
Slow computer and shuts down when GMER runs


  • This topic is locked
41 replies to this topic

#1 lucyc123

lucyc123

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 05 September 2012 - 11:06 AM

Hi there, my computer runs very very slowly and I experience pop ups for various things. I updated my AVG definitions, ran a scan in safe mode and nothing was found. I ran TDSSKiller and the computer closed down half way through - a blue screen with white writing appeared saying that Windows detected a problem and had to close to prevent system damage. This happened again when I tried to run GMER to get a log - I ran GMER twice and the same thing happened. I have removed all software that I don't use and tried a defragmentation and the machine is still painfully slow. If you could look at my logs for me and tell me if there is a problem, I would really appreciate that. Thank you.

Here is the DDS.txt file:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19088
Run by lucy at 16:22:08 on 2012-09-05
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1013.181 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WLANExt.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Orange\ICON 225 USB Connect\GtDetectSc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Orange\ICON 225 USB Connect\ICON 225 USB Connect.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.18\AVG Secure Search_toolbar.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.18\AVG Secure Search_toolbar.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [STManager] "c:\program files\speedtouch\dr speedtouch\drst.exe" -b
uRun: [Google Update] "c:\users\lucy\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\lucy\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\icon22~1.lnk - c:\program files\orange\icon 225 usb connect\ICON 225 USB Connect.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{25660409-600C-4692-8B09-4DF7E965D6F6} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{3E51F9B4-38BC-43B9-B765-4B66576CA279} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{934521EA-2FBD-4197-9956-6F10D560DF63} : DhcpNameServer = 149.254.230.7 149.254.199.126
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\9.0.1\ViProtocol.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 GtDetectSc;GtDetectSc;c:\program files\orange\icon 225 usb connect\GtDetectSc.exe [2007-12-18 196704]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\9.0.1\ToolbarUpdater.exe [2011-12-14 855904]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-5-27 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 28624]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-13 136176]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-25 167264]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2007-11-13 106112]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2007-10-9 59264]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-13 136176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-09-05 13:44:32 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2012-09-05 13:44:31 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2012-09-05 13:44:31 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2012-09-05 13:44:31 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2012-09-05 13:44:31 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2012-09-05 13:44:31 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2012-09-05 13:44:31 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
.
==================== Find3M ====================
.
.
============= FINISH: 16:25:22.69 ===============



(I could not obtain a log from GMER)


Thank you for your time.



#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,026 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:09:05 PM

Posted 07 September 2012 - 02:47 PM

Greetings lucyc123 and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. If you prefer I call you something other than your screen name I would be pleased to do so. :thumbup2:


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================


Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

I would like you to run GMER again after running the following program.


===================================================


Rkill

-------------------

Please download Rkill by Grinler from one of the 4 links below (if one of them does not work try another...) and save it to your desktop:

  • In order for Rkill to run properly you must disable your anti-malware software. Please refer to this page if you are not sure how.
  • Double-click on Rkill. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
    • Note: You may have to run Rkill a few times before it is successful. You may also have to download Rkill from a different link which will save it as a different file name.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • An Rkill.log will appear. Please copy and paste the contents in your reply (file also located at c:\rkill.log)
  • Do not reboot your computer after running Rkill as the malware programs will start again. If your computer reboots, run Rkill again before continuing on to the next step.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Rkill.log
  • GMER

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 lucyc123

lucyc123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 10 September 2012 - 10:33 AM

Hi there, thank you for your reply and sorry for the delay in mine. First of all I must tell you that after I posted, a friend ran Malwarebytes anti-malware. For this reason, I repeated the DDS scan and have the log. I ran RKill and tried to run GMER again; the scan got much further than the previous times when it had closed down near the beginning. This time, a blue screen with white writing came up. It said something about verifying the driver, and doing a crash dump.

Here is the DDS log from after running MBAM:


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19088
Run by lucy at 14:59:12 on 2012-09-10
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1013.96 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Orange\ICON 225 USB Connect\GtDetectSc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\AVG Secure Search\vprot.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Orange\ICON 225 USB Connect\ICON 225 USB Connect.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\AVG\AVG10\avgscanx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\mcupdate.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\RacAgent.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.1.0.12\AVG Secure Search_toolbar.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.1.0.12\AVG Secure Search_toolbar.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [STManager] "c:\program files\speedtouch\dr speedtouch\drst.exe" -b
uRun: [Google Update] "c:\users\lucy\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{25660409-600C-4692-8B09-4DF7E965D6F6} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{3E51F9B4-38BC-43B9-B765-4B66576CA279} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{934521EA-2FBD-4197-9956-6F10D560DF63} : DhcpNameServer = 149.254.230.7 149.254.199.126
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\11.2.0\ViProtocol.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R? AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service
R? AVG Security Toolbar Service;AVG Security Toolbar Service
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? GT72NDISIPXP;GT 72 IP NDIS
R? GT72UBUS;GT 72 U BUS
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? AVGIDSAgent;AVGIDSAgent
S? AVGIDSDriver;AVGIDSDriver
S? AVGIDSEH;AVGIDSEH
S? AVGIDSFilter;AVGIDSFilter
S? AVGIDSShim;AVGIDSShim
S? Avgldx86;AVG AVI Loader Driver
S? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield
S? Avgrkx86;AVG Anti-Rootkit Driver
S? Avgtdix;AVG TDI Driver
S? avgwd;AVG WatchDog
S? GtDetectSc;GtDetectSc
S? vToolbarUpdater11.2.0;vToolbarUpdater11.2.0
.
=============== Created Last 30 ================
.
2012-09-10 13:48:03 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-10 13:48:03 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-08 13:10:28 -------- d-----w- c:\program files\ESET
2012-09-08 12:52:28 388096 ----a-r- c:\users\lucy\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-09-08 12:52:24 -------- d-----w- c:\program files\Trend Micro
2012-09-07 17:31:02 -------- d-----w- c:\program files\VS Revo Group
2012-09-07 17:12:01 -------- d-----w- c:\users\lucy\appdata\local\AVG Secure Search
2012-09-07 16:30:42 -------- d-----w- c:\users\lucy\appdata\roaming\Malwarebytes
2012-09-07 16:30:24 -------- d-----w- c:\programdata\Malwarebytes
2012-09-07 16:30:22 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-07 16:30:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-07 16:19:47 -------- d-----w- c:\program files\CCleaner
2012-09-05 13:44:32 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2012-09-05 13:44:31 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2012-09-05 13:44:31 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2012-09-05 13:44:31 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2012-09-05 13:44:31 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2012-09-05 13:44:31 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2012-09-05 13:44:31 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
.
==================== Find3M ====================
.
.
============= FINISH: 15:03:55.40 ===============



Here is the RKill log:



Rkill 2.3.10 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/10/2012 03:13:15 PM in x86 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Windows\System32\WLTRYSVC.EXE (PID: 1736) [WD-HEUR]
* C:\Windows\System32\bcmwltry.exe (PID: 1748) [WD-HEUR]
* C:\Windows\System32\WLTRAY.EXE (PID: 3564) [WD-HEUR]

3 proccesses terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Automatic

* gpsvc => %windir%\system32\svchost.exe -k GPSvcGroup [Incorrect ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Program finished at: 09/10/2012 03:13:36 PM
Execution time: 0 hours(s), 0 minute(s), and 21 seconds(s)


Thank you for your reply!



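Gary's Rkill step asks for Rkill.log to be pasted back, and the log in this post shows what a responder actually reads out of it: heuristic process terminations, the DisableAntiSpyware registry value, a service that is installed but not running, and an ImagePath mismatch. Below is an added example, not Rkill's own code and not anything published by BleepingComputer, that parses an excerpt of the log posted above into structured findings and turns them into triage notes. The regular expressions and triage rules are my assumptions about the line formats, derived from the lines visible in this thread rather than from any Rkill specification; the sample input is that excerpt.

```python
"""Parse an Rkill log excerpt into structured findings and triage them.

Added example for this thread. The regexes below are assumptions about
Rkill's line formats, derived from the log posted above, not an official
specification. SAMPLE_LOG is an excerpt of that posted log.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
Rkill 2.3.10 by Lawrence Abrams (Grinler)

Program started at: 09/10/2012 03:13:15 PM in x86 mode.
Windows Version: Windows Vista Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Windows\System32\WLTRYSVC.EXE (PID: 1736) [WD-HEUR]
* C:\Windows\System32\bcmwltry.exe (PID: 1748) [WD-HEUR]
* C:\Windows\System32\WLTRAY.EXE (PID: 3564) [WD-HEUR]

3 proccesses terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Automatic

* gpsvc => %windir%\system32\svchost.exe -k GPSvcGroup [Incorrect ImagePath]
"""

# Section headers are capitalised lines ending in a colon; findings start with "*".
SECTION_RE = re.compile(r"^[A-Z][^*].*:$")
PROCESS_RE = re.compile(r"^\*\s+(?P<path>.+?)\s+\(PID:\s*(?P<pid>\d+)\)\s*(?:\[(?P<tag>[^\]]+)\])?\s*$")
REG_KEY_RE = re.compile(r"^\[(?P<key>HK[A-Z_]+\\.+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<type>\w+):(?P<data>\S+)$')
NOT_RUNNING_RE = re.compile(r"^\*\s+(?P<name>.+?)\s+\((?P<svc>\w+)\)\s+is not Running\.$")
SERVICE_RE = re.compile(r"^\*\s+(?P<svc>\w+)\s+=>\s+(?P<image>.+?)\s+\[(?P<issue>[^\]]+)\]$")

DEFENDER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender"


@dataclass
class RkillFindings:
    terminated: list = field(default_factory=list)     # (path, pid, tag)
    registry: dict = field(default_factory=dict)       # key -> {value name: (type, data)}
    misc: list = field(default_factory=list)           # lines from "miscellaneous checks"
    not_running: list = field(default_factory=list)    # service short names
    bad_imagepath: list = field(default_factory=list)  # (service, image path)


def parse_rkill_log(text: str) -> RkillFindings:
    """Walk the log line by line, tracking the current section and registry key."""
    f = RkillFindings()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            section, current_key = line, None
            continue
        m = REG_KEY_RE.match(line)
        if m:  # registry dump lines follow a finding regardless of section
            current_key = m.group("key")
            f.registry.setdefault(current_key, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current_key:
            f.registry[current_key][m.group("name")] = (m.group("type"), m.group("data"))
            continue
        if section is None or not line.startswith("*"):
            continue  # summary lines such as "3 proccesses terminated!"
        if section.startswith("Checking for processes"):
            m = PROCESS_RE.match(line)
            if m:
                f.terminated.append((m.group("path"), int(m.group("pid")), m.group("tag") or ""))
        elif section.startswith("Performing miscellaneous"):
            f.misc.append(line.lstrip("* ").strip())
        elif section.startswith("Checking Windows Service Integrity"):
            m = NOT_RUNNING_RE.match(line)
            if m:
                f.not_running.append(m.group("svc"))
                continue
            m = SERVICE_RE.match(line)
            if m and m.group("issue") == "Incorrect ImagePath":
                f.bad_imagepath.append((m.group("svc"), m.group("image")))
    return f


def triage(f: RkillFindings) -> list:
    """Turn findings into responder notes; heuristic kills are flagged for confirmation, not as infections."""
    alerts = []
    value = f.registry.get(DEFENDER_KEY, {}).get("DisableAntiSpyware")
    if value and value[0] == "dword" and int(value[1], 16) == 1:
        alerts.append("Windows Defender disabled by policy value DisableAntiSpyware=1")
    for svc in f.not_running:
        alerts.append(f"Service {svc} is installed but not running")
    for svc, image in f.bad_imagepath:
        alerts.append(f"Service {svc} has an unexpected ImagePath: {image}")
    heuristic = [path for path, _, tag in f.terminated if tag.endswith("HEUR")]
    if heuristic:
        alerts.append(f"{len(heuristic)} process(es) killed on heuristics only; "
                      "confirm against the DDS process list before treating them as malicious")
    return alerts


if __name__ == "__main__":
    for note in triage(parse_rkill_log(SAMPLE_LOG)):
        print("-", note)
```

The reason the heuristic terminations get a "confirm" note rather than an infection verdict is visible in this thread's own DDS log, where `WLTRAY.exe` is listed under `mRun` as "Broadcom Wireless Manager UI": a [WD-HEUR] tag means Rkill killed the process on a behavioural heuristic, and on a Dell laptop those three binaries are far more likely to be the wireless utility than malware. The registry finding is the substantive one, since a security product being switched off by policy is the kind of change a responder wants to explain before moving on.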

#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,026 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:09:05 PM

Posted 10 September 2012 - 02:51 PM

Greetings lucyc123,

Thank you for posting the fresh information. It appears ESET Online Scanner was also run on September 8th.

Please complete the following for me, if you would, so I can review what has already been deleted and also try to take a peek at what is causing your Blue Screen.


===================================================


ESET Online Scanner Log

--------------------

  • Please navigate to the below listed file location

    C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Double click log.txt and a Notepad document will open
  • Copy and paste that information into your reply

===================================================


Posting Previous Malwarebytes Log

--------------------

  • Launch Malwarebytes
  • Select the Logs tab
  • Highlight the last scan entry, select Open, and a Notepad document will open on your desktop
  • Copy and paste the contents of the document in your reply

===================================================


BlueScreenView

----------

  • Download BlueScreenView and save it to your desktop
  • Double click the BlueScreenView.exe file then click OK
  • Select Run, Next, then Next again
  • Click Install
  • When the scanning is complete, select Edit and Select All
  • Then click File and Save Selected Items
  • Save the report as BSOD.txt
  • Open BSOD.txt in Notepad, copy the entire content and paste it into your next reply
More information about the program can be found here


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • ESET log
  • Malwarebytes log
  • BSOD.txt

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 lucyc123

lucyc123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 10 September 2012 - 04:00 PM

Hi Gary, thanks for getting back to me.

Here is the ESET log:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=1ec750406c6c95429381b1694328c915
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-09-08 03:09:52
# local_time=2012-09-08 04:09:52 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 1301 1301 0 0
# compatibility_mode=1032 16777213 100 95 0 90274189 0 0
# compatibility_mode=5892 16776573 100 100 57469206 184642773 0 0
# compatibility_mode=8192 67108863 100 0 217 217 0 0
# scanned=130745
# found=0
# cleaned=0
# scan_time=6947




Here is the MBAM log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.07.10

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
lucy :: LUCY-PC [administrator]

07/09/2012 17:32:15
mbam-log-2012-09-07 (17-32-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 193186
Time elapsed: 18 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 10
C:\ProgramData\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Users\lucy\AppData\Roaming\HBLite (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\ProgramData\HBLiteSA (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\ProgramData\ResultBar (Adware.ResultBar) -> Quarantined and deleted successfully.
C:\Program Files\HBLite (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\HBLite\bin (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\HBLite\bin\11.0.327.0 (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\HBLite\bin\11.0.327.0\firefox (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\HBLite\bin\11.0.327.0\firefox\extensions (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\ResultBar (Adware.ResultBar) -> Quarantined and deleted successfully.

Files Detected: 7
C:\Users\lucy\Downloads\virus.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\ProgramData\HBLiteSA\HBLiteSA.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\ProgramData\HBLiteSA\HBLiteSAAbout.mht (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\ProgramData\HBLiteSA\HBLiteSAau.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\ProgramData\HBLiteSA\HBLiteSAEULA.mht (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\ProgramData\HBLiteSA\HBLiteSA_kyf.dat (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\HBLite\bin\11.0.327.0\firefox\extensions\install.rdf (Adware.Hotbar) -> Quarantined and deleted successfully.

(end)




And here is BSOD.txt:


==================================================
Dump File : Mini091012-02.dmp
Crash Time : 10/09/2012 17:11:46
Bug Check String : KERNEL_DATA_INPAGE_ERROR
Bug Check Code : 0x0000007a
Parameter 1 : 0xc046b010
Parameter 2 : 0xc0000185
Parameter 3 : 0x327f0820
Parameter 4 : 0x8d602b68
Caused By Driver : ntkrnlpa.exe
Caused By Address : ntkrnlpa.exe+89a0c
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.0.6001.18538 (vistasp1_gdr.101014-0432)
Processor : 32-bit
Crash Address : ntkrnlpa.exe+89a0c
Stack Address 1 : ntkrnlpa.exe+84d4e
Stack Address 2 : ntkrnlpa.exe+a60c3
Stack Address 3 : ntkrnlpa.exe+5ab84
Computer Name :
Full Path : C:\Windows\Minidump\Mini091012-02.dmp
Processors Count : 2
Major Version : 15
Minor Version : 6001
Dump File Size : 145,408
==================================================

==================================================
Dump File : Mini091012-01.dmp
Crash Time : 10/09/2012 16:23:35
Bug Check String : DRIVER_CORRUPTED_EXPOOL
Bug Check Code : 0x000000c5
Parameter 1 : 0x01b073b0
Parameter 2 : 0x00000002
Parameter 3 : 0x00000000
Parameter 4 : 0x81f0915e
Caused By Driver : ntkrnlpa.exe
Caused By Address : ntkrnlpa.exe+5ad54
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.0.6001.18538 (vistasp1_gdr.101014-0432)
Processor : 32-bit
Crash Address : ntkrnlpa.exe+5ad54
Stack Address 1 : ntkrnlpa.exe+ed15e
Stack Address 2 : ntkrnlpa.exe+ee6e0
Stack Address 3 : AVGIDSDriver.Sys+947c
Computer Name :
Full Path : C:\Windows\Minidump\Mini091012-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 6001
Dump File Size : 139,232
==================================================

==================================================
Dump File : Mini090512-03.dmp
Crash Time : 05/09/2012 16:53:17
Bug Check String : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code : 0x00000050
Parameter 1 : 0x922a6008
Parameter 2 : 0x00000000
Parameter 3 : 0xa8a693cb
Parameter 4 : 0x00000000
Caused By Driver : ntkrnlpa.exe
Caused By Address : ntkrnlpa.exe+a5125
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.0.6001.18538 (vistasp1_gdr.101014-0432)
Processor : 32-bit
Crash Address : ntkrnlpa.exe+a5125
Stack Address 1 : ntkrnlpa.exe+5ab84
Stack Address 2 : pxldapob.sys+43cb
Stack Address 3 : pxldapob.sys+2096
Computer Name :
Full Path : C:\Windows\Minidump\Mini090512-03.dmp
Processors Count : 2
Major Version : 15
Minor Version : 6001
Dump File Size : 139,232
==================================================

==================================================
Dump File : Mini090512-02.dmp
Crash Time : 05/09/2012 16:40:38
Bug Check String : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code : 0x00000050
Parameter 1 : 0xc1800008
Parameter 2 : 0x00000000
Parameter 3 : 0xa948c3cb
Parameter 4 : 0x00000002
Caused By Driver : ntkrnlpa.exe
Caused By Address : ntkrnlpa.exe+a5125
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.0.6001.18538 (vistasp1_gdr.101014-0432)
Processor : 32-bit
Crash Address : ntkrnlpa.exe+a5125
Stack Address 1 : ntkrnlpa.exe+5ab84
Stack Address 2 : pxldapob.sys+43cb
Stack Address 3 : pxldapob.sys+2096
Computer Name :
Full Path : C:\Windows\Minidump\Mini090512-02.dmp
Processors Count : 2
Major Version : 15
Minor Version : 6001
Dump File Size : 139,232
==================================================

==================================================
Dump File : Mini090512-01.dmp
Crash Time : 05/09/2012 14:17:40
Bug Check String : DRIVER_CORRUPTED_EXPOOL
Bug Check Code : 0x000000c5
Parameter 1 : 0x00000000
Parameter 2 : 0x00000002
Parameter 3 : 0x00000001
Parameter 4 : 0x81f231c3
Caused By Driver : ntkrnlpa.exe
Caused By Address : ntkrnlpa.exe+5ad54
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 6.0.6001.18538 (vistasp1_gdr.101014-0432)
Processor : 32-bit
Crash Address : ntkrnlpa.exe+5ad54
Stack Address 1 : ntkrnlpa.exe+ed1c3
Stack Address 2 : ntkrnlpa.exe+ee6e0
Stack Address 3 : ntkrnlpa.exe+ed3ae
Computer Name :
Full Path : C:\Windows\Minidump\Mini090512-01.dmp
Processors Count : 2
Major Version : 15
Minor Version : 6001
Dump File Size : 139,232
==================================================



Thank you
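As an added example (not part of the thread, and not a BlueScreenView feature), the script below parses the report format just posted: each "====" delimited record becomes a dictionary, and for every crash it lists the bug check plus any module on the recorded stack other than the kernel image itself. In the report above those modules are AVGIDSDriver.Sys (AVG's IDS driver) and pxldapob.sys (the temp-folder driver the GMER log later in the thread names), which is the kind of correlation a reviewer makes before blaming the kernel. The sample input is a constructed abridgement of two of the records above.

```python
"""Triage helper for a BlueScreenView "Save Selected Items" report (BSOD.txt).

Added example, not code from the thread or from BlueScreenView. It parses the
key/value records the report contains (one per '=====' delimited block) and
reports, per crash, the bug check and every module on the recorded stack that
is not the Windows kernel image. Sample input is a constructed abridgement of
two records from the report posted above.
"""
import re
from collections import defaultdict

# Constructed sample: two abridged records in the same layout as BSOD.txt above.
SAMPLE_REPORT = """\
==================================================
Dump File : Mini091012-01.dmp
Crash Time : 10/09/2012 16:23:35
Bug Check String : DRIVER_CORRUPTED_EXPOOL
Bug Check Code : 0x000000c5
Caused By Driver : ntkrnlpa.exe
Crash Address : ntkrnlpa.exe+5ad54
Stack Address 1 : ntkrnlpa.exe+ed15e
Stack Address 2 : ntkrnlpa.exe+ee6e0
Stack Address 3 : AVGIDSDriver.Sys+947c
==================================================

==================================================
Dump File : Mini090512-03.dmp
Crash Time : 05/09/2012 16:53:17
Bug Check String : PAGE_FAULT_IN_NONPAGED_AREA
Bug Check Code : 0x00000050
Caused By Driver : ntkrnlpa.exe
Crash Address : ntkrnlpa.exe+a5125
Stack Address 1 : ntkrnlpa.exe+5ab84
Stack Address 2 : pxldapob.sys+43cb
Stack Address 3 : pxldapob.sys+2096
==================================================
"""

# Kernel images that BlueScreenView routinely names as "Caused By Driver";
# a frame in one of these says little on its own.
KERNEL_IMAGES = {"ntkrnlpa.exe", "ntoskrnl.exe", "ntkrnlmp.exe", "ntkrpamp.exe", "hal.dll"}
FIELD_RE = re.compile(r"^([A-Za-z0-9 ]+?)\s*:\s*(.*)$")   # "Key : value"
MODULE_RE = re.compile(r"^([^+]+)\+[0-9A-Fa-f]+$")         # "module.sys+offset"


def parse_report(text):
    """Return a list of dicts, one per '====' delimited record, keyed by field name."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("====="):
            if current:                 # closing delimiter of a record
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def stack_modules(record):
    """Modules named by Crash Address and Stack Address N, in order, without repeats."""
    keys = ["Crash Address"] + sorted(k for k in record if k.startswith("Stack Address"))
    modules = []
    for key in keys:
        m = MODULE_RE.match(record.get(key, ""))
        if m and m.group(1) not in modules:
            modules.append(m.group(1))
    return modules


def third_party_on_stack(record):
    """Stack modules that are not the kernel image itself."""
    return [m for m in stack_modules(record) if m.lower() not in KERNEL_IMAGES]


def triage(text):
    """Map dump file name -> (bug check string, bug check code, third-party modules)."""
    result = {}
    for rec in parse_report(text):
        result[rec["Dump File"]] = (
            rec.get("Bug Check String", "?"),
            int(rec.get("Bug Check Code", "0"), 16),
            third_party_on_stack(rec),
        )
    return result


def modules_by_frequency(text):
    """How often each non-kernel module shows up across all crashes in the report."""
    counts = defaultdict(int)
    for rec in parse_report(text):
        for mod in third_party_on_stack(rec):
            counts[mod] += 1
    return dict(counts)


if __name__ == "__main__":
    for dump, (name, code, mods) in triage(SAMPLE_REPORT).items():
        print(f"{dump}: {name} (0x{code:08x}) non-kernel modules on stack: {mods or 'none'}")
```

Run against the full BSOD.txt, the frequency table is the quick way to see whether one driver keeps recurring across otherwise different bug checks.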

#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,026 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:09:05 PM

Posted 10 September 2012 - 07:57 PM

Greetings lucyc123,

Thanks for getting back to me.

:)

I would like you to temporarily disable AVG 2011. Please see this link for instructions on how to do it.

Once that is completed I would like you to right click on the GMER icon on your desktop and select Delete. Download GMER again and attempt to run both that and TDSSKiller.

Please let me know what happens.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 lucyc123

lucyc123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 11 September 2012 - 08:03 AM

Hello, TDSSKiller ran fine and found no threats. GMER ran and completed this time, here is the log:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-11 14:01:25
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 TOSHIBA_MK1652GSX rev.LV011D
Running: iexplore.exe.exe; Driver: C:\Users\lucy\AppData\Local\Temp\pxldapob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA62E37A0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA62E3848]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA62E38E4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA62E3980]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 624 81ED4C48 4 Bytes [A0, 37, 2E, A6]
.text ntkrnlpa.exe!KeSetTimerEx + 854 81ED4E78 8 Bytes [48, 38, 2E, A6, E4, 38, 2E, ...] {DEC EAX; CMP [ESI], CH; CMPSB ; IN AL, 0x38; CMPS BYTE CS:[ESI]}
.text ntkrnlpa.exe!KeSetTimerEx + 8B4 81ED4ED8 4 Bytes [80, 39, 2E, A6] {CMP BYTE [ECX], 0x2e; CMPSB }

---- User code sections - GMER 1.0.15 ----

.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtCreateFile + 6 779C7C7E 4 Bytes [28, 00, 25, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtCreateFile + B 779C7C83 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtMapViewOfSection + 6 779C83CE 1 Byte [28]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtMapViewOfSection + 6 779C83CE 4 Bytes [28, 03, 25, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtMapViewOfSection + B 779C83D3 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtOpenFile + 6 779C845E 4 Bytes [68, 00, 25, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtOpenFile + B 779C8463 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtOpenProcess + 6 779C84DE 4 Bytes [A8, 01, 25, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtOpenProcess + B 779C84E3 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtOpenProcessToken + B 779C84F3 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtOpenProcessTokenEx + 6 779C84FE 4 Bytes [A8, 02, 25, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtOpenProcessTokenEx + B 779C8503 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtOpenThread + 6 779C854E 4 Bytes [68, 01, 25, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtOpenThread + B 779C8553 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtOpenThreadToken + 6 779C855E 4 Bytes [68, 02, 25, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtOpenThreadToken + B 779C8563 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtOpenThreadTokenEx + B 779C8573 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtQueryAttributesFile + 6 779C85FE 4 Bytes [A8, 00, 25, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtQueryAttributesFile + B 779C8603 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtQueryFullAttributesFile + B 779C86B3 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtSetInformationFile + 6 779C8B8E 4 Bytes [28, 01, 25, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtSetInformationFile + B 779C8B93 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtSetInformationThread + 6 779C8BDE 4 Bytes [28, 02, 25, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtSetInformationThread + B 779C8BE3 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtUnmapViewOfSection + 6 779C8E7E 1 Byte [68]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtUnmapViewOfSection + 6 779C8E7E 4 Bytes [68, 03, 25, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2468] ntdll.dll!NtUnmapViewOfSection + B 779C8E83 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtCreateFile + 6 779C7C7E 4 Bytes [28, 00, 0D, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtCreateFile + B 779C7C83 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtMapViewOfSection + 6 779C83CE 1 Byte [28]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtMapViewOfSection + 6 779C83CE 4 Bytes [28, 03, 0D, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtMapViewOfSection + B 779C83D3 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenFile + 6 779C845E 4 Bytes [68, 00, 0D, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenFile + B 779C8463 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenProcess + 6 779C84DE 4 Bytes [A8, 01, 0D, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenProcess + B 779C84E3 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenProcessToken + B 779C84F3 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenProcessTokenEx + 6 779C84FE 4 Bytes [A8, 02, 0D, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenProcessTokenEx + B 779C8503 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenThread + 6 779C854E 4 Bytes [68, 01, 0D, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenThread + B 779C8553 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenThreadToken + 6 779C855E 4 Bytes [68, 02, 0D, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenThreadToken + B 779C8563 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtOpenThreadTokenEx + B 779C8573 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtQueryAttributesFile + 6 779C85FE 4 Bytes [A8, 00, 0D, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtQueryAttributesFile + B 779C8603 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtQueryFullAttributesFile + B 779C86B3 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtSetInformationFile + 6 779C8B8E 4 Bytes [28, 01, 0D, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtSetInformationFile + B 779C8B93 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtSetInformationThread + 6 779C8BDE 4 Bytes [28, 02, 0D, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtSetInformationThread + B 779C8BE3 1 Byte [E2]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtUnmapViewOfSection + 6 779C8E7E 1 Byte [68]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtUnmapViewOfSection + 6 779C8E7E 4 Bytes [68, 03, 0D, 00]
.text C:\Users\lucy\AppData\Local\Google\Chrome\Application\chrome.exe[2740] ntdll.dll!NtUnmapViewOfSection + B 779C8E83 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???C?E??MsPorts.Dll,PortsClassInstaller??????"???F???l?????????????????SE|??MSAFD NetBIOS [\Device\NetBT_Tcpip6_{E9AF8A75-2786-4BE3-A4ED-544B78E42B3D}] DATAGRAM 4??????MSAFD NetBIOS [\Device\NetBT_Tcpip6_{934521EA-2FBD-4197-9956-6F10D560DF63}] SEQPACKET 2?????? ???C???c??????????usbport.inf?xt???????G???P?????????????Emb???????G???e???????????????0???C???????C???5???h???E?E?_?_?_??{4DB1AD10-3391-11D2-9A33-00C04FA36145}???????f?f?g???????G???????????????????????????G?????????????????????????C?&???1?1?1?1?1?1?1?1?1?1?1?1?1?1?-???$???D???????????????????????????&???G??? ??????????????????? ???????C?C???>?C?C8????????F??????????????????6368 6374 6386 6396 6406 6426 6470 6480 6518 6524 6540 6548??????????G???2??????????????e????????G???,???????????e???????)???????????e??usbport.inf?PI??? ???????C???????????B?%????????N????????????????G???t???????????P????x??C???K???????????"???G???F?????????????????126???????G???i???????????????3??? ???????1???????????B?%????????N????????????C???????C???7???h??{8ECC055D-047F-11D1

---- EOF - GMER 1.0.15 ----






Thank you
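As an added example (not part of the thread, and not GMER's own code), the script below cross-checks the GMER log just posted: the byte lists GMER prints under "Kernel code sections" are decoded as little-endian pointers and looked up against the hook addresses in the "System" section. Every patched dword in this log resolves to one of the AVGIDSShim.Sys SSDT hooks, which is why both sections can be attributed to AVG rather than to an unknown rootkit; a patched pointer that resolves to nothing is the one that deserves a closer look. It also handles the "..." elision GMER uses on the 8-byte entry by matching on the bytes that are present. The sample log is a constructed excerpt of the log above.

```python
"""Cross-check a GMER log: do the bytes GMER reports as patched in the kernel
image decode to the same addresses it lists as SSDT hook targets?

Added example, not code from the thread or from GMER. GMER prints SSDT hook
targets as "[0xADDR]" and patched kernel bytes as a little-endian byte list,
so each 4-byte group of a patch can be decoded and looked up in the hook table.
The sample below is a constructed excerpt of the first GMER log in the thread.
"""
import re

SAMPLE_LOG = r"""---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA62E37A0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA62E3848]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA62E38E4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA62E3980]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 624 81ED4C48 4 Bytes [A0, 37, 2E, A6]
.text ntkrnlpa.exe!KeSetTimerEx + 854 81ED4E78 8 Bytes [48, 38, 2E, A6, E4, 38, 2E, ...] {DEC EAX; CMP [ESI], CH; CMPSB ; IN AL, 0x38; CMPS BYTE CS:[ESI]}
.text ntkrnlpa.exe!KeSetTimerEx + 8B4 81ED4ED8 4 Bytes [80, 39, 2E, A6] {CMP BYTE [ECX], 0x2e; CMPSB }
"""

# "SSDT <driver> (<description/vendor>) <ZwFunction> [0x<addr>]"
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+\((.*?)\)\s+(\w+)\s+\[0x([0-9A-Fa-f]+)\]")
# ".text <image>!<symbol> + <off> <addr> <n> Bytes [<hex, hex, ...>]"
PATCH_RE = re.compile(
    r"^\.text\s+(\S+!\w+)\s+\+\s+([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)\s+\d+\s+Bytes\s+\[([^\]]*)\]")


def parse_ssdt_hooks(text):
    """Map hook target address -> (Zw function, hooking driver path, vendor string)."""
    hooks = {}
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            driver, desc, func, addr = m.groups()
            hooks[int(addr, 16)] = (func, driver, desc.strip())
    return hooks


def parse_patches(text):
    """Return (symbol, offset, address, bytes) per patch line; elided bytes become None."""
    patches = []
    for line in text.splitlines():
        m = PATCH_RE.match(line)
        if m:
            symbol, off, addr, raw = m.groups()
            tokens = [t.strip() for t in raw.split(",")]
            data = [int(t, 16) if re.fullmatch(r"[0-9A-Fa-f]{2}", t) else None for t in tokens]
            patches.append((symbol, int(off, 16), int(addr, 16), data))
    return patches


def decode_dwords(data):
    """Split a byte list into little-endian 32-bit words as (value, bytes_known).
    A trailing group cut short by GMER's '...' keeps only the bytes present."""
    words = []
    for i in range(0, len(data), 4):
        chunk = [b for b in data[i:i + 4] if b is not None]
        if chunk:
            words.append((sum(b << (8 * k) for k, b in enumerate(chunk)), len(chunk)))
    return words


def correlate(text):
    """For every patched dword: (symbol+offset, value, matched Zw function or None, exact?)."""
    hooks = parse_ssdt_hooks(text)
    results = []
    for symbol, off, _addr, data in parse_patches(text):
        for value, nbytes in decode_dwords(data):
            exact = nbytes == 4
            if exact:
                match = hooks.get(value)
            else:  # partial pointer: accept a unique hook whose low bytes agree
                mask = (1 << (8 * nbytes)) - 1
                cands = [h for a, h in hooks.items() if a & mask == value]
                match = cands[0] if len(cands) == 1 else None
            results.append((f"{symbol}+{off:X}", value, match[0] if match else None, exact))
    return results


def unexplained_patches(text):
    """Patched dwords that point at no listed SSDT hook: the ones worth investigating."""
    return [r for r in correlate(text) if r[2] is None]


if __name__ == "__main__":
    for where, value, func, exact in correlate(SAMPLE_LOG):
        kind = "exact" if exact else "partial"
        print(f"{where}: 0x{value:08X} -> {func or 'UNEXPLAINED'} ({kind})")
```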

#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,026 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:09:05 PM

Posted 11 September 2012 - 09:30 AM

Greetings lucyc123,

There are a couple of things I would like you to do for me.


===================================================


Running a Registry Batch (.bat) File

--------------------

  • Go to Start > Run (or if no "Run", enter in search bar) and type in Notepad
  • Copy/paste the following text inside the code box into a new notepad document. Make sure that under Format menu Word Wrap is unchecked.

    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations >C:\PENDING.TXT
    del %0
    
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input Pending.bat.
  • Click Save.

    When done properly, the icon should look like this (or something similar) on your desktop.
  • Close the Notepad.
  • Locate and double-click Pending.bat on the desktop.
  • Notepad will open with some text in it. Copy and paste the contents in your next reply.

===================================================


Temporary File Cleaner (TFC)

--------------------

  • Download TFC by OldTimer to your desktop.
  • Close any open windows
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run
  • Click the Start button to begin the process
  • Allow TFC to run uninterrupted
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean
NOTE: It's normal for the computer to boot more slowly the first time after running TFC

TFC will clear out all temporary folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. TFC only cleans temporary folders and will not clean URL history, prefetch, or cookies.



===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Pending.txt
  • TFC results
  • How is your computer running? Any difference?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#9 lucyc123

lucyc123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 11 September 2012 - 10:18 AM

The pending.bat file opens and the command box came up and said that access was denied, and no notepad document came up. I tried three or four times and nothing was coming up.

After running TFC, it said 118MB of space was cleared and the computer does seem to be running faster

Thank you

#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,026 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:09:05 PM

Posted 11 September 2012 - 11:45 AM

Greetings lucyc123,

Is your computer running at the speed you had before?

I would like you to reboot your computer and run GMER again. Please post the results.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 lucyc123

lucyc123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 12 September 2012 - 08:09 AM

I think it's running marginally faster; the slowest part is the start up time and when trying to access 'my documents'.

Here is the new GMER log:



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-12 00:21:26
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 TOSHIBA_MK1652GSX rev.LV011D
Running: iexplore.exe.exe; Driver: C:\Users\lucy\AppData\Local\Temp\pxldapob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA5FDB7A0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA5FDB848]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA5FDB8E4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA5FDB980]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 81EF8B74 4 Bytes [A0, B7, FD, A5]
.text ntkrnlpa.exe!KeSetEvent + 621 81EF8DA4 8 Bytes [48, B8, FD, A5, E4, B8, FD, ...] {DEC EAX; MOV EAX, 0xb8e4a5fd; STD ; MOVSD }
.text ntkrnlpa.exe!KeSetEvent + 681 81EF8E04 4 Bytes [80, B9, FD, A5]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- EOF - GMER 1.0.15 ----



Thank you!

#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,026 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:09:05 PM

Posted 12 September 2012 - 08:15 AM

Greetings lucyc123,

Thank you for running GMER again. This one looks better.

Your slow startup may be due to programs that are loaded upon startup that don't really need to be. I would like to take a look at that information. Please do this.


===================================================


Autoruns

--------------------

  • Please download AutoRuns and save it to your desktop
  • Double click the AutoRuns.zip folder
  • Double click autoruns.exe (not autorunsc.exe), select Run, then Run again and allow the information to populate
  • Select File, Save, Desktop (in the left hand pane), then Save
  • Please attach the AutoRuns.arn file to your next reply.

===================================================


Things I would like to see in your next reply. :thumbsup2:

  • Attached AutoRuns.arn file

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#13 lucyc123

lucyc123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 12 September 2012 - 10:05 AM

I cannot open the Autoruns file, it keeps trying to open with Windows Media Center, and when I right click and select 'Open with...' I can't find a program that I can open the folder with?!

Thank you

#14 lucyc123

lucyc123
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:04:05 AM

Posted 12 September 2012 - 10:17 AM

Sorry I've opened it now, I'll carry on with Autoruns.

#15 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,026 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:09:05 PM

Posted 12 September 2012 - 10:18 AM

Download the 7-Zip .exe for 32 bit from here http://www.7-zip.org/download.html, install and try again. Sorry, sending from phone.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
