
DDS, attach.txt, GMER & hijack log: for XP that freezes at welcome screen!


The computer boots into Safe Mode but often freezes when running anti-malware software.

Posted below are the GMER, DDS and hijack logs; the attach.txt file is attached.

GMER - http://www.gmer.net

Rootkit scan 2011-05-04 11:53:37

Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3120814A rev.3.AAE

Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwriypob.sys

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\System32\Drivers\sunkfilt39.sys entry point in "init" section [0xF77D7360]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[552] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DA000A

.text C:\WINDOWS\system32\svchost.exe[552] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DB000A

.text C:\WINDOWS\system32\svchost.exe[552] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D9000C

.text C:\WINDOWS\system32\svchost.exe[552] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 0087000A

.text C:\WINDOWS\system32\svchost.exe[552] USER32.dll!WindowFromPoint 7E41BD8E 5 Bytes JMP 0088000A

.text C:\WINDOWS\system32\svchost.exe[552] USER32.dll!GetForegroundWindow 7E41BE4B 5 Bytes JMP 0089000A

.text C:\WINDOWS\system32\svchost.exe[552] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00F4000A

.text C:\WINDOWS\Explorer.EXE[1008] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A

.text C:\WINDOWS\Explorer.EXE[1008] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A

.text C:\WINDOWS\Explorer.EXE[1008] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 84E5639B

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 84E5639B

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 84E5639B

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 84E5639B

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3120814A______________________________3.AAE___#5&115fd1ed&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----


DDS (Ver_11-03-05.01) - NTFSx86 MINIMAL

Run by Administrator at 11:37:14.59 on Wed 05/04/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.68 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Documents and Settings\Administrator\Desktop\gmer.exe

C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============


uStart Page = hxxp://www.emachines.com/

uSearch Bar = hxxp://www.google.com/ie

mSearchAssistant = hxxp://search.live.com/sphome.aspx

mWinlogon: Userinit=userinit.exe,

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: PPCScamBHO Class: {7e3659a6-4bc5-4d93-b3fd-8b5acc2feded} - c:\program files\peoplepc\toolbar\ScamGrd.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll

BHO: PeoplePal Toolbar: {a8fb8eb3-183b-4598-924d-86f0e5e37085} - c:\program files\peoplepc\toolbar\ppctoolbar.dll_7.4.0.0.dll

BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll

BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll

BHO: Java
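Added example (not part of the post above, and not GMER's own code): a small Python triage script that parses the GMER "User code sections" and "Disk sectors" lines from the log above, groups the inline hooks by process, and reconstructs the 5-byte x86 `E9 rel32` JMP each hook would have written, so the expected patch bytes can be compared against a memory dump of the same process. The sample log lines are copied from the log above; the regular expressions are this script's own assumption about the GMER 1.0.15 text layout.

```python
"""Triage helper for a GMER log: pull out user-mode inline hooks and disk
sector findings, and reconstruct the 5-byte JMP each hook would have
written so the result can be cross-checked against a memory dump.

Added example, not part of the forum post or of GMER. The sample lines
below are copied from the posted log; the regexes are this script's own
assumption about how GMER 1.0.15 lays out its text output.
"""
import re
import struct
from collections import defaultdict

# Constructed sample: lines copied from the GMER log in the post.
SAMPLE_LOG = """\
---- User code sections - GMER 1.0.15 ----

.text C:\\WINDOWS\\system32\\svchost.exe[552] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DA000A
.text C:\\WINDOWS\\system32\\svchost.exe[552] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00F4000A
.text C:\\WINDOWS\\Explorer.EXE[1008] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A

---- Disk sectors - GMER 1.0.15 ----

Disk \\Device\\Harddisk0\\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \\Device\\Harddisk0\\DR0 sector 00: rootkit-like behavior
"""

# ".text <image>[<pid>] <module>!<func> <addr> <n> Bytes JMP <target>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<len>\d+)\s+Bytes\s+"
    r"JMP\s+(?P<target>[0-9A-Fa-f]{8})\s*$"
)
# "Disk <device> <finding text>"
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<finding>.+)$")


def parse_hooks(text):
    """Return one dict per user-mode inline-JMP hook line."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append({
                "image": m["image"], "pid": int(m["pid"]),
                "module": m["module"], "func": m["func"],
                "addr": int(m["addr"], 16), "length": int(m["len"]),
                "target": int(m["target"], 16),
            })
    return hooks


def parse_disk_findings(text):
    """Return (device, finding) tuples from the Disk sectors section."""
    return [(m["device"], m["finding"]) for m in
            (DISK_RE.match(l.strip()) for l in text.splitlines()) if m]


def jmp_rel32(src, dst):
    """Bytes of an x86 'E9 rel32' jump placed at src and landing on dst.
    rel32 is relative to the end of the 5-byte instruction, mod 2**32."""
    rel = (dst - (src + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel)


def hooks_by_process(hooks):
    """Map (image path, pid) -> list of 'module!function' hooked there."""
    out = defaultdict(list)
    for h in hooks:
        out[(h["image"], h["pid"])].append(f'{h["module"]}!{h["func"]}')
    return dict(out)


def is_rootkit_finding(finding):
    return "ROOTKIT" in finding.upper()


def triage(text):
    hooks = parse_hooks(text)
    return {
        "hooks": hooks,
        "by_process": hooks_by_process(hooks),
        "disk": [f for f in parse_disk_findings(text) if is_rootkit_finding(f[1])],
    }


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for (image, pid), funcs in r["by_process"].items():
        print(f"{image} [{pid}]: {', '.join(funcs)}")
    for h in r["hooks"]:
        patch = jmp_rel32(h["addr"], h["target"]).hex(" ")
        print(f'  {h["func"]} @ {h["addr"]:08X} -> {h["target"]:08X} patch={patch}')
    for dev, finding in r["disk"]:
        print(f"{dev}: {finding}")
```

For the hook at 7C90D6EE -> 00DA000A the reconstructed patch is `E9 17 29 49 84`. Two things worth noting when reading the output: GMER prints a module path after the JMP target when the detour lands inside a loaded module, and none of these targets has one, which is consistent with injected code rather than a hooking product; and svchost.exe [552] and Explorer.EXE [1008] are patched at the same ntdll.dll export addresses (7C90D6EE, 7C90DFAE), so the same code has been written into more than one process.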

