Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
12-03-2008, 06:42 PM  #1
Registered User
 
Join Date: Dec 2008
Posts: 21
OS: Windows XP (Home)


Cross-Infected Laptop AND GMER.EXE ISSUE

Hi,

I'm helping a friend get his and his wife's laptops "healed." I was able to sanitize his, and now I'm working on hers.

He was not using any antivirus for several months and was infested with some pretty bad stuff. My concern is that they link via a home wireless network and I suspect he's infected her, but to what extent I don't know.

Following the instructions in the new posting thread, I downloaded and ran gmer.exe. It encountered one of those "memory read errors at 01x0000000085" (or something similar; I don't recall the exact wording) and shut down.

So I started it again - and got a Blue Screen of Death, the one that starts with "....if this is the first time you've encountered this problem...." and ends with "Beginning physical dump of memory."

I turned it off and it seems to have restarted fine.

But my question: now what???

Many thanks for your help.

ChicagoIrish
Posted by ChicagoIrish

12-06-2008, 08:48 AM  #2
Manager, Security Center, TSF Academy; Analyst, Security Team

Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,622
OS: 2000 Pro; XP Pro; XP Home


Re: Cross-Infected Laptop AND GMER.EXE ISSUE


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
    1. DDS.txt
    2. Attach.txt
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Posted by tetonbob

12-06-2008, 06:36 PM  #3
Registered User

Join Date: Dec 2008
Posts: 21
OS: Windows XP (Home)


Re: Cross-Infected Laptop AND GMER.EXE ISSUE

Hi TetonBob -

Thanks. Below is the Scan; attached is the Attach.


DDS (Version 1.0) - NTFSx86
Run by Owner at 18:29:27.82 on 12/06/08
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.30 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\Downloads\dds(2).com

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
uCustomizeSearch =
mSearchAssistant = hxxp://www.google.com/ie
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [PRISMSVR.EXE] "c:\windows\system32\PRISMSVR.EXE" /APPLY
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: igfxcui - igfxsrvc.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\progra~1\window~3\MpShHook.dll

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 ekrn;Eset Service;"c:\program files\eset\eset smart security\ekrn.exe" [2008-8-18 468224]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-1-11 24652]
R2 WinDefend;Windows Defender;"c:\program files\windows defender\MsMpEng.exe" [2006-11-3 13592]
S3 pc100;Linksys EtherFast 10/100 PC Card NT Driver;c:\windows\system32\drivers\pc100nds.sys [2005-5-13 30495]

=============== Created Last 30 ================

2008-12-05 21:46 107,368 a------- c:\windows\system32\GEARAspi.dll
2008-12-05 21:46 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-05 21:46 <DIR> --d----- c:\program files\iPod
2008-12-05 21:46 <DIR> --d----- c:\program files\iTunes
2008-12-05 21:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-05 21:45 <DIR> --d----- c:\program files\Bonjour
2008-12-05 19:10 <DIR> --d----- c:\program files\Windows Media Connect 2
2008-12-05 19:05 <DIR> --d----- C:\f6f20ea7eff2db474ec36e43f723b9
2008-12-05 11:26 <DIR> --d----- c:\windows\system32\NtmsData
2008-12-03 18:16 250 a------- c:\windows\gmer.ini
2008-12-02 22:10 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2008-12-02 22:10 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-02 22:10 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-02 22:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-02 22:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-02 22:07 <DIR> --d----- c:\program files\SpywareBlaster
2008-12-02 17:56 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2008-12-02 17:56 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2008-12-02 17:56 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-02 17:56 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2008-12-02 17:56 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2008-12-02 17:56 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2008-12-02 17:56 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2008-12-02 17:56 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-02 17:55 6,066,176 -c------ c:\windows\system32\dllcache\ieframe.dll
2008-12-02 09:57 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-02 09:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-02 09:51 <DIR> --d----- c:\program files\Lavasoft
2008-12-02 09:51 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-02 09:33 <DIR> --d----- c:\docume~1\owner\applic~1\ESET
2008-12-02 09:28 <DIR> --d----- c:\program files\ESET
2008-12-02 09:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2008-12-01 21:13 <DIR> --d----- c:\windows\system32\LogFiles
2008-11-11 16:14 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 16:13 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll

==================== Find3M ====================

2008-10-24 03:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-13 19:42 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 04:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 17:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2007-07-19 21:34 502 -------- c:\docume~1\owner\applic~1\wklnhst.dat

============= FINISH: 18:30:14.54 ===============
Attached file: DDS Attach 120608_1832.zip (3.5 KB)
Posted by ChicagoIrish

12-06-2008, 06:46 PM  #4
Manager, Security Center, TSF Academy; Analyst, Security Team

Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,622
OS: 2000 Pro; XP Pro; XP Home


Re: Cross-Infected Laptop AND GMER.EXE ISSUE

Hi ChicagoIrish -

I'm not seeing any active malware in those logs. The machine seems protected.

I do see that you have malwarebytes' antimalware installed. Assuming a scan was run recently, I'd like to see the most recent log in which something was removed. You can access the logs from the Logs tab on the application.

I'd also like you to try to get a log from GMER in safe mode. It's possible that a legitimate driver had a conflict with the scanner. Sometimes, running the GMER scan in safe mode eliminates those conflicts.
Posted by tetonbob
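The review above is done by eye: the helper reads the DDS sections for autorun entries, services and drivers, and recently created files, and looks for anything out of place. As an added illustration (my own code, not part of this thread and not the DDS tool's), the Python script below splits a DDS-style log into its sections and lists three kinds of entries that a reviewer would want to look at by hand: autoruns whose image sits outside the Windows and Program Files trees, service or driver lines where DDS printed empty brackets instead of a date and size (as on the VNUSB.sys line in the second log), and executables created under the Windows directory in the last 30 days. The sample log is constructed in the layout quoted in this thread; most lines are copied from the logs above and the "Updater" autorun is made up to exercise the first check. The heuristics, and the reading of empty brackets as "DDS could not find the file", are my assumptions. The output is a list of review prompts, not verdicts, in the same spirit as the reminder later in the thread that scanner output contains false positives.

```python
import re
from collections import OrderedDict

# Constructed sample in the DDS layout quoted in this thread. Most lines are copied
# from the logs above; the "Updater" autorun is invented to exercise the first check.
SAMPLE_LOG = r"""
DDS (Version 1.0) - NTFSx86

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\ESET\ESET Smart Security\ekrn.exe

============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [Updater] c:\docume~1\owner\locals~1\temp\example-constructed.exe

============= SERVICES / DRIVERS ===============

R2 ekrn;Eset Service;"c:\program files\eset\eset smart security\ekrn.exe" [2008-8-18 468224]
S3 VNUSB;VN Series Device;c:\windows\system32\drivers\VNUSB.sys []

=============== Created Last 30 ================

2008-12-02 22:10 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-02 17:56 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2008-12-02 09:57 <DIR> --d----- c:\program files\Spybot - Search & Destroy

============= FINISH: 18:30:14.54 ===============
"""

# Section banners look like "===== Title =====".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "uRun: [name] command" / "mRun: [name] command" (user / machine Run keys).
AUTORUN_RE = re.compile(r"^(?P<hive>[um]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
# "R2 name;display;command [date size]"; the trailing brackets may be empty.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<cmd>.*)\s\[(?P<meta>[^\]]*)\]$")
# "YYYY-MM-DD HH:MM size|<DIR> attrs path"
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}\s+(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")

# Assumed "expected" locations for autorun images; everything else gets a prompt.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\", "%windir%\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".scr")


def split_sections(text):
    """Map each section title to its non-empty lines; lines before the first banner go under 'header'."""
    sections = OrderedDict()
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def image_path(cmd):
    """Extract the executable path from a command line: quoted path, or first token of a bare one."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd[1:].lower()
    return cmd.split(" ", 1)[0].lower()


def triage(text):
    """Return (category, detail) review prompts for a DDS-style log; an empty list means nothing flagged."""
    findings = []
    sections = split_sections(text)

    # 1. Run-key autoruns whose image lives outside the Windows / Program Files trees.
    for line in sections.get("Pseudo HJT Report", []):
        m = AUTORUN_RE.match(line)
        if m:
            path = image_path(m.group("cmd"))
            if not path.startswith(TRUSTED_PREFIXES):
                findings.append(("autorun-unusual-path", f"{m.group('hive')} [{m.group('name')}] -> {path}"))

    # 2. Services/drivers with empty brackets instead of a date and size
    #    (assumption: DDS could not find the file on disk, so the entry needs a manual look).
    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if m and not m.group("meta").strip():
            findings.append(("driver-no-file-metadata", f"{m.group('name')} -> {image_path(m.group('cmd'))}"))

    # 3. Executables created in the Windows tree in the last 30 days, skipping directories
    #    and the dllcache folder (Windows File Protection cache, where updates land).
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m or m.group("size") == "<DIR>":
            continue
        path = m.group("path").lower()
        if path.startswith("c:\\windows\\") and path.endswith(EXEC_EXT) and "\\dllcache\\" not in path:
            findings.append(("new-exe-in-windows-dir", f"{m.group('date')} {path}"))

    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:26} {detail}")
```

Run against the constructed sample it reports the made-up temp-folder autorun, the VNUSB driver with no recorded file metadata, and the newly created mbam.sys (a legitimate Malwarebytes driver, which is exactly why the output is a prompt for a person to check rather than a detection). Feeding it a real DDS.txt means reading the file and passing its contents to `triage`.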
12-06-2008, 07:43 PM  #5
Registered User

Join Date: Dec 2008
Posts: 21
OS: Windows XP (Home)


Re: Cross-Infected Laptop AND GMER.EXE ISSUE

T.B. -

Man, thanks for the quick reply - I REALLY appreciate it!

I actually have not yet run an AntiMalware scan. Would you like me to?

Also, would it make sense to try to run the GMER in regular mode again or stick with safe? Whichever you wish....

Finally, does it make any difference what order I run the scans in (A.M. then GMER or GMER/A.M.)?

CI
Posted by ChicagoIrish

12-06-2008, 07:48 PM  #6
Manager, Security Center, TSF Academy; Analyst, Security Team

Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,622
OS: 2000 Pro; XP Pro; XP Home


Re: Cross-Infected Laptop AND GMER.EXE ISSUE

Hmm, well, no, I'd rather you not perform any malware removal scans at this time. Also, since you tried twice with GMER in normal mode, and it resulted in a BSOD, just try in safe mode.


Once in safe mode:
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...say NO.
  • Leave all settings at default. Ensure the Show all box is not checked.
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Posted by tetonbob

12-06-2008, 08:19 PM  #7
Registered User

Join Date: Dec 2008
Posts: 21
OS: Windows XP (Home)


Re: Cross-Infected Laptop AND GMER.EXE ISSUE

Hi T.B. -

See GMER log below:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-06 20:10:16
Windows 5.1.2600 Service Pack 3


---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.14 ----
Posted by ChicagoIrish

12-06-2008, 08:28 PM  #8
Manager, Security Center, TSF Academy; Analyst, Security Team

Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,622
OS: 2000 Pro; XP Pro; XP Home


Re: Cross-Infected Laptop AND GMER.EXE ISSUE

Hi again -

Looks fine. No rootkit, no active malware in logs. Any troubles with the machine?

Since you have malwarebytes' antimalware (MBAM) on the machine, update it, run a quick scan, and save a log. Do NOT fix anything with it just yet. I'd like to see if it finds anything, and if so, what, before it gets removed.
Posted by tetonbob

12-06-2008, 08:33 PM  #9
Registered User

Join Date: Dec 2008
Posts: 21
OS: Windows XP (Home)


Re: Cross-Infected Laptop AND GMER.EXE ISSUE

Roger that. Right back....
Posted by ChicagoIrish

12-06-2008, 08:47 PM  #10
Registered User

Join Date: Dec 2008
Posts: 21
OS: Windows XP (Home)


Re: Cross-Infected Laptop AND GMER.EXE ISSUE

Hey Teton -

Here you go. Looks good, no?

Malwarebytes' Anti-Malware 1.31
Database version: 1467
Windows 5.1.2600 Service Pack 3

12/06/08 8:45:57 PM
mbam-log-2008-12-06 (20-45-57).txt

Scan type: Quick Scan
Objects scanned: 69934
Time elapsed: 11 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Posted by ChicagoIrish

12-06-2008, 08:57 PM  #11
Manager, Security Center, TSF Academy; Analyst, Security Team

Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,622
OS: 2000 Pro; XP Pro; XP Home


Re: Cross-Infected Laptop AND GMER.EXE ISSUE

I'd say you're good to go. Any problems with the machine?
Posted by tetonbob

12-06-2008, 09:02 PM  #12
Registered User

Join Date: Dec 2008
Posts: 21
OS: Windows XP (Home)


Re: Cross-Infected Laptop AND GMER.EXE ISSUE

No sir. It seems fine. That's great help, and you were terrific. I really appreciate it.

Would you be able to help me with a bigger issue on my own machine (which really has me worried)? Would I need to post it?

Thanks again, and if you can't help me with my machine - a very Merry Christmas to you!

C.I.
Posted by ChicagoIrish

12-06-2008, 09:04 PM  #13
Manager, Security Center, TSF Academy; Analyst, Security Team

Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,622
OS: 2000 Pro; XP Pro; XP Home


Re: Cross-Infected Laptop AND GMER.EXE ISSUE

That all depends on what the issue is. While I know my way around Windows pretty well, I specialize in malware removal. What's the trouble?
Posted by tetonbob

12-06-2008, 09:17 PM  #14
Registered User

Join Date: Dec 2008
Posts: 21
OS: Windows XP (Home)


Re: Cross-Infected Laptop AND GMER.EXE ISSUE

T.B. -

OK. Here is my post from another forum (that shall go nameless, as I've not heard one thing in reply). While I wrote it with a touch of humor, it is sincere - and worrisome.

If you can't take it on, perhaps you could direct me?

Hi,

I have a problem that is driving me, well, batty. Almost every evening my computer begins to act erratically. Specifically, it freezes and returns to "normal" in what appear to be short cycles.

Actually, it doesn't completely freeze; the CPU usage shoots up to at or near 100%. The mouse stops, then, in response to sliding it back and forth to determine that it is, indeed, not moving, it jerkily follows most of the path the mouse went over. This repeats two or three times, over the course of a minute or so, then it returns to something resembling normal. Then it starts again after another minute or so.

This goes on for hours, maybe all night - I wouldn't know; I get so frustrated with it that I simply shut it down, although I have considered driving a stake through the motherboard. And when I restart it, whether it's that night or the next morning, it's fine.

My first thought was that it was some sort of Scheduled Task, which I almost never use. But I checked that in Control Panel and there's nothing.

Here are the basics on the machine:

Windows XP Home / Version 2002 / SP3
Pentium 4 / 2.53 GHz / 1.25 GB Memory

Thanks.
Posted by ChicagoIrish

12-06-2008, 09:43 PM  #15
Manager, Security Center, TSF Academy; Analyst, Security Team

Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,622
OS: 2000 Pro; XP Pro; XP Home


Re: Cross-Infected Laptop AND GMER.EXE ISSUE

Hi C.I. -

If you've posted at another forum, please let them know you'll no longer require assistance with the issue, in case someone decides to finally review it.

Those symptoms could be several things, but since we're here, let's see if we can eliminate malware as the issue.

Post the logs from GMER and DDS for this machine, and we'll go from there. Also...how old is the machine? Any recent hardware/software changes? Also, have you tried using Task Manager to see what process is causing the spike? I find Process Explorer to be a more useful tool than Windows' native Task manager. Gives full file paths to processes, and a process tree among other useful things.

http://technet.microsoft.com/en-us/s.../bb896653.aspx
Posted by tetonbob

12-06-2008, 11:13 PM  #16
Registered User

Join Date: Dec 2008
Posts: 21
OS: Windows XP (Home)


Re: Cross-Infected Laptop AND GMER.EXE ISSUE

Hi T.B. -

OK. I will surely withdraw my posting on the other site.

Several times I have looked at the running processes when this phenomenon has occurred, but I have not been able to ID the culprit.

Now please understand: I know JUST enough about these things to get myself in trouble (but more than about 85% of the general population, I suspect), and since most people don't know an IT guy personally, they ask me to help - and I try to. But right about here is where I start wading out of the shallow end of the pool and into the deep end!

To answer your questions: I don't remember how old the machine is - somewhere between several and many years! It was rebuilt about three (+/-) years ago - new motherboard, sound and video, DVD drive, etc. But I wouldn't be surprised if it is, in fact, decrepit.

No recent hardware changes, and the only recent software change that I recall is adding Carbonite. I considered that as a suspect, since I felt that it probably ran its backup function more intensely later in the day (less computer use, perhaps, and less www traffic - at least that's my theory), but I can't tell. Besides, I think this started before I got Carbonite, which was only six or eight weeks ago.

Also, one other additional "symptom": there seems to be a pronounced lag between the time emails are sent/delivered and when they show up in Outlook. I haven't been able to pin it down, but it seems to be anywhere from a few minutes to a few hours. They frequently hit my BlackBerry quicker.

(BTW, I got MS Office Ultimate 2007, but DEFINITELY after this problem started - and, as an aside, I got an incredible deal from MS: I'm taking a certificate class at UCSD and so I qualified for the student discount under their "MS Office Ultimate Steal" program - the full suite, everything but Visio and one or two others, normally something like $680, for $59.95. I couldn't pass that up!)

Below are the DDS and GMER logs and attached is the DDS Attach ZIPped file. I'm in California and turning in for the night, so I may not be back. But I really do appreciate your assistance (and speed!) and hope you can help me resolve this one ASAP.


DDS (Version 1.0) - NTFSx86
Run by Scott at 22:46:54.89 on Sat 12/06/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.290 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Adobe\RoboSource Control 3\RSO3MiddleTierService.exe
C:\Program Files\Rosetta Stone\SMS v3.1.0hs\wrapper.exe
C:\WINDOWS\system32\java.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Scott\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://krla870.townhall.com/
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
BHO: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\4.1.509.6972\swg.dll
BHO: {E0019445-4C1F-414D-A70E-AD80F231C584} - c:\windows\system32\inetcntrl\popupkil\BsafeBHO.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {E0019445-4C1F-414D-A70E-AD80F231C584} - c:\windows\system32\inetcntrl\popupkil\BsafeBHO.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [InetCntrl] c:\windows\system32\inetcntrl\InetCntrl.exe
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [SPAMfighter Agent] "c:\program files\spamfighter\SFAgent.exe" update delay 60
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: InetCntrl0011.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 bsofrwl;bsofrwl;c:\windows\system32\drivers\bsofrwl.sys [2008-9-12 29024]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-2-20 33800]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe" [2008-1-11 30312]
R2 ekrn;Eset Service;"c:\program files\eset\eset nod32 antivirus\ekrn.exe" [2008-2-20 472320]
R2 PAR1284;PAR1284;\??\c:\windows\system32\drivers\PAR1284.SYS [2003-12-1 54792]
R2 PPNT;PPNT;\??\c:\windows\system32\drivers\PPNT.SYS [2003-12-1 13824]
R2 RSO3MiddleTierService;RSO3 MiddleTier Service;"c:\program files\adobe\robosource control 3\RSO3MiddleTierService.exe" [2007-9-20 28672]
R2 SMS_v3_1_0;SMS_v3_1_0;"c:\program files\rosetta stone\sms v3.1.0hs\wrapper.exe" -s "c:\program files\rosetta stone\sms v3.1.0hs\service\wrapper.conf" [2007-6-7 204800]
R2 SPAMfighter Update Service;SPAMfighter Update Service;"c:\program files\spamfighter\sfus.exe" [2008-11-18 184968]
R2 WinDefend;Windows Defender;"c:\program files\windows defender\MsMpEng.exe" [2006-11-3 13592]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe" -sMSSMLBIZ [2008-2-26 29183504]
S1 CorexCardScan;CardScan USB Scanner;c:\windows\system32\drivers\slcorex.sys [2003-5-21 8448]
S3 VNUSB;VN Series Device;c:\windows\system32\drivers\VNUSB.sys []

=============== Created Last 30 ================

2008-12-06 22:43 250 a------- c:\windows\gmer.ini
2008-12-06 07:25 32,768 a------- c:\windows\_ds3B.tmp
2008-12-05 06:01 <DIR> --d----- c:\docume~1\scott\applic~1\SPAMfighter
2008-12-05 06:00 <DIR> --d----- c:\program files\common files\Application
2008-12-05 06:00 <DIR> --d----- c:\program files\SPAMfighter
2008-11-27 22:47 38,160 a------- c:\windows\system32\LMRTREND.dll
2008-11-27 22:47 140,800 a------- c:\windows\system32\tm20dec.ax
2008-11-27 22:47 182,032 a------- c:\windows\system32\dxtmsft3.dll
2008-11-27 22:47 221,184 a------- c:\windows\system32\wmpns.dll
2008-11-27 22:47 63,488 a------- c:\windows\system32\unam4ie.exe
2008-11-27 22:47 194,320 a------- c:\windows\system32\qcut.dll
2008-11-27 22:47 11,776 a------- c:\windows\system32\mciqtz.drv
2008-11-27 22:47 10,240 a------- c:\windows\system32\vidx16.dll
2008-11-27 22:47 5,672 a------- c:\windows\system32\quartz.vxd
2008-11-27 22:47 4,608 a------- c:\windows\system32\w95inf32.dll
2008-11-27 22:47 2,272 a------- c:\windows\system32\w95inf16.dll
2008-11-27 22:43 <DIR> --d----- c:\program files\LEGO Media
2008-11-27 22:40 <DIR> --d----- c:\program files\LEGO Island
2008-11-21 12:29 112 a------- c:\windows\WININIT.INI
2008-11-21 09:40 69,632 a------- c:\windows\system32\CrcCtrl.ocx
2008-11-21 09:40 <DIR> --d----- c:\program files\Duplicate Finder
2008-11-21 06:04 1,089,536 a------- c:\windows\system32\ROBOEX32.DLL
2008-11-21 05:37 <DIR> --d----- c:\program files\Garmin GPS Plugin
2008-11-21 05:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\GARMIN
2008-11-21 04:52 <DIR> --d----- c:\program files\Microsoft ActiveSync
2008-11-12 09:06 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 09:06 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-08 12:29 <DIR> --d----- c:\docume~1\scott\applic~1\Windows Search

==================== Find3M ====================

2008-10-30 11:10 37,027 a------- c:\windows\atmoUn.exe
2008-10-24 03:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 14:16 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-10-22 14:16 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 04:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 17:14 1,307,648 -------- c:\windows\system32\msxml6.dll

============= FINISH: 22:47:21.79 ===============

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-06 22:43:56
Windows 5.1.2600 Service Pack 3


---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

---- EOF - GMER 1.0.14 ----
Attached Files
File Type: zip gmer.zip (730.3 KB, 1 views)
ChicagoIrish is offline  
Old 12-07-2008, 07:45 AM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,622
OS: 2000 Pro; XP Pro; XP Home


Re: Cross-Infected Laptop AND GMER.EXE ISSUE

Good morning...The good news is, I see no active malware. The bad news is, that makes pinpointing your issue more difficult, and most likely out of the area of my expertise. That said, we have other sections of the forum where you'd be more readily able to get assistance. Before we do that...

The file you've attached is the GMER executable. Please run DDS once again, perform the secondary scan, and attach the Attach.txt. No need to zip it.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Old 12-07-2008, 11:10 AM   #18 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 21
OS: Windows XP (Home)


Re: Cross-Infected Laptop AND GMER.EXE ISSUE

Hi T.B. -

Hope all is well with you today. The Attach is attached!

C.I.
Attached Files
File Type: txt DDS Attach #2 120708_1103.txt (10.3 KB, 1 views)
ChicagoIrish is offline  
Old 12-07-2008, 01:16 PM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,622
OS: 2000 Pro; XP Pro; XP Home


Re: Cross-Infected Laptop AND GMER.EXE ISSUE

Well, I'm not seeing much I can sink my teeth into. Before sending you off to another section, let me ask how long you have had 8e6Home installed. I've encountered issues on some machines with bsafe online software, whereby the only solution for those machines was to uninstall it.
tetonbob is offline  
Old 12-07-2008, 05:32 PM   #20 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 21
OS: Windows XP (Home)


Re: Cross-Infected Laptop AND GMER.EXE ISSUE

Bsafe has been on for at least two years. Never had a problem with it.

So what's your advice on where to send me?

Thanks again for all your help.

CI
ChicagoIrish is offline  
All times are GMT -7. The time now is 12:59 PM.



Copyright 2001 - 2009, Tech Support Forum