Windows shuts down at startup
Spybot recently caught some suspicious files trying to access the internet on my computer, which I said no to. On the next startup Windows immediately shut down, and has done so on every boot since. It gives a blue screen with information, some of which is:
Disable BIOS memory options such as caching or shadowing.
Technical information: ***STOP: 0x0000000A (0x000000B0,0x00000002,0x00000000,0x8050601F)
Physical memory dump complete.
IRQL_NOT_LESS_OR_EQUAL
I’ve been able to start up in Safe Mode, and attempted some spyware removal as follows:
AVG – C:\WINDOWS\System32\net.net removed to Virus Vault, identified as Trojan horse Clicker.ZWK
Spybot – MicrosoftWindowsSecurityCenter_disabled
settings HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSCSVC\Start
BraveSentry data C:\WINDOWS\SYSTEM32\kr_done1
settings HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1
Ad-Aware – will not run, although it did prior to this problem
Malwarebytes – no problems found
I’m now having to use a different computer to access the internet for this posting. I couldn’t tell if GMER ran correctly in Safe Mode, but attached results anyway. My system is Windows XP Professional Edition, SP1.
Thanks for any help you can provide.
DDS (Ver_09-06-26.01) - NTFSx86 MINIMAL
Run by All at 21:45:59.96 on Tue 06/30/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.264 [GMT -5:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Documents and Settings\All\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
EB: MoneySide: {9404901d-06da-4b23-a0ee-3ea4f64ec9b3} - c:\program files\microsoft money\system\mnyviewer.dll
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [PopUpStopperFreeEdition] "c:\progra~1\panicw~1\pop-up~1\PSFree.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunServicesOnce: [washindex] c:\program files\washer\washidx.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DellTouch] c:\windows\MMKeybd.exe
mRun: [nwiz] nwiz.exe /install
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [Motive SmartBridge] c:\progra~1\verizo~1\suppor~1\smartb~1\MotiveSB.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AdaptecDirectCD] c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe
mRun: [Zone Labs Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunServicesOnce: [washindex] c:\program files\washer\washidx.exe "Mark"
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
uExplorerRun: [servises] c:\windows\system32\servises.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\office.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wordweb.lnk - c:\program files\wordweb\wweb32.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126655784140
DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37582.6951041667
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/activedata/SymAData.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - hxxps://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
TCP: {86C9345F-FDCB-4F1A-8E5C-DCE9C2B914A1} = 127.0.0.1,192.168.1.1,192.168.1.1
TCP: {9ECFB26D-8E0F-44DA-9DEC-9948159DF0F6} = 127.0.0.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
============= SERVICES / DRIVERS ===============
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2009-3-31 10760]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2002-1-30 6942]
S1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2009-3-31 821856]
S1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2009-3-31 4224]
S1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2009-3-31 27776]
S1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-4-13 392824]
S2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2009-3-31 418816]
S2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2009-3-31 49664]
S2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2009-3-31 406528]
S2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2009-3-31 4960]
S2 CX88XBAR;KWorld PVR 883 Crossbar;c:\windows\system32\drivers\cx88xbar.sys [2007-5-12 8960]
S2 edtgxq;edtgxq;c:\windows\system32\drivers\nxwaa.sys [2009-6-29 61440]
S2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [1980-1-1 28672]
S2 PackethSvc;Virtual NIC Service;c:\windows\system32\PackethSvc.exe [2002-1-30 64512]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 CrystalSysInfo;CrystalSysInfo;c:\program files\mediacoder\SysInfo.sys [2007-9-25 15152]
S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [1980-1-1 142336]
S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [1980-1-1 524288]
=============== Created Last 30 ================
2009-06-29 22:08 61,440 a------- c:\windows\system32\drivers\nxwaa.sys
==================== Find3M ====================
2009-06-29 21:01 65,536 a------- c:\windows\DUMP66d3.tmp
2009-06-29 14:33 65,536 a------- c:\windows\DUMP6646.tmp
2009-06-29 12:17 65,536 a------- c:\windows\DUMP606a.tmp
2009-05-25 19:53 87,776 a------- c:\docume~1\all\applic~1\GDIPFONTCACHEV1.DAT
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-03 21:12 60,744 a------- c:\documents and settings\all\g2mdlhlpx.exe
2008-09-25 22:19 1,452,592 a------- c:\program files\yWriter412dicts-5.0.zip
2008-07-21 21:45 724,984 a------- c:\documents and settings\all\gotomypc_437.exe
2007-09-20 08:43 56 a------- c:\documents and settings\all\hiscores.dat
2005-11-13 22:24 774,144 a------- c:\program files\RngInterstitial.dll
2002-05-23 21:10 660 a------- c:\documents and settings\all\score.dat
============= FINISH: 21:48:35.31 ===============