Member Avatar for azriel

OK so I downloaded a few game files and all of a sudden got the dreaded BSOD. I do have several anti-virus/spyware etc progs (Spybot, McAffe, windows defender and spyware blocker) yet still am having this problem. I have tried running each of these in normal mode which again triggers the screen of death.

The technical information it lists as a problem is:
***STOP: 0x0000008E (0x0000005,0x006BF687,0xF65C5CF0,0x00000000


HELP pls, I have deleted suspected files of causing the problem....with no success - any help would be appreciated - THANKS!!!!

-Az.

  • 3 Contributors
  • 14 Replies
  • 153 Views
  • 1 Week Discussion Span
  • Latest Post Latest Post by gerbil

Recommended Answers

All 14 Replies

Member Avatar for gerbil

Azriel, just add to your posts, pls don't start a new thread on the same topic.... it makes us chase the thread over several windows....
A big, important point to make: you must run ONLY ONE resident AV - you have both AVG and Mcafee, so one of them must go.
Next point is the location of hijackthis - delete that copy and unzip a fresh copy to a new folder alongside your program files.
If you do not do that and things go bad, be it on your own head.
-select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

I see no other problems....so:
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:.. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!

When you are finished reboot to normal Windows mode and send that Smitfraud log in....

Member Avatar for azriel

Thank you for responding.....

I deleted the Hijack item, and moved hijack this to my program files. Downloaded and installed this program from the link you suppled but was chock full of spyware and malware - my Mcaffe stopped three programs from loading - any other files you can suggest?

Member Avatar for gerbil

That pgm? Smitfraudfix full of trojans? Mcafee must have gone off its trolley - I was getting you to run it because in part it checks to see if you have particular types of rootkits. I would happily vouch for that site, that pgm.. you shoulda kept AVG.... turn Mcafee off to dl from that link. Run it and turn Mcafee back on. I would not give you a dodgy link or pgm to run... maybe the run will pick Mcafee up as a fraud... :)

Member Avatar for azriel

I'd be happy to turn off mcaffe - its been mucho wonky - in fack everytime I try to use it to scan it blue screens - just tell me how to kill it and I will....

Also shoudl be worth noting I am getting blue screens more often with different 'error areas' if thats the correct term stating the following

the frst was:
system32: xpdt.sys-address F77735A3 base at F7771000,date stamp 46532710

the second was usbstor.sys - address F9F1B222 base atF9F1A000, Datestamp 41107d6c

Member Avatar for gerbil

Two rootkits in one day!! [am dealing with another poster also...] -Mcafee is trying, it found a rootkit, rustock-[B?].
Rustock-B rootkit removal:
==Download rustbfix.exe from http://www.uploads.ejvindh.net/rustbfix.exe
-save it to your desktop, dclick on rustbfix.exe to run the tool.
If a Rustock.b-infection is found, you will be asked to reboot the computer, perhaps twice. The procedure may be slow, but is automatic.
Afterwards 2 logfiles will open C:\avenger.txt , C:\rustbfix\pelog.txt). Post these logfiles plus a new HijackThis log.
Rclick the tray icon for mcafee virus shield and select Exit. Run the smitfraudfix tool as above, then turn mcafee back on.
Lastly, run Combofix:
==Download this file: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log - post that log in your next reply along with the others.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Member Avatar for azriel

SmitFraudFix v2.191

Scan done at 22:10:14.39, 2007-06-03
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Home


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Home\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Home\FAVORI~1

C:\DOCUME~1\Home\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32-xpdt

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 24.29.103.10
DNS Server Search Order: 24.29.103.11

HKLM\SYSTEM\CCS\Services\Tcpip\..\{167EE107-A03C-400E-BB39-19769AEDCE98}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{167EE107-A03C-400E-BB39-19769AEDCE98}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{167EE107-A03C-400E-BB39-19769AEDCE98}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS3\Services\Tcpip\..\{167EE107-A03C-400E-BB39-19769AEDCE98}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

SmitFraudFix v2.191

Scan done at 22:10:14.39, 2007-06-03
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Home


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Home\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Home\FAVORI~1

C:\DOCUME~1\Home\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32-xpdt

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 24.29.103.10
DNS Server Search Order: 24.29.103.11

