Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Vista - BSOD + other issues

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Vista - BSOD + other issues

Unread postby jsam » February 22nd, 2009, 2:47 pm

Over the last 48 hours, my Dell Inspiron laptop has developed the following problems:

a. Blue Screen of death (STOP code 0x0000008E)
b. I am unable to access AV sites like Ad Aware, McAfee, Spybot, etc
c. I was only able get past the BSOD by uninstalling McAfee Total Internet Security

I am running Vista. Below is my HiJack this log and a list of my installed Programs. I appreciate any guidance you can provide.

Thanks

Joe


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:59 AM, on 2/22/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Common Files\AOL\1178322383\ee\aolsoftware.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Users\Rajiv\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\mmc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1178322383\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Rajiv\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P10 /q c:\users\rajiv\appdata\local\temp\HSPERF~1.SH! c:\users\rajiv\appdata\local\temp\E4JF9~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\JDJ730B1\THIRDP~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\F9X2ACWL\TCODEB~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YH5JU95B\SI47A5~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YH5JU95B\TCODEW~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\T5NX126L\AIM_UA~2.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YS8U3B07\BROWSE~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YS8U3B07\SI47A6~1.SH! c:\users\rajiv\appdata\local\temp\E4JB0F~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\4HQAG3MZ\SIZE_1~2.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\T5NX126L\SI0948~1.SH! C
O4 - HKUS\S-1-5-18\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P5 /q C:\Users\Rajiv\AppData\Local\Temp\TEMPFO~1.AAA\xtras.SH! C:\Users\Rajiv\AppData\Local\Temp\TEMPFO~1.SH! (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P10 /q c:\users\rajiv\appdata\local\temp\HSPERF~1.SH! c:\users\rajiv\appdata\local\temp\E4JF9~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\JDJ730B1\THIRDP~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\F9X2ACWL\TCODEB~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YH5JU95B\SI47A5~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YH5JU95B\TCODEW~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\T5NX126L\AIM_UA~2.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YS8U3B07\BROWSE~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YS8U3B07\SI47A6~1.SH! c:\users\rajiv\appdata\local\temp\E4JB0F~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\4HQAG3MZ\SIZE_1~2.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\T5NX126L\SI0948~1.SH! C
O4 - HKUS\.DEFAULT\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P5 /q C:\Users\Rajiv\AppData\Local\Temp\TEMPFO~1.AAA\xtras.SH! C:\Users\Rajiv\AppData\Local\Temp\TEMPFO~1.SH! (User 'Default user')
O4 - Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Startup: QuickSet.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O15 - Trusted Zone: http://download.windowsupdate.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1463CD08-E315-4CD2-9AAD-935FD9021AE5}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{27BD7765-924D-41F3-805D-BC9F7B1655B0}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{D297A8D0-72B4-42C3-A368-4BFB03230238}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS10\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS10\Services\Tcpip\..\{1463CD08-E315-4CD2-9AAD-935FD9021AE5}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS11\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS11\Services\Tcpip\..\{1463CD08-E315-4CD2-9AAD-935FD9021AE5}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS12\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS12\Services\Tcpip\..\{1463CD08-E315-4CD2-9AAD-935FD9021AE5}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Google Update Service (gupdate1c98fc2ec2bb25e) (gupdate1c98fc2ec2bb25e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\Windows\SYSTEM32\Rpcnet.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 11106 bytes
--------------------

List of Programs

¡En español! Level 1 Take-Home Tutor
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Ad-Aware
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.1.0
Adobe Shockwave Player 11
AGEIA PhysX v7.09.13
AIM 6
Apple Software Update
ArcSoft PhotoImpression 5
Bonjour
CDisplay 1.7
Conexant HDA D110 MDC V.92 Modem
Corel Snapfire Plus
Creative MediaSource 5
Dell Games
Dell Support Center (Support Software)
Dell System Customization Wizard
Dell Wireless WLAN Card
DellSupport
Digital Line Detect
Documentation & Support Launcher
E.M. DVD Copy 2.01
EPSON Printer Software
EPSON Scan
EPSON Stylus CX5000 Scanner Driver Update
Games, Music, & Photos Launcher
Google Gears
Google Update Helper
GTK+ Runtime 2.14.6 rev a (remove only)
HijackThis 2.0.2
Inpaint
Intel(R) Graphics Media Accelerator Driver
iTunes
IZArc 3.81
Java(TM) 6 Update 11
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6
LiveUpdate Notice (Symantec Corporation)
Macromedia Dreamweaver 8
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
MediaDirect
Microsoft Combat Flight Simulator 3.0
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft SharedView
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Modem Diagnostic Tool
Mozilla Firefox (3.0.6)
Mozilla Thunderbird (2.0.0.19)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
NetWaiting
OutlookAddinSetup
Photosynth 2.0.1403.12
Picasa 3
QuickSet
QuickTime
Ringtone Maker 1.1
RocketDock 1.3.5
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio MyDVD DE
Roxio Update Manager
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung New PC Studio
Samsung New PC Studio
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
SharpReader 0.9.7.0
SigmaTel Audio
Smart Defrag 1.10
Sonic Activation Module
Sound Blaster Audigy ADVANCED MB
Synaptics Pointing Device Driver
System Requirements Lab
TextAloud
Thinkwell
Unreal Tournament 3
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Access 2007 Help (KB957241)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office InfoPath 2007 Help (KB957243)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb959634)
URL Assistant
User's Guides
WIDCOMM Bluetooth Software 6.0.1.3100
Windows Media Player Firefox Plugin
jsam
Regular Member
 
Posts: 16
Joined: February 22nd, 2009, 2:35 pm
Advertisement
Register to Remove

Re: Vista - BSOD + other issues

Unread postby Odd dude » February 26th, 2009, 11:45 am

Hi

I'm now looking over your logs.

Having taken a quick glance over that uninstall list, I see one malware program: URL Assistant. You should uninstall that.

