Got (1st) Blue Screen of Death While Typing in Reblog on Tumblr in Google Chrome


29 replies to this topic

#1 nondenomifan

  • Members
  • 79 posts
  • Gender:Female
  • Location:Usually my recliner when online

Posted 06 March 2013 - 11:24 PM

I let my laptop rest for 15 minutes, then turned it back on and immediately ran SUPERAntiSpyware, Malwarebytes, Comodo antivirus, Chkdsk, and (don't kill me because I've never worked with your forum before) ComboFix.

SUPERAntiSpyware found 9 tracking cookies from YouTube, and I had downloaded exactly 9 videos using Freemake Video Converter. I was using the Google Chrome browser, which has become my browser of choice since I started using Tumblr and needing desperately to blacklist things with Tumblr Savior.

Anyway, none of the other programs found anything except for ComboFix; it came up with this: "detected NTDLL code modification: ZwClose." I have never seen (to my untrained knowledge) ComboFix find anything before. I should also add that the folks over at MajorGeeks have told me all but once, "Your logs are clean."

My laptop has been sluggish in Google Chrome and Firefox for some time, even though I removed all the nonsense extensions/add-ons. I always just chalked it up to the fact that my laptop has too little memory for today's browsers and web pages. Maybe it's because I've had a big nasty on my computer?

Let me know if you want to see the full ComboFix log, too. Sorry I did that, but I always run that when I think I've got something really bad in the hopes that it will fix the problem. It always takes really long to start the stages on this laptop, though, too, and I find that rather odd...

Anyway, thanks for any and all assistance! Hope I gave you all the info you need! I'm attaching the DDS log.

Log posted by Oh My!

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.15.2
Run by Carol at 23:00:50 on 2013-03-06
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.126 [GMT -5:00]
.
AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Carol\Application Data\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {656EC4B7-072B-4698-B504-2A414C1F0037} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\documents and settings\carol\application data\lastpass\LPToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\documents and settings\carol\application data\lastpass\LPToolbar.dll
uRun: [Spotify Web Helper] "c:\documents and settings\carol\application data\spotify\data\SpotifyWebHelper.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [COMODO Internet Security] c:\program files\comodo\comodo internet security\cistray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: NoLogoff = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: HideFastUserSwitching = dword:1
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: LastPass - c:\documents and settings\carol\local settings\application data\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - c:\documents and settings\carol\local settings\application data\lastpass\context.html?cmd=fillforms
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\documents and settings\carol\application data\lastpass\LPToolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1342932546406
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1351108157812
DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{1BCC8B7C-C1D9-40C5-959E-AFFAD4EA1CF1} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{1BCC8B7C-C1D9-40C5-959E-AFFAD4EA1CF1} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{8C1A377C-D9D4-4ECF-B4A1-3B98355CFF53} : NameServer = 8.26.56.26,156.154.70.22
Notify: igfxcui - igfxdev.dll
SEH: Microsoft AntiMalware ShellExecuteHook - {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\program files\windows defender\MpShHook.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\carol\application data\mozilla\firefox\profiles\ljeo3wy9.default\
FF - prefs.js: browser.search.selectedEngine - hxxp://www.google.com/search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\documents and settings\carol\local settings\application data\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\carol\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1166636.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1167637.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_146.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-01-17 20:43; {f13b157f-b174-47e7-a34d-4815ddfdfeb8}; c:\documents and settings\carol\application data\mozilla\firefox\profiles\ljeo3wy9.default\extensions\{f13b157f-b174-47e7-a34d-4815ddfdfeb8}.xpi
FF - ExtSQL: 2013-02-15 13:02; fmconverter@gmail.com; c:\program files\freemake\freemake video converter\browserplugin\Firefox
.
============= SERVICES / DRIVERS ===============
.
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2013-1-16 18536]
R1 cmdGuard;COMODO Internet Security Driver;c:\windows\system32\drivers\cmdGuard.sys [2013-1-16 586728]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2013-1-16 32824]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-8-11 116608]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2013-1-24 2319504]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2011-2-11 35088]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 cmdvirth;COMODO Virtual Service Manager;c:\program files\comodo\comodo internet security\cmdvirth.exe [2013-1-24 127184]
S3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\drivers\PTUMWBus.sys [2010-12-26 54544]
S3 PTUMWCSP;PANTECH USB Modem V2 Connection Port;c:\windows\system32\drivers\PTUMWCSP.sys [2010-12-26 160400]
S3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\drivers\PTUMWFLT.sys [2010-12-26 12048]
S3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\drivers\PTUMWMdm.sys [2010-12-26 160400]
S3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\drivers\PTUMWNET.sys [2010-12-26 115216]
S3 PTUMWNSP;PANTECH USB Modem V2 NMEA Port;c:\windows\system32\drivers\PTUMWNSP.sys [2010-12-26 160400]
S3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\drivers\PTUMWVsp.sys [2010-12-26 160400]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
.
=============== Created Last 30 ================
.
2013-03-05 16:12:00 6954968 -c--a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{f94c3802-cb9e-43c4-ae1b-3ee3a5b37ac7}\mpengine.dll
2013-02-24 00:33:11 143872 -c--a-w- c:\windows\system32\javacpl.cpl
2013-02-24 00:32:52 94112 -c--a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-02-23 10:22:52 -------- dc----w- c:\program files\iPod
2013-02-23 10:22:09 -------- dc----w- c:\documents and settings\all users\application data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-02-15 22:04:52 208448 -c--a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2013-02-15 22:04:52 208448 -c--a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2013-02-15 16:26:45 -------- dc----w- C:\MGtools
2013-02-15 16:22:58 1897963 -c--a-w- C:\MGtools.exe
2013-02-15 06:13:02 -------- dc----w- c:\program files\WinPcap
.
==================== Find3M ====================
.
2013-02-24 00:32:20 861088 -c--a-w- c:\windows\system32\npDeployJava1.dll
2013-02-24 00:32:20 782240 -c--a-w- c:\windows\system32\deployJava1.dll
2013-02-09 00:06:34 697712 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2013-02-09 00:06:30 74096 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-26 03:55:44 552448 -c--a-w- c:\windows\system32\oleaut32.dll
2013-01-25 03:43:02 35488 -c--a-w- c:\windows\system32\cmdcsr.dll
2013-01-25 03:43:02 354752 -c--a-w- c:\windows\system32\guard32.dll
2013-01-25 03:42:50 40656 -c--a-w- c:\windows\system32\cmdkbd32.dll
2013-01-25 03:42:50 263888 -c--a-w- c:\windows\system32\cmdvrt32.dll
2013-01-17 06:28:58 232336 -c----w- c:\windows\system32\MpSigStub.exe
2013-01-17 00:51:56 586728 -c--a-w- c:\windows\system32\drivers\cmdGuard.sys
2013-01-17 00:51:56 32824 -c--a-w- c:\windows\system32\drivers\cmdhlp.sys
2013-01-17 00:51:54 18536 -c--a-w- c:\windows\system32\drivers\cmderd.sys
2013-01-07 01:16:02 2193024 -c--a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:36:58 2069760 -c--a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20:00 1867264 -c--a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49:10 148992 -c--a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49:10 1292288 -c--a-w- c:\windows\system32\quartz.dll
2012-12-26 20:16:29 916480 -c--a-w- c:\windows\system32\wininet.dll
2012-12-26 20:16:28 43520 -c--a-w- c:\windows\system32\licmgr10.dll
2012-12-26 20:16:28 1469440 -c----w- c:\windows\system32\inetcpl.cpl
2012-12-24 06:40:59 385024 -c--a-w- c:\windows\system32\html.iec
2012-12-16 12:23:59 290560 -c--a-w- c:\windows\system32\atmfd.dll
2012-12-14 21:49:28 21104 -c--a-w- c:\windows\system32\drivers\mbam.sys
2012-12-13 18:50:38 6112864 -c--a-w- c:\windows\system32\usbaaplrc.dll
2012-12-13 18:50:38 45056 -c--a-w- c:\windows\system32\drivers\usbaapl.sys
.
============= FINISH: 23:03:13.59 ===============


Edited by Oh My, 09 March 2013 - 10:47 AM.

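As an added example (not a tool from this thread or from BleepingComputer), a small Python triage parser for the DDS log above and the ComboFix log posted later in the thread: it turns the service/driver lines and running-process paths into records, collects the exports catchme lists under "detected NTDLL code modification", and flags images loading from user-writable locations. The log it runs on is constructed here in the same line formats; the service named samplesvc is invented so the location heuristic has something to flag.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample (not copied from the thread) in the formats DDS and ComboFix
# emit; the service 'samplesvc' is invented so the location heuristic has a hit.
SAMPLE_LOG = r"""
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Carol\Application Data\Spotify\Data\SpotifyWebHelper.exe
.
============= SERVICES / DRIVERS ===============
.
R1 cmdGuard;COMODO Internet Security Driver;c:\windows\system32\drivers\cmdGuard.sys [2013-1-16 586728]
S3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\drivers\PTUMWBus.sys [2010-12-26 54544]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2/11/2011 4:23 PM 35088]
R2 samplesvc;Constructed Sample Service;c:\documents and settings\carol\local settings\temp\svc.exe [2013-3-5 4096]
.
detected NTDLL code modification:
ZwClose
.
scan completed successfully
hidden files: 0
"""

# Service/driver line, DDS style "[2013-1-16 18536]" or ComboFix style "[1/16/2013 7:51 PM 18536]".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>.+?)\s+(?P<size>\d+)\]$"
)
# Running-process line: drive-rooted path to an .exe, optionally with svchost's "-k group".
PROCESS_RE = re.compile(r"^[a-z]:\\.+\.exe(?:\s+-k\s+\S+)?$", re.IGNORECASE)
# Path fragments that place an image where an ordinary user account can write.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\temp\\")

@dataclass
class Service:
    state: str        # R/S letter plus start-type digit, kept exactly as the log prints it
    name: str
    description: str
    path: str
    date: str
    size: int

@dataclass
class TriageReport:
    processes: List[str] = field(default_factory=list)
    services: List[Service] = field(default_factory=list)
    hooked_functions: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)

def in_user_writable_location(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)

def parse_log(text: str) -> TriageReport:
    report = TriageReport()
    in_hook_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            in_hook_block = False          # a lone '.' ends every section in these logs
            continue
        if line.startswith("detected NTDLL code modification"):
            in_hook_block = True           # the following lines name the modified exports
            continue
        if in_hook_block:
            report.hooked_functions.append(line)
            continue
        m = SERVICE_RE.match(line)
        if m:
            report.services.append(Service(m["state"], m["name"], m["desc"],
                                           m["path"], m["date"], int(m["size"])))
            continue
        if PROCESS_RE.match(line):
            report.processes.append(line)

    # The checks a helper applies when reading these logs by eye.
    for proc in report.processes:
        if in_user_writable_location(proc):
            report.findings.append(f"process runs from user-writable location: {proc}")
    for svc in report.services:
        if svc.state.startswith("R") and in_user_writable_location(svc.path):
            report.findings.append(f"running service {svc.name} loads from user-writable location: {svc.path}")
    for fn in report.hooked_functions:
        report.findings.append(f"user-mode hook on ntdll!{fn}: attribute it to its owning module "
                               "before treating it as malicious (security suites hook here too)")
    return report

if __name__ == "__main__":
    for finding in parse_log(SAMPLE_LOG).findings:
        print(finding)
```

A flagged location is a prompt for a second look, not a verdict: legitimate per-user software (the Spotify helper and LastPass toolbar in the log above) also lives under Application Data.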


#2 Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,800 posts
  • Gender:Male
  • Location:California

Posted 09 March 2013 - 08:59 AM

Greetings nondenomifan and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Start New Topic button but use the Add Reply button instead.
  • In the upper right hand corner of the topic you will see the Watch Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided and I will reply as soon as possible. While I am doing that please complete the following for me. Please copy and paste information in your replies unless instructed otherwise.

===================================================

Obtaining Current ComboFix.txt

--------------------

Please copy and paste the contents of the following file in your reply.

C:\ComboFix.txt

===================================================

BlueScreenView

----------
  • Download BlueScreenView and save it to your desktop
  • Double click the BlueScreenView.exe file then click OK
  • Select Run, Next, then Next again
  • Click Install
  • When the scanning is complete, select Edit and Select All
  • Then click File and Save Selected Items
  • Save the report as BSOD.txt
  • Open BSOD.txt in Notepad, copy the entire content and paste it into your next reply
More information about the program can be found here

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.
  • Combofix log
  • BlueScreenView log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 nondenomifan
  • Topic Starter

  • Members
  • 79 posts
  • Gender:Female
  • Location:Usually my recliner when online

Posted 09 March 2013 - 02:46 PM

Here's the ComboFix log:

ComboFix 13-03-05.01 - Carol 03/06/2013  11:35:28.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.503.171 [GMT -5:00]
Running from: c:\documents and settings\Carol\Desktop\ComboFix.exe
AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-06 to 2013-03-06  )))))))))))))))))))))))))))))))
.
.
2013-03-06 04:26 . 2013-03-06 04:26    --------    dc----w-    c:\documents and settings\Limited\Application Data\Malwarebytes
2013-03-06 04:22 . 2013-03-06 04:22    --------    dc----w-    c:\documents and settings\Limited\Application Data\SUPERAntiSpyware.com
2013-03-05 16:12 . 2013-02-08 00:45    6954968    -c--a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{F94C3802-CB9E-43C4-AE1B-3EE3A5B37AC7}\mpengine.dll
2013-02-24 00:33 . 2013-02-24 00:32    143872    -c--a-w-    c:\windows\system32\javacpl.cpl
2013-02-24 00:32 . 2013-02-24 00:32    94112    -c--a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-02-23 10:22 . 2013-02-23 10:22    --------    dc----w-    c:\program files\iPod
2013-02-23 10:22 . 2013-02-23 10:24    --------    dc----w-    c:\documents and settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-02-15 22:04 . 2013-02-15 22:04    208448    -c--a-w-    c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2013-02-15 16:26 . 2013-02-15 16:37    --------    dc----w-    C:\MGtools
2013-02-15 06:13 . 2013-02-15 06:13    --------    dc----w-    c:\program files\WinPcap
2013-02-06 06:52 . 2013-02-06 06:52    --------    dc----w-    c:\program files\Common Files\Java
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-24 00:32 . 2012-06-14 04:09    861088    -c--a-w-    c:\windows\system32\npDeployJava1.dll
2013-02-24 00:32 . 2012-02-20 18:03    782240    -c--a-w-    c:\windows\system32\deployJava1.dll
2013-02-15 16:37 . 2013-02-15 16:26    402222    -c--a-w-    C:\MGlogs.zip
2013-02-09 00:06 . 2013-01-18 01:53    697712    -c--a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-02-09 00:06 . 2013-01-18 01:53    74096    -c--a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-08 00:45 . 2012-02-26 09:20    6954968    -c--a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-01-26 03:55 . 2004-08-04 12:00    552448    -c--a-w-    c:\windows\system32\oleaut32.dll
2013-01-25 03:43 . 2013-01-25 03:43    35488    -c--a-w-    c:\windows\system32\cmdcsr.dll
2013-01-25 03:43 . 2013-01-25 03:43    354752    -c--a-w-    c:\windows\system32\guard32.dll
2013-01-25 03:42 . 2013-01-25 03:42    40656    -c--a-w-    c:\windows\system32\cmdkbd32.dll
2013-01-25 03:42 . 2013-01-25 03:42    263888    -c--a-w-    c:\windows\system32\cmdvrt32.dll
2013-01-17 06:28 . 2012-02-26 09:19    232336    -c----w-    c:\windows\system32\MpSigStub.exe
2013-01-17 00:51 . 2013-01-17 00:51    98752    -c--a-w-    c:\windows\system32\drivers\inspect.sys
2013-01-17 00:51 . 2013-01-17 00:51    586728    -c--a-w-    c:\windows\system32\drivers\cmdGuard.sys
2013-01-17 00:51 . 2013-01-17 00:51    32824    -c--a-w-    c:\windows\system32\drivers\cmdhlp.sys
2013-01-17 00:51 . 2013-01-17 00:51    18536    -c--a-w-    c:\windows\system32\drivers\cmderd.sys
2013-01-07 01:16 . 2004-08-04 12:00    2193024    -c--a-w-    c:\windows\system32\ntoskrnl.exe
2013-01-07 00:36 . 2004-08-03 22:59    2069760    -c--a-w-    c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2004-08-04 12:00    1867264    -c--a-w-    c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2004-08-04 12:00    148992    -c--a-w-    c:\windows\system32\mpg2splt.ax
2013-01-02 06:49 . 2004-08-04 12:00    1292288    -c--a-w-    c:\windows\system32\quartz.dll
2012-12-26 20:16 . 2004-08-04 12:00    916480    -c--a-w-    c:\windows\system32\wininet.dll
2012-12-26 20:16 . 2004-08-04 12:00    43520    -c--a-w-    c:\windows\system32\licmgr10.dll
2012-12-26 20:16 . 2004-08-04 12:00    1469440    -c----w-    c:\windows\system32\inetcpl.cpl
2012-12-24 06:40 . 2004-08-04 12:00    385024    -c--a-w-    c:\windows\system32\html.iec
2012-12-16 12:23 . 2004-08-04 12:00    290560    -c--a-w-    c:\windows\system32\atmfd.dll
2012-12-14 21:49 . 2012-02-13 20:14    21104    -c--a-w-    c:\windows\system32\drivers\mbam.sys
2012-12-13 18:50 . 2010-06-26 14:21    45056    -c--a-w-    c:\windows\system32\drivers\usbaapl.sys
2012-12-13 18:50 . 2010-06-26 14:21    6112864    -c--a-w-    c:\windows\system32\usbaaplrc.dll
2013-02-06 06:54 . 2013-02-06 06:53    262552    -c--a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"="c:\documents and settings\Carol\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2013-02-10 1199576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-02 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2005-08-24 393216]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-01-25 1430736]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-11 24576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Carol\\Application Data\\Spotify\\spotify.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"135:TCP"= 135:TCP:DCOM(135)
.
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [1/16/2013 7:51 PM 18536]
R1 cmdGuard;COMODO Internet Security Driver;c:\windows\system32\drivers\cmdGuard.sys [1/16/2013 7:51 PM 586728]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [1/16/2013 7:51 PM 32824]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2/11/2011 4:23 PM 35088]
S3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\drivers\PTUMWBus.sys [12/26/2010 3:05 PM 54544]
S3 PTUMWCSP;PANTECH USB Modem V2 Connection Port;c:\windows\system32\drivers\PTUMWCSP.sys [12/26/2010 3:05 PM 160400]
S3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\drivers\PTUMWFLT.sys [12/26/2010 3:05 PM 12048]
S3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\drivers\PTUMWMdm.sys [12/26/2010 3:05 PM 160400]
S3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\drivers\PTUMWNET.sys [12/26/2010 3:05 PM 115216]
S3 PTUMWNSP;PANTECH USB Modem V2 NMEA Port;c:\windows\system32\drivers\PTUMWNSP.sys [12/26/2010 3:05 PM 160400]
S3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\drivers\PTUMWVsp.sys [12/26/2010 3:05 PM 160400]
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2013-03-06 c:\windows\Tasks\Clean System Memory.job
- c:\windows\system32\CleanMem.exe [2012-10-24 23:27]
.
2013-03-06 c:\windows\Tasks\COMODO Cache Builder {0FB77674-7905-4F34-A362-C5A9A26F8CF9}.job
- c:\program files\COMODO\COMODO Internet Security\cfpconfg.exe [2013-01-25 03:42]
.
2013-03-06 c:\windows\Tasks\COMODO Scan {F140D794-60B6-4F00-9235-D6457AA25B22}.job
- c:\program files\COMODO\COMODO Internet Security\cfpconfg.exe [2013-01-25 03:42]
.
2013-03-06 c:\windows\Tasks\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59}.job
- c:\program files\COMODO\COMODO Internet Security\cfpconfg.exe [2013-01-25 03:42]
.
2013-03-06 c:\windows\Tasks\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85}.job
- c:\program files\COMODO\COMODO Internet Security\cfpconfg.exe [2013-01-25 03:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: LastPass - file://c:\documents and settings\Carol\Local Settings\Application Data\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\documents and settings\Carol\Local Settings\Application Data\LastPass\context.html?cmd=fillforms
Trusted Zone: covergirl.com\www
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1BCC8B7C-C1D9-40C5-959E-AFFAD4EA1CF1}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{8C1A377C-D9D4-4ECF-B4A1-3B98355CFF53}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\documents and settings\Carol\Application Data\Mozilla\Firefox\Profiles\ljeo3wy9.default\
FF - prefs.js: browser.search.selectedEngine - hxxp://www.google.com/search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - ExtSQL: 2013-01-17 20:43; {f13b157f-b174-47e7-a34d-4815ddfdfeb8}; c:\documents and settings\Carol\Application Data\Mozilla\Firefox\Profiles\ljeo3wy9.default\extensions\{f13b157f-b174-47e7-a34d-4815ddfdfeb8}.xpi
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-06 11:56
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\System\VritualRoot\MACHINE\Software\CLASSES\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\System\VritualRoot\MACHINE\Software\CLASSES\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\System\VritualRoot\MACHINE\Software\CLASSES\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1120)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'lsass.exe'(1176)
c:\windows\system32\guard32.dll
c:\windows\system32\mswsock.dll
c:\windows\System32\wshtcpip.dll
.
- - - - - - - > 'explorer.exe'(3772)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
.
- - - - - - - > 'csrss.exe'(1092)
c:\windows\system32\cmdcsr.dll
.
Completion time: 2013-03-06  12:06:43
ComboFix-quarantined-files.txt  2013-03-06 17:06
ComboFix2.txt  2013-02-15 09:20
.
Pre-Run: 9,220,939,776 bytes free
Post-Run: 9,221,914,624 bytes free
.
- - End Of File - - 9868EAD2D6646DD71AFA84C546D18059
 

Now, the BlueScreenView is a major disappointment. I can't enclose a log because there's none to enclose (only choice under file was exit program). I'm instead pasting an image of the program's window when it was finished. Crap. I hate sites that only allow image insertions via URL....Photobucket is so damned memory intensive. Well, good ol' Photobucket beta won't let me copy the direct link, so I'm going to have to attach it, sorry.

=====

Sorry if I sound rude; I'm really stressed/scared because I'm going to be having my gallbladder removed in a couple weeks, and I'm on a medication that could make the anesthesia be too much for me (in my opinion). I have medicinally-controlled epilepsy. Oh, I also have Asperger syndrome, so if I do something wrong, it's because I misunderstood what you told me to do. I need really clear language that leaves nothing to interpretation...though I do know that my computer needs to be plugged into the wall and turned on while we're working through these problems. ;-)

As far as my first name, I'm going to give you an alias (Tempe), because I don't associate my real name with my fandom names. I live in an area where the things I say, read, and write in fandom would get me tarred, feathered, and ridden out on a rail. Not to mention I've said some things in the fandom world that I'd never say in real life except to a few trusted family and friends. So, call me Tempe. :)

And, no, I will not do anything else without you saying so. Well, except I went back in my restore to see if there was an entry for the day the BSOD happened, and there wasn't. Figures.

 

Attached Files


nondenomifan

StayCalmBeaFan_zps8e815800.jpg


#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,800 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:12:53 PM

Posted 09 March 2013 - 04:44 PM

Greetings,

I am sorry to hear of all your difficulties. I will do my best to help rid you of the computer problem. And I will be sure to give you precise instructions.

Please do this for me.

===================================================

AdwCleaner by Xplode - Delete Adware

-------------------
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browser
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on Delete
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[S1].txt
===================================================

Junkware Removal Tool by thisisu

-------------------
  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

RogueKiller by Tigzy

--------------------
  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • For Vista/7 users right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • When prompted, Click Scan
  • When the Status box shows Scan Finished click Delete
  • Click Report
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:
  • AdwCleaner log
  • Junkware log
  • RogueKiller log
  • How is your computer running? What are your current symptoms?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 nondenomifan


Posted 10 March 2013 - 02:48 PM

Well, this is not encouraging at all. The only tool that did what it was supposed to do was the first one. My guess is because I had to turn off COMODO Antivirus, Behavior Blocker, and ultimately the entire program to get the last two programs to run. Well, JRT would run, but I had to keep clicking "allow," and I was allowing some things that I thought I probably shouldn't have on the allow list. Anyway, here are my results:

===========

# AdwCleaner v2.114 - Logfile created 03/10/2013 at 14:02:24
# Updated 05/03/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Carol - CHRSNDAREGNYSZ
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Carol\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Viewpoint

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0.2 (en-US)

File : C:\Documents and Settings\Carol\Application Data\Mozilla\Firefox\Profiles\ljeo3wy9.default\prefs.js

Deleted : user_pref("extensions.addonfox.addit.remoteInstallItems", "{ \"software\": {\"15\": {\"id\": \"15\",[...]
Deleted : user_pref("extensions.foxlingo.addit.defaultAddons", "{ \"software\": {\"20\": {\"id\": \"20\",\"tit[...]
Deleted : user_pref("extensions.linkextend.addit.remoteInstallItems", "{ \"software\": {\"20\": {\"id\": \"20\[...]
Deleted : user_pref("extensions.skipscreen.hostMatchStr", "hxxp://www.4shared.com/(get|audio|file|document|dir[...]

File : C:\Documents and Settings\Limited\Application Data\Mozilla\Firefox\Profiles\dlkyeb2y.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v24.0.1312.57

File : C:\Documents and Settings\Carol\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [2447 octets] - [10/03/2013 14:02:24]

########## EOF - C:\AdwCleaner[S1].txt - [2507 octets] ##########

===============

I fell asleep during JRT, but according to its folder, I woke only 15 mins after its last temp file was made. But, like I said, no notepad file on my desktop, C:\, anywhere.

===============

The first time I clicked on report, it said, "Error: RKreport[1]_D_03102013_02d1511 can't be found," and showed a blank notepad document with that exact title. The document was also on my desktop. So, I thought, "Okay, it can find it, now." Nope. Got the same message, and the notepad document was still blank.

So, again, I'll attach a screen cap of the results. (It wouldn't let me expand the window so we could see all of the info. Grrrr. I scrunched the blank fields. The last field is "data.") Oh, and the RK_Quarantine folder is empty, too. I just looked.

===============

Behavior: Desktop icons occasionally flip, text occasionally stops before letting me type, Windows often fade down or up (open/up or close/down, most often down/close). This is even with only one program running. Google Chrome is particularly problematic and slow, but Firefox often is, too. I removed as many extensions as I possibly could, except I need the Tumblr extensions in Chrome to keep me from seeing certain posts like gifs that flash rapidly.

I often get the sense that someone has access to my computer and is messing with it. My tech-savvy friend (lives 2-1/2 hours away and comes to visit once a month for writers' meetings if lucky) says he sees no signs of violation of my router, but he blocked P2P (?) access on it for extra insurance.

Thank you again for your continued assistance. Sorry I have to attach the pictures instead of paste them into the posts.

Sincerely,

Tempe

Attached Files


Edited by nondenomifan, 10 March 2013 - 02:54 PM.



#6 nondenomifan


Posted 10 March 2013 - 03:06 PM

I also have an external hard drive that I haven't had attached during any of this. I just realized that. :oopsign:

Are we going to have to start all over, now? Because sometimes I wonder if it might be the source of some malware. It is where I put all my downloads. It is also where all the stuff I share between my desktop and my laptop is stored, and my desktop is currently out of commission because it says it can't access the disk during chkdsk. (My friend and I have decided it's time to just modernize the whole thing. It's got some really old parts and just barely has the snuff to keep up with today's web sites. So, this "core virus," as my friend calls it, is the golden opportunity/excuse to revamp the old thing.)

Anyway, so with all that in mind, should we check the external hard drive, too? :blush:

I'm sorry I'm being such a pain.

Sincerely,

Tempe


Edited by nondenomifan, 10 March 2013 - 03:07 PM.



#7 Oh My!


Posted 10 March 2013 - 04:02 PM

You are not a pain at all. Let's keep the external hard drive isolated for now. We can check that later under controlled conditions.

Please rerun RogueKiller again and see if you can post the results. In addition, I would like to ask you to do this.

===================================================


Running TDSSKiller with Changed Parameters

--------------------
  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters

tds2.jpg

  • Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now

2012081514h0118.png

  • Click Start Scan and allow the scan process to run

tds4-1.jpg

  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue

tds6.jpg

  • Click Reboot computer
  • Please zip and attach in your reply the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)
===================================================

Things I would like to see in your next reply. :thumbsup2:
  • RogueKiller log
  • TDSSKiller file (attached)

Gary
 

#8 nondenomifan


Posted 11 March 2013 - 12:28 PM

Same problem with RogueKiller, except [2] instead of [1]. Let me know if you want to attach a capture of the window like I did last time. TDSSKiller found 4 things, though, and that's what RogueKiller found the first time.

Something I noticed when running RogueKiller this time: It says at the beginning Eula requires you to agree to the terms before continuing, but the terms window is completely empty. Is it possible the download got corrupted, or is that normal? :(

Anyway, I'm attaching the TDSSKiller zip for you. For some reason, there are two logs--maybe from before and after the reboot. Anyway, I included them both in the zip file.

Thanks again, :hug:

Tempe

Attached Files




#9 Oh My!

Posted 11 March 2013 - 01:04 PM

Greetings,

The four files flagged by TDSSKiller are all legitimate files. I would like to take a deeper look into your computer which will move us away from RogueKiller.

Please do this. It is not uncommon to experience some difficulties in running these types of programs so don't be too alarmed if it doesn't go perfectly.

===================================================

xPUD MBR Dump and Driver Scan using USB

--------------------

Try this please. You will need a USB drive with no less than 64 MB of space.
  • Insert your USB drive. Caution: The next step will remove all information from your USB device.
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Download xPUD 0.9.2 iso, saving the file to your Desktop.
  • Download UNetbootin and save it to your Desktop as well.
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded.
  • Press Run then OK. Note: If you receive the message "You must select a distribution to load" just follow the instructions/image below
  • Select the Diskimage Option then click the Browse Button located on the right side of the textbox field.

SelectDiskImage.gif

  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?) If it is not there remove the USB device for 5 seconds then reinsert.
  • Confirm that you see driver.sh that you downloaded there
  • Click Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh and press Enter
  • After it has finished a report will be located on your USB device named report.txt
  • Now type bash driver.sh -af and press Enter
  • You will be prompted to input a file name. Please type the following then press Enter:

Winlogon.exe

  • After the search is completed please type the following then press Enter:

volsnap.sys

  • After the search is completed please type the following then press Enter:

explorer.exe

  • After the search is completed please type the following then press Enter:

Userinit.exe

  • After the search is complete please type Exit and press Enter
  • A report will be located in the USB drive as filefind.txt
  • Now please type the following and press Enter. Make sure there is a space between the different colors.

dd if=/dev/sda of=mbr.bin bs=512 count=1

  • After it has finished (within just a few seconds) a file will be located on your USB drive named mbr.bin.
  • Remove the USB drive, insert it back in your working computer
  • Navigate to mbr.bin, zip the file, and attach it to your next reply
  • Copy and paste the contents of report.txt and filefind.txt in your reply
===================================================

Things I would like to see in your next reply. :thumbsup2:
  • mbr.zip
  • report.txt (zip and attach if too large)
  • filefind.txt

Gary
 

#10 nondenomifan


Posted 11 March 2013 - 01:14 PM

Are you asking me to remove all the data from my external hard drive?????




#11 Oh My!


Posted 11 March 2013 - 01:16 PM

NO, not at all. Do you have a small Thumb Drive? That is the type of USB device I was referring to.
Gary
 

#12 nondenomifan


Posted 11 March 2013 - 01:44 PM

Oh, okay. Yeah. Justasec. *wipes forehead*




#13 Oh My!


Posted 11 March 2013 - 01:49 PM

Glad you asked. :)
Gary
 

#14 nondenomifan


Posted 11 March 2013 - 03:01 PM

Keeping in mind I don't have a clean computer to do the stuff with the flash drive, I guess we shouldn't be surprised at this; but...another one bites the dust. I've attached the picture I took of the screen that wouldn't let me type "exit." The only thing I could get it to do was "reboot." Upon reboot, I tried the process again, but it did the same thing. *sigh*

Next?

I thank you so much for working so hard on this!

Tempe

Attached Files




#15 Oh My!


Posted 11 March 2013 - 04:15 PM

OK, thanks for the screen shot. That helped a lot. It is probably OK to do this on your infected computer.

That program is having a problem with your video card. There is a possible modification we could try but to be honest I don't have much luck taking that route so we are going to try a different program.

Please try this.

===================================================

Ubuntu MBR and Driver Report Using a USB

--------------
  • You will need a USB device with at least 2 GB of space. Warning: During this process all information will be removed from your USB device.
  • Download Ubuntu Live (Ubuntu 12.04 LTS, either 64 or 32 bit) and save it to your desktop. This is a large file so allow it some time to download.
  • Download Pen Drive Linux's USB Installer and save it to your desktop
  • Double click the Universal-USB-Installer icon, select Run, then I Agree
  • On the dropdown list under Step 1 select Ubuntu 12.04 Desktop you downloaded to your desktop

create-usb-windows-1-12.png

  • Select the Browse button under Step 2, locate, and double click the Ubuntu file you downloaded to your desktop

create-usb-windows-2-12.png
create-usb-windows-3.png

  • Select your USB device under Step 3

create-usb-windows-4-12.png

  • Place a check mark in the Format (your USB drive letter, i.e E):\ Drive (Erases Content) box
  • Disregard Step 4
  • Click Create, then Yes
  • Once the process has completed click Close
  • Download udriver.sh to your USB device
  • With the USB device inserted into the infected computer restart your computer
  • If your computer does not automatically boot from the USB device please see here
  • Select Run from USB device
  • Please allow the program to automatically load to the Ubuntu desktop
  • Select English, then click Try Ubuntu
  • Click on the Dash Home icon located just underneath the Ubuntu Desktop title bar at the top
  • Type terminal in the search box then press Enter
  • A command prompt window will open
  • Now please type the following and press Enter. Make sure there is a space between the different colors.

sudo dd if=/dev/sda of=mbr.txt bs=512 count=1

  • A mbr.txt file will be created in your Home folder
  • Type Exit then press Enter
  • Click on the Home Folder which is most likely the third icon down on the left
  • Under Devices please click the USB device (if that is not present remove the USB device and plug it back in)
  • Locate the udriver.sh icon listed in the USB contents window, right click, select Move to, then click Home
  • Close any open windows
  • Click the Dash Home icon (1st icon on left)
  • Select the Terminal icon
  • Type the following at the prompt and hit Enter

sudo bash udriver.sh

  • Wait until report.txt pops up or the command line indicates the search is finished. This can take a while, so please be patient!
  • The report.txt file will be located in the Home folder (same folder as mbr.txt)
  • Type the following at the prompt and hit Enter

sudo bash udriver.sh -af

  • You will be prompted to input a file name. Please type the following then press Enter:

Winlogon.exe

  • After the search is completed please type the following then press Enter:

volsnap.sys

  • After the search is completed please type the following then press Enter:

explorer.exe

  • After the search is completed please type the following then press Enter:

Userinit.exe

  • After the last search is complete please type Exit and press Enter
  • Click the Home Folder
  • Right click on filefind.txt, and select Send to...
  • Click the drop down list next to Send as:, select Removable disks and shares, click the USB device (may be there by default), then click Send
  • Repeat these steps for report.txt
  • Remove the USB device from your computer
  • In the upper right hand corner of your screen select the icon just to the right of the time
  • Click Shut down..., then Restart
  • Your computer should reboot into Windows
  • Insert the USB device back into your computer
  • Zip the report.txt file and attach it to your reply. Attach but do not zip the mbr.txt and filefind.txt files.
===================================================

Things I would like to see in your next reply. :thumbsup2:
  • report.zip
  • mbr.txt
  • filefind.txt

Gary
 
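The dd commands in posts #9 and #15 each copy the first 512-byte sector of the disk (the Master Boot Record) into a file for offline review. The script below is an added example for this thread, not code from BleepingComputer, driver.sh/udriver.sh, or any other tool named here. It shows what a responder would check in such a dump on the clean computer: the 55 AA boot signature, the four partition entries (status byte, type, LBA start and length, with overlap and active-flag sanity checks), and a SHA-256 of the 440-byte bootstrap code that can be compared against a reference taken from a trusted copy of the same Windows version. The reference hash is assumed to come from such a trusted image; the sample sector and its disk signature are constructed inline and are not a real dump.

```python
"""Offline sanity check of a 512-byte MBR dump (the mbr.bin / mbr.txt file the
dd command in this thread produces). Added example; not from any tool in the thread."""
import hashlib
import struct
import sys
from typing import List, Optional

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440      # bytes 0..439 hold the boot code
DISK_SIG_OFF = 440       # 4-byte Windows disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # must be 55 AA

# Small subset of partition type codes, used only to label output.
PART_TYPES = {0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
              0x0C: "FAT32 LBA", 0x0F: "extended LBA", 0x82: "Linux swap", 0x83: "Linux"}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte entry: status, CHS (skipped), type, CHS (skipped), LBA start, length."""
    status, type_code, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"status": status, "bootable": status == 0x80, "type": type_code,
            "type_name": PART_TYPES.get(type_code, "unknown"),
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into its fields; raises if the dump is not exactly 512 bytes."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    entries = [sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)] for i in range(4)]
    return {
        "valid_signature": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        # Hash the boot code only: the partition table legitimately differs per machine,
        # while the bootstrap code should match a trusted reference for the same OS version.
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": [parse_partition_entry(e) for e in entries],
    }


def check_mbr(sector: bytes, reference_bootstrap_sha256: Optional[str] = None) -> List[str]:
    """Return findings worth a second look; an empty list means nothing unusual was seen."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature is not 55AA (truncated dump or not an MBR)")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition is flagged active")
    used = []
    for i, p in enumerate(info["partitions"], 1):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte {p['status']:#04x}")
        if p["type"] == 0x00:
            continue
        if p["sectors"] == 0:
            findings.append(f"partition {i}: non-empty type but zero length")
        used.append((p["lba_start"], p["lba_start"] + p["sectors"], i))
    used.sort()
    for (s1, e1, a), (s2, _, b) in zip(used, used[1:]):
        if s2 < e1:
            findings.append(f"partitions {a} and {b} overlap")
    if reference_bootstrap_sha256 and info["bootstrap_sha256"] != reference_bootstrap_sha256:
        findings.append("bootstrap code differs from the reference hash")
    return findings


def build_sample_mbr(bootstrap_fill: bytes = b"\x33\xc0\x8e\xd0", corrupt_signature: bool = False) -> bytes:
    """Constructed sample sector (not a real dump): two NTFS partitions, the first one active."""
    bootstrap = (bootstrap_fill * SECTOR_SIZE)[:BOOTSTRAP_LEN]
    disk_sig = struct.pack("<I", 0xDEADBEEF)          # constructed disk signature
    table = (struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
             + struct.pack("<B3sB3sII", 0x00, b"\xfe\xff\xff", 0x07, b"\xfe\xff\xff", 206848, 409600)
             + bytes(32))
    boot_sig = b"\x00\x00" if corrupt_signature else b"\x55\xAA"
    return bootstrap + disk_sig + b"\x00\x00" + table + boot_sig


if __name__ == "__main__":
    # Usage: python mbr_check.py mbr.bin   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    report = parse_mbr(data)
    print(f"disk signature {report['disk_signature']:#010x}, bootstrap sha256 {report['bootstrap_sha256']}")
    for n, part in enumerate(report["partitions"], 1):
        flag = "*" if part["bootable"] else " "
        print(f"  {n}: {flag} {part['type_name']:<12} LBA {part['lba_start']} +{part['sectors']}")
    for finding in check_mbr(data):
        print("  !", finding)
```

Only the bootstrap region is hashed because the partition table and disk signature are expected to differ from one machine to the next, whereas the boot code for a given Windows release is fixed; a hash mismatch against a trusted reference is the signal that warrants a closer look at the dumped sector.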



