Blue screen of death and redirects



#16
PaulG!

    Member

  • Topic Starter
  • 80 posts
Hi Jintan,
I downloaded the files to my USB but when I started the infected laptop from the USB, it just booted as if normal; no xPUD startup screen. This is my second attempt; the first time I tried it, I got some kind of message that the OS was created with a different version of Windows; the clean computer is Win7 (work laptop), the infected computer is XP. Does this change the way you want me to proceed?

I also attempted your second instruction (only once) and after pasting the 'process call create tdlfsreader.exe' it showed a few lines of results (I remember seeing something was successfully created) but don't see the C:\TDL_FS folder. Also (probably minor), when I typed 'exit' it changed the dir from 'wmic:root\cli>' to the c: root. I typed 'exit' again and then it closed the window. I looked in My Computer for the folder (or anything created recently) and didn't see anything but a 'pagefile.sys'. I tried to open it, with Notepad, to copy the contents here (the file size is 393,216KB) but couldn't because the file is being used by another process.

I don't know if any of this info is useful; I'll let you be the judge. :)

Sorry for the mostly uneventful post, I'll continue to try and execute your instructions and obtain some kind of result. Thanks for helping!
  • 0



#17
Jintan

    Trusted Helper

  • Malware Removal
  • 904 posts
Let's stay with the USB drive for now. For one, please also download NoahDFear's Dumpit from here, and place a copy of that on the xPUD USB drive.

Before we continue on using that USB drive, we will need to set the stage so the system will boot from it. Two ways are either making a change in the computer's BIOS, or accessing a Boot Device menu as the system boots up. What is the make and model of the infected computer please? Just as the computer starts up, you should see, perhaps briefly, a "splash screen", that displays some key options. For example - F2 - Setup, or similar. Do you see an option then for a Boot Menu? F12 is often the default key selection for that (especially Dells).
  • 0

#18
PaulG!

    Member

  • Topic Starter
  • 80 posts
Hi Jintan, sorry for the delay.

I've tried the whole process several times and still it boots like normal. I press F12 and select the USB as the boot source but then it boots like normal. Is there a setting somewhere that prohibits booting from another source other than the hard drive? I'm just hoping for an easy fix. Oh, my laptop is an Inspiron 8600 running XP.
  • 0

#19
Jintan

    Trusted Helper

  • Malware Removal
  • 904 posts
May need to make a change in the BIOS. See the info here, under "Enter the System Setup on the Computer". As the system first boots up, you may see the correct key choice to access Setup, which is accessing the BIOS.

Once you are at the BIOS display, you use the keyboard arrows to navigate, and look for the entry for Boot Options, or similar. See if there is a listing for a USB device, and make the changes so it is the first boot device. There are usually instructions for making changes on the right side or bottom of each page. When you have made the changes, hit the F10 key, and Save them, and try booting from the USB then please.
  • 0

#20
PaulG!

    Member

  • Topic Starter
  • 80 posts
Sorry for the inactivity. I tried to boot using my home computer (which is XP) to make the boot thumb drive, but still no success. Is there anything else I can try?
  • 0

#21
Jintan

    Trusted Helper

  • Malware Removal
  • 904 posts
Let's revert to what we/you have or can do there for now.

Run aswMBR again, but this time, have an open Internet connection, and allow it to download the latest Avast engine detections.

Then click Scan, save the log and post that here please.

----------

Open Gmer again. Once it has completed its opening scan, this time just right-click in the white space in the display and select Options - Only non MS files. Then click Scan and allow Gmer to run a different scan. Once that completes click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.
  • 0

#22
PaulG!

    Member

  • Topic Starter
  • 80 posts
Thank you!
Here are the aswMBR results:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2012-01-20 19:07:14
-----------------------------
19:07:14.687 OS Version: Windows 5.1.2600 Service Pack 3
19:07:14.687 Number of processors: 1 586 0xD06
19:07:14.717 ComputerName: THEPOWER UserName: Paul G!
19:07:24.751 Initialize success
19:38:38.225 AVAST engine defs: 12012001
19:40:28.254 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:40:28.254 Disk 0 Vendor: FUJITSU_MHT2040AH 006C Size: 38154MB BusType: 3
19:40:30.307 Disk 0 MBR read successfully
19:40:30.307 Disk 0 MBR scan
19:40:30.597 Disk 0 Windows XP default MBR code
19:40:30.607 Disk 0 scanning sectors +78140160
19:40:31.088 Disk 0 scanning C:\WINDOWS\system32\drivers
19:40:43.195 File: C:\WINDOWS\system32\drivers\netbt.sys **INFECTED** Win32:Aluroot [Rtk]
19:40:50.986 Service scanning
19:40:51.888 Service ACPI C:\WINDOWS\System32\DRIVERS\ACPI.sys **LOCKED** 32
19:40:53.420 Modules scanning
19:41:03.044 Module: C:\WINDOWS\System32\DRIVERS\netbt.sys **SUSPICIOUS**
19:41:13.599 Disk 0 trace - called modules:
19:41:13.619 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x828aaf10]<<
19:41:13.849 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f2fab8]
19:41:13.849 3 CLASSPNP.SYS[f8656fd7] -> nt!IofCallDriver -> [0x82cc2da0]
19:41:13.849 \Driver\00003559[0x82c812c0] -> IRP_MJ_CREATE -> 0x828aaf10
19:41:20.539 AVAST engine scan C:\WINDOWS
19:41:28.961 File: C:\WINDOWS\explorer.exe **INFECTED** Win32:Patched-AAD [Trj]
19:41:54.037 AVAST engine scan C:\WINDOWS\system32
19:47:25.564 File: C:\WINDOWS\system32\stii_ci.dll **INFECTED** Win32:Malware-gen
19:47:27.226 File: C:\WINDOWS\system32\svchost.exe **INFECTED** Win32:Malware-gen
19:47:51.150 File: C:\WINDOWS\system32\winlogon.exe **INFECTED** Win32:Malware-gen
19:48:43.356 File: C:\WINDOWS\system32\Y1368513k.com_ **INFECTED** Win32:Malware-gen
19:48:49.374 AVAST engine scan C:\WINDOWS\system32\drivers
19:49:11.516 File: C:\WINDOWS\system32\drivers\netbt.sys **INFECTED** Win32:Aluroot [Rtk]
19:49:28.110 AVAST engine scan C:\Documents and Settings\Paul G!
19:49:28.420 File: C:\Documents and Settings\Paul G!\Application Data\4035B\F260C.exe **INFECTED** Win32:Cybota [Trj]
19:49:32.176 File: C:\Documents and Settings\Paul G!\Application Data\Baoblut\ycfefau.exe **INFECTED** Win32:Malware-gen
19:50:48.556 File: C:\Documents and Settings\Paul G!\Application Data\Sun\Java\Deployment\cache\6.0\4\3a95644-5d707c39 **INFECTED** Win32:MalOb-IG [Cryp]
19:50:49.387 File: C:\Documents and Settings\Paul G!\Application Data\Sun\Java\Deployment\cache\6.0\52\2f3723b4-5b8ba3de **INFECTED** Win32:MalOb-GR [Cryp]
19:50:54.154 File: C:\Documents and Settings\Paul G!\Application Data\x1zpmhgogtougcrvevgtq2ty3ijffb112\svcnost.exe **INFECTED** Win32:Malware-gen
19:51:26.520 File: C:\Documents and Settings\Paul G!\Desktop\RK_Quarantine\096.exe.vir **INFECTED** Win32:Cybota [Trj]
19:51:26.700 File: C:\Documents and Settings\Paul G!\Desktop\RK_Quarantine\F260C.exe.vir **INFECTED** Win32:Cybota [Trj]
19:53:28.195 File: C:\Documents and Settings\Paul G!\Local Settings\temp\10.tmp **INFECTED** Win32:MalOb-IA [Cryp]
19:53:28.275 File: C:\Documents and Settings\Paul G!\Local Settings\temp\127.tmp **INFECTED** Win32:Cybota [Trj]
19:53:28.385 File: C:\Documents and Settings\Paul G!\Local Settings\temp\128.tmp **INFECTED** Win32:Malware-gen
19:53:30.308 File: C:\Documents and Settings\Paul G!\Local Settings\temp\6.tmp **INFECTED** Win32:Cybota [Trj]
19:53:30.609 File: C:\Documents and Settings\Paul G!\Local Settings\temp\7.tmp **INFECTED** Win32:Cybota [Trj]
19:53:51.599 File: C:\Documents and Settings\Paul G!\Local Settings\temp\~!#1D.tmp **INFECTED** Win32:MalOb-HP [Cryp]
19:53:51.759 File: C:\Documents and Settings\Paul G!\Local Settings\temp\~!#1E.tmp **INFECTED** Win32:Cybota [Trj]
19:54:00.291 File: C:\Documents and Settings\Paul G!\Local Settings\Temporary Internet Files\Content.IE5\1QHRGUHX\plugin[1].exe **INFECTED** Win32:MalOb-IA [Cryp]
19:56:31.559 AVAST engine scan C:\Documents and Settings\All Users
19:56:37.838 File: C:\Documents and Settings\All Users\Application Data\privacy.exe **INFECTED** Win32:FakeRean [Trj]
19:56:39.490 File: C:\Documents and Settings\All Users\Documents\19792079 **INFECTED** Win32:Injector-ACI [Trj]
19:56:47.221 Scan finished successfully
19:59:08.675 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Paul G!\Desktop\MBR.dat"
19:59:08.795 The log file has been saved successfully to "C:\Documents and Settings\Paul G!\Desktop\aswMBR.txt"


Here are the GMER results:

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2012-01-20 20:16:31
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\PAULG!~1\LOCALS~1\Temp\uwliipoc.sys


---- Modules - GMER 1.0.15 ----

Module \SystemRoot\System32\DRIVERS\nv4_mini.sys (NVIDIA Compatible Windows 2000 Miniport Driver, Version 78.11 /NVIDIA Corporation) F7DA0000-F80B0000 (3211264 bytes)
Module \SystemRoot\System32\DRIVERS\bcmwl5.sys (Broadcom 802.11 Network Adapter wireless driver/Broadcom Corporation) F7D00000-F7D68000 (425984 bytes)
Module \SystemRoot\system32\drivers\stac97.sys (SigmaTel Audio Driver (WDM)/SigmaTel, Inc.) F7C88000-F7CC9000 (266240 bytes)
Module \SystemRoot\System32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.) F8946000-F894B000 (20480 bytes)
Module \SystemRoot\System32\nv4_disp.dll (NVIDIA Compatible Windows 2000 Display driver, Version 78.11 /NVIDIA Corporation) BF012000-BF3CE000 (3915776 bytes)
Module \SystemRoot\System32\ATMFD.DLL (Windows NT OpenType/Type 1 Font Driver/Adobe Systems Incorporated) BF3CE000-BF415000 (290816 bytes)
Module \??\C:\DOCUME~1\PAULG!~1\LOCALS~1\Temp\aswMBR.sys B8FDA000-B8FE5000 (45056 bytes)
Module \??\C:\DOCUME~1\PAULG!~1\LOCALS~1\Temp\uwliipoc.sys (GMER) B8276000-B828F000 (102400 bytes)
Module (noname) (*** hidden *** ) F1E27000-F1E43000 (114688 bytes)

---- Processes - GMER 1.0.15 ----

Process C:\WINDOWS\Explorer.EXE (Windows Explorer/Microsoft Corporation) 364
Library C:\Malwarebytes' Anti-Malware\mbamext.dll (Malwarebytes' Anti-Malware/Malwarebytes Corporation) 0x10000000
Library C:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Shell Extension DLL/WinZip Computing, Inc.) 0x16200000
Library C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll (PDF Shell Extension/Adobe Systems, Inc.) 0x04060000

Process C:\Documents and Settings\Paul G!\Application Data\4035B\F260C.exe 388
Library C:\Documents and Settings\Paul G!\Application Data\4035B\F260C.exe 0x00400000

Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (Internet Explorer/Microsoft Corporation) 428
Library C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe PDF Helper for Internet Explorer/Adobe Systems Incorporated) 0x10000000
Library C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe PDF Helper for Internet Explorer/Adobe Systems Incorporated) 0x03520000
Library C:\WINDOWS\system32\vgaa256.dll 0x03540000
Library C:\WINDOWS\system32\preeflib.dll 0x035F0000
Library C:\WINDOWS\system32\stii_ci.dll 0x03640000
Library C:\Program Files\Java\jre6\bin\jp2ssv.dll (Java™ Platform SE binary/Sun Microsystems, Inc.) 0x6D430000
Library C:\WINDOWS\system32\Macromed\Flash\Flash10s.ocx (Adobe Flash Player 10.3 r181/Adobe Systems, Inc.) 0x066F0000

Process C:\Program Files\Java\jre6\bin\jqs.exe (Java™ Quick Starter Service/Sun Microsystems, Inc.) 540
Library C:\Program Files\Java\jre6\bin\jqs.exe (Java™ Quick Starter Service/Sun Microsystems, Inc.) 0x00400000

Process C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Driver Helper Service, Version 78.11/NVIDIA Corporation) 560
Library C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Driver Helper Service, Version 78.11/NVIDIA Corporation) 0x00400000

Process C:\WINDOWS\System32\WLTRAY.exe (Dell Wireless WLAN Card Wireless Network Tray Applet/Dell Inc.) 616
Library C:\WINDOWS\System32\WLTRAY.exe (Dell Wireless WLAN Card Wireless Network Tray Applet/Dell Inc.) 0x00400000

Process C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Product Assistant/Hewlett-Packard Development Company, L.P.) 652
Library C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard Product Assistant/Hewlett-Packard Development Company, L.P.) 0x00400000

Process C:\Program Files\BroadJump\Client Foundation\CFD.exe 660
Library C:\Program Files\BroadJump\Client Foundation\CFD.exe 0x00400000
Library C:\Program Files\BroadJump\Client Foundation\stlport_4_0_0_DDR.dll 0x689E0000
Library C:\Program Files\BroadJump\Client Foundation\BJIntlCore_1_1_DDR.dll 0x68D60000
Library C:\Program Files\BroadJump\Client Foundation\BJComRT.dll 0x68E00000
Library C:\Program Files\BroadJump\Client Foundation\BasicLoaderService.dll 0x68EE0000
Library C:\Program Files\BroadJump\Client Foundation\AppProperties.dll 0x68FA0000
Library C:\Program Files\BroadJump\Client Foundation\BJComBase.dll 0x68E80000
Library C:\Program Files\BroadJump\Client Foundation\TimerManager.dll 0x68860000
Library C:\Program Files\BroadJump\Client Foundation\BJComSRCManager.dll 0x68DB0000
Library C:\Program Files\BroadJump\Client Foundation\BJFReg.dll 0x607A0000
Library C:\Program Files\BroadJump\Client Foundation\xerces-c_1_40_0_DDR.dll 0x68780000
Library C:\Program Files\BroadJump\Client Foundation\SSLEAY32_1-1-0_DDR.DLL 0x10000000
Library C:\Program Files\BroadJump\Client Foundation\LIBEAY32_1-1-0_DDR.DLL 0x00F50000
Library C:\Program Files\BroadJump\Client Foundation\ThirdPartyManager.dll 0x688E0000

Process C:\Program Files\Common Files\Java\Java Update\jusched.exe (Java™ Update Scheduler/Sun Microsystems, Inc.) 668
Library C:\Program Files\Common Files\Java\Java Update\jusched.exe (Java™ Update Scheduler/Sun Microsystems, Inc.) 0x00400000

Process C:\Program Files\LP\0CC4\096.exe 716
Library C:\Program Files\LP\0CC4\096.exe 0x00400000

Process C:\Documents and Settings\Paul G!\Application Data\x1zpmhgogtougcrvevgtq2ty3ijffb112\svcnost.exe 756
Library C:\Documents and Settings\Paul G!\Application Data\x1zpmhgogtougcrvevgtq2ty3ijffb112\svcnost.exe 0x00400000

Process C:\WINDOWS\system32\HPZipm12.exe (PML Driver/HP) 1264
Library C:\WINDOWS\system32\HPZipm12.exe (PML Driver/HP) 0x00400000

Process C:\WINDOWS\system32\spoolsv.exe (Spooler SubSystem App/Microsoft Corporation) 1608
Library C:\WINDOWS\system32\HpTcpMon.dll (Standard TCP/IP Port Monitor DLL/Hewlett Packard) 0x10000000
Library C:\WINDOWS\system32\hpzjrd01.dll (HP Rediscovery Library/Hewlett Packard) 0x00A60000
Library C:\WINDOWS\system32\HPTcpMUI.dll (Standard TCP/IP Port Monitor DLL/Microsoft Corporation) 0x00C10000
Library C:\WINDOWS\system32\hptcpmib.dll (Standard TCP/IP Port Monitor DLL/Hewlett Packard) 0x00DB0000
Library C:\WINDOWS\system32\hpzll43a.dll (LanguageMonitor/Hewlett-Packard Company) 0x00DF0000
Library C:\WINDOWS\system32\mdimon.dll (Microsoft® Document Imaging/Microsoft Corporation) 0x00E00000
Library C:\WINDOWS\System32\spool\PRTPROCS\W32X86\hpzpp43a.dll (Hewlett-Packard Corporation) 0x00E50000
Library C:\WINDOWS\System32\spool\PRTPROCS\W32X86\mdippr.dll (Microsoft® Document Imaging/Microsoft Corporation) 0x00E70000
Library C:\WINDOWS\System32\spool\PRTPROCS\W32X86\filterpipelineprintproc.dll (Print Filter Pipeline Proxy/Microsoft Corporation) 0x3F420000

Process C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe (Yahoo! Messenger Tray/Yahoo! Inc.) 1968
Library C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe (Yahoo! Messenger Tray/Yahoo! Inc.) 0x00400000
Library C:\Program Files\Yahoo!\Messenger\yui.dll 0x61110000
Library C:\Program Files\Yahoo!\Messenger\nspr4.dll (NSPR Library/Netscape Communications Corporation) 0x60220000
Library C:\Program Files\Yahoo!\Messenger\res_msgr.dll (Resource Module/Yahoo! Inc.) 0x60360000

Process C:\Program Files\Common Files\Java\Java Update\jucheck.exe (Java™ Update Checker/Sun Microsystems, Inc.) 2192
Library C:\Program Files\Common Files\Java\Java Update\jucheck.exe (Java™ Update Checker/Sun Microsystems, Inc.) 0x00400000

Process C:\Program Files\Mozilla Firefox\plugin-container.exe (Plugin Container for Firefox/Mozilla Corporation) 2260
Library C:\Program Files\Mozilla Firefox\plugin-container.exe (Plugin Container for Firefox/Mozilla Corporation) 0x00400000
Library C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) 0x10000000
Library C:\Program Files\Mozilla Firefox\mozjs.dll 0x00410000
Library C:\Program Files\Mozilla Firefox\nspr4.dll (NSPR Library/Mozilla Foundation) 0x00310000
Library C:\Program Files\Mozilla Firefox\mozutils.dll (Mozilla Foundation) 0x00350000
Library C:\Program Files\Mozilla Firefox\smime3.dll (NSS S/MIME Library/Mozilla Foundation) 0x00370000
Library C:\Program Files\Mozilla Firefox\nss3.dll (NSS Base Library/Mozilla Foundation) 0x00620000
Library C:\Program Files\Mozilla Firefox\nssutil3.dll (NSS Utility Library/Mozilla Foundation) 0x003B0000
Library C:\Program Files\Mozilla Firefox\plc4.dll (PLC Library/Mozilla Foundation) 0x003E0000
Library C:\Program Files\Mozilla Firefox\plds4.dll (PLDS Library/Mozilla Foundation) 0x006C0000
Library C:\Program Files\Mozilla Firefox\ssl3.dll (NSS SSL Library/Mozilla Foundation) 0x006E0000
Library C:\Program Files\Mozilla Firefox\mozsqlite3.dll (SQLite Database Library/sqlite.org) 0x00720000
Library C:\Program Files\Mozilla Firefox\mozalloc.dll (Mozilla Foundation) 0x00800000
Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
Library C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll 0x01AC0000

Process C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 2272
Library C:\WINDOWS\System32\strmfilt.dll (Stream Filter Library/Microsoft Corporation) 0x6F290000

Process C:\Documents and Settings\All Users\Documents\Jellyfish Backgammon\JFL3532.exe (JellyFish Light 3.5/JellyFish AS) 2328
Library C:\Documents and Settings\All Users\Documents\Jellyfish Backgammon\JFL3532.exe (JellyFish Light 3.5/JellyFish AS) 0x00400000

Process C:\WINDOWS\System32\WLTRYSVC.EXE 2552
Library C:\WINDOWS\System32\WLTRYSVC.EXE 0x00400000

Process C:\Program Files\5B4B9\lvvm.exe 2576
Library C:\Program Files\5B4B9\lvvm.exe 0x00400000

Process C:\WINDOWS\System32\bcmwltry.exe (Dell Wireless WLAN Card Wireless Network Controller/Dell Inc.) 2604
Library C:\WINDOWS\System32\bcmwltry.exe (Dell Wireless WLAN Card Wireless Network Controller/Dell Inc.) 0x00400000
Library C:\WINDOWS\System32\bcm1xsup.dll 0x10000000
Library C:\WINDOWS\System32\bcmwlpkt.dll (Packet/CACE Technologies) 0x00340000
Library C:\WINDOWS\System32\wltrynt.dll (Wireless Notification Provider/Broadcom Corporation) 0x00CA0000

Process C:\Documents and Settings\Paul G!\Desktop\gmer.exe 2660
Library C:\Documents and Settings\Paul G!\Desktop\gmer.exe 0x00400000

Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (Internet Explorer/Microsoft Corporation) 3168
Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

Process C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) 3452
Library C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) 0x00400000
Library C:\Program Files\Mozilla Firefox\nspr4.dll (NSPR Library/Mozilla Foundation) 0x10000000
Library C:\Program Files\Mozilla Firefox\mozutils.dll (Mozilla Foundation) 0x003B0000
Library C:\Program Files\Mozilla Firefox\plc4.dll (PLC Library/Mozilla Foundation) 0x003D0000
Library C:\Program Files\Mozilla Firefox\plds4.dll (PLDS Library/Mozilla Foundation) 0x003F0000
Library C:\Program Files\Mozilla Firefox\mozalloc.dll (Mozilla Foundation) 0x00A80000
Library C:\Program Files\Mozilla Firefox\mozsqlite3.dll (SQLite Database Library/sqlite.org) 0x00AA0000
Library C:\Program Files\Mozilla Firefox\nssutil3.dll (NSS Utility Library/Mozilla Foundation) 0x00F70000
Library C:\Program Files\Mozilla Firefox\softokn3.dll (NSS PKCS #11 Library/Mozilla Foundation) 0x01020000
Library C:\Program Files\Mozilla Firefox\nss3.dll (NSS Base Library/Mozilla Foundation) 0x01060000
Library C:\Program Files\Mozilla Firefox\ssl3.dll (NSS SSL Library/Mozilla Foundation) 0x01110000
Library C:\Program Files\Mozilla Firefox\smime3.dll (NSS S/MIME Library/Mozilla Foundation) 0x01160000
Library C:\Program Files\Mozilla Firefox\mozjs.dll 0x011A0000
Library C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) 0x01420000
Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
Library C:\Program Files\Mozilla Firefox\xpcom.dll (Mozilla Foundation) 0x013B0000
Library C:\Program Files\Mozilla Firefox\components\browsercomps.dll (Mozilla Foundation) 0x03800000
Library C:\Program Files\Mozilla Firefox\nssdbm3.dll (Legacy Database Driver/Mozilla Foundation) 0x06860000
Library C:\Program Files\Mozilla Firefox\freebl3.dll (NSS freebl Library/Mozilla Foundation) 0x06890000
Library C:\Program Files\Mozilla Firefox\nssckbi.dll (NSS Builtin Trusted Root CAs/Mozilla Foundation) 0x06B00000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\DRIVERS\b57xp32.sys (Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver./Broadcom Corporation) [MANUAL] b57w2k
Service C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys (Broadcom Corporation NDIS 5.0 BCM42XX miniport driver/Broadcom Corporation) [MANUAL] BCM42XX
Service C:\WINDOWS\System32\DRIVERS\bcmwl5.sys (Broadcom 802.11 Network Adapter wireless driver/Broadcom Corporation) [MANUAL] BCM43XX
Service C:\WINDOWS\system32\DRIVERS\BCM4E5.SYS (Broadcom Corporation NDIS 5.0 BCM42XX miniport driver/Broadcom Corporation) [MANUAL] BCM44X2
Service C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys (Broadcom Corporation NDIS 5.1 ethernet driver/Broadcom Corporation) [MANUAL] bcm4sbxp
Service BCMLogon
Service C:\WINDOWS\system32\drivers\BVRPMPR5.SYS (BVRP NDIS 5.0 MPR Protocol Driver/Avanquest Software) [MANUAL] BVRPMPR5
Service C:\DOCUME~1\PAULG!~1\LOCALS~1\Temp\catchme.sys [MANUAL] catchme
Service C:\Program [MANUAL] getPlus® Helper
Service C:\WINDOWS\system32\DRIVERS\HPZid412.sys (IEEE-1284.4-1999 Driver (Windows 2000)/HP) [MANUAL] HPZid412
Service C:\WINDOWS\system32\DRIVERS\HPZipr12.sys (IEEE-1284.4-1999 Print Class Driver/HP) [MANUAL] HPZipr12
Service C:\WINDOWS\system32\DRIVERS\HPZius12.sys (1284.4<->Usb Datalink Driver (Windows 2000)/HP) [MANUAL] HPZius12
Service C:\Program Files\Java\jre6\bin\jqs.exe (Java™ Quick Starter Service/Sun Microsystems, Inc.) [AUTO] JavaQuickStarterService
Service MSDTC Bridge 3.0.0.0
Service nm
Service C:\WINDOWS\system32\drivers\NPF.sys (npf.sys (NT5/6 x86) Kernel Driver/CACE Technologies, Inc.) [MANUAL] NPF
Service C:\WINDOWS\System32\DRIVERS\nv4_mini.sys (NVIDIA Compatible Windows 2000 Miniport Driver, Version 78.11 /NVIDIA Corporation) [MANUAL] nv
Service C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Driver Helper Service, Version 78.11/NVIDIA Corporation) [AUTO] NVSvc
Service Outlook
Service C:\ComboFix\pev.3XE [AUTO] PEVSystemStart
Service C:\WINDOWS\system32\HPZipm12.exe (PML Driver/HP) [AUTO] Pml Driver HPZ12
Service C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.) [MANUAL] Ptilink
Service C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision SECURITY Driver/Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [MANUAL] Secdrv
Service ServiceModelEndpoint 3.0.0.0
Service ServiceModelOperation 3.0.0.0
Service ServiceModelService 3.0.0.0
Service SMSvcHost 3.0.0.0
Service C:\WINDOWS\system32\drivers\stac97.sys (SigmaTel Audio Driver (WDM)/SigmaTel, Inc.) [MANUAL] STAC97
Service C:\WINDOWS\System32\DRIVERS\w29n51.sys (Intel® Wireless LAN Driver/Intel® Corporation) [MANUAL] w29n51
Service Windows Workflow Foundation 3.0.0.0
Service C:\WINDOWS\System32\WLTRYSVC.EXE [AUTO] wltrysvc

---- EOF - GMER 1.0.15 ----


Thank you for your help Jintan. Let me know what else you need me to do!

PaulG
  • 0

#23
Jintan

    Trusted Helper

  • Malware Removal
  • 904 posts
If this were school, that would be a failing grade report card. Many malware processes are running independently, so they more or less have command of things, and the explorer.exe file itself has been altered by malware as well, along with other important processes, such as winlogon and svchost, with malware loaded into them.

xPUD would truly be beneficial at this point. You can use that same xpud-0.9.2.iso you downloaded for that usb drive creation, but instead see if you can just burn that image to a CD. All systems have the wherewithal to boot from a CD, with fewer issues. If you don't have an image burning app, you can download a simple InfraRecorder one from here. Just install that, and direct it to burn a disk image using that xPUD iso file.

Once you have done that, put that xPUD CD into the CD drive, and reboot. Then as the system boots up, press F12, and select the CD drive from that boot menu.

For the moment, see if you can accomplish that. If you can, once the xPUD display is booted to, insert that xPUD USB drive you created, and follow the steps here to create and post those logs.
  • 0
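
The triage described in post #23, separating flagged files that are running or loaded from those that only sit on disk, as an added example (not part of the thread and not code from either tool's author). It cross-references excerpts of the aswMBR and GMER logs from post #22; the state names and the treatment of `RK_Quarantine` as an inert quarantine folder are assumptions.

```python
import re

# Excerpts copied from the aswMBR and GMER logs in post #22 (shortened).
ASWMBR_LOG = r"""
19:40:43.195 File: C:\WINDOWS\system32\drivers\netbt.sys **INFECTED** Win32:Aluroot [Rtk]
19:41:03.044 Module: C:\WINDOWS\System32\DRIVERS\netbt.sys **SUSPICIOUS**
19:41:28.961 File: C:\WINDOWS\explorer.exe **INFECTED** Win32:Patched-AAD [Trj]
19:47:25.564 File: C:\WINDOWS\system32\stii_ci.dll **INFECTED** Win32:Malware-gen
19:47:27.226 File: C:\WINDOWS\system32\svchost.exe **INFECTED** Win32:Malware-gen
19:49:11.516 File: C:\WINDOWS\system32\drivers\netbt.sys **INFECTED** Win32:Aluroot [Rtk]
19:49:28.420 File: C:\Documents and Settings\Paul G!\Application Data\4035B\F260C.exe **INFECTED** Win32:Cybota [Trj]
19:51:26.700 File: C:\Documents and Settings\Paul G!\Desktop\RK_Quarantine\F260C.exe.vir **INFECTED** Win32:Cybota [Trj]
19:53:30.308 File: C:\Documents and Settings\Paul G!\Local Settings\temp\6.tmp **INFECTED** Win32:Cybota [Trj]
"""
GMER_LOG = r"""
Process C:\WINDOWS\Explorer.EXE (Windows Explorer/Microsoft Corporation) 364
Library C:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Shell Extension DLL/WinZip Computing, Inc.) 0x16200000

Process C:\Documents and Settings\Paul G!\Application Data\4035B\F260C.exe 388
Library C:\Documents and Settings\Paul G!\Application Data\4035B\F260C.exe 0x00400000

Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (Internet Explorer/Microsoft Corporation) 428
Library C:\WINDOWS\system32\stii_ci.dll 0x03640000

Process C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 2272
Library C:\WINDOWS\System32\strmfilt.dll (Stream Filter Library/Microsoft Corporation) 0x6F290000
"""

STAMP = r"^\d\d:\d\d:\d\d\.\d{3} "
INFECTED_RE = re.compile(STAMP + r"File: (.+?) \*\*INFECTED\*\* (.+)$")
MODULE_RE = re.compile(STAMP + r"Module: (.+?) \*\*SUSPICIOUS\*\*$")
PROCESS_RE = re.compile(r"^Process (.+?)(?: \(.*\))? (\d+)$")
LIBRARY_RE = re.compile(r"^Library (.+?)(?: \(.*\))? 0x[0-9A-Fa-f]+$")


def parse_aswmbr(log):
    """Return ({path: detection}, {flagged module paths}); repeat hits collapse."""
    hits, flagged = {}, set()
    for line in map(str.strip, log.splitlines()):
        if (m := INFECTED_RE.match(line)):
            hits[m.group(1).lower()] = m.group(2)   # Windows paths: ignore case
        elif (m := MODULE_RE.match(line)):
            flagged.add(m.group(1).lower())
    return hits, flagged


def parse_gmer(log):
    """Return (images, libraries), each mapping a lowercased path to PIDs."""
    images, libraries, pid = {}, {}, None
    for line in map(str.strip, log.splitlines()):
        if (m := PROCESS_RE.match(line)):
            pid = int(m.group(2))
            images.setdefault(m.group(1).lower(), []).append(pid)
        elif (m := LIBRARY_RE.match(line)) and pid is not None:
            libraries.setdefault(m.group(1).lower(), []).append(pid)
    return images, libraries


def triage(aswmbr_log, gmer_log):
    """Map each flagged path to (state, detection, pids), most active state first."""
    hits, flagged = parse_aswmbr(aswmbr_log)
    images, libraries = parse_gmer(gmer_log)
    report = {}
    for path, detection in hits.items():
        if path in images:                       # running as its own process
            state, pids = "running", images[path]
        elif path in libraries:                  # loaded inside another process
            state, pids = "loaded", libraries[path]
        elif path in flagged:                    # aswMBR's module scan flagged it too
            state, pids = "module_flagged", []
        elif "\\rk_quarantine\\" in path:        # assumed inert quarantine copy
            state, pids = "quarantined", []
        else:
            state, pids = "on_disk", []
        report[path] = (state, detection, pids)
    return report


if __name__ == "__main__":
    for path, (state, detection, pids) in sorted(triage(ASWMBR_LOG, GMER_LOG).items()):
        print(f"{state:15} {detection:22} {pids!s:8} {path}")
```

Matching is by lowercased full path only, so 8.3 short names such as `PROGRA~1` are not resolved to their long form.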