Looking over your HJT log now, be back soon.
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Vista - BSOD + other issues

Unread postby Odd dude » February 26th, 2009, 11:50 am

Hi :)

If you haven't done so already, uninstall URL Assistant.

Open HJT, click do a system scan only, put a check next to these, click fix checked:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

Delete this folder: c:\Program Files\BAE

Do you use 'Last Known Good Configuration' a lot? Looks like you've used it twelve times!

We'll next use the following tool, if you can't download it inform me and we'll try something else.

Malwarebytes' Anti-Malware
I need you to download Malwarebytes' Anti-Malware.

  • Install the program by following the prompts after double-clicking on mbam-setup.exe
  • Once you approach the final installation screen, put a check next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish
  • MBAM (that's an acronym of Malwarebytes' Anti-Malware) will now start. Choose Perform full scan and click Scan
  • Get a cup of coffee/tea/hot chocolate and watch some TV for about an hour.
  • Once the scan has finished, click OK, then Show Results.
  • Put a check next to everything, then click Remove selected.
  • Now, a log will open. Save this to your desktop and post it.



If MBAM did download and run, post:
- MBAM log
- new hjt log
- how's the pc running?

If it didn't just say so and we'll try something else.

Oh - one last question. When the computer BSODs, does it say the name of the offending driver which caused the crash? How frequent are these crashes?
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Vista - BSOD + other issues

Unread postby jsam » February 27th, 2009, 12:40 am

Hi

I did as you suggested. Here as the results:

a. I ran HJT and identified the 5 items you listed and click fix checked. I cannot get rid of these two:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,Customize

Even when I run in Vista - As administrator. There seems to be some problem with the "hosts" file. When I try to access it in Notepad it does not contain any of the problem files.

New log below.

b. Deleted this folder: c:\Program Files\BAE - DONE
c. Downloaded and ran Malwarebytes' Anti-Malware. It took me a while since I was being prevented from accessing the download site but I finally got it. It ran and identified 15 objects which I removed. Log below

d. The computer is working fine now. I am able to access many AV sites that were being blocked before. When I had the BSOD - it referred to an error code 0x0000008E (plus a few others). It did not seem to reference any driver.

e. I installed McAfee Total Internet Security last week and these problems started a few days after. Was the malware reacting to McAfeee because I could only get the computer back running after uninstalling McAfee. Which means I am currently unprotected. I have installed Spybot Search and Destroy, Lava Adware. Can I safely reinstall McAfee now?
f. I had accessed Last Good Configuration several times in an attempt to get my computer back. Since it kept looping to an error code, I had to try many times

Thanks so much for all the help.

Joe

g. Log files below

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:00 PM, on 2/26/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Common Files\AOL\1178322383\ee\aolsoftware.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Users\Rajiv\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\msfeedssync.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1178322383\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Rajiv\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P10 /q c:\users\rajiv\appdata\local\temp\HSPERF~1.SH! c:\users\rajiv\appdata\local\temp\E4JF9~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\JDJ730B1\THIRDP~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\F9X2ACWL\TCODEB~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YH5JU95B\SI47A5~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YH5JU95B\TCODEW~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\T5NX126L\AIM_UA~2.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YS8U3B07\BROWSE~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YS8U3B07\SI47A6~1.SH! c:\users\rajiv\appdata\local\temp\E4JB0F~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\4HQAG3MZ\SIZE_1~2.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\T5NX126L\SI0948~1.SH! C
O4 - HKUS\S-1-5-18\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P5 /q C:\Users\Rajiv\AppData\Local\Temp\TEMPFO~1.AAA\xtras.SH! C:\Users\Rajiv\AppData\Local\Temp\TEMPFO~1.SH! (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P10 /q c:\users\rajiv\appdata\local\temp\HSPERF~1.SH! c:\users\rajiv\appdata\local\temp\E4JF9~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\JDJ730B1\THIRDP~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\F9X2ACWL\TCODEB~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YH5JU95B\SI47A5~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YH5JU95B\TCODEW~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\T5NX126L\AIM_UA~2.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YS8U3B07\BROWSE~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YS8U3B07\SI47A6~1.SH! c:\users\rajiv\appdata\local\temp\E4JB0F~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\4HQAG3MZ\SIZE_1~2.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\T5NX126L\SI0948~1.SH! C
O4 - HKUS\.DEFAULT\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P5 /q C:\Users\Rajiv\AppData\Local\Temp\TEMPFO~1.AAA\xtras.SH! C:\Users\Rajiv\AppData\Local\Temp\TEMPFO~1.SH! (User 'Default user')
O4 - Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Startup: QuickSet.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O15 - Trusted Zone: http://download.windowsupdate.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Google Update Service (gupdate1c98fc2ec2bb25e) (gupdate1c98fc2ec2bb25e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\Windows\SYSTEM32\Rpcnet.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 9984 bytes


Log file: Malware

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 6.0.6001 Service Pack 1

2/26/2009 8:06:15 PM
mbam-log-2009-02-26 (20-06-15).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 252579
Time elapsed: 2 hour(s), 13 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1463cd08-e315-4cd2-9aad-935fd9021ae5}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{27bd7765-924d-41f3-805d-bc9f7b1655b0}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{27bd7765-924d-41f3-805d-bc9f7b1655b0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d297a8d0-72b4-42c3-a368-4bfb03230238}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d297a8d0-72b4-42c3-a368-4bfb03230238}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.

Folders Infected:
C:\Users\Rajiv\AppData\Roaming\Microsoft\Windows\Templates\Start Menu\Programs\freshplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Rajiv\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T5NX126L\Free.License.v.3[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Rajiv\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N270HCLJ\Free.License.v.3[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-8-5-16-100023015-100032715-100032467-7708.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\gaopdxsecbmetm.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\gaopdxgewvrojp.sys (Trojan.Agent) -> Quarantined and deleted successfully.
jsam
Regular Member
 
Posts: 16
Joined: February 22nd, 2009, 2:35 pm

Re: Vista - BSOD + other issues

Unread postby Odd dude » February 27th, 2009, 4:45 am

If HJT says access to the hosts file is disabled, then it does not have proper privileges.

