0x804E1BF8 Blue Screen on Boot Up (In Progress)

MaryMorrison (Junior Member, 15 posts, joined Nov 2009), 22-Nov-2009, 02:50 AM, post #1
It's worth noting that it's not my computer. I was called in to take a look at it, as I'm somewhat experienced with computers. When I first booted it up, it gave me this error. I rebooted in Last Known Good Configuration mode, and it booted normally. I got avast!, Malwarebytes, and a free spyware removal tool. I ran all three, encountered a few problems, and solved them. Rebooted normally, no problems. Unfortunately, something was interfering with avast's protection services. When troubleshooting that, I was told that it may be because it wasn't updated recently. I ran Windows Update, rebooted, and got the error. Tried LKG config, got the error. I'm currently using Safe Mode with Networking, and have the Windows XP + SP1 Dell disk handy. What could be my issue?


Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:00 PM, on 11/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\mary\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.techguy.org/malware-re...ml#post7045713
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivaresys.com
O1 - Hosts: 94.232.248.66 www.antivaresys.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?Link...04&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01b7a9f9...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119414867953
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1129519391243
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: M-Audio Micro Installer (MAudioMicroService) - Avid Technology, Inc. - C:\Program Files\M-Audio\M-Audio Micro\MAUSBMRInst.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 7468 bytes
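The log above already contains the indicators a helper scans for before replying: three O1 hosts-file entries that point a Microsoft hostname and two unknown domains at the same remote IP (94.232.248.66), plus O2/O9/O23 entries whose file is gone. The script below is an added example, not part of the original thread and not a HijackThis or Tech Support Guy tool. It triages HijackThis-style lines with the same logic an analyst applies by eye: any hosts entry that is not loopback is suspicious, one remote IP collecting several hostnames is a hijack signature rather than a stale entry, and "(no file)"/"(file missing)" entries are orphans worth cleaning. The list of sensitive domain suffixes and the severity labels are assumptions chosen for this example; the sample lines are copied from the posted log, with one benign Adobe BHO line included for contrast.

```python
"""Triage a HijackThis-style log for hosts-file hijacks and orphan entries.

Added example; not part of the original thread or of HijackThis itself.
"""
import re
from ipaddress import ip_address

# Security vendor / update domains a rogue-AV infection typically redirects
# via the hosts file. Heuristic list assumed for this example.
SENSITIVE_SUFFIXES = ("microsoft.com", "windowsupdate.com", "avast.com",
                      "kaspersky.com", "malwarebytes.org", "symantec.com")

O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)\s*$")
ORPHAN_RE = re.compile(
    r"^O(?P<sec>2|9|23) - (?P<body>.*)\((?:no file|file missing)\)\s*$")

# Lines copied from the posted log (plus one benign O2 line for contrast).
SAMPLE_LOG = r"""O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivaresys.com
O1 - Hosts: 94.232.248.66 www.antivaresys.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: Kaspersky Anti-Virus (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe (file missing)
"""


def is_loopback(text):
    """True for 127.0.0.0/8 and ::1; False for anything else or non-IPs."""
    try:
        return ip_address(text).is_loopback
    except ValueError:
        return False


def triage(log_text):
    """Return (severity, section, detail) tuples, most severe first."""
    findings = []
    redirects = {}  # remote IP -> hostnames the hosts file sends to it
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O1_RE.match(line)
        if m:
            ip, host = m.group("ip"), m.group("host").lower()
            if is_loopback(ip):
                continue  # "127.0.0.1 localhost" / "::1 localhost" are normal
            redirects.setdefault(ip, []).append(host)
            sev = "HIGH" if host.endswith(SENSITIVE_SUFFIXES) else "MEDIUM"
            findings.append((sev, "O1", f"hosts file sends {host} to {ip}"))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            body = m.group("body").strip(" -")
            findings.append(("LOW", "O" + m.group("sec"), f"orphan entry: {body}"))
    # Several hostnames collapsing onto one remote IP is the hijack signature.
    for ip, hosts in redirects.items():
        if len(hosts) > 1:
            findings.append(("HIGH", "O1",
                             f"{len(hosts)} hostnames all resolve to {ip}: "
                             + ", ".join(hosts)))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings.sort(key=lambda f: (order[f[0]], f[1], f[2]))
    return findings


if __name__ == "__main__":
    for sev, sec, detail in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {sec:3} {detail}")
```

Run it against a saved HijackThis log (`triage(open("hijackthis.log").read())`) and read the HIGH findings first; the hosts cluster is what should prompt checking the Windows hosts file directly rather than trusting the infected machine's DNS resolution.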
Phantom010 (Distinguished Member, 10,565 posts, joined Mar 2009, Location: Cyberspace, Experience: Advanced), 22-Nov-2009, 10:02 PM, post #2
Your computer is infected. Please click on the Report button and kindly ask to be moved to the Malware Removal forum.
dvk01 (Moderator, 28,655 posts, joined Dec 2002, Location: Loughton, Essex, UK), 23-Nov-2009, 02:26 AM, post #3
Download to Desktop: DDS by sUBs from one of these locations:

http://download.bleepingcomputer.com/sUBs/dds.com
http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds

Double click DDS.scr to run.

When complete, DDS.txt will open.

Click Yes for Optional Scan.
Save both reports to your desktop.
DDS.txt
Attach.txt

Attach the contents of both logs back here.

then

=====
GMER:
=====

Download GMER Rootkit Scanner from here or here.

Ensure you have uninstalled any CD Emulation programs before you run GMER as outlined here
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..


  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it where you can easily find it, such as your desktop. Attach that to your next reply

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
__________________
Derek Microsoft MVP/Windows - Security Thespykiller | Security & Privacy
I am helping you, please help me by donating to help keep the Hedgehog Rescue Centre running
MaryMorrison (Junior Member, 15 posts, joined Nov 2009), 23-Nov-2009, 03:17 PM, post #4
I will have this by the end of tomorrow. I'm headed back over there later tonight. Thank you for looking into this, and I will get back to you soon.
MaryMorrison (Junior Member, 15 posts, joined Nov 2009), 27-Nov-2009, 04:12 PM, post #5
Sorry for the late reply. Thanksgiving plans delayed this response. Good and bad news. Good news: when I booted it up today, it booted normally and correctly. This allowed me to collect this data in a proper boot mode. Bad news is everything else: the first three links to DDS downloaded all different file extensions: .com, .pif, and .scr. They all opened identical command prompts describing the scan, but they all self-terminated about 20 seconds in. None gave me an option for an optional scan. One, the .pif, did however silently create a few files on my desktop, including a DDS.txt. Note: I disabled avast protection momentarily, since I couldn't figure out why the DDS was working improperly. The DDS.txt on my desktop was as follows:

Quote:
DDS (Ver_09-11-23.01) - NTFSx86
Run by mary at 18:08:17.17 on Mon 11/23/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.593 [GMT -5:00]

AV: avast! antivirus 4.8.1356 [VPS 091123-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\M-Audio\M-Audio Micro\MAUSBMRInst.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\mary\Desktop\dds.pif
The GMER scan worked properly, however. The file is attached.
dvk01 (Moderator, 28,655 posts, joined Dec 2002, Location: Loughton, Essex, UK), 27-Nov-2009, 06:39 PM, post #6
That is showing Kaspersky & avast both with active drivers, and that is a total recipe for disaster.

I assume she tried to uninstall Kaspersky & failed, so

use the removal tool here:
http://support.kaspersky.com/faq/?qid=208279463
dvk01 (Moderator, 28,655 posts, joined Dec 2002, Location: Loughton, Essex, UK), 27-Nov-2009, 06:41 PM, post #7
then

Delete any existing version of ComboFix you have sitting on your desktop
Please read and follow all these instructions very carefully

Download ComboFix from Here to your Desktop.

**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
  • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re enable the protection again after combofix has finished
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running
Double click on combofix.exe & follow the prompts.
If you are using Windows XP, it might display a pop-up saying "Recovery console is not installed, do you want to install?"
Please select Yes & let it download the files it needs to do this.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze. ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.
MaryMorrison (Junior Member, 15 posts, joined Nov 2009), 04-Dec-2009, 01:03 PM, post #8
Thanks for your help on this. However, the K removal tool doesn't detect installed Kaspersky, and I don't know what version of Kaspersky she had to do it the command-prompt way.

I will do the combofix thing within the next couple of days. Sorry for slow response times. There's only so often I get over here. Your help is greatly appreciated.
MaryMorrison (Junior Member, 15 posts, joined Nov 2009), 04-Dec-2009, 01:06 PM, post #9
Although this may not be helpful, the computer has not been rebooted in awhile, and is still in regular boot mode. I ran a Malwarebytes scan that produced a single result, and I removed it. It asked me to reboot, but I will refrain from doing that until I have time to do the combo fix.
Quote:
Malwarebytes' Anti-Malware 1.41
Database version: 3245
Windows 5.1.2600 Service Pack 3
12/4/2009 1:03:00 PM
mbam-log-2009-12-04 (13-03-00).txt
Scan type: Full Scan (C:\|)
Objects scanned: 215353
Time elapsed: 12 hour(s), 59 minute(s), 26 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP524\A0224236.dll (Malware.Packer.T) -> Quarantined and deleted successfully.
MaryMorrison (Junior Member, 15 posts, joined Nov 2009), 04-Dec-2009, 02:07 PM, post #10
Correction. Had time to do it today.

Quote:
ComboFix 09-12-03.06 - mary 12/04/2009 13:20.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.529 [GMT -5:00]
Running from: c:\documents and settings\mary\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091123-1] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\bt.log
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\winhelp.ini
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-11-04 to 2009-12-04 )))))))))))))))))))))))))))))))
.
2009-12-04 18:36 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-12-04 18:36 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-23 23:37 . 2009-11-23 23:37 -------- d-----w- c:\documents and settings\louie\Application Data\Malwarebytes
2009-11-20 22:23 . 2009-11-20 22:23 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-11-20 22:23 . 2009-11-20 22:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2009-11-20 22:23 . 2009-11-20 22:23 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-11-20 22:23 . 2009-11-20 22:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-11-20 21:12 . 2008-10-16 19:13 202776 ----a-w- c:\windows\system32\wuweb.dll
2009-11-20 21:12 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-11-20 21:12 . 2008-10-16 19:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-11-20 21:10 . 2008-10-16 19:13 1809944 ----a-w- c:\windows\system32\wuaueng.dll
2009-11-20 21:10 . 2008-10-16 19:12 323608 ----a-w- c:\windows\system32\wucltui.dll
2009-11-20 21:10 . 2008-10-16 19:09 51224 ----a-w- c:\windows\system32\wuauclt.exe
2009-11-20 21:10 . 2009-08-07 00:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-11-20 21:10 . 2009-08-07 00:23 575704 ----a-w- c:\windows\system32\dllcache\wuapi.dll
2009-11-20 21:10 . 2008-10-16 19:09 92696 ----a-w- c:\windows\system32\cdm.dll
2009-11-20 21:07 . 2009-11-20 21:23 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-20 21:07 . 2009-11-20 21:23 32 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-20 19:49 . 2008-04-30 23:06 24592 ----a-w- c:\windows\system32\drivers\klim5.sys
2009-11-20 19:48 . 2009-11-20 21:14 -------- d-----w- c:\windows\LastGood
2009-11-20 19:48 . 2009-02-05 12:45 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-11-20 19:42 . 2009-11-20 19:42 -------- d-----w- c:\documents and settings\mary\Local Settings\Application Data\M-Audio
2009-11-20 19:28 . 2009-11-20 21:09 117760 ----a-w- c:\documents and settings\mary\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-20 19:26 . 2009-11-20 19:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-20 19:26 . 2009-11-20 19:26 -------- d-----w- c:\documents and settings\mary\Application Data\SUPERAntiSpyware.com
2009-11-20 18:59 . 2009-11-20 18:59 -------- d-----w- c:\documents and settings\mary\Application Data\Malwarebytes
2009-11-20 18:59 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-20 18:59 . 2009-11-20 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-20 18:59 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-20 18:59 . 2009-11-20 18:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-20 18:46 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-20 18:46 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-20 18:46 . 2009-09-15 11:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-20 18:46 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-20 18:46 . 2009-09-15 11:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-20 18:46 . 2009-09-15 11:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-20 18:46 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-20 18:46 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-20 18:46 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-20 18:46 . 2009-11-20 18:46 -------- d-----w- c:\program files\Alwil Software
2009-11-20 18:33 . 2009-11-20 18:33 10586112 ----a-w- c:\documents and settings\mary\Application Data\Real\Update\setup\rp\RealPlayerSPGold.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 23:38 . 2009-05-26 23:22 117760 ----a-w- c:\documents and settings\louie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-23 23:37 . 2009-05-26 23:12 -------- d-----w- c:\program files\DNA
2009-11-23 23:37 . 2009-05-26 23:12 -------- d-----w- c:\documents and settings\louie\Application Data\DNA
2009-11-23 23:07 . 2004-08-22 08:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-23 22:55 . 2009-05-26 23:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-20 21:23 . 2009-11-20 21:07 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-20 21:23 . 2009-11-20 21:07 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-20 21:23 . 2004-08-22 08:37 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-10031102}.dat
2009-11-20 21:23 . 2004-08-22 08:37 288 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-10031102}.dat
2009-11-20 19:35 . 2004-12-12 07:01 -------- d-----w- c:\program files\eBay
2009-09-26 04:49 . 2009-09-26 04:48 8406648 ----a-w- c:\documents and settings\mary\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-09-26 04:47 . 2009-09-26 04:47 10309448 ----a-w- c:\documents and settings\mary\Application Data\Real\Update\setup\chr\ChromeInstaller.exe
2009-09-26 04:47 . 2009-09-26 04:47 64000 ----a-w- c:\documents and settings\mary\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll
2009-09-26 04:47 . 2009-09-26 04:47 52288 ----a-w- c:\documents and settings\mary\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll
2009-09-26 04:47 . 2009-09-26 04:47 50688 ----a-w- c:\documents and settings\mary\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll
2009-09-26 04:47 . 2009-09-26 04:47 114688 ----a-w- c:\documents and settings\mary\Application Data\Real\Update\setup\RUP\inst_config\compat.dll
2009-09-11 14:18 . 2009-09-11 14:18 136192 ----a-w- c:\windows\system32\SET51.tmp
2009-09-11 14:18 . 2002-08-29 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 00:46 . 2008-11-02 03:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-07 04:23 . 2008-03-27 22:37 488968 ----a-w- c:\documents and settings\mary\Application Data\Real\Update\setup\setup.exe
2008-12-25 21:17 . 2006-06-13 07:05 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-25 21:17 . 2006-06-13 07:05 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-25 21:17 . 2008-07-28 18:07 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-25 21:17 . 2008-07-28 18:07 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-25 21:17 . 2006-06-13 07:05 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2004-10-05 01:39 . 2004-10-04 17:38 848 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-26 335872]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2004-06-16 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"AsioReg"="CTASIO.DLL" - c:\windows\SYSTEM32\CTASIO.DLL [2003-02-20 110592]
"CTHelper"="CTHELPER.EXE" - c:\windows\SYSTEM32\CTHELPER.EXE [2003-02-20 28672]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-8-22 24576]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Dcfssvc"=2 (0x2)
"Bonjour Service"=2 (0x2)
"AOL ACS"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\TeamViewer3\\TeamViewer.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57471:TCP"= 57471:TCP:Pando Media Booster
"57471:UDP"= 57471:UDP:Pando Media Booster
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\SYSTEM32\DRIVERS\klbg.sys [11/20/2009 2:48 PM 33808]
R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [11/20/2009 1:46 PM 114768]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [11/20/2009 1:46 PM 20560]
R2 LxrSII1d;Secure II Driver;c:\windows\SYSTEM32\DRIVERS\LxrSII1d.sys [2/8/2009 2:22 PM 72672]
R2 MAudioMicroService;M-Audio Micro Installer;c:\program files\M-Audio\M-Audio Micro\MAUSBMRInst.exe [12/28/2007 9:07 PM 57344]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\SYSTEM32\DRIVERS\klim5.sys [11/20/2009 2:49 PM 24592]
R3 MAUSBML;Service for M-Audio Micro (WDM);c:\windows\SYSTEM32\DRIVERS\mausbmr.sys [12/28/2007 9:07 PM 110464]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - AAVMKER4
*NewlyCreated* - ASWRDR
*NewlyCreated* - ASWSP
*NewlyCreated* - AVAST!_MAIL_SCANNER
*NewlyCreated* - AVAST!_WEB_SCANNER
*NewlyCreated* - PXDDAPOD
*Deregistered* - pxddapod
.
Contents of the 'Scheduled Tasks' folder
2009-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2009-12-03 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
2009-12-03 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 17:58]
2009-12-04 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-08-22 18:24]
2009-12-04 c:\windows\Tasks\User_Feed_Synchronization-{E07E06EB-76D5-4D65-BD16-64993092E520}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://forums.techguy.org/malware-removal-hijackthis-logs/879369-0x804e1bf8-blue-screen-boot-up.html
uInternet Connection Wizard,ShellNext = iexplore
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - hxxp://mediaplayer.walmart.com/installer/install.cab
FF - ProfilePath - c:\documents and settings\mary\Application Data\Mozilla\Firefox\Profiles\l622l3q0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 1
FF - component: c:\progra~1\MOZILL~1\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
- - - - ORPHANS REMOVED - - - -
AddRemove-HijackThis - c:\documents and settings\mary\Local Settings\Temporary Internet Files\Content.IE5\N5BXQ9HO\HijackThis.exe
AddRemove-MechCommander UnInstall - c:\program files\FasaInteractive\MechCmdr\DeIsL1.isu
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-04 13:38
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(952)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-12-04 13:48
ComboFix-quarantined-files.txt 2009-12-04 18:47
Pre-Run: 103,116,812,288 bytes free
Post-Run: 106,883,268,608 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
Current=5 Default=5 Failed=3 LastKnownGood=6 Sets=1,2,3,5,6
- - End Of File - - 4F27263E2DB8187BE01054FFFD8EEB3E
dvk01's Avatar
Moderator with 28,655 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
04-Dec-2009, 02:21 PM #11
Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop in the list of selections in that window & press save)

Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished

Close any open browsers
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.
[Screenshot: dragging CFScript.txt onto ComboFix.exe]
This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply .


Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log.
__________________
Derek Microsoft MVP/Windows - Security Thespykiller | Security & Privacy
I am helping you, please help me by donating to help keep the Hedgehog Rescue Centre running
MaryMorrison's Avatar
Junior Member with 15 posts.
Join Date: Nov 2009
07-Dec-2009, 03:10 PM #12
I ran the txt file through ComboFix. It did a scan and asked me to reboot. Bad news. After the reboot, I didn't blue screen on a normal boot up; however, the internet stopped working on the machine. I rebooted in Safe Mode with Networking, and the internet still did not work. When attempting to do a Network Diagnostic, I got a Runtime error. Not good, considering the internet is the only part of the computer that the owner is really worried about. Attached are the log and the screenshot.

Last edited by MaryMorrison : 07-Dec-2009 03:16 PM.
dvk01's Avatar
Moderator with 28,655 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
07-Dec-2009, 03:40 PM #13
# Log on to the Microsoft Windows XP workstation as an administrator.
# Click Start, click Run, type cmd, and then click OK.
# At the command prompt, type the following, and then press ENTER:
netsh Winsock reset

Reboot the computer and you should have internet back.
MaryMorrison's Avatar
Junior Member with 15 posts.
Join Date: Nov 2009
21-Dec-2009, 03:18 PM #14
Sorry for the late response; it's been a while since I've had access to the desktop in question.

Lots of odd developments that have widened the scope of the computer's issues:

After moving the computer downstairs, the computer would not boot properly, giving a 1-3-2 beep code for Dell BIOS. I assumed there was something wrong hardware-wise, and advised her to get it professionally looked at. However, completely randomly, after booting it up unsuccessfully several times, I powered it on to confirm the boot code and it booted normally.

I followed your cmd prompt instructions to restore internet; however, they did not restore the internet access. I had to system restore to Dec 1st to restore the internet access. The cause of the internet block seemed to be Kaspersky miniports. I opened the Device Manager and there were yellow exclamations, conflicts, under the Network Adapters at:
1394 Network Adapter - Kaspersky Anti Virus NDIS Miniport,
1394 Network Adapter 2 - Kaspersky Anti Virus NDIS Miniport,
1394 Network Adapter 3 - Kaspersky Anti Virus NDIS Miniport,
Broadcom NetXtreme 57xx Gigabit Controller,
and
WAN Miniport (IP) - Kaspersky Anti Virus NDIS Miniport.

I tried reinstalling them, but they said they were vital to booting, which was complete crap. I then system restored and now the only Network Adapter listed in Device Manager is Broadcom NetXtreme 57xx Gigabit Controller and it has no conflicts.

Given the issues, and the information in the last ComboFix log, what do you suggest? There's something wrong with the computer, but at the moment, it seems to be operational.
dvk01's Avatar
Moderator with 28,655 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
21-Dec-2009, 05:06 PM #15
I think with this one, it is only a matter of time before it all packs up so I suggest backing up any important docs etc

format & reinstall windows

It all looks like it is down to antivirus clashes and damaged drivers that didn't uninstall properly
Copyright © 1996 - 2010 TechGuy, Inc. All rights reserved.