HKLM\SYSTEM\CCS\Services\Tcpip\..\{167EE107-A03C-400E-BB39-19769AEDCE98}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{167EE107-A03C-400E-BB39-19769AEDCE98}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{167EE107-A03C-400E-BB39-19769AEDCE98}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS3\Services\Tcpip\..\{167EE107-A03C-400E-BB39-19769AEDCE98}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


SmitFraudFix v2.191

Scan done at 22:10:14.39, 2007-06-03
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Home


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Home\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Home\FAVORI~1

C:\DOCUME~1\Home\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32-xpdt

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 24.29.103.10
DNS Server Search Order: 24.29.103.11

HKLM\SYSTEM\CCS\Services\Tcpip\..\{167EE107-A03C-400E-BB39-19769AEDCE98}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{167EE107-A03C-400E-BB39-19769AEDCE98}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{167EE107-A03C-400E-BB39-19769AEDCE98}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS3\Services\Tcpip\..\{167EE107-A03C-400E-BB39-19769AEDCE98}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
2007-06-03 22:13:44.59

No Rustock.b-rootkits found

******************************* End of Logfile ********************************

Ran combofix got a catch me file w/xpdt.sys locked up - however upon restart program won't seem to finish - even after 2hrs. Should I drop that zipped file in my spybot shredder?

Member Avatar for gerbil

Yes, shred it. And then run the clean option with smitfraudfix:-
- Disconnect from the net
- Check that a Restore point has been made.
- Go into safe mode.
- Start Smitfraudfix as before and press 2, Enter.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer Y and Enter [which will remove the desktop background and clean registry keys associated with the infection].
The tool will next check if wininet.dll is infected- if it is you will be prompted to replace the file ; type Y and press "Enter".
Reboot into normal Windows and post here the text file which will appear on your screen, along with a new HT log.
You may also have to restore your desktop background...
If so, go Start >run, type regedit and <enter>. Navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Please export that key: in the left pane highlight system with a lclick, go File, export... , save as bluewall with file type .txt. Close regedit and post that txt file.Try ComboFix again.

Member Avatar for azriel

File successfully shredded see attached smitfraud files (2) one presafe mode and other in safe mode plus HJT file. I also successfully ran a mcaffe scan (something I was not able to do with the rootkit and would cause a bluescreen) with no nasties.
HOWEVER combofix is saying it is missing vundonames.cf with no results.

smitfraud.1
SmitFraudFix v2.191
Scan done at 18:16:59.43, 2007-06-04
Run from C:\Documents and Settings\Home\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\DOCUME~1\Home\FAVORI~1\Online Security Test.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 24.29.103.10
DNS Server Search Order: 24.29.103.11
HKLM\SYSTEM\CCS\Services\Tcpip\..\{167EE107-A03C-400E-BB39-19769AEDCE98}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{167EE107-A03C-400E-BB39-19769AEDCE98}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{167EE107-A03C-400E-BB39-19769AEDCE98}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS3\Services\Tcpip\..\{167EE107-A03C-400E-BB39-19769AEDCE98}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End


Smitfraud in safe mode:

SmitFraudFix v2.191
Scan done at 18:28:34.92, 2007-06-04
Run from C:\Documents and Settings\Home\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CS1\Services\Tcpip\..\{167EE107-A03C-400E-BB39-19769AEDCE98}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{167EE107-A03C-400E-BB39-19769AEDCE98}: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.29.103.10 24.29.103.11

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

HJT after smitfrauds

Logfile of HijackThis v1.99.1
Scan saved at 19:02, on 2007-06-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\findstr.exe
C:\Program Files\Hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [*combofix] C:\WINDOWS\system32\cmd.exe /e:on /f:off /v:off /c C:\ComboFix\Combofix.bat
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: Monitor.lnk.disabled
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4423/mcfscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

Combofix info:


Scanning for infected files . . .
This typically doesn't take more than 10 minutes
Scan times for badly infected machines may easily double
FINDSTR: Cannot open vundonames.cf
The system cannot find the file Vundonames.cf.
Could Not Find C:\ComboFix\Vundonames.cf

Member Avatar for gerbil

Looks like something has blocked CombFix. Ok, delete your copy.
Please rename hijackthis.exe to imabunny.exe, start it, press Misc Tools, press the List minor sections button and Generate Startup List log. Post that.
Now for a shot in the dark:
Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to start it, click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES. Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot.
Post the contents of C:\vundofix.txt plus a new HijackThis log.
[oh, and that smitfraudfix run, it does not pay to run Option 2 when there is no detection - the pgm likes to break stuff, if it cannot find a bug it turns on your desktop and breaks that! You were lucky with that second pass...]