OK, I want to try something.

1) Disable UAC (instructions below)
2) Fix these lines in HJT

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
O4 - HKUS\S-1-5-18\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P10 /q c:\users\rajiv\appdata\local\temp\HSPERF~1.SH! c:\users\rajiv\appdata\local\temp\E4JF9~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\JDJ730B1\THIRDP~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\F9X2ACWL\TCODEB~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YH5JU95B\SI47A5~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YH5JU95B\TCODEW~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\T5NX126L\AIM_UA~2.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YS8U3B07\BROWSE~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YS8U3B07\SI47A6~1.SH! c:\users\rajiv\appdata\local\temp\E4JB0F~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\4HQAG3MZ\SIZE_1~2.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\T5NX126L\SI0948~1.SH! C
O4 - HKUS\S-1-5-18\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P5 /q C:\Users\Rajiv\AppData\Local\Temp\TEMPFO~1.AAA\xtras.SH! C:\Users\Rajiv\AppData\Local\Temp\TEMPFO~1.SH! (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P10 /q c:\users\rajiv\appdata\local\temp\HSPERF~1.SH! c:\users\rajiv\appdata\local\temp\E4JF9~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\JDJ730B1\THIRDP~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\F9X2ACWL\TCODEB~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YH5JU95B\SI47A5~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YH5JU95B\TCODEW~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\T5NX126L\AIM_UA~2.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YS8U3B07\BROWSE~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YS8U3B07\SI47A6~1.SH! c:\users\rajiv\appdata\local\temp\E4JB0F~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\4HQAG3MZ\SIZE_1~2.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\T5NX126L\SI0948~1.SH! C
O4 - HKUS\.DEFAULT\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P5 /q C:\Users\Rajiv\AppData\Local\Temp\TEMPFO~1.AAA\xtras.SH! C:\Users\Rajiv\AppData\Local\Temp\TEMPFO~1.SH! (User 'Default user')
3) Run a scan with GMER (download link + instructions below)
4) Re-enable UAC
5) Post GMER log and tell me how the PC is doing. Any more BSODs?


Instructions on disabling UAC
  • Go to Start > Control Panel
  • Double click on the User Account icon
  • Then click Disable and validate.
Reverse this process to re-enable it.

Instructions on running a scan with GMER
GMER
Do not touch the computer while GMER is running! If you do, it'll go completely unresponsive and you'll have to shut it down using the power switch. Just don't touch the PC while GMER is working.
Please download gmer.zip by GMER and save it to your desktop.

  • Right click the file you just downloaded and choose Extract all
  • Click Next
  • Click Browse
  • Click the + next to My Computer
  • Click Local Disk (C:)
  • Click Make new folder
  • Enter GMER
  • Click OK, then Next
  • Check Show extracted files and click Finish
  • Double click on GMER.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the GMER scan log and post it in your next reply.
  • Close GMER.



If the BSOD is not caused by malware, it MAY be defunct RAM. RAM can be tested for errors, but it takes A LOT of time - 10 hours or so. If you want to try that, let me know.
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Vista - BSOD + other issues

Unread postby jsam » February 28th, 2009, 2:47 pm

Hello again

Thanks very much for your continued support.

1. I Disabled UAC (see note below)
2. I ran HJT to "fix" the 6 items you flagged. It got rid of 2 but not the other 4. I got "unexpected error" messages. It did not get rid of the 2 previous targets plus two of the 4 new ones (with P10 in it).
3. I ran GMER. I tried to run it on both my drives (C and D) but it looked like it may have ran on C only.
4. My laptop seems to be doing fine. I have no more BSOD episodes.
5. Let me know when I should reinstall McAfee Total Intenet Security

Note: I tried to disable UAC but it followed a difference sequence (for example I did not have "Disable" as an option but unchecked a check box.)

Thanks

Joe
Here are the two logs GMER and HJT

GMER Log

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-28 10:36:16
Windows 6.0.6001 Service Pack 1


---- Services - GMER 1.0.14 ----

Service system32\drivers\gaopdxgewvrojp.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet010\Services\BTHPORT\Parameters\Keys\00197ee89bf7
Reg HKLM\SYSTEM\ControlSet010\Services\BTHPORT\Parameters\Keys\00197ee89bf7@0023d70f9ba4 0x46 0x73 0x82 0x12 ...
Reg HKLM\SYSTEM\ControlSet010\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet010\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet010\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxgewvrojp.sys
Reg HKLM\SYSTEM\ControlSet010\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet010\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\ControlSet010\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet010\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxgewvrojp.sys
Reg HKLM\SYSTEM\ControlSet010\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxsecbmetm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197ee89bf7
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197ee89bf7@0023d70f9ba4 0x46 0x73 0x82 0x12 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxgewvrojp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxgewvrojp.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxsecbmetm.dll
Reg HKLM\SYSTEM\ControlSet012\Services\BTHPORT\Parameters\Keys\00197ee89bf7
Reg HKLM\SYSTEM\ControlSet012\Services\BTHPORT\Parameters\Keys\00197ee89bf7@0023d70f9ba4 0x46 0x73 0x82 0x12 ...
Reg HKLM\SYSTEM\ControlSet012\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet012\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet012\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxgewvrojp.sys
Reg HKLM\SYSTEM\ControlSet012\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet012\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\ControlSet012\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet012\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxgewvrojp.sys
Reg HKLM\SYSTEM\ControlSet012\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxsecbmetm.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib@Last Counter 5370
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib@Last Help 5371
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{76FC6226-8F3A-0CD0-206C-0BB8E864439A}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{76FC6226-8F3A-0CD0-206C-0BB8E864439A}@haggdohikdgfcnjo 0x66 0x61 0x63 0x65 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{76FC6226-8F3A-0CD0-206C-0BB8E864439A}@iafnhgeclpdfjbmbfn 0x69 0x61 0x69 0x63 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{76FC6226-8F3A-0CD0-206C-0BB8E864439A}@hapknbobamoijcnp 0x69 0x61 0x69 0x63 ...

