#1, 17th September 2010, posted by tvjohns (thread starter)

[Inactive] Compaq XP computer runs slow; locks up


My brother has a Compaq desktop running XP Home with 512 MB of RAM.

For the last month his computer has not only been running apps very slowly, but when browsing the Internet with Internet Explorer 8 or Firefox, either browser frequently locks up, and at times the entire computer locks up to where even Ctrl-Alt-Delete freezes, leaving him the only alternative of pushing and holding the power button till the computer shuts down completely.

A short time before this problem, he said he'd had a couple of viruses detected on his computer, but had removed them. He runs Avast anti-virus as well as a ZoneAlarm firewall. When he called me about his slow-running/lock-up problem I ran Avast in its boot-scan routine. No viruses found by Avast. What residual registry corruption junk might remain, though, is anyone's guess.

I tried hitting F8 at boot-up to choose "Last Known Good Configuration", which did not improve matters at all.

Tried CCleaner, getting rid of a huge number of TMP files, but no improvement there either.

Nothing I've tried so far made any improvement.

NOTE: My brother's computer in question is a Compaq desktop running XP Home, 512 MB of RAM. Model 5410-US; Intel Celeron 1.3GHz processor. He bought it new some 5 years or so ago. It still has the original install, i.e., he has never had to reinstall the system — until now, which is what we are looking at if we can't fix this current problem.

Which is the reason I'm now querying you folks, at the recommendation of a couple of tech guys from the Windows BBS XP forum I've already questioned about this problem. One of them thinks someone on this Malware and Virus Removal forum might be able to provide a fix for the slow-running/lock-up problem, to save my brother the task of running the TWO disks supplied by Compaq: a Restore disk and a Windows XP OS disk.

Any help, tips, or solution you can provide would be most appreciated.

Timothy

#2, 17th September 2010, posted by broni (Malware Analyst)

Please, read this post, then post the requested log(s).

#3, 19th September 2010, posted by tvjohns (thread starter)

DDS Logs you requested:

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/31/2001 8:25:41 AM
System Uptime: 9/18/2010 7:01:24 PM (0 hours ago)

Motherboard: Compaq | | 07A8h
Processor: Intel(R) Celeron(TM) CPU 1300MHz | XU1 | 1295/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 33 GiB total, 17.915 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 0.997 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is FIXED (NTFS) - 112 GiB total, 93.54 GiB free.
H: is FIXED (NTFS) - 75 GiB total, 74.361 GiB free.
I: is FIXED (FAT32) - 112 GiB total, 108.372 GiB free.
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&268D196D&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&268D196D&0
Service: i8042prt

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Acrobat 4.0
Adobe ActiveShare 1.5
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
ATI Display Driver
avast! Free Antivirus
Bible Codes 2001
Board Games
Browser Hijack Blaster v1.0
Card Games for Windows
CCleaner
Chessmaster 9000
ClearType Tuning Control Panel Applet
CodeStuff Starter
Coloreal
Compaq Advisor
Compaq Wallpaper
Compaq WinDVD
Concise Oxford Dictionary (Tenth Edition)
Doom Shareware for Windows 95
Easy Access Button Support
Encarta Online
F/A-18 Precision Strike Fighter
Family Lawyer 7.0
Ghost Recon
GoBack Deluxe Edition
Google Update Helper
HijackThis 1.99.1
hp instant support
HP Photo and Imaging 1.0 - HP Photosmart Printer Series
HP PrecisionScan LTX
HP Share-to-Web
Iconoid Version 3.4.0
iFinger 2.0
InterVideo Installer
IZArc 3.7
Java(TM) 6 Update 3
KeyNote 1.6.5
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
MailFrontier Desktop
Math Advantage Pre-Algebra
Merriam-Webster
MGI PhotoSuite 8.06 (Remove Only)
Microsoft Money 2001
Microsoft Office PowerPoint Viewer 2003
Microsoft Reader
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Windows XP Inside Out eBook
Microsoft Word 2002
Microsoft Works 6.0
Mozilla Firefox (3.0.19)
Mozilla Thunderbird (1.0.2)
Norton Ghost
PaperPort 7.02
PaperPort Printer Driver
Password Safe
PDF-XChange PDF Viewer
PDFCreator
PDFCreator Toolbar
Photosmart 130,230,7150,7345,7350,7550 (Remove only)
Post-it® Software Notes Lite Version 2
PowerArchiver
Powertoys For Windows XP
Quicken 2002 New User Edition
Rainlendar (remove only)
RAMpage
Read in Microsoft Reader Add-in for Microsoft Word
RegEditX
Scientific-Atlanta WebSTAR 2000 series Cable Modem
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
SiSoftware Sandra Standard 2003 (PCExtreme.net version)
Stickies 3.6i
SWF Opener
Symantec Network Driver Update
Symnet Redirector Updater
Task Plus Freeware
TaxACT 2002
TaxACT 2003
TaxACT 2004
TaxACT Missouri 2002
TaxACT Missouri 2003
TaxACT Missouri 2004
Tools For Selling\IPLookup
Tweakui Powertoy for Windows XP
ubi.com
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WebReaper v6.4
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
Xteq Systems X-Setup 6.2
ZoneAlarm

==== Event Viewer Messages From Past Week ========

9/17/2010 9:52:15 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
9/12/2010 4:20:57 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
9/12/2010 4:20:57 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/12/2010 4:20:14 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd

==== End Of File ===========================


DDS (Ver_10-03-17.01) - NTFSx86
Run by Michael at 19:19:55.46 on Sat 09/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.258 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Accessories\RAMpage.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Documents and Settings\Michael\Desktop\dds 2.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoosearch.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar =
uSearchAssistant = hxxp://www.google.com/ie
uCustomizeSearch =
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: System=lsass.exe
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: PDFCreator Toolbar Helper: {c451c08a-ec37-45df-aaad-18b51ab5e837} - c:\program files\pdfcreator toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\program files\pdfcreator toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: iFinger: {0cbd5120-990b-11d3-8abd-00c04fa95ee0} - c:\windows\system32\SHDOCVW.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [RAMpage] "c:\program files\accessories\rampage.exe" m=28 t=4 a lg p="c:\program files\accessories\RAMpageConfig.exe"
mRun: [GhostStartTrayApp] c:\program files\symantec\norton ghost 2003\GhostStartTrayApp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\goback.lnk - c:\program files\roxio\goback\GBTray.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michael\applic~1\mozilla\firefox\profiles\psy6cd57.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-5-29 165584]
R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2003-12-17 5632]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-1-28 394160]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-5-29 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-22 40384]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-22 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-22 40384]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 EACMOS;EACMOS;c:\windows\system32\drivers\eacmos.sys --> c:\windows\system32\drivers\EACMOS.SYS [?]
S3 Gcr432;Gcr432;c:\windows\system32\drivers\Gcr432.sys [2001-9-6 89371]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

============== File Associations ===============

vbefile\shell\edit\command=%SystemRoot%\System32\Notepad.exe %1
vbsfile\shell\edit\command=%SystemRoot%\System32\Notepad.exe %1
jsefile\shell\edit\command=%SystemRoot%\System32\Notepad.exe %1

=============== Created Last 30 ================

2010-09-18 19:53:41 0 d-----w- C:\HP Scanner
2010-08-22 18:52:57 38848 ----a-w- c:\windows\avastSS.scr
2010-08-22 18:52:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-08-22 18:25:47 0 d-----w- c:\windows\SxsCaPendDel
2010-08-21 15:40:14 0 ----a-w- c:\windows\iPlayer.INI
2010-08-21 15:26:36 0 d-----w- c:\program files\InterActual

==================== Find3M ====================

2010-09-12 23:36:26 4001562624 --sha-w- C:\gobackio.bin
2002-06-17 04:55:33 382 ------w- c:\program files\Program Files.lnk
2002-04-29 01:44:35 437 ------w- c:\program files\Go.lnk

============= FINISH: 19:20:59.23 ===============

#4, 19th September 2010, posted by broni (Malware Analyst)

STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
Do NOT use the computer while GMER is running!
When the scan is completed, click the Save button, and save the results as gmer.log.
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log in your next reply.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


STEP 3. Download MBRCheck to your desktop.

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop.
Open this report and post its content in your next reply.



DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

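Step 1 above asks for the Malwarebytes log after "Remove Selected" has been clicked. The following is an added example, not code from this thread or from Malwarebytes: a small parser for the Malwarebytes 1.x log layout that checks the summary counts against the listed entries and flags anything still marked "No action taken", which is the usual sign that the scan was run but the removal step was skipped. The sample log is constructed (shortened from the format posted later in this thread, with counts adjusted to the entries kept).

```python
import re
from collections import defaultdict

# Constructed sample in the Malwarebytes 1.x log layout (not a real scan).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4693

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

Scan type: Quick scan
Objects scanned: 159824
Time elapsed: 12 minute(s), 44 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Data Items Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00021494-0000-0000-c000-000000000046} (Adware.ISTBar) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
(No malicious items detected)
"""

# "Registry Keys Infected: 5" (summary block near the top of the log)
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
# "Registry Keys Infected:" (header of a detail section, no count)
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<path> (<detection family>) -> <action>", where <action> may itself
# contain "Bad: (1) Good: (0) -> No action taken." for data items
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Split a Malwarebytes log into summary counts and per-item detections."""
    summary, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None          # blank line ends a detail section
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        # The final "-> ..." segment is what Malwarebytes did with the item.
        action = m.group("rest").split(" -> ")[-1].rstrip(".")
        items.append({"section": section, "path": m.group("path"),
                      "family": m.group("family"), "action": action})
    return {"summary": summary, "items": items}


def triage(report):
    """Answer the questions a helper asks first: was anything left in place,
    do the counts match the listing, and which families were seen?"""
    per_section = defaultdict(int)
    for item in report["items"]:
        per_section[item["section"]] += 1
    mismatches = {name: (count, per_section.get(name, 0))
                  for name, count in report["summary"].items()
                  if count != per_section.get(name, 0)}
    unactioned = [i["path"] for i in report["items"] if i["action"] == "No action taken"]
    return {
        "detected": len(report["items"]),
        "families": sorted({i["family"] for i in report["items"]}),
        "unactioned": unactioned,
        "needs_removal_rerun": bool(unactioned),
        "count_mismatches": mismatches,
    }


if __name__ == "__main__":
    result = triage(parse_mbam_log(SAMPLE_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
```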
#5, 21st September 2010, posted by tvjohns (thread starter)

I have downloaded the 3 malware/rootkit apps as you have instructed me and will have a chance either today or tomorrow to run them on my brother's computer. In fact, I intend to run them on my own Vista laptop as well.

I have one question: both my brother and I have external Western Digital USB hard drives connected to our computers. Can these malware/rootkit trouble-shooting apps be run successfully on a USB hard drive? And how about small USB pocket key drives? I have, for instance, two 4GB key drives often connected to my computer to load files on. Would these 3 apps work OK on them? And regarding the USB hard drives and key drives, would these 3 apps need to be loaded on the USB devices, or could they work on the USB devices when run from the C:\ drive?

#6, 21st September 2010, posted by broni (Malware Analyst)

IF your computer is infected, you should install the following on it before connecting any USB devices....

Download, and run Flash Disinfector, and save it to your desktop.

*Please disable any AV / script blockers, as they might detect Flash Disinfector as malicious and block it, hence the failure in executing. You can enable them again after the cleaning process*
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Once your computer is clean, we don't want to get it reinfected if any external device contains malicious files.

Scanning your USB devices with your AV program and Malwarebytes should be enough to make sure they're clean.

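The post above describes the protective autorun.inf folder that Flash Disinfector leaves at the root of each drive. As an added example (not code from this thread or from Flash Disinfector), the following script audits a set of drive roots and reports whether autorun.inf is absent, is the protective folder, or is a real file; for a file it lists the [autorun] directives that would make Windows launch something (open, shellexecute, shell\...\command). The drive roots are constructed in a temporary directory so the script runs anywhere; on a real machine you would pass the actual roots (e.g. D:\, E:\). The hidden-attribute check only has meaning on Windows.

```python
import os
import stat
import tempfile

# [autorun] keys that cause Windows to run, or offer to run, a program.
LAUNCH_KEYS = ("open", "shellexecute")


def launch_directives(inf_path):
    """Return (key, value) pairs in [autorun] that point at something runnable."""
    found, section = [], None
    with open(inf_path, "r", encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(";"):      # blank or comment
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].lower()
                continue
            if section != "autorun" or "=" not in line:
                continue
            key, value = (s.strip() for s in line.split("=", 1))
            k = key.lower()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
                found.append((key, value))
    return found


def classify_autorun(root):
    """Describe what sits at <root>\\autorun.inf: nothing, a folder, or a file."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return {"root": root, "state": "absent", "hidden": False, "launch": []}
    st = os.lstat(path)
    # st_file_attributes exists only on Windows; elsewhere hidden is always False.
    hidden = bool(getattr(st, "st_file_attributes", 0) &
                  getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))
    if stat.S_ISDIR(st.st_mode):
        # The folder Flash Disinfector creates: a file of that name cannot be
        # written while the folder occupies it, so autorun cannot be planted.
        return {"root": root, "state": "protective_dir", "hidden": hidden, "launch": []}
    return {"root": root, "state": "file", "hidden": hidden,
            "launch": launch_directives(path)}


def audit_roots(roots):
    return {root: classify_autorun(root) for root in roots}


def build_demo():
    """Construct three fake drive roots: clean, protected, and carrying an
    autorun.inf file with launch directives (sample content, not real malware)."""
    base = tempfile.mkdtemp(prefix="autorun_demo_")
    clean = os.path.join(base, "clean")
    protected = os.path.join(base, "protected")
    suspect = os.path.join(base, "suspect")
    os.makedirs(clean)
    os.makedirs(os.path.join(protected, "autorun.inf"))   # protective folder
    os.makedirs(suspect)
    with open(os.path.join(suspect, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write("; constructed sample\n[autorun]\n"
                 "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
                 "open=launcher.exe\n"
                 "shellexecute=launcher.exe\n"
                 "shell\\open\\command=launcher.exe\n")
    return [clean, protected, suspect]


if __name__ == "__main__":
    for root, info in audit_roots(build_demo()).items():
        print(root, info["state"], info["launch"])
```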
#7, 22nd September 2010, posted by tvjohns (thread starter)

I have just tried running GMER, not on my brother's Compaq but on my own Vista laptop. I ran MalwareBytes first—No Files Infected. Then I tried running GMER, first without checking Run as Administrator, which didn't work, so naturally I next chose Run as Admin. Got what looks like the regular GMER screen and tried running it. GMER wouldn't run; it locked. I even had to reboot to get the desktop working again. Tried unchecking Devices as you recommend. Didn't help. It seemed to start scanning, then the program quickly stopped.

Next I tried running GMER in Safe Mode. Again it started to run the Rootkit scan, seemed to run a little longer, then stopped again. It brought up an error screen with the following message:

GMER stopped working
Problem Event Name: APPCRASH
Application Name: gmer.exe
Application Version: 1.0.15.15281
Application Timestamp: 4b2763f0
Fault Module Name: gmer.exe
Fault Module Version: 1.0.15.15281
Fault Module Timestamp: 4b2763f0
Exception Code: c0000005
Exception Offset: 0000c4b1
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 1033
Additional Information 1: fd00
Additional Information 2: ea6f5fe8924aaa756324d57f87834160
Additional Information 3: fd00
Additional Information 4: ea6f5fe8924aaa756324d57f87834160

QUESTION: Does this mean I have a rootkit infection smart enough to defend itself against GMER? OR is GMER not compatible with Vista? OR can you suggest another way to run GMER, OR a different rootkit detector/killer?

Timothy

#8, 22nd September 2010, posted by tvjohns (thread starter)

P.S. I run Avast Anti-virus on my laptop. The two times my entire laptop locked up, forcing not a hot reboot but a total shutdown and cold boot, were when Avast was still running. Only after I shut down Avast could I run GMER — though even then, as I noted just above, GMER quit after just a few seconds of scanning, producing the error message I noted above. So obviously Avast, or presumably any other AV app, interferes with GMER. But running in Safe Mode failed also.

Timothy

#9, 22nd September 2010, posted by broni (Malware Analyst)

OK, let's not mix two computers into one thread.
We stay with one computer here.

Skip GMER and give me MBRCheck log, please.

#10, 25th September 2010, posted by tvjohns (thread starter)

Have just run the 3 scanners you directed me to run on my brother's Compaq computer: Malwarebytes, GMER and MBRCheck. The 3 combined printouts follow:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4693

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

9/25/2010 3:07:13 PM
mbam-log-2010-09-25 (15-07-13).txt

Scan type: Quick scan
Objects scanned: 159824
Time elapsed: 12 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00021494-0000-0000-c000-000000000046} (Adware.ISTBar) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


********************************
********************************

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-25 18:02:56
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Michael\LOCALS~1\Temp\kgtdikow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xBAE11CF0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xBAFA1E50]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xBAF9E810]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xBAE11BAC]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xBAFA21E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xBAFA8470]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcessEx [0xBAFA86A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xBAFABCC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xBAFA22C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xBAF9EE90]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xBAE12160]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xBAE1208A]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xBAFA81E0]
SSDT GoBack2K.sys (GoBack Engine Driver/Roxio, Inc.) ZwFsControlFile [0xF8517810]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xBAFAA9C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xBAF9ECE0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xBAE11C86]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xBAFA7F30]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xBAFA7D50]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xBAE11DA6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xBAE1222E]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xBAFAACB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xBAFA1AF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xBAE11D66]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xBAFA2000]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xBAF9F000]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xBAE11EE6]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xBAFA88D0]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xBAE1EB0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + E0 804E273C 4 Bytes CALL 7C3DE23A
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [E0, 21, FA, BA, 70, 84, FA, ...]
PAGE ntoskrnl.exe!ObInsertObject 805643A3 3 Bytes JMP BAE1BFFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ObInsertObject + 4 805643A7 1 Byte [3A]
PAGE ntoskrnl.exe!ObMakeTemporaryObject 805A10B2 5 Bytes JMP BAE1A5D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805A407A 7 Bytes JMP BAE1EB10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
? srescan.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1436] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [BAFA6940] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [BAFA6E60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [BAFA6FC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [BAFA6AB0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [BAFA6AB0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [BAFA6940] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [BAFA6E60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [BAFA6FC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BAFA6940] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BAFA6FC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BAFA6E60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BAFA6AB0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BAFA6FC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BAFA6E60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BAFA6940] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BAFA6AB0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BAFA6940] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BAFA6E60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BAFA6FC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [BAFB3F90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\irda.sys[NDIS.SYS!NdisOpenAdapter] [BAFA6E60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\irda.sys[NDIS.SYS!NdisRegisterProtocol] [BAFA6940] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\irda.sys[NDIS.SYS!NdisCloseAdapter] [BAFA6FC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\irda.sys[NDIS.SYS!NdisDeregisterProtocol] [BAFA6AB0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [BAFA6940] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [BAFA6AB0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [BAFA6FC0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [BAFA6E60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [BAF9F560] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [BAF9F4B0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [BAF9F660] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [BAF9F1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/AVAST Software)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Disk \Device\Harddisk0\DR0 GoBack2K.sys (GoBack Engine Driver/Roxio, Inc.)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Disk \Device\Harddisk1\DR1 GoBack2K.sys (GoBack Engine Driver/Roxio, Inc.)
Device \Driver\Disk \Device\Harddisk2\DR4 GoBack2K.sys (GoBack Engine Driver/Roxio, Inc.)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----


***********************************
***********************************

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x000001fd

Kernel Drivers (total 137):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EC000 \WINDOWS\system32\hal.dll
0xF8AF5000 \WINDOWS\system32\KDCOM.DLL
0xF8A05000 \WINDOWS\system32\BOOTVID.dll
0xF85A6000 ACPI.sys
0xF8AF7000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF8595000 pci.sys
0xF85F5000 isapnp.sys
0xF8BBD000 GBDevice.sys
0xF8AF9000 intelide.sys
0xF8875000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF8605000 MountMgr.sys
0xF8576000 ftdisk.sys
0xF887D000 PartMgr.sys
0xF8615000 VolSnap.sys
0xF855E000 atapi.sys
0xF8625000 disk.sys
0xF8635000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF853E000 fltmgr.sys
0xF8515000 GoBack2K.sys
0xF8885000 PxHelp20.sys
0xF84FE000 KSecDD.sys
0xF8471000 Ntfs.sys
0xF8444000 NDIS.sys
0xF8645000 vvoice.sys
0xF83E2000 vpctcom.sys
0xF834E000 vmodem.sys
0xF833A000 srescan.sys
0xF831F000 Mup.sys
0xF8655000 agp440.sys
0xF7635000 \SystemRoot\System32\DRIVERS\ati2mtag.sys
0xF7621000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF7605000 \SystemRoot\System32\DRIVERS\ptserlp.sys
0xF895D000 \SystemRoot\System32\Drivers\Modem.SYS
0xF8965000 \SystemRoot\System32\DRIVERS\RTL8139.SYS
0xF86B5000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF8975000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF897D000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF75F1000 \SystemRoot\System32\DRIVERS\parport.sys
0xF86C5000 \SystemRoot\System32\DRIVERS\serial.sys
0xF82DB000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF8985000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF86D5000 \SystemRoot\System32\Drivers\AFS2K.SYS
0xF86E5000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF86F5000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF75CE000 \SystemRoot\System32\DRIVERS\ks.sys
0xF8705000 \SystemRoot\System32\Drivers\Imapi.SYS
0xF898D000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xF75AB000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF7593000 \SystemRoot\system32\drivers\ac97intc.sys
0xF756F000 \SystemRoot\system32\drivers\portcls.sys
0xF8715000 \SystemRoot\system32\drivers\drmk.sys
0xF8725000 \SystemRoot\System32\DRIVERS\p3.sys
0xF8BC3000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF8995000 \SystemRoot\System32\DRIVERS\rasirda.sys
0xF899D000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF8735000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF8A91000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF7558000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF8745000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF8755000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF7547000 \SystemRoot\System32\DRIVERS\psched.sys
0xF8765000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF89E5000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF89ED000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF76EC000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF8B47000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF7194000 \SystemRoot\System32\DRIVERS\update.sys
0xF8AA1000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF89F5000 \SystemRoot\System32\DRIVERS\irsir.sys
0xF8AA5000 \SystemRoot\System32\DRIVERS\irenum.sys
0xF76AC000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xEBBC2000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xEBA71000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF8B9B000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF8B7F000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF77BC000 \SystemRoot\System32\Drivers\Null.SYS
0xF8B81000 \SystemRoot\System32\Drivers\Beep.SYS
0xEBBE2000 \??\C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
0xEBBDA000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
0xEBBD2000 \SystemRoot\System32\drivers\vga.sys
0xF8B83000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8B85000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xEBBCA000 \SystemRoot\System32\Drivers\Msfs.SYS
0xEF125000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF77BE000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xF8170000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xF8118000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF74F7000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xBAFCE000 \SystemRoot\System32\DRIVERS\netbt.sys
0xBAF6F000 \SystemRoot\System32\vsdatant.sys
0xBAF4E000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF74E7000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xEF11D000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
0xBAF2C000 \SystemRoot\System32\drivers\afd.sys
0xF74D7000 \SystemRoot\System32\DRIVERS\netbios.sys
0xBAF01000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xBAE92000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF74B7000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7E29000 \SystemRoot\System32\DRIVERS\usbscan.sys
0xBAE30000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xBAE09000 \SystemRoot\System32\Drivers\aswSP.SYS
0xEF105000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF7E21000 \SystemRoot\System32\DRIVERS\hidusb.sys
0xF74A7000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
0xEF0FD000 \SystemRoot\System32\drivers\hphius11.sys
0xBADE6000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF7BCB000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xF77A2000 \SystemRoot\System32\DRIVERS\hphid411.sys
0xF7BC7000 \SystemRoot\System32\DRIVERS\hphipr11.sys
0xBADCE000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8B93000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF81C7000 \SystemRoot\System32\drivers\Dxapi.sys
0xEF0ED000 \SystemRoot\System32\watchdog.sys
0xBF9C3000 \SystemRoot\System32\drivers\dxg.sys
0xF8BDD000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF9D5000 \SystemRoot\System32\ati2dvag.dll
0xBFA0D000 \SystemRoot\System32\ati3d1ag.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xEE792000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xBADB8000 \SystemRoot\System32\DRIVERS\irda.sys
0xED7E0000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xBAD79000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xBAC5D000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF7ED4000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xBACE1000 \SystemRoot\System32\Drivers\Aspi32.SYS
0xBACD9000 \SystemRoot\System32\Drivers\GBFSHook.SYS
0xBABD0000 \SystemRoot\system32\drivers\wdmaud.sys
0xF7C34000 \SystemRoot\system32\drivers\sysaudio.sys
0xBA998000 \SystemRoot\System32\DRIVERS\srv.sys
0xF7B83000 \SystemRoot\System32\DRIVERS\secdrv.sys
0xBA56E000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF88D5000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xBA266000 \??\C:\DOCUME~1\Michael\LOCALS~1\Temp\kgtdikow.sys
0xBA23B000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 32):
0 System Idle Process
4 System
484 C:\WINDOWS\system32\smss.exe
544 csrss.exe
568 C:\WINDOWS\system32\winlogon.exe
612 C:\WINDOWS\system32\services.exe
624 C:\WINDOWS\system32\lsass.exe
780 C:\WINDOWS\system32\svchost.exe
828 svchost.exe
884 C:\WINDOWS\system32\svchost.exe
936 svchost.exe
1020 svchost.exe
1132 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
1436 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1708 C:\WINDOWS\system32\spoolsv.exe
1796 scardsvr.exe
2028 C:\Program Files\Roxio\GoBack\GBPoll.exe
372 C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
988 C:\WINDOWS\explorer.exe
1636 C:\WINDOWS\system32\Fast.exe
1756 C:\WINDOWS\system32\pctspk.exe
1884 C:\WINDOWS\system32\svchost.exe
232 C:\WINDOWS\system32\MsPMSPSv.exe
1556 C:\WINDOWS\system32\wscntfy.exe
2244 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
2276 C:\Program Files\Accessories\RAMpage.exe
2300 C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
2332 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
2524 C:\Program Files\Roxio\GoBack\GBTray.exe
2744 alg.exe
3648 C:\Documents and Settings\Michael\Desktop\COMPAQ ANTI-MALWARE APPS\gmer\gmer.exe
3724 C:\Documents and Settings\Michael\Desktop\COMPAQ ANTI-MALWARE APPS\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000008`577afe00 (FAT32)
\\.\G: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\H: --> \\.\PhysicalDrive0 at offset 0x00000009`511c2000 (NTFS)
\\.\I: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number:
PhysicalDrive1 Model Number: WDCWD1200JB-75CRA0, Rev: 16.06V16
PhysicalDrive2 Model Number: WDC WD1200VE-00KWT0, Rev:

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 RE: Unknown MBR code
SHA1: 2B97AC1E4CC0001F5E628D06B3A72CB8C9A67E75
111 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
111 GB \\.\PhysicalDrive2 RE: Unknown MBR code
SHA1: A26D123C52D1033A30DE7A10181BC4851A874EB4


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

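The GMER hook listing and the MBRCheck kernel driver list above can be read against each other. GMER names the driver it attributes each SSDT and IAT hook to (in this log every one goes to avast!'s aswSP.SYS, ZoneAlarm's vsdatant.sys or Roxio's GoBack2K.sys, which is what a resident AV, firewall and disk snapshot product look like), but the two inline patches it found at ntoskrnl.exe!_abnormal_termination are printed only as a CALL target and raw bytes with no owner, and its "rootkit-like behavior" finding on \Device\Harddisk0\DR0 sector 00 concerns the same disk MBRCheck reports as "Unknown MBR code" (PhysicalDrive0). The script below is an added example, not code from GMER, MBRCheck or this thread; every function name in it is invented. It parses both logs, resolves each hook address or patch target to the loaded driver whose base address precedes it (MBRCheck prints bases but not image sizes, so an address just past a module is attributed to that module and the result is a lead, not proof), cross-checks that lookup against GMER's own attribution, and flags drivers loaded from user-writable paths. The sample lines are excerpted from the two logs above. One caveat on the last check: GMER itself loads a randomly named driver from the user's Temp folder while it runs, so a hit such as kgtdikow.sys has to be correlated with whether gmer.exe was running when the driver list was taken, as it was here.

```python
"""Cross-check a GMER 1.0.15 hook listing against an MBRCheck kernel driver list.

Added example; not code from GMER, MBRCheck or the forum post. MBRCheck lists
driver base addresses but not image sizes, so resolve() attributes an address
to the module with the nearest lower base; treat an attribution as a lead.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(r"^(?:SSDT|Code)\s+(?P<module>\S+)\s+\((?P<desc>.*?)\)\s+(?P<func>\w+)"
                     r"(?:\s+\[0x(?P<addr>[0-9A-Fa-f]+)\])?\s*$")
IAT_RE = re.compile(r"^IAT\s+\S+?\[\S+?!(?P<func>\w+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]"
                    r"\s+(?P<module>\S+)\s+\((?P<desc>.*?)\)\s*$")
# Inline patch of a kernel image: GMER prints a JMP/CALL target or only the raw bytes.
PATCH_RE = re.compile(r"^(?:\.text|PAGE)\s+(?P<sym>\S+?!\S+)(?:\s+\+\s+\w+)?\s+[0-9A-Fa-f]+\s+\d+\s+Bytes?\s+"
                      r"(?:JMP\s+(?P<jmp>[0-9A-Fa-f]+)|CALL\s+(?P<call>[0-9A-Fa-f]+)|\[(?P<raw>[^\]]*)\])")
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+sector\s+(?P<sector>\d+):\s*(?P<finding>[^;]*)")
DRIVER_RE = re.compile(r"^0x(?P<base>[0-9A-Fa-f]{8})\s+(?P<path>\S.*?)\s*$")
# No system driver has business being loaded from a profile or temp directory.
USER_WRITABLE = re.compile(r"\\(temp|docume~1|documents and settings|users)\\", re.IGNORECASE)

# Lines excerpted from the GMER and MBRCheck logs posted above.
GMER_SAMPLE = r"""
---- Kernel code sections - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xBAE1208A]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xBAFA7F30]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
.text ntoskrnl.exe!_abnormal_termination + E0 804E273C 4 Bytes CALL 7C3DE23A
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [E0, 21, FA, BA, 70, 84, FA, ...]
PAGE ntoskrnl.exe!ZwLoadDriver 805A407A 7 Bytes JMP BAE1EB10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
? srescan.sys The system cannot find the file specified. !
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BAFA6E60] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
"""
MBRCHECK_SAMPLE = r"""
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0xBAFCE000 \SystemRoot\System32\DRIVERS\netbt.sys
0xBAF6F000 \SystemRoot\System32\vsdatant.sys
0xBAE30000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xBAE09000 \SystemRoot\System32\Drivers\aswSP.SYS
0xBA266000 \??\C:\DOCUME~1\Michael\LOCALS~1\Temp\kgtdikow.sys
0x7C900000 \WINDOWS\system32\ntdll.dll
"""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_driver_bases(mbrcheck_text):
    """[(base, path)] sorted by base, from MBRCheck's 'Kernel Drivers' section."""
    found = [DRIVER_RE.match(l.strip()) for l in mbrcheck_text.splitlines()]
    return sorted((int(m.group("base"), 16), m.group("path")) for m in found if m)


def resolve(addr, bases):
    """Path of the module with the greatest base <= addr; None below the lowest base (user mode)."""
    owner = None
    for base, path in bases:
        if base > addr:
            break
        owner = path
    return owner


def patch_target(m):
    """Where an inline patch transfers control, when the log shows enough bytes to tell."""
    if m.group("jmp") or m.group("call"):
        return int(m.group("jmp") or m.group("call"), 16)
    hexes = [t.strip() for t in m.group("raw").split(",") if re.fullmatch(r"[0-9A-Fa-f]{2}", t.strip())]
    return int.from_bytes(bytes(int(h, 16) for h in hexes[:4]), "little") if len(hexes) >= 4 else None


def triage(gmer_text, mbrcheck_text):
    bases = parse_driver_bases(mbrcheck_text)
    hooks = defaultdict(lambda: {"vendor": None, "functions": [], "mismatches": []})
    patches, disk, unparsed = [], [], []
    for raw in gmer_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        m = HOOK_RE.match(line) or IAT_RE.match(line)
        if m:
            entry = hooks[basename(m.group("module"))]
            entry["vendor"] = m.group("desc").rsplit("/", 1)[-1].strip()  # "<description>/<vendor>"
            entry["functions"].append(m.group("func"))
            owner = resolve(int(m.group("addr"), 16), bases) if m.group("addr") else None
            if owner and basename(owner) != basename(m.group("module")):
                entry["mismatches"].append((m.group("func"), owner))  # GMER and base lookup disagree
            continue
        m = PATCH_RE.match(line)
        if m:
            target = patch_target(m)
            owner = resolve(target, bases) if target is not None else None
            patches.append((m.group("sym"), target, basename(owner) if owner else None))
            continue
        m = DISK_RE.match(line)
        if m:
            disk.append((m.group("device"), int(m.group("sector")), m.group("finding").strip()))
            continue
        unparsed.append(line)  # e.g. GMER's "? srescan.sys ..." complaint: look at it by hand
    return {"hooks": dict(hooks), "patches": patches, "disk": disk,
            "user_path_drivers": [p for _, p in bases if USER_WRITABLE.search(p)],
            "unparsed": unparsed}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(GMER_SAMPLE, MBRCHECK_SAMPLE), indent=2))
```

On the excerpt, the 12-byte patch at _abnormal_termination + 104 begins with the bytes E0 21 FA BA, a little-endian pointer 0xBAFA21E0 that falls in the range after vsdatant.sys's base, while the CALL target 7C3DE23A sits below every kernel base and stays unresolved; the one line the parser cannot read is GMER's own complaint about srescan.sys, which is exactly the kind of line to inspect by hand. Feed it the full logs by reading the two files instead of the embedded samples.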
Old 26th September 2010   #11
broni (Malware Analyst)
Your MBAM log says "No action taken" after each line.
Please re-run it and make sure to FIX all issues.
Post new log.

Your MBR seems to be infected as well.

Please download NTBR by noahdfear and save it to your Desktop.
File size: 2.44 MB (2,565,432 bytes)
  • Place a blank CD in your CD drive.
  • Double-click on the NTBR_CD.exe file and a folder of the same name will appear.
  • Open the folder and double-click on the BurnItCD.cmd file. If your CD drive opens, simply close it again.
  • Follow the prompts to burn the CD.
  • Now you will need to set the CD-ROM as the first boot device if it isn't already (if you don't know how to do it, see HERE).
  • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure whether you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
  • Insert the newly created CD into your infected PC and reboot your computer.
  • Once you have rebooted, please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
  • Read the warning and then continue as prompted.
  • You first need to select your keyboard layout - press Enter for English.
  • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK.
  • On the following screen enter 5 to select Install Standard MBR code.
  • Enter 1 to overwrite the infected MBR code with the standard MBR code.
  • When asked to confirm, please do so.
  • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
  • Eject the disc and then press Ctrl+Alt+Del to reboot the PC.
Once rebooted, run MBRCheck again and post its log.

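What the "Install Standard MBR code" step in the procedure above actually changes, as an added example that is not NTBR's, MBRWORK's or MBRCheck's code: a 512-byte MBR holds bootstrap code in bytes 0 to 439, the 32-bit disk signature in 440 to 443, four 16-byte partition entries in 446 to 509 and the 55 AA boot signature in 510 and 511. Reinstalling the MBR code rewrites only the first region, which is why the partition table, and therefore the data behind it, survives the fix. The Python below builds a constructed sample sector whose partition starts reproduce the byte offsets MBRCheck printed for PhysicalDrive0 above (LBA 63 times 512 is 0x7e00 for C:, and the FAT32 D: offset 0x8577afe00 corresponds to LBA 0x42BBD7F), hashes the code the way a checker compares it against a list of hashes it trusts (the list here is derived from the stand-in code, not MBRCheck's own list), then performs the code replacement and verifies that the signature and partition table are byte-for-byte unchanged. The byte strings standing in for infected and standard boot code are placeholders, and all function names are invented.

```python
"""Layout of a 512-byte MBR and what "Install Standard MBR code" replaces.

Added example; not code from NTBR, MBRWORK or MBRCheck. The boot code bytes
below are placeholders, and the known-good hash list is built from them.
"""
import hashlib
import struct

SECTOR = 512
CODE_END = 440                      # bootstrap code: bytes 0..439
SIG_START, SIG_END = 440, 444       # NT disk signature; bytes 444..445 are reserved
TABLE_START, TABLE_END = 446, 510   # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"              # bytes 510..511

# Placeholders for real boot code (constructed, neither genuine Windows nor malware code).
STANDARD_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"STANDARD-MBR-STANDIN"
INFECTED_CODE = b"\xeb\x00" + b"BOOTKIT-STANDIN"
# A checker keeps hashes of boot code it trusts; this set is constructed from the stand-in.
KNOWN_GOOD_CODE_SHA1 = {hashlib.sha1(STANDARD_CODE.ljust(CODE_END, b"\x00")).hexdigest().upper()}


def build_mbr(code, disk_signature, partitions):
    """Assemble a sector from code, disk signature and (bootable, type, lba_start, sectors) tuples."""
    mbr = bytearray(SECTOR)
    mbr[:len(code)] = code
    mbr[SIG_START:SIG_END] = disk_signature
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        # CHS fields are zeroed; the LBA start and length are what the loader uses.
        struct.pack_into("<B3sB3sII", mbr, TABLE_START + 16 * i,
                         0x80 if bootable else 0x00, b"\x00" * 3, ptype, b"\x00" * 3,
                         lba_start, sectors)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def parse_partitions(mbr):
    """Decode the four entries; the byte offset is what MBRCheck prints per logical drive."""
    parts = []
    for i in range(4):
        boot, _, ptype, _, lba_start, sectors = struct.unpack_from("<B3sB3sII", mbr, TABLE_START + 16 * i)
        if ptype:
            parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors,
                          "offset": lba_start * SECTOR})
    return parts


def check_mbr(mbr, known_good=KNOWN_GOOD_CODE_SHA1):
    """The checks a tool like MBRCheck reports: a hash, and whether the code is recognised."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    code_sha1 = hashlib.sha1(mbr[:CODE_END]).hexdigest().upper()
    return {
        "sector_sha1": hashlib.sha1(mbr).hexdigest().upper(),
        "code_sha1": code_sha1,
        "boot_signature_ok": mbr[510:512] == BOOT_SIG,
        "code_known": code_sha1 in known_good,
        "partitions": parse_partitions(mbr),
    }


def install_standard_code(mbr, standard_code=STANDARD_CODE):
    """Overwrite only bytes 0..439, keeping disk signature and partition table intact."""
    if len(standard_code) > CODE_END:
        raise ValueError("boot code does not fit in front of the disk signature")
    fixed = bytearray(mbr)
    fixed[:CODE_END] = standard_code.ljust(CODE_END, b"\x00")
    fixed[510:512] = BOOT_SIG
    return bytes(fixed)


# Constructed sample: partition starts chosen to reproduce the offsets MBRCheck printed for
# PhysicalDrive0 above, C: at 0x7e00 (LBA 63) and D: at 0x8577afe00 (LBA 0x42BBD7F).
SAMPLE_INFECTED_MBR = build_mbr(INFECTED_CODE, b"\x12\x34\x56\x78",
                                [(True, 0x07, 63, 0x42BBD7F - 63),
                                 (False, 0x0B, 0x42BBD7F, 0x1000000)])

if __name__ == "__main__":
    before = check_mbr(SAMPLE_INFECTED_MBR)
    fixed = install_standard_code(SAMPLE_INFECTED_MBR)
    after = check_mbr(fixed)
    print("before:", before["code_known"], [hex(p["offset"]) for p in before["partitions"]])
    print("after: ", after["code_known"], "table preserved:",
          fixed[SIG_START:TABLE_END] == SAMPLE_INFECTED_MBR[SIG_START:TABLE_END])
```

To run check_mbr against a real disk from an administrator prompt on Windows, open \\.\PhysicalDrive0 for reading and read its first 512 bytes; but a rootkit that filters disk I/O can hand a clean sector to software running on the infected system, which is why the procedure above does the rewrite from a boot CD rather than from inside Windows. "Unknown MBR code" only means the hash is not on the tool's list, and legitimate third-party boot managers are unknown to it too, so corroborate it with GMER's sector finding, as the two logs above do for PhysicalDrive0, before overwriting.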
Old 30th September 2010   #12
tvjohns (thread starter)
RE: Your comment: Your MBAM log says "No action taken" after each line.
Please, re-run it and make sure to FIX all issues.
Post new log.

My recollection is that I did choose to fix all malware detected, but maybe I missed a step in that process. I will run it again.

Old 30th September 2010   #13
broni (Malware Analyst)
Ok

Old 3rd October 2010   #14
tvjohns (thread starter)
RE: Your comment: Your MBAM log says "No action taken" after each line.
Please, re-run it and make sure to FIX all issues.

I just checked the MBAM log again. The bots and other infections shown as "no action" in my first report showed that way because MBAM had put them into the Quarantine folder, which I didn't notice. So I have just now opened the Quarantine folder and clicked "Delete All", and of course they are GONE now. Hope this satisfies your record needs. And if so, confirm what to do next... Run the Fdos bootable disk?

Old 3rd October 2010   #15
broni (Malware Analyst)
Most likely you posted the MBAM log from BEFORE the fixes.

Go ahead with NTBR.
