Tech Support Forum banner
Not open for further replies.
1 - 3 of 3 Posts

36 Posts
Discussion Starter · #1 ·
A friends has been having issues with her laptop running slow, freezing, sometimes "blue screening" etc so I said I'd see if I could find her any help with any of it, but as of an hour or so ago, alot of Google, Yahoo, etc search result links take you to the random BS "search engines". Same story as MANY others - lol
Ive attached the required files. Also if you do happen to see any other major problems probably causing other issues w/the computer, I would Really appreciate it if you'd let me know.
Thank you for your time & assistance! :pray:

DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 13:19:11.13 on Thu 04/07/2011
Internet Explorer: 8.0.6001.19019
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.581 [GMT -5:00]
AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\svchost.exe -k swprv
============== Pseudo HJT Report ===============
uStart Page = hxxp://
mStart Page = hxxp://
mDefault_Page_URL = hxxp://
mSearchAssistant = hxxp://
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: eMusic Toolbar: {9ee802e8-c931-47ab-b570-aa8f791598ca} - c:\program files\emusic\tbeMu1.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
mWinlogon: Userinit=userinit.exe
BHO: Browser Address Error Redirector - No File
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: eMusic Toolbar: {9ee802e8-c931-47ab-b570-aa8f791598ca} - c:\program files\emusic\tbeMu1.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: eMusic Toolbar: {9ee802e8-c931-47ab-b570-aa8f791598ca} - c:\program files\emusic\tbeMu1.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
uRun: [Sidebar] "c:\program files\windows sidebar\sidebar.exe" /autoRun
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [hpqSRMon] "c:\program files\hp\digital imaging\bin\hpqSRMon.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [<NO NAME>]
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
LSP: bmnet.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL,avgrsstx.dll
============= SERVICES / DRIVERS ===============
R0 AFS;AFS;c:\windows\system32\drivers\AFS.SYS [2009-8-22 79052]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-10 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-10 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-10 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-10 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-10 297752]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-11-15 21504]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-9-22 112128]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 McShield;McAfee Real-time Scanner; [x]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2009-10-9 121416]
S3 CAATT;AT&T Con App Svc;c:\program files\at&t\communication manager\ConAppsSvc.exe [2009-10-9 125512]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 GTFFBUS;GT FF BUS;c:\windows\system32\drivers\gtffbus.sys [2007-2-23 17152]
S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;c:\windows\system32\drivers\Gtm51Irp.sys [2007-2-23 122240]
S3 GTUQBUS;GT UQ BUS;c:\windows\system32\drivers\gtuqbus.sys [2007-12-15 36992]
S3 McSysmon;McAfee SystemGuards; [x]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2009-3-31 190080]
S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [2009-5-4 148096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== Created Last 30 ================
2011-04-06 19:32:03 -------- d-----w- c:\program files\whitesmoketoolbar
2011-04-06 18:16:34 398336 ----a-w- c:\windows\system32\TVWizudlg.exe
2011-04-06 18:16:34 140288 ----a-w- c:\windows\system32\igfxtvcx.dll
2011-04-06 18:03:00 -------- d-----w- c:\program files\SystemRequirementsLab
2011-04-05 19:17:47 -------- d-----w- c:\users\owner\appdata\roaming\532D6363306CB8B29623951B4733DA42
2011-04-05 18:05:22 -------- d-----w- c:\program files\ConduitEngine
2011-04-05 18:05:12 -------- d-----w- c:\program files\uTorrentBar
2011-04-05 18:04:57 -------- d-----w- c:\program files\uTorrent
2011-04-05 18:03:41 -------- d-----w- c:\users\owner\appdata\roaming\uTorrent
2011-04-05 17:46:43 -------- d-----w- c:\users\owner\appdata\roaming\WinPatrol
2011-04-05 17:46:25 -------- d-----w- c:\program files\BillP Studios
2011-04-05 17:46:24 -------- d-----w- c:\progra~2\InstallMate
2011-04-05 17:39:38 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{89ce89e7-a82c-4576-b74a-920a183b26d0}\mpengine.dll
2011-03-23 09:00:09 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-23 09:00:09 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-23 09:00:09 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-20 02:17:04 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-20 02:17:04 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-20 02:17:04 177664 ----a-w- c:\windows\system32\
2011-03-20 02:17:04 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-20 02:16:29 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-20 02:16:29 2067968 ----a-w- c:\windows\system32\mstscax.dll
==================== Find3M ====================
2011-02-02 23:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 6.0.6002 Disk: TOSHIBA_MK1637GSX rev.DL050J -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86215439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8621b7d0]; MOV EAX, [0x8621b84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82081912] -> \Device\Harddisk0\DR0[0x85B78490]
3 CLASSPNP[0x885AA8B3] -> ntkrnlpa!IofCallDriver[0x82081912] -> [0x85211850]
5 acpi[0x826966BC] -> ntkrnlpa!IofCallDriver[0x82081912] -> [0x85225390]
\Driver\atapi[0x85E815A8] -> IRP_MJ_CREATE -> 0x86215439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1637GSX_______________________DL050J__#5&32a5c815&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
============= FINISH: 13:21:16.71 ===============


TSF Security Manager, Emeritus
52,196 Posts
Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?


Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.


I don't see a log from GMER rootkit scanner. Was there a problem with that?

I'd like to try to get a log from GMER rootkit scanner.

Let's try this version of gmer.

Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

If you still have troubles, try running the scan in Safe Mode.

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.


If you still have troubles, run the scan with ONLY the Sections and C drive boxes ticked.

Click the image to enlarge it

TSF Security Manager, Emeritus
52,196 Posts
1 - 3 of 3 Posts
Not open for further replies.