---- EOF - GMER 1.0.14 ----

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:04 AM, on 2/28/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Common Files\AOL\1178322383\ee\aolsoftware.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Users\Rajiv\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1178322383\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Rajiv\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P10 /q c:\users\rajiv\appdata\local\temp\HSPERF~1.SH! c:\users\rajiv\appdata\local\temp\E4JF9~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\JDJ730B1\THIRDP~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\F9X2ACWL\TCODEB~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YH5JU95B\SI47A5~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YH5JU95B\TCODEW~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\T5NX126L\AIM_UA~2.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YS8U3B07\BROWSE~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YS8U3B07\SI47A6~1.SH! c:\users\rajiv\appdata\local\temp\E4JB0F~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\4HQAG3MZ\SIZE_1~2.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\T5NX126L\SI0948~1.SH! C
O4 - HKUS\.DEFAULT\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P10 /q c:\users\rajiv\appdata\local\temp\HSPERF~1.SH! c:\users\rajiv\appdata\local\temp\E4JF9~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\JDJ730B1\THIRDP~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\F9X2ACWL\TCODEB~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YH5JU95B\SI47A5~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YH5JU95B\TCODEW~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\T5NX126L\AIM_UA~2.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YS8U3B07\BROWSE~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\YS8U3B07\SI47A6~1.SH! c:\users\rajiv\appdata\local\temp\E4JB0F~1.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\4HQAG3MZ\SIZE_1~2.SH! C:\Users\Rajiv\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\T5NX126L\SI0948~1.SH! C
O4 - Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Startup: QuickSet.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O15 - Trusted Zone: http://download.windowsupdate.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Google Update Service (gupdate1c98fc2ec2bb25e) (gupdate1c98fc2ec2bb25e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\Windows\SYSTEM32\Rpcnet.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 9495 bytes
jsam
Regular Member
 
Posts: 16
Joined: February 22nd, 2009, 2:35 pm

Re: Vista - BSOD + other issues

Unread postby Odd dude » February 28th, 2009, 3:03 pm

That's okay, you did great. The big bad infection has been revealed.

None of those hijackthis lines are truly 'bad', so if they won't go that's not an issue.

NOTE: If you can't download the tool, STOP and tell me. DON'T go looking for an alternative way to download it.

ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without expert guidance.

ComboFix uses very brute tactics to rip malware off your system. Do not panic if your antivirus software warns you about the file.

:!: Please disable all your antivirus software, firewalls, and antispyware software BEFORE running ComboFix!! :!:

(If I should give more detailed instructions regarding how to do this, please inform me and do not proceed)


  • Download ComboFix from here and save it to your desktop.
  • Disable ALL antivirus/antimalware programs before proceeding!
  • Now start ComboFix by right clicking and choosing Run as administrator.
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it.
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running! (Unless ComboFix has something to prompt you about)
  • When finished, the report will open. Reenable your protection software and post the log in your next reply.

If you cannot connect to the internet after running ComboFix, plug the cable/reciever/whatever you use to connect to the internet out and back in.



ComboFix will quarantine the infection and after that the biggest problem you have will be gone. Your HJT log is looking very good (no active infections) and CF will take out the last active infection present. In other words - after ComboFix we will need to do a few cleanup procedures and then we're done.

This means that you should reinstall McAfee as soon as ComboFix has finished running.

If you then still get BSODs then, assuming no new malware comes up, McAfee simply doesn't like your computer and you should consider changing to a different antivirus vendor.

Keep in mind that this current infection is very deeply entrenched, and it is VERY likely that this infection is (will have been) the cause of all your BSOD issues.
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Vista - BSOD + other issues

Unread postby jsam » March 4th, 2009, 12:09 am

Hi again

It looks like the problem has been solved. I have also reinstalled McAfee. No more BSODs. I waited for a few days to see if anything went bad..but I think we are good to close this issue. Please let me know the necessary clean up steps to wrap this up.

I appreciate your help VERY very much.

Joe
jsam
Regular Member
 
Posts: 16
Joined: February 22nd, 2009, 2:35 pm

Re: Vista - BSOD + other issues

Unread postby Odd dude » March 4th, 2009, 12:37 pm

Did you run ComboFix? You still had/have one serious infection. We'll get to the cleaning up stage once that's gone.
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Vista - BSOD + other issues

Unread postby jsam » March 4th, 2009, 4:26 pm

Sorry I was not clear in my post. Yes, I ran ComboFix 3 days ago and reinstalled Mcafee. Things are running smoothly.

Joe
jsam
Regular Member
 
Posts: 16
Joined: February 22nd, 2009, 2:35 pm

Re: Vista - BSOD + other issues

Unread postby Odd dude » March 4th, 2009, 4:44 pm

In that case I'll need to see the Combofix log. Chances are we're not yet done.
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Vista - BSOD + other issues

Unread postby jsam » March 4th, 2009, 5:01 pm

Okay. I will do that when I get back home tonight. I will be back soon.

Thanks

Joe
jsam
Regular Member
 
Posts: 16
Joined: February 22nd, 2009, 2:35 pm

Re: Vista - BSOD + other issues

Unread postby jsam » March 5th, 2009, 12:45 am

Here is the ComboFix Log

ComboFix 09-02-28.01 - Rajiv 2009-02-28 12:17:40.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.1037 [GMT -8:00]
Running from: c:\users\Rajiv\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\users\Rajiv\AppData\Roaming\.#
c:\users\Rajiv\AppData\Roaming\.#\MBX@C0C@1FF2038.###
c:\users\Rajiv\AppData\Roaming\.#\MBX@C0C@1FF2048.###
c:\users\Rajiv\AppData\Roaming\.#\MBX@C0C@1FF2058.###
c:\users\Rajiv\AppData\Roaming\.#\MBX@C0C@1FF2088.###
c:\users\Rajiv\AppData\Roaming\.#\MBX@C0C@1FF20D8.###
c:\users\Rajiv\AppData\Roaming\.#\MBX@C0C@1FF20F8.###
c:\users\Rajiv\AppData\Roaming\.#\MBX@C14@1E92038.###
c:\users\Rajiv\AppData\Roaming\.#\MBX@C14@1E92048.###
c:\users\Rajiv\AppData\Roaming\.#\MBX@C14@1E92058.###
c:\users\Rajiv\AppData\Roaming\.#\MBX@C14@1E92088.###
c:\users\Rajiv\AppData\Roaming\.#\MBX@C14@1E920D8.###
c:\users\Rajiv\AppData\Roaming\.#\MBX@C14@1E920F8.###
c:\windows\system32\gaopdxcounter
c:\windows\system32\x64
D:\Autorun.inf
d:\recycler\S-8-5-16-100023015-100032715-100032467-7708.com