Member Avatar for azriel

vundofix turned up nothing so nothing removed, new HJT file below from before VUNDO run:

StartupList report, 2007-06-05, 18:08:26
StartupList version: 1.52.2
Started from : C:\Program Files\Hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16441)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
hp psc 1000 series.lnk = ?
hpoddt01.exe.lnk = ?
Kodak EasyShare software.lnk.disabled
Monitor.lnk.disabled

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
*combofix = C:\WINDOWS\system32\cmd.exe /e:on /f:off /v:off /c C:\ComboFix\Combofix.bat

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
googletalk = "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
swg = C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
Uniblue RegistryBooster2 = C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
scriptproxy - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll - {7DB2D5A0-7241-4E79-B68D-6309F01C5231}

--------------------------------------------------

Enumerating Task Scheduler jobs:

FRU Task #Hewlett-Packard#hp psc 1200 series#1107067178.job
McDefragTask.job
McQcTask.job
MP Scheduled Scan.job

--------------------------------------------------

Enumerating Download Program Files:

[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\system32\mcinsctl.dll
CODEBASE = http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll

[Shutterfly Picture Upload Plugin]
InProcServer32 = C:\WINDOWS\DOWNLO~1\sfuploadplugin.ocx
CODEBASE = http://web1.shutterfly.com/downloads/Uploader.cab

[DwnldGroupMgr Class]
InProcServer32 = C:\WINDOWS\system32\mcgdmgr.dll
CODEBASE = http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

[McFreeScan Class]
InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4423/mcfscan.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\Program Files\Bonjour\mdnsNSP.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (autostart)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (autostart)
Bonjour Service: "C:\Program Files\Bonjour\mDNSResponder.exe" (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Iomega Activity Disk2: "C:\PROGRA~1\Iomega\System32\ActivityDisk.exe" (autostart)
IomegaAccess: C:\WINDOWS\System32\IomegaAccess.exe /S (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
McAfee HackerWatch Service: "C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe" (autostart)
McAfee Services: C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (autostart)
McAfee Network Agent: "c:\program files\common files\mcafee\mna\mcnasvc.exe" (autostart)
McAfee Scanner: C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (autostart)
McAfee Protection Manager: C:\PROGRA~1\McAfee\MSC\mcpromgr.exe (autostart)
McAfee Redirector Service: c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (autostart)
McAfee Real-time Scanner: C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (autostart)
McAfee SystemGuards: C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (autostart)
mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Defender: "C:\Program Files\Windows Defender\MsMpEng.exe" (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
ZipToA: C:\WINDOWS\System32\ZipToA.exe /S (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 13,248 bytes
Report generated in 1.281 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Member Avatar for gerbil

Those logs are clean. Remove AVG7 if you are keeping mcafee. Disable [turn OFF] teatimer while you attempt one more combofix run [and then turn teatimer back on if you wish!].
Teatimer setting is under Mode, advanced mode, tools, resident... -restart for the change to be made.
Apart from that, I am at a loss. What are your symptoms now?

Member Avatar for huzefad

hey i too have problem with bsod i frequently get this error ***STOP: 0x000000F4

can u guide me to fix this ! my pc has become very slow like a snail and i hve formatted the whole disk so not much data on it too ! pls reply ! thnx.

Member Avatar for azriel

Gerbil,

Thank you for all you're help. The pc hasn't crashed now for sometime. I sent you a shout out for your reputation as well. I greatly appreciate all the time you invested in walking me through that removal.


Thanks again,
-Az.

Member Avatar for gerbil

Pleased if I helped, Azriel. Cheers.
Huuzefad, it would be helpful to know the first parameter in that error msg ie the first term inside the brackets before the first comma... something like 0x000000F4 (0x00000001, .....) for example.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.