aszu12

Sirefef.b, Rootkit, missing internet & network connection

45 posts in this topic

Yes, feel free to turn on wireless. Does normal mode work now or do you still have the same problem?


Hi Elise -- no, I get the dreaded blue screen of death with the same warning messages as above.


Hi again, let me know if the following helps.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


Driver::
plwgljkh

Rootkit::
c:\windows\system32\drivers\tgnmsga.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Elise, I got a new error when running ComboFix in safe mode -- tried it twice and error appeared both times. Another blue screen of death with the following:

"A problem has been detected and windows has been shut down to prevent damage to your computer.

DRIVER_IRQL_NOT_LESS_OR_EQUAL

. . . .

Technical information:

*** STOP: 0x000000D1 (0x00000004, 0x00000002, 0x00000000, 0xF7B4AE6E)

*** iaStor.sys - Address F7B4AE6E base at F7B0F000, DateStamp, 48550e8d

Beginning dump of physical memory
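The two STOP screens quoted in this thread (0x000000D1 above, 0x0000007E further down) carry more triage information than the error name. As an added example, not from the thread and not a Microsoft tool, the Python decoder below parses the "*** STOP:" line and the "*** module - Address ... base at ..." line, labels the four parameters according to the Windows bug check reference, and turns the faulting address and module base into a module+offset value. The sample strings are constructed from the screens posted here; the bug-check and NTSTATUS tables cover only the two codes in this thread.

```python
"""Decode an XP-era STOP screen into something an analyst can act on.

Constructed example, not from the thread or from Microsoft.  It parses the
"*** STOP:" line and the optional "*** <module> - Address ... base at ..."
line, names the bug check, labels its four parameters and computes the
offset of the faulting address inside the named driver.
"""
import re

STOP_RE = re.compile(
    r"\*\*\*\s*STOP:\s*0x(?P<code>[0-9A-Fa-f]+)\s*\(\s*"
    r"0x(?P<p1>[0-9A-Fa-f]+)\s*,\s*0x(?P<p2>[0-9A-Fa-f]+)\s*,\s*"
    r"0x(?P<p3>[0-9A-Fa-f]+)\s*,\s*0x(?P<p4>[0-9A-Fa-f]+)\s*\)")
MODULE_RE = re.compile(
    r"\*\*\*\s*(?P<module>\S+)\s*-\s*Address\s+(?P<addr>[0-9A-Fa-f]+)"
    r"\s+base at\s+(?P<base>[0-9A-Fa-f]+)", re.IGNORECASE)

# Parameter meanings from the Windows bug check reference (two codes only).
BUG_CHECKS = {
    0x000000D1: ("DRIVER_IRQL_NOT_LESS_OR_EQUAL",
                 ("memory referenced", "IRQL at time of reference",
                  "access (0 = read, 1 = write)", "address that referenced memory")),
    0x0000007E: ("SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
                 ("exception code", "address where the exception occurred",
                  "exception record", "context record")),
}
NTSTATUS_NAMES = {0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
                  0xC0000005: "STATUS_ACCESS_VIOLATION"}

# Stop text constructed from the two screens quoted in this thread.
SAMPLE_D1 = """*** STOP: 0x000000D1 (0x00000004, 0x00000002, 0x00000000, 0xF7B4AE6E)
*** iaStor.sys - Address F7B4AE6E base at F7B0F000, DateStamp, 48550e8d"""
SAMPLE_7E = "*** STOP: 0x0000007E (0xC000001D, 0x9C4E5770, 0xBA4CF4A8, 0xBA4CF1A4)"


def decode_stop(text):
    """Return a dict describing the bug check found in `text`."""
    m = STOP_RE.search(text)
    if m is None:
        raise ValueError("no *** STOP: line found")
    code = int(m["code"], 16)
    params = [int(m[k], 16) for k in ("p1", "p2", "p3", "p4")]
    name, labels = BUG_CHECKS.get(code, ("UNKNOWN_BUG_CHECK", ("p1", "p2", "p3", "p4")))
    result = {"code": code, "name": name, "params": dict(zip(labels, params))}
    mod = MODULE_RE.search(text)
    if mod is not None:
        addr, base = int(mod["addr"], 16), int(mod["base"], 16)
        result["module"] = mod["module"]
        result["offset"] = addr - base  # module+offset is what you symbolize
    if code == 0x000000D1:
        result["access"] = "write" if params[2] == 1 else "read"
        result["irql"] = params[1]
        # a tiny referenced address means a NULL (or near-NULL) pointer dereference
        result["null_deref"] = params[0] < 0x1000
    elif code == 0x0000007E:
        result["exception"] = NTSTATUS_NAMES.get(params[0], f"0x{params[0]:08X}")
    return result


def summarize(text):
    """One-line human summary of decode_stop()."""
    r = decode_stop(text)
    line = f"{r['name']} (0x{r['code']:08X})"
    if "module" in r:
        line += f" in {r['module']}+0x{r['offset']:X}"
    if r["code"] == 0x000000D1:
        line += f": {r['access']} of 0x{r['params']['memory referenced']:08X} at IRQL {r['irql']}"
    elif "exception" in r:
        line += f": {r['exception']}"
    return line


if __name__ == "__main__":
    print(summarize(SAMPLE_D1))
    print(summarize(SAMPLE_7E))
```

For the 0xD1 screen this yields iaStor.sys+0x3BE6E reading address 0x00000004 at IRQL 2, i.e. a near-NULL pointer dereference at DISPATCH_LEVEL inside the Intel storage driver; the offset is what you would look up against the driver's symbols or a known-issue list when deciding whether the driver itself or something interposed in its path is failing. The 0x7E screen decodes to STATUS_ILLEGAL_INSTRUCTION, which in a kernel thread usually means code was executed from memory that does not hold valid instructions.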


Does this appear after running combofix, or during running combofix (in other words, can you still access safe mode normally afterwards)?


Yes, I can still access safe mode after reboot. I think that it was in the process of either finishing a run or preparing a report when the blue screen appeared.


ComboFix 12-02-25.02 - User 02/27/2012 16:43:00.6.2 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2000.1568 [GMT -5:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_plwgljkh

.

.

((((((((((((((((((((((((( Files Created from 2012-01-27 to 2012-02-27 )))))))))))))))))))))))))))))))

.

.

2012-02-25 23:24 . 2008-04-14 04:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2012-02-25 23:24 . 2008-04-14 04:51 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys

2012-02-15 00:12 . 2008-04-14 03:05 154624 ----a-w- c:\windows\system32\dllcache\wlluc48.sys

2012-02-15 00:11 . 2001-08-17 18:28 397502 ----a-w- c:\windows\system32\dllcache\vpctcom.sys

2012-02-15 00:10 . 2001-08-18 03:36 50176 ----a-w- c:\windows\system32\dllcache\umaxp60.dll

2012-02-15 00:09 . 2001-08-17 19:56 81408 ----a-w- c:\windows\system32\dllcache\tgiul50.dll

2012-02-15 00:08 . 2004-08-04 10:00 101376 ----a-w- c:\windows\system32\dllcache\srusbusd.dll

2012-02-15 00:07 . 2004-08-04 10:00 30208 ----a-w- c:\windows\system32\dllcache\sm87w.dll

2012-02-15 00:06 . 2001-08-17 18:51 23936 ----a-w- c:\windows\system32\dllcache\sccmusbm.sys

2012-02-15 00:05 . 2001-08-18 03:36 86097 ----a-w- c:\windows\system32\dllcache\reslog32.dll

2012-02-15 00:04 . 2001-08-18 03:36 16384 ----a-w- c:\windows\system32\dllcache\philcam1.dll

2012-02-15 00:03 . 2001-08-17 17:50 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys

2012-02-15 00:02 . 2001-08-17 18:50 75520 ----a-w- c:\windows\system32\dllcache\mxport.sys

2012-02-15 00:01 . 2004-08-04 10:00 34304 ----a-w- c:\windows\system32\dllcache\migisol.exe

2012-02-15 00:00 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\dllcache\kbdusa.dll

2012-02-14 23:59 . 2001-08-17 19:06 154496 ----a-w- c:\windows\system32\dllcache\icam4usb.sys

2012-02-14 23:58 . 2001-08-18 03:36 32768 ----a-w- c:\windows\system32\dllcache\hpgtmcro.dll

2012-02-14 23:51 . 2001-08-17 17:15 442240 ----a-w- c:\windows\system32\dllcache\fpnpbase.sys

2012-02-14 23:50 . 2001-08-18 03:36 51200 ----a-w- c:\windows\system32\dllcache\eqnlogr.exe

2012-02-14 23:49 . 2001-08-18 03:36 229462 ----a-w- c:\windows\system32\dllcache\digifwrk.dll

2012-02-14 23:48 . 2008-04-14 05:16 17024 ----a-w- c:\windows\system32\dllcache\ccdecode.sys

2012-02-14 23:47 . 2004-08-04 10:00 49664 ----a-w- c:\windows\system32\dllcache\adrot.dll

2012-02-14 19:57 . 2012-01-06 01:19 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{32855CF5-D49A-40E9-B2A0-98EC0BB5AEE5}\mpengine.dll

2012-02-14 19:42 . 2012-02-14 19:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2012-02-14 19:40 . 2012-02-14 19:41 -------- d-----w- c:\program files\Microsoft Security Client

2012-02-14 01:16 . 2012-02-15 03:03 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys

2012-02-14 01:16 . 2012-02-14 01:16 -------- d-----w- c:\documents and settings\User\Application Data\FixTDSS

2012-02-12 08:34 . 2012-02-12 08:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2012-02-09 16:51 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-02-09 05:03 . 2012-02-09 05:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

2012-02-08 10:26 . 2012-02-14 19:24 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-02-25 00:21 . 2008-10-15 13:29 0 ----a-w- c:\documents and settings\User\Local Settings\Application Data\WavXMapDrive.bat

2012-01-31 12:44 . 2010-11-28 10:10 237072 ------w- c:\windows\system32\MpSigStub.exe

2010-11-16 15:45 . 2010-11-16 15:45 3143392 ----a-w- c:\program files\members_files_elderdocx_installation_elderdocxbeta_setup.exe

2010-10-28 20:52 . 2010-10-28 20:44 75019048 ----a-w- c:\program files\iTunesSetup.exe

2010-03-28 05:12 . 2010-03-28 05:10 2114184 ----a-w- c:\program files\Install_Facebook_Plug-In_1.0.3.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]

@="{022F2F51-CDDA-4873-8A29-72C66C808A3F}"

[HKEY_CLASSES_ROOT\CLSID\{022F2F51-CDDA-4873-8A29-72C66C808A3F}]

2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]

@="{661963C1-99A1-44e7-A671-1CF3768AE9D4}"

[HKEY_CLASSES_ROOT\CLSID\{661963C1-99A1-44e7-A671-1CF3768AE9D4}]

2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-07-01 196608]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-10 143360]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-10 170520]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-15 178712]

"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-05-30 180224]

"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-05-14 105472]

"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2008-06-24 243000]

"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2008-06-24 79160]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-18 2220032]

"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-06-29 442467]

"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-06-29 466944]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]

"Nikon Message Center 2"="c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-25 619008]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]

"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2008-05-30 593920]

"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2008-09-09 1486848]

"DCPstrApp"="c:\program files\Dell\Dell ControlPoint\Security Manager\SecurityDeviceInfoSetRegistryString.exe" [2008-08-04 6656]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-8-15 604776]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-2-27 972064]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSimpleStartMenu"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-09-29 00:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\PdaNet 4.12\\PdaNet.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\McAfee\\WGET.EXE"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8100:TCP"= 8100:TCP:*:Disabled:WorkgroupShare (Non-SSL)

"8101:TCP"= 8101:TCP:*:Disabled:WorkgroupShare (SSL)

"8102:UDP"= 8102:UDP:*:Disabled:WorkgroupShare (Monitor)

"8104:UDP"= 8104:UDP:*:Disabled:WorkgroupShare (Monitor)

"8109:TCP"= 8109:TCP:*:Disabled:WorkgroupShare (Free/Busy)

"135:TCP"= 135:TCP:*:Disabled:RPC

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]

"Enabled"= 1 (0x1)

.

R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [2/13/2012 8:16 PM 26872]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [11/28/2010 5:05 AM 116608]

S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

S2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]

S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [6/3/2008 3:28 PM 386328]

S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [7/31/2008 9:41 PM 808296]

S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [7/31/2008 9:41 PM 21352]

S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [8/18/2008 10:39 AM 455960]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 7:35 PM 135664]

S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/9/2012 11:51 AM 652360]

S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [8/11/2004 5:00 PM 14336]

S2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [9/9/2008 2:21 PM 69632]

S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [10/9/2008 1:23 AM 108160]

S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 5:28 AM 42832]

S3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [10/9/2008 1:25 AM 32808]

S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [10/9/2008 1:23 AM 244368]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 7:35 PM 135664]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [10/9/2008 1:25 AM 110080]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/9/2012 11:51 AM 20464]

S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [10/20/2008 6:21 PM 8576]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

NecUsb3Sevic REG_MULTI_SZ NecUsb3

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

PNDIS5

ptbsync

nimcdfxk

yediex

.

Contents of the 'Scheduled Tasks' folder

.

2012-02-25 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-04 02:49]

.

2012-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 00:35]

.

2012-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 00:35]

.

2012-02-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3395202182-1961662859-2963020059-1005Core.job

- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 20:01]

.

2012-02-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3395202182-1961662859-2963020059-1005UA.job

- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 20:01]

.

2012-02-27 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5081009

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

Trusted Zone: ctest.elynx.net\gateway

Trusted Zone: ditechsecuredocs.net\www

Trusted Zone: elynx.com\gateway

Trusted Zone: elynx.net\aegis

Trusted Zone: elynx.net\ctest

Trusted Zone: elynx.net\forms

Trusted Zone: elynx.net\gateway

Trusted Zone: elynx.net\gmacforms

Trusted Zone: elynx.net\pro

Trusted Zone: elynx.net\secure

Trusted Zone: elynx.net\ssctest

Trusted Zone: elynx.net\stest

Trusted Zone: elynx.net\webpost

Trusted Zone: gmacmsecuredocs.net\www

Trusted Zone: ss3.swiftsend.com\loandocs

Trusted Zone: suntrust.com\mtgdocs

Trusted Zone: swiftsend.com\docs

Trusted Zone: swiftsend.com\gateway

Trusted Zone: swiftsend.com\loandocs

Trusted Zone: swiftsend.com\www

Trusted Zone: swiftsend2.com\docs

Trusted Zone: swiftsend2.com\loandocs

Trusted Zone: swiftview.com\products

Trusted Zone: swiftview.com\www

Trusted Zone: us.hsbc.com\mortgage-esign

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{82627534-4036-4530-B136-C5C2800B8E11}: NameServer = 4.2.2.1

TCP: Interfaces\{99B9E6BD-88B7-47CD-8FBC-9D53D0D32312}: NameServer = 8.8.8.8,8.8.4.4

FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\z4wdr2c5.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-02-27 16:49

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(296)

c:\windows\system32\LMIinit.dll

c:\windows\system32\igfxdev.dll

.

- - - - - - - > 'lsass.exe'(352)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

.

- - - - - - - > 'explorer.exe'(1268)

c:\windows\system32\WININET.dll

c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmUserInterface.dll

.

Completion time: 2012-02-27 16:50:34

ComboFix-quarantined-files.txt 2012-02-27 21:50

ComboFix2.txt 2012-02-27 16:53

ComboFix3.txt 2012-02-27 14:08

ComboFix4.txt 2012-02-26 17:14

.

Pre-Run: 63,837,605,888 bytes free

Post-Run: 63,805,849,600 bytes free

.

- - End Of File - - BD95C5AD068D0827DEEE229A4B45E257


Hi again,

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"NecUsb3Sevic"=-

Driver::
NecUsb3

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please download and run this file (it will reset the netbt service and hopefully make the BSOD disappear): http://download.bleepingcomputer.com/win-services/xp/NetBT.reg
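The script above targets two things the ComboFix log makes visible: a service (NecUsb3) whose image is svchost.exe started with a private -k group (NecUsb3Sevic) that is defined in the svchost key, and NetSvcs entries (nimcdfxk, yediex) that no service record in the log accounts for. As an added example, not ComboFix code and not part of this thread, the Python triage helper below parses those parts of a ComboFix-style log and reports both patterns so an analyst can check them by hand. The sample log is cut down from the one posted above; the allow-list of standard XP svchost groups is an assumption for the example and is not exhaustive.

```python
"""Triage helper for ComboFix-style logs.

Constructed example, not part of ComboFix or of this thread.  It parses the
service list (R0/S2/... lines), the svchost group definitions and the NetSvcs
list from a log and reports:
  * services whose image is svchost.exe but whose -k group is not a standard
    Windows XP service group (a private group is one way a loader can sit
    behind the generic host process), and
  * NetSvcs entries that no service record in the log accounts for, so an
    analyst can verify them by hand.
SAMPLE_LOG is cut down from the log posted in the thread.
"""
import re

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_plwgljkh
.
R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [2/13/2012 8:16 PM 26872]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/9/2012 11:51 AM 652360]
S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [8/11/2004 5:00 PM 14336]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [10/20/2008 6:21 PM 8576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
PNDIS5
ptbsync
nimcdfxk
yediex
.
Contents of the 'Scheduled Tasks' folder
"""

# One ComboFix service record: "<state> <name>;<display>;<image> [<file info>]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s+\[(?P<fileinfo>[^\]]*)\]\s*$")
SVCHOST_GROUP_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)
# Assumed allow-list of stock Windows XP svchost groups (example only; extend per build).
STANDARD_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss",
                           "dcomlaunch", "imgsvc", "httpfilter", "termsvcs"}
DELETION_PREFIX = "-------\\"


def parse_services(log):
    """All R*/S* service records as dicts."""
    return [m.groupdict() for m in (SERVICE_RE.match(l.strip()) for l in log.splitlines()) if m]


def _section_lines(log, header_test):
    """Yield the non-empty lines after the first line matching header_test, up to a lone '.'."""
    collecting = False
    for raw in log.splitlines():
        line = raw.strip()
        if not collecting:
            collecting = header_test(line)
            continue
        if line == ".":
            return
        if line:
            yield line


def parse_svchost_groups(log):
    """svchost group name -> raw member string from the svchost registry key."""
    groups = {}
    for line in _section_lines(log, lambda l: l.lower().endswith(r"currentversion\svchost]")):
        name, _, members = line.partition(" REG_MULTI_SZ ")
        groups[name] = members
    return groups


def parse_netsvcs(log):
    """Service names listed under the NetSvcs group."""
    return list(_section_lines(log, lambda l: l.endswith("Svchost - NetSvcs")))


def removed_entries(log):
    """Service_/Legacy_ entries ComboFix reports under Drivers/Services as deleted."""
    out = []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith(DELETION_PREFIX):
            rest = line[len(DELETION_PREFIX):]
            if rest.startswith(("Service_", "Legacy_")):
                out.append(rest)
    return out


def svchost_private_groups(services, groups):
    """(service, group, group defined in svchost key) for non-standard -k groups."""
    findings = []
    for svc in services:
        m = SVCHOST_GROUP_RE.search(svc["image"])
        if m and m.group(1).lower() not in STANDARD_SVCHOST_GROUPS:
            findings.append((svc["name"], m.group(1), m.group(1) in groups))
    return findings


def unresolved_netsvcs(netsvcs, services):
    """NetSvcs names with no matching service record in the log."""
    known = {s["name"].lower() for s in services}
    return [n for n in netsvcs if n.lower() not in known]


def triage(log):
    services = parse_services(log)
    return {
        "removed": removed_entries(log),
        "svchost_private_group": svchost_private_groups(services, parse_svchost_groups(log)),
        "unresolved_netsvcs": unresolved_netsvcs(parse_netsvcs(log), services),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample this reports the already-removed Service_plwgljkh, flags NecUsb3 running under the private group NecUsb3Sevic (and confirms the group is defined in the svchost key), and lists PNDIS5, ptbsync, nimcdfxk and yediex as NetSvcs names with no service record to back them. The second list is deliberately a review queue rather than a verdict: legitimate third-party components can land there too, so each name still needs to be checked against the registry and the file system before anything is scripted for removal.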


Hi Elise: I did both the CFScript and the NetBT reg. I am attaching the ComboFix log. After running the NetBT and rebooting, I got a new blue screen of death with the following:

"A problem has been detected yada yada . . . .

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F*, etc etc.

Technical information:

*** STOP: 0x0000007E (0xC000001D, 0x9C4E5770, 0xBA4CF4A8, 0xBA4CF1A4)

Here is the CF log:

ComboFix 12-02-25.02 - User 02/28/2012 11:48:40.7.2 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2000.1619 [GMT -5:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User\Desktop\cfscript.txt

AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_NECUSB3

-------\Service_NecUsb3

.

.

((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-28 )))))))))))))))))))))))))))))))

.

.

2012-02-25 23:24 . 2008-04-14 04:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2012-02-25 23:24 . 2008-04-14 04:51 162816 ----a-w- c:\windows\system32\dllcache\netbt.sys

2012-02-15 00:11 . 2001-08-17 18:28 397502 ----a-w- c:\windows\system32\dllcache\vpctcom.sys

2012-02-15 00:10 . 2001-08-18 03:36 50176 ----a-w- c:\windows\system32\dllcache\umaxp60.dll

2012-02-15 00:09 . 2001-08-17 19:56 81408 ----a-w- c:\windows\system32\dllcache\tgiul50.dll

2012-02-15 00:08 . 2004-08-04 10:00 101376 ----a-w- c:\windows\system32\dllcache\srusbusd.dll

2012-02-15 00:07 . 2004-08-04 10:00 30208 ----a-w- c:\windows\system32\dllcache\sm87w.dll

2012-02-15 00:06 . 2001-08-17 18:51 23936 ----a-w- c:\windows\system32\dllcache\sccmusbm.sys

2012-02-15 00:05 . 2001-08-18 03:36 86097 ----a-w- c:\windows\system32\dllcache\reslog32.dll

2012-02-15 00:04 . 2001-08-18 03:36 16384 ----a-w- c:\windows\system32\dllcache\philcam1.dll

2012-02-15 00:03 . 2001-08-17 17:50 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys

2012-02-15 00:02 . 2001-08-17 18:50 75520 ----a-w- c:\windows\system32\dllcache\mxport.sys

2012-02-15 00:01 . 2004-08-04 10:00 34304 ----a-w- c:\windows\system32\dllcache\migisol.exe

2012-02-15 00:00 . 2004-08-04 10:00 5632 ----a-w- c:\windows\system32\dllcache\kbdusa.dll

2012-02-14 23:59 . 2001-08-17 19:06 154496 ----a-w- c:\windows\system32\dllcache\icam4usb.sys

2012-02-14 23:58 . 2001-08-18 03:36 32768 ----a-w- c:\windows\system32\dllcache\hpgtmcro.dll

2012-02-14 23:51 . 2001-08-17 17:15 442240 ----a-w- c:\windows\system32\dllcache\fpnpbase.sys

2012-02-14 23:50 . 2001-08-18 03:36 51200 ----a-w- c:\windows\system32\dllcache\eqnlogr.exe

2012-02-14 23:49 . 2001-08-18 03:36 229462 ----a-w- c:\windows\system32\dllcache\digifwrk.dll

2012-02-14 23:48 . 2008-04-14 05:16 17024 ----a-w- c:\windows\system32\dllcache\ccdecode.sys

2012-02-14 23:47 . 2004-08-04 10:00 49664 ----a-w- c:\windows\system32\dllcache\adrot.dll

2012-02-14 19:57 . 2012-01-06 01:19 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{32855CF5-D49A-40E9-B2A0-98EC0BB5AEE5}\mpengine.dll

2012-02-14 19:42 . 2012-02-14 19:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2012-02-14 19:40 . 2012-02-14 19:41 -------- d-----w- c:\program files\Microsoft Security Client

2012-02-14 01:16 . 2012-02-15 03:03 26872 ----a-w- c:\windows\system32\drivers\FixTDSS.sys

2012-02-14 01:16 . 2012-02-14 01:16 -------- d-----w- c:\documents and settings\User\Application Data\FixTDSS

2012-02-12 08:34 . 2012-02-12 08:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2012-02-09 16:51 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-02-09 05:03 . 2012-02-09 05:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3

2012-02-08 10:26 . 2012-02-14 19:24 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-02-25 00:21 . 2008-10-15 13:29 0 ----a-w- c:\documents and settings\User\Local Settings\Application Data\WavXMapDrive.bat

2012-01-31 12:44 . 2010-11-28 10:10 237072 ------w- c:\windows\system32\MpSigStub.exe

2010-11-16 15:45 . 2010-11-16 15:45 3143392 ----a-w- c:\program files\members_files_elderdocx_installation_elderdocxbeta_setup.exe

2010-10-28 20:52 . 2010-10-28 20:44 75019048 ----a-w- c:\program files\iTunesSetup.exe

2010-03-28 05:12 . 2010-03-28 05:10 2114184 ----a-w- c:\program files\Install_Facebook_Plug-In_1.0.3.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]

@="{022F2F51-CDDA-4873-8A29-72C66C808A3F}"

[HKEY_CLASSES_ROOT\CLSID\{022F2F51-CDDA-4873-8A29-72C66C808A3F}]

2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]

@="{661963C1-99A1-44e7-A671-1CF3768AE9D4}"

[HKEY_CLASSES_ROOT\CLSID\{661963C1-99A1-44e7-A671-1CF3768AE9D4}]

2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-07-01 196608]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-10 143360]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-10 170520]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-15 178712]

"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-05-30 180224]

"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-05-14 105472]

"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2008-06-24 243000]

"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2008-06-24 79160]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-18 2220032]

"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-06-29 442467]

"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-06-29 466944]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]

"Nikon Message Center 2"="c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-25 619008]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]

"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2008-05-30 593920]

"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2008-09-09 1486848]

"DCPstrApp"="c:\program files\Dell\Dell ControlPoint\Security Manager\SecurityDeviceInfoSetRegistryString.exe" [2008-08-04 6656]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-8-15 604776]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-2-27 972064]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSimpleStartMenu"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-09-29 00:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\PdaNet 4.12\\PdaNet.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\McAfee\\WGET.EXE"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8100:TCP"= 8100:TCP:*:Disabled:WorkgroupShare (Non-SSL)

"8101:TCP"= 8101:TCP:*:Disabled:WorkgroupShare (SSL)

"8102:UDP"= 8102:UDP:*:Disabled:WorkgroupShare (Monitor)

"8104:UDP"= 8104:UDP:*:Disabled:WorkgroupShare (Monitor)

"8109:TCP"= 8109:TCP:*:Disabled:WorkgroupShare (Free/Busy)

"135:TCP"= 135:TCP:*:Disabled:RPC

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]

"Enabled"= 1 (0x1)

.

R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [2/13/2012 8:16 PM 26872]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [11/28/2010 5:05 AM 116608]

S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

S2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]

S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [6/3/2008 3:28 PM 386328]

S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [7/31/2008 9:41 PM 808296]

S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [7/31/2008 9:41 PM 21352]

S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [8/18/2008 10:39 AM 455960]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 7:35 PM 135664]

S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/9/2012 11:51 AM 652360]

S2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [9/9/2008 2:21 PM 69632]

S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [10/9/2008 1:23 AM 108160]

S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 5:28 AM 42832]

S3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [10/9/2008 1:25 AM 32808]

S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [10/9/2008 1:23 AM 244368]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 7:35 PM 135664]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [10/9/2008 1:25 AM 110080]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/9/2012 11:51 AM 20464]

S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [10/20/2008 6:21 PM 8576]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

PNDIS5

ptbsync

nimcdfxk

yediex

.

Contents of the 'Scheduled Tasks' folder

.

2012-02-25 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-04 02:49]

.

2012-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 00:35]

.

2012-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 00:35]

.

2012-02-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3395202182-1961662859-2963020059-1005Core.job

- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 20:01]

.

2012-02-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3395202182-1961662859-2963020059-1005UA.job

- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-30 20:01]

.

2012-02-27 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5081009

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

Trusted Zone: ctest.elynx.net\gateway

Trusted Zone: ditechsecuredocs.net\www

Trusted Zone: elynx.com\gateway

Trusted Zone: elynx.net\aegis

Trusted Zone: elynx.net\ctest

Trusted Zone: elynx.net\forms

Trusted Zone: elynx.net\gateway

Trusted Zone: elynx.net\gmacforms

Trusted Zone: elynx.net\pro

Trusted Zone: elynx.net\secure

Trusted Zone: elynx.net\ssctest

Trusted Zone: elynx.net\stest

Trusted Zone: elynx.net\webpost

Trusted Zone: gmacmsecuredocs.net\www

Trusted Zone: ss3.swiftsend.com\loandocs

Trusted Zone: suntrust.com\mtgdocs

Trusted Zone: swiftsend.com\docs

Trusted Zone: swiftsend.com\gateway

Trusted Zone: swiftsend.com\loandocs

Trusted Zone: swiftsend.com\www

Trusted Zone: swiftsend2.com\docs

Trusted Zone: swiftsend2.com\loandocs

Trusted Zone: swiftview.com\products

Trusted Zone: swiftview.com\www

Trusted Zone: us.hsbc.com\mortgage-esign

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{82627534-4036-4530-B136-C5C2800B8E11}: NameServer = 4.2.2.1

TCP: Interfaces\{99B9E6BD-88B7-47CD-8FBC-9D53D0D32312}: NameServer = 8.8.8.8,8.8.4.4

FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\z4wdr2c5.default\

FF - prefs.js: browser.startup.homepage - www.google.com

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-02-28 11:53

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(296)

c:\windows\system32\LMIinit.dll

.

- - - - - - - > 'lsass.exe'(360)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

.

- - - - - - - > 'explorer.exe'(2044)

c:\windows\system32\WININET.dll

c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmUserInterface.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\savedump.exe

c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe

.

**************************************************************************

.

Completion time: 2012-02-28 11:58:12 - machine was rebooted

ComboFix-quarantined-files.txt 2012-02-28 16:58

ComboFix2.txt 2012-02-27 21:50

ComboFix3.txt 2012-02-27 16:53

ComboFix4.txt 2012-02-27 14:08

ComboFix5.txt 2012-02-28 16:48

.

Pre-Run: 63,831,961,600 bytes free

Post-Run: 63,803,334,656 bytes free

.

- - End Of File - - E87FC63BC512E5D60DA41B6F162589C4


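The posted log carries several entries a reviewer would want pulled out before deciding on a fix: the Windows Firewall switched off for the standard profile, the remote-administration exception switched on, an LSA authentication package beyond the XP default, and NetSvcs group members that none of the listed services account for (one of them, nimcdfxk, has the random look typical of the service names this family of rootkits registers). The following is an added example, not part of this thread and not ComboFix code; it runs a few such triage heuristics over a sample log that was constructed from entries taken from the posted log. The section names, the `DEFAULT_AUTH_PACKAGES` set (msv1_0 being the stock XP package) and the consonant-run heuristic are my own assumptions, and every hit is a candidate for review, not a verdict.

```python
"""Triage heuristics over a ComboFix-style log (added example, not ComboFix code).

SAMPLE_LOG is constructed from entries in the posted log; the heuristics
are review aids, not a verdict on any single entry.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"Enabled"= 1 (0x1)
.
R0 FixTDSS;TDSS Fixtool driver;c:\windows\system32\drivers\FixTDSS.sys [2/13/2012 8:16 PM 26872]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/9/2012 11:51 AM 652360]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [10/20/2008 6:21 PM 8576]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
PNDIS5
ptbsync
nimcdfxk
yediex
.
"""

# Assumption: Windows XP ships a single LSA authentication package (msv1_0).
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
SERVICE_LINE = re.compile(r"^[RS]\d+\s+([^;]+);", re.M)   # ComboFix "R0 name;desc;path" lines
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}")  # crude "random name" heuristic


def sections(text):
    """Split the log into (header, body_lines) blocks; a lone '.' line ends a block."""
    blocks, header, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line == ".":
            if header is not None:
                blocks.append((header, body))
            header, body = None, []
        elif not line:
            continue
        elif header is None:
            header = line
        else:
            body.append(line)
    if header is not None:
        blocks.append((header, body))
    return blocks


def listed_services(text):
    """Names of the services/drivers ComboFix enumerates on its R*/S* lines."""
    return {m.group(1).strip() for m in SERVICE_LINE.finditer(text)}


def looks_random(name):
    """Five or more consonants in a row rarely occurs in genuine product names."""
    return CONSONANT_RUN.search(name.lower()) is not None


def auth_package_extras(text):
    """Authentication packages beyond the XP default; the reviewer decides if expected."""
    m = re.search(r"^Authentication Packages\s+REG_MULTI_SZ\s+(.+)$", text, re.M)
    if not m:
        return []
    return [p for p in m.group(1).split() if p.lower() not in DEFAULT_AUTH_PACKAGES]


def netsvcs_review(text):
    """NetSvcs members with no matching service line, plus random-looking names."""
    services = {s.lower() for s in listed_services(text)}
    out = []
    for header, body in sections(text):
        if header.lower().endswith("svchost - netsvcs"):
            for name in body:
                reasons = []
                if name.lower() not in services:
                    reasons.append("no matching service entry")
                if looks_random(name):
                    reasons.append("random-looking name")
                if reasons:
                    out.append((name, reasons))
    return out


def firewall_findings(text):
    """The two firewall settings to check first: profile switched off, remote admin on."""
    findings = []
    for header, body in sections(text):
        h = header.lower().strip("[]")
        if h.endswith(r"firewallpolicy\standardprofile") and any(
                re.match(r'"enablefirewall"\s*=\s*0\b', l, re.I) for l in body):
            findings.append("Windows Firewall disabled for the standard profile")
        if h.endswith(r"\remoteadminsettings") and any(
                re.match(r'"enabled"\s*=\s*1\b', l, re.I) for l in body):
            findings.append("remote administration exception enabled in the firewall")
    return findings


def triage(text):
    """All findings as human-readable lines."""
    lines = list(firewall_findings(text))
    lines += [f"extra LSA authentication package: {p}" for p in auth_package_extras(text)]
    lines += [f"NetSvcs entry {n}: {', '.join(r)}" for n, r in netsvcs_review(text)]
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print("-", line)
```

Every hit needs a human behind it. The log above shows Wave Systems' Trusted Drive Manager installed and wvauth.dll loaded in lsass.exe, so the extra authentication package may well be the vendor's own; the heuristic only says it is not the stock one. The NetSvcs check is the more useful one here: a group member that no listed service explains, especially with a random-looking name, is exactly what the helper's CF-script in this thread targets for the driver and rootkit file, and it should be confirmed against the service's registry key and file before anything is removed.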
Can you please test if Safe Mode with Networking will run or if that also BSODs?


Hi Elise -- sorry this is such a tough one. I tried to reboot into safe mode with networking and I get the same blue death screen as in Post #34 above.


Let's try the following:

Click Start > Run, type sfc /scannow and press enter. Let the system file checker run unhindered. When done try again to reboot normally.

If it still doesn't work, click Start > Run, type cmd and press enter. Type the following line and press enter:

netsh int ip reset

Restart your computer and let me know if it still BSODs.


When I attempt to do the scannow, it appears that nothing happens, except that a minimized box opens with the following:

"The item 'QTMX38ppafFLNh.exe' that this shortcut refers to has been changed or moved, so this shortcut will no longer work properly. Do you want to delete this shortcut?"

I didn't know if I should say yes to delete. . . .


Hi again Elise:

I don't think anything happens -- I get the following message:

One or more essential parameters were not entered.

Verify the required parameters, and reenter them.

The syntax supplied for this command is not valid. Check help for syntax


Try it with this command: netsh int IP reset C:\resetlog.txt


No. :(

Still got the blue screen as above. Tried to reboot and open into safe mode with networking and got same blue screen as well.


Please try to reboot in safe mode with networking again. Look carefully at the loaded drivers that appear on screen and let me know what the last listed file on screen is before the BSOD appears.


Are you still with us? This topic will be closed in a few days if we do not hear back from you.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