.
((((((((((((((((((((((((( Files Created from 2009-01-28 to 2009-02-28 )))))))))))))))))))))))))))))))
.

2009-02-28 10:13 . 2009-02-28 10:14 250 --a------ c:\windows\gmer.ini
2009-02-26 20:14 . 2009-02-26 20:14 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2009-02-26 20:14 . 2009-02-26 20:14 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2009-02-26 20:14 . 2009-02-26 20:14 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-26 17:51 . 2009-02-26 17:51 <DIR> d-------- c:\users\Rajiv\AppData\Roaming\Malwarebytes
2009-02-26 17:51 . 2009-02-26 17:51 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-26 17:51 . 2009-02-26 17:51 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-26 17:51 . 2009-02-26 17:51 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-26 17:51 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-26 17:51 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-02-22 09:48 . 2009-02-22 09:48 <DIR> d-------- c:\program files\Trend Micro
2009-02-22 08:23 . 2009-01-18 13:35 15,688 --a------ c:\windows\System32\lsdelete.exe
2009-02-22 08:14 . 2009-02-22 08:15 <DIR> d-------- c:\users\All Users\Lavasoft
2009-02-22 08:14 . 2009-02-22 08:14 <DIR> d--h-c--- c:\users\All Users\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-22 08:14 . 2009-02-22 08:15 <DIR> d-------- c:\programdata\Lavasoft
2009-02-22 08:14 . 2009-02-22 08:14 <DIR> d--h-c--- c:\programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-22 08:14 . 2009-02-22 08:14 <DIR> d-------- c:\program files\Lavasoft
2009-02-22 08:14 . 2009-01-18 13:30 64,160 --a------ c:\windows\System32\drivers\Lbd.sys
2009-02-19 17:28 . 2009-02-19 17:28 <DIR> d-------- c:\program files\gs
2009-02-19 17:06 . 2009-02-19 17:06 <DIR> d-------- c:\program files\IZArc
2009-02-18 20:54 . 2009-02-25 20:03 115,239,354 --a------ c:\windows\MEMORY.DMP
2009-02-18 19:54 . 2009-02-18 19:54 <DIR> d-------- c:\users\Rajiv\AppData\Roaming\CyberLink
2009-02-17 15:09 . 2009-02-21 17:54 <DIR> d-------- c:\program files\uTorrent
2009-02-17 15:08 . 2009-02-21 18:02 <DIR> d-------- c:\users\Rajiv\AppData\Roaming\uTorrent
2009-02-15 19:47 . 2009-02-16 11:14 <DIR> d-------- c:\program files\SiteAdvisor
2009-02-15 12:04 . 2009-02-15 12:04 <DIR> d-------- c:\program files\Ringtone Maker
2009-02-14 22:22 . 2008-12-04 20:32 428,544 --a------ c:\windows\System32\EncDec.dll
2009-02-14 22:22 . 2008-12-04 20:32 293,376 --a------ c:\windows\System32\psisdecd.dll
2009-02-14 22:22 . 2008-12-04 20:31 217,088 --a------ c:\windows\System32\psisrndr.ax
2009-02-14 22:22 . 2008-12-04 20:31 177,664 --a------ c:\windows\System32\mpg2splt.ax
2009-02-14 22:22 . 2008-12-04 20:31 80,896 --a------ c:\windows\System32\MSNP.ax
2009-02-13 16:06 . 2009-02-13 16:06 <DIR> d-------- c:\users\Rajiv\AppData\Roaming\IObit
2009-02-13 16:06 . 2009-02-13 16:06 <DIR> d-------- c:\program files\IObit
2009-02-12 16:03 . 2009-02-19 19:29 <DIR> d-------- c:\users\Rajiv\AppData\Roaming\Azureus
2009-02-12 16:03 . 2009-02-12 16:03 <DIR> d-------- c:\users\All Users\Azureus
2009-02-12 16:03 . 2009-02-12 16:03 <DIR> d-------- c:\programdata\Azureus
2009-02-11 15:52 . 2009-01-14 19:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-11 15:52 . 2009-01-14 22:11 827,392 --a------ c:\windows\System32\wininet.dll
2009-02-09 18:58 . 2009-02-09 18:58 <DIR> d-------- c:\users\Rajiv\AppData\Roaming\gtk-2.0
2009-02-09 18:57 . 2009-02-09 19:03 <DIR> d-------- c:\users\Rajiv\AppData\Roaming\.purple
2009-02-09 18:52 . 2009-02-09 19:08 <DIR> d-------- c:\program files\Pidgin
2009-02-09 18:51 . 2009-02-09 18:51 <DIR> d-------- c:\program files\Common Files\GTK
2009-02-09 10:32 . 2009-02-09 19:38 <DIR> d-------- c:\program files\Insofta Cover Commander
