_gdr.120402-0336)
Processor : 32-bit
Crash Address : ntkrnlpa.exe+98339
Stack Address 1 : ntkrnlpa.exe+4dd94
Stack Address 2 : ugloapob.sys+43cb
Stack Address 3 : ugloapob.sys+2096
Computer Name :
Full Path : C:\Windows\Minidump\Mini081412-02.dmp
Processors Count : 2
Major Version : 15
Minor Version : 6002
Dump File Size : 136,832
==================================================

==================================================
Dump File : Mini081412-01.dmp
Crash Time : 8/14/2012 11:44:00 AM
Bug Check String : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code : 0x00000050
Parameter 1 : 0xc1600008
Parameter 2 : 0x00000000
Parameter 3 : 0xa75eb3cb
Parameter 4 : 0x00000000
Caused By Driver : ntkrnlpa.exe
Caused By Address : ntkrnlpa.exe+98339
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.0.6002.18607 (vistasp2_gdr.120402-0336)
Processor : 32-bit
Crash Address : ntkrnlpa.exe+98339
Stack Address 1 : ntkrnlpa.exe+4dd94
Stack Address 2 : ugloapob.sys+43cb
Stack Address 3 : ugloapob.sys+2096
Computer Name :
Full Path : C:\Windows\Minidump\Mini081412-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 6002
Dump File Size : 136,832
==================================================

==================================================
Dump File : Mini080112-01.dmp
Crash Time : 8/1/2012 9:42:09 PM
Bug Check String :
Bug Check Code : 0x00000116
Parameter 1 : 0x85b3c488
Parameter 2 : 0x8c007190
Parameter 3 : 0x00000000
Parameter 4 : 0x0000000d
Caused By Driver : igdkmd32.sys
Caused By Address : igdkmd32.sys+6190
File Description : Intel Graphics Kernel Mode Driver
Product Name : Intel Graphics Accelerator Drivers for Windows Vista®
Company : Intel Corporation
File Version : 7.14.10.1409
Processor : 32-bit
Crash Address : ntkrnlpa.exe+cdabf
Stack Address 1 : dxgkrnl.sys+7c046
Stack Address 2 : dxgkrnl.sys+7cd36
Stack Address 3 : dxgkrnl.sys+194fd
Computer Name :
Full Path : C:\Windows\Minidump\Mini080112-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 6002
Dump File Size : 159,480
==================================================
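The four BlueScreenView entries above are what the next reply is assessed from. As an added example (not code from this thread, from BlueScreenView, or from any tool named here), the script below parses that "Field : Value" export layout and reduces each crash to a triage row: the bug check, the module BlueScreenView blamed, whether that blame landed on the kernel image itself, and the short list of other modules referenced by the crash and stack addresses that an analyst would identify first. Assumptions: the embedded sample is a trimmed copy of three entries from this post; the small table of bug check names is my own, taken from Microsoft's bug check reference, and is used only where BlueScreenView left "Bug Check String" blank (as it did for 0x116 above).

```python
import re

# Well-known bug check codes (Microsoft's bug check reference), used when BlueScreenView
# leaves "Bug Check String" empty, as it did for 0x116 above.
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
    0x116: "VIDEO_TDR_FAILURE",
}
# Kernel image names; when the blame lands here, the other modules on the stack matter more.
KERNEL_IMAGES = {"ntkrnlpa.exe", "ntoskrnl.exe", "ntkrpamp.exe", "ntkrnlmp.exe"}
SEPARATOR = re.compile(r"^=+\s*$")
MODULE_REF = re.compile(r"^([\w.\-]+)\+([0-9a-fA-F]+)$")   # e.g. aswMBR.sys+62af

# Constructed sample: a trimmed copy of three entries from the post above, in the
# "Field : Value" layout BlueScreenView writes.
SAMPLE_EXPORT = """
==================================================
Dump File : Mini081512-01.dmp
Bug Check String : DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x000000d1
Caused By Driver : aswMBR.sys
Caused By Address : aswMBR.sys+62af
Crash Address : ntkrnlpa.exe+4df99
==================================================
==================================================
Dump File : Mini081412-02.dmp
Bug Check String : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code : 0x00000050
Caused By Driver : ntkrnlpa.exe
Caused By Address : ntkrnlpa.exe+98339
Stack Address 1 : ntkrnlpa.exe+4dd94
Stack Address 2 : ugloapob.sys+43cb
Stack Address 3 : ugloapob.sys+2096
==================================================
==================================================
Dump File : Mini080112-01.dmp
Bug Check String :
Bug Check Code : 0x00000116
Caused By Driver : igdkmd32.sys
Caused By Address : igdkmd32.sys+6190
Stack Address 1 : dxgkrnl.sys+7c046
Stack Address 2 : dxgkrnl.sys+7cd36
==================================================
"""


def parse_export(text):
    """One dict per dump entry; keys and values are stripped, so the tool's padded
    layout and a whitespace-collapsed forum paste parse identically."""
    dumps, current = [], {}
    for line in text.splitlines():
        if SEPARATOR.match(line) or not line.strip():
            if current:
                dumps.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")   # values may contain ':' (e.g. times)
        if sep:
            current[key.strip()] = value.strip()
    if current:
        dumps.append(current)
    return dumps


def bugcheck_code(dump):
    code = dump.get("Bug Check Code", "")
    return int(code, 16) if code else None


def bugcheck_name(dump):
    # BlueScreenView's own string wins; the fallback table fills blanks such as 0x116.
    return dump.get("Bug Check String") or BUGCHECK_NAMES.get(bugcheck_code(dump), "UNKNOWN")


def modules_referenced(dump):
    """Every module named as module+offset in the causing, crash and stack address fields."""
    mods = set()
    for field in ("Caused By Address", "Crash Address",
                  "Stack Address 1", "Stack Address 2", "Stack Address 3"):
        m = MODULE_REF.match(dump.get(field, ""))
        if m:
            mods.add(m.group(1).lower())
    return sorted(mods)


def triage(dumps):
    """One row per dump; 'look_up' is every referenced module that is not the kernel
    image itself, which is the short list an analyst identifies first."""
    rows = []
    for d in dumps:
        driver = d.get("Caused By Driver", "").lower()
        rows.append({"dump": d.get("Dump File", ""), "code": bugcheck_code(d),
                     "name": bugcheck_name(d), "driver": driver,
                     "blamed_kernel": driver in KERNEL_IMAGES,
                     "look_up": [m for m in modules_referenced(d) if m not in KERNEL_IMAGES]})
    return rows


if __name__ == "__main__":
    for row in triage(parse_export(SAMPLE_EXPORT)):
        print(row["dump"], hex(row["code"]), row["name"], row["driver"], row["look_up"])
```

Run against the full BSOD.txt instead of the embedded sample, the rows make the point of the next reply visible at a glance: the 0xD1 crash is attributed to aswMBR.sys, the two 0x50 crashes blame the kernel image, so the remaining stack module is the one to identify, and the 0x116 entry gets its missing name from the fallback table.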

#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,769 posts
  • Gender:Male
  • Location:California
  • Local time:05:52 AM

Posted 17 August 2012 - 08:45 AM

Greetings Steve W,

There is nothing of concern in the BSOD information you provided. I wanted to make sure there wasn't something lurking under the surface we hadn't yet detected. Absent a recurring unnatural restart we won't worry about the "hiccup" which was related to running aswMBR. That is not uncommon when running intrusive programs.

Here is the plan now. I would like to run MBAM and ESET to clean up any remaining remnants. Then I would like you to try running MSERT and see how we do.

Please perform the following for me.


===================================================


Rerun Malwarebytes

--------------------

Temporarily disable your antivirus program.

  • Please locate your Malwarebytes icon and launch the program
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


===================================================


ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:

    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • MBAM results
  • ESET results
  • MSERT results
  • How is your computer running?

Gary

#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,769 posts
  • Gender:Male
  • Location:California
  • Local time:05:52 AM

Posted 17 August 2012 - 01:40 PM

Wrong post.

Edited by Oh My, 17 August 2012 - 01:41 PM.
Wrong post

Gary

#15 Steven W

Steven W
  • Topic Starter

  • Members
  • 16 posts
  • Local time:07:52 AM

Posted 17 August 2012 - 06:48 PM

mbam

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.17.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
LINDA :: LINDA-PC [administrator]

8/17/2012 4:04:51 PM
mbam-log-2012-08-17 (16-04-51).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 192446
Time elapsed: 6 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESET online scanner found no threats, there was no export choice to click on, however there were some files in quarantine and I deleted them.

MSERT full scan shut down the comp, QUICK scan did complete with no threats found, I didn't find a log file to submit.