2009-02-01 10:02 . 2009-02-19 17:17 <DIR> dr------- C:\UDC Output Files
2009-01-31 15:13 . 2009-01-31 15:13 <DIR> d-------- c:\users\Rajiv\AppData\Roaming\EPSON
2009-01-29 16:39 . 2009-01-29 16:39 <DIR> d-------- c:\windows\System32\IOSUBSYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-28 18:00 47,104 ----a-w c:\windows\System32\Rpcnet.dll
2009-02-28 18:00 17,408 ----a-w c:\windows\System32\rpcnetp.exe
2009-02-28 18:00 17,408 ----a-w c:\windows\System32\rpcnetp.dll
2009-02-26 04:02 --------- d-----w c:\users\Rajiv\AppData\Roaming\SharpReader
2009-02-22 05:16 --------- d-----w c:\programdata\McAfee
2009-02-18 00:25 --------- d-----w c:\programdata\Microsoft Help
2009-02-16 19:13 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-15 23:13 --------- d-----w c:\program files\Google
2009-02-13 00:06 --------- d-----w c:\program files\Viewpoint
2009-02-12 00:00 --------- d-----w c:\program files\Windows Mail
2009-02-10 03:38 --------- d---a-w c:\programdata\temp
2009-02-10 03:31 --------- d-----w c:\program files\iMoneysoft
2009-02-10 03:07 --------- d-----w c:\programdata\RapidSolution
2009-02-09 21:07 --------- d-----w c:\program files\AIM6
2009-02-08 02:33 47,104 ----a-w c:\windows\System32\rpcnet.exe
2009-01-30 00:34 --------- d-----w c:\users\Rajiv\AppData\Roaming\Corel
2009-01-22 01:49 --------- d-----w c:\users\Rajiv\AppData\Roaming\Samsung
2009-01-22 01:48 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-22 01:48 --------- d-----w c:\program files\MarkAny
2009-01-22 01:47 --------- d-----w c:\program files\Samsung
2009-01-16 00:09 --------- d-----w c:\program files\Twister MP3
2009-01-15 23:52 --------- d-----w c:\programdata\NextUp
2009-01-15 23:51 --------- d-----w c:\program files\TextAloud
2009-01-15 23:48 --------- d-----w c:\program files\Aimersoft
2009-01-15 23:33 --------- d-----w c:\users\Rajiv\AppData\Roaming\NoteCable
2009-01-15 01:39 --------- d-----w c:\program files\RapidSolution
2009-01-15 01:36 --------- d-----w c:\program files\Wondershare
2009-01-15 00:46 --------- d-----w c:\program files\ImageConverter Plus
2009-01-11 22:20 410,984 ----a-w c:\windows\System32\deploytk.dll
2009-01-11 22:20 --------- d-----w c:\program files\Java
2009-01-08 17:42 36,608 ----a-w c:\windows\System32\FsUsbExDisk.Sys
2009-01-08 17:42 233,472 ----a-w c:\windows\System32\FsUsbExService.Exe
2009-01-08 17:42 110,592 ----a-w c:\windows\System32\FsUsbExDevice.Dll
2009-01-05 22:33 3,751,995 ----a-w c:\windows\System32\GPhotos.scr
2009-01-04 17:30 --------- d-----w c:\program files\Teorex
2008-12-29 22:02 --------- d-----w c:\program files\Opera
2008-12-28 06:17 --------- d-----w c:\program files\Button Shop
2008-12-28 06:08 --------- d-----w c:\program files\RocketDock
2008-12-15 23:30 2,560 ----a-w c:\windows\_MSRSTRT.EXE
2008-07-02 04:43 174 --sha-w c:\program files\desktop.ini
2008-04-22 22:44 4 --sh--r c:\users\All Users\sysqcl1129139270.dat
2008-04-22 22:44 4 --sh--r c:\programdata\sysqcl1129139270.dat
2007-06-09 17:27 262,144 ----a-w c:\programdata\ntuser.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-18 125952]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-17 49960]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Google Update"="c:\users\Rajiv\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-16 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-28 133656]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-28 166424]
"HostManager"="c:\program files\Common Files\AOL\1178322383\ee\AOLSoftware.exe" [2006-09-25 50736]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-27 1540096]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-11 136600]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-26 509784]

c:\users\Rajiv\AppData\Roaming\Microsoft\Windows\Templates\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-04-30 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.i420"= i420vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Rajiv^AppData^Roaming^Microsoft^Windows^Templates^Start Menu^Programs^Startup^GameSpot Download Manager.lnk]
backup=c:\windows\pss\GameSpot Download Manager.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Rajiv^AppData^Roaming^Microsoft^Windows^Templates^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
backup=c:\windows\pss\Run Google Web Accelerator.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Rajiv^AppData^Roaming^Microsoft^Windows^Templates^Start Menu^Programs^Startup^ScreenHunter 5.0 Free.lnk]
path=c:\users\Rajiv\AppData\Roaming\Microsoft\Windows\Templates\Start Menu\Programs\Startup\ScreenHunter 5.0 Free.lnk
backup=c:\windows\pss\ScreenHunter 5.0 Free.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwiftToDoList

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]
--a------ 2009-01-08 09:55 98304 c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2008-08-13 17:32 206064 c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 09:24 16384 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
--a------ 2006-11-17 13:19 17920 c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-16 16:19 133104 c:\users\Rajiv\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2007-05-02 18:16 184320 c:\program files\Dell\MediaDirect\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec PIF AlertEng]
--a------ 2008-01-29 16:38 583048 c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 00:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
--------- 2006-11-27 08:14 180224 c:\program files\Creative\SBAudigy\Volume Panel\VolPanlu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-18 22:38 1008184 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2007-02-07 21:11 303104 c:\windows\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{AA747008-D2B1-4DE7-8334-BDCCD2001213}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{3F8491BF-68E4-44BD-9AF4-A0FF56BAA7F6}"= UDP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{B07413E8-ED81-411B-AA75-2DE491B8F601}"= TCP:c:\program files\Common Files\AOL\ACS\AOLDial.exe:AOL Connectivity Service Dialer
"{A6D08B7C-43F6-40C1-8808-2F8110167081}"= UDP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
"{83431BB3-EC18-41F9-B5C2-2A6468DC93A5}"= TCP:c:\program files\Common Files\AOL\ACS\AOLacsd.exe:AOL Connectivity Service
"{4A0721E7-E2FA-48E5-A370-40A23AFED3F4}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{A53A227E-1537-4444-B2F6-1CAD761C2FDC}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{D54CB161-438C-463F-8979-65C58CCF56C3}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{900E6A25-24C3-45C8-986D-20792E9C274E}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{AAB69A77-462D-4CB6-BA31-236C661939C5}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{36864236-98A0-47AD-978C-D4A5B8850CD2}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{0F5E95A8-EE86-4DE8-84C0-DFC7EDF78ADC}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{9DC00AF6-C62E-4F59-A716-DAA0309373C3}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{E03F8235-F3D1-41EF-98E9-18BE09FDA106}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{258C0819-E37E-450D-9CCE-7C06A50B9E0E}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{39B287EA-3582-4AAB-99F1-4BB8FC7EF65E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{ECDCA5AF-F20A-49C6-BE32-508C92527C14}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7C0F20A8-666D-48A4-9814-FEFBAD65ED8C}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{800A0467-5540-4D5C-A77B-7D76E09FA870}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{41306905-11FD-46BD-A59F-06AD58B0F201}"= UDP:c:\program files\Common Files\AOL\1178322383\ee\aolsoftware.exe:AOL Services
"{DF11D323-1CD1-4C6B-B890-CE6BB64EF78F}"= TCP:c:\program files\Common Files\AOL\1178322383\ee\aolsoftware.exe:AOL Services
"{CFD17B7A-21AB-4114-B3A1-8D087DD1A128}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{A08EA919-35DD-40C2-B448-C9577521F93E}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{643B4E2B-E16A-44D2-92DA-D3FE9D7D9074}"= UDP:c:\program files\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{336AB49F-DBE9-411C-8527-C06C7C96009F}"= TCP:c:\program files\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{F482BFD6-6FC2-489B-AE15-7A3DE0166118}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{57DB33C2-F27D-4F5E-98E7-A82DAFC76179}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{7E2A3217-5CA6-488C-944C-5ED2DEBD3BAF}"= UDP:c:\program files\Common Files\AOL\1178322383\ee\aolsoftware.exe:AOL Services
"{522BB1D0-EE89-46C4-9ED3-13F6A10A5B3E}"= TCP:c:\program files\Common Files\AOL\1178322383\ee\aolsoftware.exe:AOL Services
"{A285F57E-C08A-47BF-B0B1-8E579A78B6C1}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{A7B94DC7-8CC4-48E1-8593-8F8AE051D960}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{EFEEFAD7-8D83-4899-ADDD-5B9820FD27F3}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1071A4FA-5428-40C9-9E81-DC0A58894B1B}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{F66EC930-1186-46F8-8AEC-7CD79B9F3405}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{FB1E9F0F-B80B-4891-8043-F65C42A60EA4}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{933D26AE-CCE9-4F3D-8818-39FC44E0E1C2}c:\\program files\\macromedia\\dreamweaver 8\\dreamweaver.exe"= UDP:c:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8
"UDP Query User{57D07298-048B-4466-9BA1-7BBE2C7C9366}c:\\program files\\macromedia\\dreamweaver 8\\dreamweaver.exe"= TCP:c:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8
"{ECCD0308-3CCB-4AC2-9523-9F7BF088F226}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{6BB76BF1-FF08-4116-B40D-3EC5947D2FA9}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{E01B9144-3ECF-4D7B-B41B-6DB884A005C4}"= UDP:c:\users\Rajiv\AppData\Roaming\Facebook\facebook.exe:Facebook
"{E3FD8D6D-C3B0-45BD-B328-8B00EB5724A4}"= TCP:c:\users\Rajiv\AppData\Roaming\Facebook\facebook.exe:Facebook
"TCP Query User{E499054B-BC5E-4160-AD77-45E5CA255E20}c:\\program files\\macromedia\\dreamweaver 8\\dreamweaver.exe"= UDP:c:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8
"UDP Query User{CCA10086-8DB2-4114-88B7-AE263814403A}c:\\program files\\macromedia\\dreamweaver 8\\dreamweaver.exe"= TCP:c:\program files\macromedia\dreamweaver 8\dreamweaver.exe:Dreamweaver 8
"{5F5CC16C-CD70-420C-A4BA-99A1AD8F0160}"= UDP:c:\windows\Temp\~os8601.tmp\ossproxy.exe:ossproxy.exe
"{39E88427-6F4D-4197-919E-8BADABCE0A9D}"= UDP:c:\program files\Samsung\Samsung New PC Studio\npsasvr.exe:KTF MUSIC AoD Server
"{64E54E0D-7A13-46D8-994C-03C7D4126020}"= TCP:c:\program files\Samsung\Samsung New PC Studio\npsasvr.exe:KTF MUSIC AoD Server
"{87E680B3-182D-45ED-889D-640528A14DFF}"= UDP:c:\program files\Samsung\Samsung New PC Studio\npsvsvr.exe:KTF MUSIC VoD Server
"{C5DEB228-D919-499D-A4ED-5ACF9254EB1A}"= TCP:c:\program files\Samsung\Samsung New PC Studio\npsvsvr.exe:KTF MUSIC VoD Server
"{EB90E176-9A49-4D18-B693-0479EDC9DCB8}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{17C3D0C5-51E6-47DF-9FB7-3851BB67030D}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{1A04B4E4-B94A-4763-BC21-E39E80245732}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{B4858618-5E72-4567-A087-7A3E480BF4F9}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{6FCE749F-524A-4821-B649-96E99202F344}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{DF6C288E-24D5-4648-9AFA-BFA08E5224DA}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"{EBD7473C-6B49-4A26-8E83-D39DBC8EDE97}"= Disabled:UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{C58D7044-33EE-4F51-AA08-8EF52FDB51CD}"= Disabled:TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{C433B7DC-FA70-4A40-AF91-5C3009EA13DC}"= Disabled:UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{0E3A3436-907F-4882-B95B-FA18FC0B3E3C}"= Disabled:TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{0DC64835-FF49-4706-B817-A7755230E2DA}"= Disabled:UDP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe
"{A6D782CB-9DAD-4DF4-A621-098B943B7ACC}"= Disabled:TCP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 1 (0x1)

R0 cdburner;cdburner;c:\windows\System32\drivers\cdburner.sys [2009-01-14 15872]
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [2009-02-22 64160]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-02-26 1153368]
S2 gupdate1c98fc2ec2bb25e;Google Update Service (gupdate1c98fc2ec2bb25e);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-15 133104]
S3 AsAudioDevice_354;AsAudioDevice_354;c:\windows\System32\drivers\AsAudioDevice_354.sys [2009-01-14 16640]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\System32\FsUsbExDisk.Sys [2009-01-21 36608]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S3 LTXMD_VAC;Litex Media Virtual Audio Cable (WDM);c:\windows\System32\drivers\lmvac.sys [2009-01-14 18912]
S3 wsvad_driver;WS Audio Device;c:\windows\System32\drivers\VirtualAudio.sys [2009-01-14 16896]
S4 FsUsbExService;FsUsbExService;c:\windows\System32\FsUsbExService.Exe [2009-01-21 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{451d4035-fb1f-11db-a10a-00197ee89bf7}]
\shell\AutoRun\command - F:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-26 20:16]

2009-02-28 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-15 15:12]

2009-02-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-300775179-2714954865-3135053195-1000.job
- c:\users\Rajiv\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-16 16:19]

2009-02-14 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-01-14 13:15]

2009-02-14 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-02-13 16:06]

2009-02-28 c:\windows\Tasks\User_Feed_Synchronization-{426F55CC-BD12-4C0D-9D3F-1A7EE5244D22}.job
- c:\windows\system32\msfeedssync.exe [2008-01-18 22:33]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A057A204-BACC-4D26-9A9E-3AF287E2699B} - (no file)
HKLM-Run-NPSStartup - (no file)
HKU-Default-Run-DelayShred - c:\progra~1\mcafee\mshr\ShrCL.EXE
MSConfigStartUp-CaptureIt - c:\program files\CaptureIt\CaptureIt.exe
MSConfigStartUp-NoteBurner - c:\program files\NoteBurner\VTBurnerGUI.exe
MSConfigStartUp-TuneClone - c:\program files\TuneClone\TuneClone.exe
MSConfigStartUp-Uconomix SnapLogger - c:\program files\Uconomix\Uconomix SnapLogger 1.1\SnapLogger.exe
MSConfigStartUp-YOP - c:\progra~1\Yahoo!\YOP\yop.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&amp;source=iglk
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
FF - ProfilePath - c:\users\Rajiv\AppData\Roaming\Mozilla\Firefox\Profiles\4ivj4yrs.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - chrome://fastdial/content/fastdial.html
1 file(s) moved.
1 file(s) moved.
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - component: c:\users\Rajiv\AppData\Roaming\Mozilla\Firefox\Profiles\4ivj4yrs.default\extensions\{3502a070-ea2f-11dd-ba2f-0800200c9a66}\components\mintray-9178506d-2005072516-trunk.dll
FF - component: c:\users\Rajiv\AppData\Roaming\Mozilla\Firefox\Profiles\4ivj4yrs.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
FF - component: c:\users\Rajiv\AppData\Roaming\Mozilla\Firefox\Profiles\4ivj4yrs.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npff_gdm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsharedview.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\users\Rajiv\AppData\Local\Google\Update\1.2.141.5\npGoogleOneClick7.dll

---- FIREFOX POLICIES ----
user_pref('capability.policy.policynames', 'localfilelinks');user_pref('capability.policy.localfilelinks.sites', 'hxxp://www.webmynd.com http://www.google.com');user_pref('capability.policy.localfilelinks.checkloaduri.enabled', 'allAccess');.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-28 12:20:16
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
Completion time: 2009-02-28 12:22:56
ComboFix-quarantined-files.txt 2009-02-28 20:22:54

Pre-Run: 40,903,950,336 bytes free
Post-Run: 41,055,899,648 bytes free

419 --- E O F --- 2009-02-28 02:33:37
jsam
Regular Member
 
Posts: 16
Joined: February 22nd, 2009, 2:35 pm

Re: Vista - BSOD + other issues

Unread postby Odd dude » March 5th, 2009, 11:23 am

Strange. ComboFix didn't take the infection down.

Run CFScript
Open notepad and copy/paste the following to it:

Code: Select all
Driver::
gaopdxserv.sys
rootkit::
c:\windows\system32\drivers\gaopdxgewvrojp.sys
Folder::
c:\users\Rajiv\AppData\Roaming\Azureus
c:\users\All Users\Azureus
c:\programdata\Azureus
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5F5CC16C-CD70-420C-A4BA-99A1AD8F0160}"=-
"{EB90E176-9A49-4D18-B693-0479EDC9DCB8}"=-
"{17C3D0C5-51E6-47DF-9FB7-3851BB67030D}"=-
"TCP Query User{6FCE749F-524A-4821-B649-96E99202F344}c:\\program files\\vuze\\azureus.exe"=-
"UDP Query User{DF6C288E-24D5-4648-9AFA-BFA08E5224DA}c:\\program files\\vuze\\azureus.exe"=-
"{EBD7473C-6B49-4A26-8E83-D39DBC8EDE97}"=-
"{C58D7044-33EE-4F51-AA08-8EF52FDB51CD}"=-


Save this to your desktop as "CFScript.txt".

Disconnect from the internet, disable your antimalware software like you did before, and drag CFScript into ComboFix

Image

ComboFix will run again, please be patient and post the log like usual.
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Vista - BSOD + other issues

Unread postby jsam » March 6th, 2009, 1:57 pm

Hi. I did as directed. Updated log attached.

I did get one error message while it was running
"Windows\Minidump is corrupt and unreadable. Run chkdsk utility"

Thanks

Joe
You do not have the required permissions to view the files attached to this post.
jsam
Regular Member
 
Posts: 16
Joined: February 22nd, 2009, 2:35 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 330 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware