
Thread: Redirect Problems San Jose CA

  1. #21
    Member
    Join Date
    May 2010
    Posts
    54

    Redirect Problems in San Jose, CA

    Hi. OTL ran fine with your code pasted in, but I was not able to get GMER to run after multiple tries. I disabled Spybot, Avira and Malwarebytes and started in safe mode, but when I double clicked it to launch the GMER software it began to scan immediately without giving me the GUI interface or letting me uncheck any boxes. And then it crashed and gave me a blue screen that said:

    A problem was detected and windows was shut down to prevent damage.

    DRIVER_IRQL_NOT_LESS_OR_EQUAL

    Technical info:

    stop:0x000000D1 (0x3F3F3F, 0x00000002,0x00000000,0xF77c33ce)
    IdeChnDr.Sys-Address F77C33CE base at F77C3000,DateStamp 3bd89c65

    Beginning dump of physical memory...



    Here's the text from OTL:

    OTL logfile created on: 11/27/2010 12:14:44 PM - Run 2
    OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Joycellen Floyd\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,023.00 Mb Total Physical Memory | 246.00 Mb Available Physical Memory | 24.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 47.00% Paging File free
    Paging file location(s): C:\pagefile.sys 384 768 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.21 Gb Total Space | 11.75 Gb Free Space | 31.57% Space Free | Partition Type: NTFS
    Drive D: | 7.41 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

    Computer Name: DELL | User Name: Joycellen Floyd | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Custom Scans ==========


    < %systemroot%\system32\*.dll /lockedfiles >
    [2009/03/08 03:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
    [2009/03/08 03:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
    [2010/09/09 21:58:05 | 000,184,320 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iepeers.dll

    < C:\WINDOWS\system32\DRIVERS\avgntflt.sys /md5 >
    [2010/11/22 18:18:34 | 000,061,960 | ---- | M] (Avira GmbH) MD5=47B879406246FFDCED59E18D331A0E7D -- C:\WINDOWS\system32\drivers\avgntflt.sys

    < C:\WINDOWS\system32\drivers\wdmaud.sys /md5 >
    [2008/04/13 11:17:18 | 000,083,072 | ---- | M] (Microsoft Corporation) MD5=6768ACF64B18196494413695F0C3A00F -- C:\WINDOWS\system32\drivers\wdmaud.sys

    < C:\WINDOWS\System32\Drivers\IdeChnDr.sys /md5 >
    [2001/11/06 00:00:00 | 000,087,018 | ---- | M] (Intel Corporation) MD5=B5E01B50B08B440018F437AEBED0BCCF -- C:\WINDOWS\system32\drivers\IdeChnDr.sys

    < End of report >
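As an added example (not part of the thread, and not output of any tool mentioned in it), a small Python decoder for a Stop 0xD1 screen like the one quoted above: it splits the four bugcheck parameters into their documented meanings (address referenced, IRQL, access type, faulting instruction), computes the faulting instruction's offset inside the named driver image, and converts the hex DateStamp into the driver's link date. The sample text is constructed from the post; the module-line format assumed is the one shown there.

```python
"""Decode a Stop 0xD1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL) screen pasted as text.

Bugcheck 0xD1 parameters: (1) memory address referenced, (2) IRQL at the
time of the reference, (3) access type (0 read, 1 write, 8 execute),
(4) address of the instruction that made the reference. The second line
names the driver whose image contains that instruction, its load base and
its PE link timestamp (seconds since the Unix epoch, in hex).
"""
import re
from datetime import datetime, timezone

# Constructed from the stop screen quoted in the post above, not a live capture.
BSOD_TEXT = """\
stop:0x000000D1 (0x3F3F3F, 0x00000002,0x00000000,0xF77c33ce)
IdeChnDr.Sys-Address F77C33CE base at F77C3000,DateStamp 3bd89c65
"""

STOP_RE = re.compile(r"stop:\s*0x([0-9a-f]+)\s*\(([^)]*)\)", re.I)
# Assumed layout of the module line, matching the text in the post.
MODULE_RE = re.compile(
    r"(?P<module>[\w.]+)-Address\s+(?P<addr>[0-9a-f]+)\s+base\s+at\s+(?P<base>[0-9a-f]+)"
    r"\s*,\s*DateStamp\s+(?P<stamp>[0-9a-f]+)",
    re.I,
)

IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}
ACCESS_TYPES = {0: "read", 1: "write", 8: "execute"}


def decode_stop_d1(text):
    """Return a dict describing the crash; raise ValueError on malformed input."""
    stop = STOP_RE.search(text)
    if stop is None:
        raise ValueError("no 'stop:' line found")
    code = int(stop.group(1), 16)
    if code != 0xD1:
        raise ValueError(f"expected bugcheck 0xD1, got 0x{code:X}")
    params = [int(p, 16) for p in stop.group(2).replace(" ", "").split(",")]
    if len(params) != 4:
        raise ValueError(f"expected 4 parameters, got {len(params)}")
    referenced, irql, access, faulting = params

    result = {
        "referenced_address": referenced,
        "irql": irql,
        "irql_name": IRQL_NAMES.get(irql, f"level {irql}"),
        "access": ACCESS_TYPES.get(access, f"type {access}"),
        "faulting_address": faulting,
        "module": None,
    }

    mod = MODULE_RE.search(text)
    if mod is not None:
        base = int(mod.group("base"), 16)
        addr = int(mod.group("addr"), 16)
        stamp = int(mod.group("stamp"), 16)
        result["module"] = {
            "name": mod.group("module"),
            "base": base,
            # Offset of the faulting instruction inside the driver image; this
            # is the value a symbol file or disassembler would be asked about.
            "offset": faulting - base,
            # The screen repeats parameter 4 as the module address; a mismatch
            # would mean the two lines were copied from different crashes.
            "address_consistent": addr == faulting,
            "link_time": datetime.fromtimestamp(stamp, tz=timezone.utc),
        }
    return result


def summarize(text):
    """One-line summary of the decoded crash."""
    r = decode_stop_d1(text)
    line = (f"0xD1: {r['access']} of 0x{r['referenced_address']:08X} at "
            f"{r['irql_name']} (IRQL {r['irql']}) from 0x{r['faulting_address']:08X}")
    if r["module"]:
        m = r["module"]
        line += f" = {m['name']}+0x{m['offset']:X}, linked {m['link_time']:%Y-%m-%d}"
    return line


if __name__ == "__main__":
    print(summarize(BSOD_TEXT))
```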

  2. #22
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello Jack,

    I need you to upload a few suspicious files to VirusTotal (VT) for an online scan. Click here.
    • Click on the Browse button or the white box beside it. A File Upload prompt will open.
    • Copy and paste the following file and its path to upload:
      Code:
      C:\WINDOWS\system32\DRIVERS\avgntflt.sys
    • Press Open, then Send file. The file will be uploaded for testing.
    • If there is any indication or prompt that the file has been scanned before, please proceed to have the file rescanned or reanalyzed.
    • Please wait for all the scanners to finish, then copy and paste the result into Notepad and save it to a convenient place.
    • Repeat for
      Code:
      C:\WINDOWS\System32\Drivers\IdeChnDr.sys
      C:\WINDOWS\system32\dxtmsft.dll
      C:\WINDOWS\system32\dxtrans.dll
      C:\WINDOWS\system32\iepeers.dll
    • Post the results in your next response.


    Alternatively, if VirusTotal is busy or inaccessible, you may try Jotti or VirScan (VS) with similar steps.

    A result from either one of the above scanners would be sufficient.

    --------------------

    Please post back:
    1. the VT / Jotti / VS results

  3. #23
    Member
    Join Date
    May 2010
    Posts
    54

    Redirect Problems in San Jose, CA

    Here's the result of the VirusTotal scans:


    1)

    0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
    File name:
    avgntflt.sys
    Submission date:
    2010-11-30 02:27:07 (UTC)
    Current status:
    queued (#1) queued (#1) analysing finished
    Result:
    0/ 43 (0.0%)

    Antivirus Version Last Update Result
    AhnLab-V3 2010.11.30.00 2010.11.29 -
    AntiVir 7.10.14.136 2010.11.29 -
    Antiy-AVL 2.0.3.7 2010.11.30 -
    Avast 4.8.1351.0 2010.11.29 -
    Avast5 5.0.677.0 2010.11.29 -
    AVG 9.0.0.851 2010.11.30 -
    BitDefender 7.2 2010.11.30 -
    CAT-QuickHeal 11.00 2010.11.29 -
    ClamAV 0.96.4.0 2010.11.30 -
    Command 5.2.11.5 2010.11.30 -
    Comodo 6896 2010.11.30 -
    DrWeb 5.0.2.03300 2010.11.30 -
    Emsisoft 5.0.0.50 2010.11.30 -
    eSafe 7.0.17.0 2010.11.29 -
    eTrust-Vet 36.1.8007 2010.11.29 -
    F-Prot 4.6.2.117 2010.11.29 -
    F-Secure 9.0.16160.0 2010.11.30 -
    Fortinet 4.2.254.0 2010.11.29 -
    GData 21 2010.11.30 -
    Ikarus T3.1.1.90.0 2010.11.30 -
    Jiangmin 13.0.900 2010.11.29 -
    K7AntiVirus 9.69.3115 2010.11.29 -
    Kaspersky 7.0.0.125 2010.11.29 -
    McAfee 5.400.0.1158 2010.11.30 -
    McAfee-GW-Edition 2010.1C 2010.11.29 -
    Microsoft 1.6402 2010.11.29 -
    NOD32 5659 2010.11.29 -
    Norman 6.06.10 2010.11.29 -
    nProtect 2010-11-29.01 2010.11.29 -
    Panda 10.0.2.7 2010.11.29 -
    PCTools 7.0.3.5 2010.11.30 -
    Prevx 3.0 2010.11.30 -
    Rising 22.75.06.04 2010.11.30 -
    Sophos 4.60.0 2010.11.29 -
    SUPERAntiSpyware 4.40.0.1006 2010.11.30 -
    Symantec 20101.2.0.161 2010.11.29 -
    TheHacker 6.7.0.1.093 2010.11.30 -
    TrendMicro 9.120.0.1004 2010.11.29 -
    TrendMicro-HouseCall 9.120.0.1004 2010.11.30 -
    VBA32 3.12.14.2 2010.11.29 -
    VIPRE 7450 2010.11.30 -
    ViRobot 2010.11.29.4175 2010.11.29 -
    VirusBuster 13.6.66.0 2010.11.29 -
    Additional information
    MD5 : 47b879406246ffdced59e18d331a0e7d
    SHA1 : 839b4f08cae589f91cae2685e651926fed017706
    SHA256: afe467f41eb8db905abe0478eaeb75ea16ee7b39470d56968210c191ed96418c
    ssdeep: 1536:QBhB9hgPhAOoImEMuLQlstdoytJFAkNfD:6B9hoOOoDZuLQGtdoyVA2
    File size : 61960 bytes
    First seen: 2010-11-22 10:17:48
    Last seen : 2010-11-30 02:27:07
    TrID:
    Win32 Executable Generic (68.0%)
    Generic Win/DOS Executable (15.9%)
    DOS Executable Generic (15.9%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    sigcheck:
    publisher....: Avira GmbH
    copyright....: Copyright (c) 1996-2009 Avira GmbH. All rights reserved.
    product......: AntiVir Workstation
    description..: Avira Minifilter Driver
    original name: avgntflt.sys
    internal name: avgntflt.sys
    file version.: 10.00.08.07
    comments.....: Avira Minifilter Driver - fre_win7_x86
    signers......: Avira GmbH
    VeriSign Class 3 Code Signing 2004 CA
    Class 3 Public Primary Certification Authority
    signing date.: 6:05 PM 11/11/2010
    verified.....: -
    PEInfo: PE structure information

    [[ basic data ]]
    entrypointaddress: 0x1174A
    timedatestamp....: 0x4CDC11C7 (Thu Nov 11 15:54:47 2010)
    machinetype......: 0x14c (I386)

    [[ 8 section(s) ]]
    name, viradd, virsiz, rawdsiz, ntropy, md5
    .text, 0x1000, 0x7DBA, 0x7E00, 6.44, 7831b8ed2fbc42b8186a5f8a9872fe64
    NONPAGED, 0x9000, 0x15, 0x200, 0.23, 2d3d4c9db47a525fab5be72a9b38f91a
    .rdata, 0xA000, 0x694, 0x800, 3.57, 5c22563829ba936fc02ccc5255583112
    .data, 0xB000, 0x36E0, 0x200, 1.37, de8cbc28c7e7d6ddccf7cc2dee8206c8
    PAGE, 0xF000, 0x1832, 0x1A00, 6.09, 10b17bf5d26b5ecc3d20f466b42ed3bd
    INIT, 0x11000, 0x17C4, 0x1800, 5.94, 8aeae19f5bd9f9602eb6403f893652e0
    .rsrc, 0x13000, 0x538, 0x600, 3.07, eef6122de9431a83a9094c5c9a138fa9
    .reloc, 0x14000, 0x1000, 0x1000, 5.96, 4881fe98a2293bb46f0f7f1af8fd054a

    [[ 3 import(s) ]]
    ntoskrnl.exe: RtlCompareUnicodeString, ZwReadFile, memset, ZwSetInformationFile, ZwQueryInformationFile, RtlFreeUnicodeString, wcsncat, RtlAnsiStringToUnicodeString, RtlInitAnsiString, KeQuerySystemTime, RtlLengthSid, RtlValidSid, SeQueryInformationToken, IoIsSystemThread, PsGetCurrentProcessId, IoThreadToProcess, ExInitializePagedLookasideList, strncpy, MmMapLockedPagesSpecifyCache, RtlNtStatusToDosError, memmove, PsGetCurrentThreadId, ExDeletePagedLookasideList, ExDeleteResourceLite, RtlLookupElementGenericTableAvl, ObfDereferenceObject, KeBugCheckEx, IoGetTopLevelIrp, RtlInsertElementGenericTableAvl, PsRevertToSelf, SeImpersonateClientEx, KeWaitForMultipleObjects, ObReferenceObjectByHandle, PsCreateSystemThread, IoCreateSymbolicLink, IoCreateDevice, KeClearEvent, ExInitializeResourceLite, KeQueryTimeIncrement, MmGetSystemRoutineAddress, ZwWriteFile, ZwClose, IoDeleteDevice, IoDeleteSymbolicLink, KeTickCount, RtlUnwind, RtlDeleteElementGenericTableAvl, ZwOpenKey, PsSetCreateProcessNotifyRoutine, ZwQueryValueKey, ZwQuerySymbolicLinkObject, ZwOpenSymbolicLinkObject, IoWriteErrorLogEntry, IoAllocateErrorLogEntry, RtlCopyUnicodeString, RtlUpcaseUnicodeString, toupper, RtlCompareMemory, RtlEnumerateGenericTableWithoutSplayingAvl, IoGetDeviceObjectPointer, IofCallDriver, IoBuildDeviceIoControlRequest, RtlGetVersion, KeNumberProcessors, SeTokenType, PsDereferencePrimaryToken, PsDereferenceImpersonationToken, memcpy, _wcsupr, ExAcquireResourceSharedLite, IoGetCurrentProcess, KeWaitForSingleObject, KeResetEvent, KeEnterCriticalRegion, ExAcquireResourceExclusiveLite, ExReleaseResourceLite, KeLeaveCriticalRegion, KeSetEvent, PsTerminateSystemThread, RtlInitUnicodeString, IoCreateSynchronizationEvent, _allmul, KeDelayExecutionThread, RtlInitializeGenericTableAvl, ExFreePoolWithTag, ExAllocatePoolWithTag, SeCreateClientSecurity, IoGetStackLimits, KeGetCurrentThread, InterlockedPushEntrySList, InterlockedPopEntrySList, IofCompleteRequest, KeInitializeEvent
    HAL.dll: ExAcquireFastMutex, ExReleaseFastMutex, KeGetCurrentIrql
    FLTMGR.SYS: FltRegisterFilter, FltBuildDefaultSecurityDescriptor, FltCreateCommunicationPort, FltFreeSecurityDescriptor, FltStartFiltering, FltObjectReference, FltObjectDereference, FltCancelFileOpen, FltReferenceFileNameInformation, FltReferenceContext, FltCloseClientPort, FltCloseCommunicationPort, FltUnregisterFilter, FltDeleteContext, FltDoCompletionProcessingWhenSafe, FltGetFileNameInformation, FltParseFileNameInformation, FltSetStreamHandleContext, FltGetStreamHandleContext, FltGetInstanceContext, FltSendMessage, FltCreateFile, FltClose, FltGetVolumeProperties, FltAllocateContext, FltSetInstanceContext, FltReleaseContext, FltReleaseFileNameInformation, FltGetRoutineAddress


    2)
    Antivirus Version Last Update Result
    AhnLab-V3 2010.11.30.00 2010.11.29 -
    AntiVir 7.10.14.136 2010.11.29 -
    Antiy-AVL 2.0.3.7 2010.11.30 -
    Avast 4.8.1351.0 2010.11.29 -
    Avast5 5.0.677.0 2010.11.29 -
    AVG 9.0.0.851 2010.11.30 -
    BitDefender 7.2 2010.11.30 -
    CAT-QuickHeal 11.00 2010.11.29 -
    ClamAV 0.96.4.0 2010.11.30 -
    Command 5.2.11.5 2010.11.30 -
    Comodo 6896 2010.11.30 -
    DrWeb 5.0.2.03300 2010.11.30 -
    Emsisoft 5.0.0.50 2010.11.30 -
    eSafe 7.0.17.0 2010.11.29 -
    eTrust-Vet 36.1.8007 2010.11.29 -
    F-Prot 4.6.2.117 2010.11.29 -
    Fortinet 4.2.254.0 2010.11.29 -
    GData 21 2010.11.30 -
    Ikarus T3.1.1.90.0 2010.11.30 -
    Jiangmin 13.0.900 2010.11.29 -
    K7AntiVirus 9.69.3115 2010.11.29 -
    Kaspersky 7.0.0.125 2010.11.29 -
    McAfee 5.400.0.1158 2010.11.30 -
    McAfee-GW-Edition 2010.1C 2010.11.29 -
    Microsoft 1.6402 2010.11.29 -
    NOD32 5659 2010.11.29 -
    Norman 6.06.10 2010.11.29 -
    nProtect 2010-11-29.01 2010.11.29 -
    Panda 10.0.2.7 2010.11.29 -
    PCTools 7.0.3.5 2010.11.30 -
    Prevx 3.0 2010.11.30 -
    Rising 22.75.06.04 2010.11.30 -
    Sophos 4.60.0 2010.11.30 -
    SUPERAntiSpyware 4.40.0.1006 2010.11.30 -
    Symantec 20101.2.0.161 2010.11.29 -
    TheHacker 6.7.0.1.093 2010.11.30 -
    TrendMicro 9.120.0.1004 2010.11.29 -
    TrendMicro-HouseCall 9.120.0.1004 2010.11.30 -
    VBA32 3.12.14.2 2010.11.29 -
    VIPRE 7450 2010.11.30 -
    ViRobot 2010.11.29.4175 2010.11.29 -
    VirusBuster 13.6.66.0 2010.11.29 -
    Additional information
    MD5 : b5e01b50b08b440018f437aebed0bccf
    SHA1 : f02673d227cf6c7497ab285313fd8a93768f5cf4
    SHA256: d4d478743d0590595413afe4fe5d71e7c54c72fb947200987a8b6cdcd284e0d1

    3)

    File name:
    dxtmsft.dll
    Submission date:
    2010-11-30 02:56:43 (UTC)
    Current status:
    queued (#4) queued (#4) analysing finished
    Result:
    0/ 43 (0.0%)

    Antivirus Version Last Update Result
    AhnLab-V3 2010.11.30.00 2010.11.29 -
    AntiVir 7.10.14.136 2010.11.29 -
    Antiy-AVL 2.0.3.7 2010.11.30 -
    Avast 4.8.1351.0 2010.11.29 -
    Avast5 5.0.677.0 2010.11.29 -
    AVG 9.0.0.851 2010.11.30 -
    BitDefender 7.2 2010.11.30 -
    CAT-QuickHeal 11.00 2010.11.29 -
    ClamAV 0.96.4.0 2010.11.30 -
    Command 5.2.11.5 2010.11.30 -
    Comodo 6896 2010.11.30 -
    DrWeb 5.0.2.03300 2010.11.30 -
    Emsisoft 5.0.0.50 2010.11.30 -
    eSafe 7.0.17.0 2010.11.29 -
    eTrust-Vet 36.1.8007 2010.11.29 -
    F-Prot 4.6.2.117 2010.11.29 -
    F-Secure 9.0.16160.0 2010.11.30 -
    Fortinet 4.2.254.0 2010.11.29 -
    GData 21 2010.11.30 -
    Ikarus T3.1.1.90.0 2010.11.30 -
    Jiangmin 13.0.900 2010.11.29 -
    K7AntiVirus 9.69.3115 2010.11.29 -
    Kaspersky 7.0.0.125 2010.11.29 -
    McAfee 5.400.0.1158 2010.11.30 -
    McAfee-GW-Edition 2010.1C 2010.11.29 -
    Microsoft 1.6402 2010.11.29 -
    NOD32 5659 2010.11.29 -
    Norman 6.06.10 2010.11.29 -
    nProtect 2010-11-29.01 2010.11.29 -
    Panda 10.0.2.7 2010.11.29 -
    PCTools 7.0.3.5 2010.11.30 -
    Prevx 3.0 2010.11.30 -
    Rising 22.75.06.04 2010.11.30 -
    Sophos 4.60.0 2010.11.30 -
    SUPERAntiSpyware 4.40.0.1006 2010.11.30 -
    Symantec 20101.2.0.161 2010.11.29 -
    TheHacker 6.7.0.1.093 2010.11.30 -
    TrendMicro 9.120.0.1004 2010.11.29 -
    TrendMicro-HouseCall 9.120.0.1004 2010.11.30 -
    VBA32 3.12.14.2 2010.11.29 -
    VIPRE 7450 2010.11.30 -
    ViRobot 2010.11.29.4175 2010.11.29 -
    VirusBuster 13.6.66.0 2010.11.29 -

    4)

    0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
    File name:
    dxtrans.dll
    Submission date:
    2010-11-30 03:00:30 (UTC)
    Current status:
    queued (#1) queued (#1) analysing finished
    Result:
    0/ 43 (0.0%)

    Antivirus Version Last Update Result
    AhnLab-V3 2010.11.30.00 2010.11.29 -
    AntiVir 7.10.14.136 2010.11.29 -
    Antiy-AVL 2.0.3.7 2010.11.30 -
    Avast 4.8.1351.0 2010.11.29 -
    Avast5 5.0.677.0 2010.11.29 -
    AVG 9.0.0.851 2010.11.30 -
    BitDefender 7.2 2010.11.30 -
    CAT-QuickHeal 11.00 2010.11.29 -
    ClamAV 0.96.4.0 2010.11.30 -
    Command 5.2.11.5 2010.11.30 -
    Comodo 6896 2010.11.30 -
    DrWeb 5.0.2.03300 2010.11.30 -
    Emsisoft 5.0.0.50 2010.11.30 -
    eSafe 7.0.17.0 2010.11.29 -
    eTrust-Vet 36.1.8007 2010.11.29 -
    F-Prot 4.6.2.117 2010.11.29 -
    F-Secure 9.0.16160.0 2010.11.30 -
    Fortinet 4.2.254.0 2010.11.29 -
    GData 21 2010.11.30 -
    Ikarus T3.1.1.90.0 2010.11.30 -
    Jiangmin 13.0.900 2010.11.29 -
    K7AntiVirus 9.69.3115 2010.11.29 -
    Kaspersky 7.0.0.125 2010.11.29 -
    McAfee 5.400.0.1158 2010.11.30 -
    McAfee-GW-Edition 2010.1C 2010.11.29 -
    Microsoft 1.6402 2010.11.29 -
    NOD32 5659 2010.11.29 -
    Norman 6.06.10 2010.11.29 -
    nProtect 2010-11-29.01 2010.11.29 -
    Panda 10.0.2.7 2010.11.29 -
    PCTools 7.0.3.5 2010.11.30 -
    Prevx 3.0 2010.11.30 -
    Rising 22.75.06.04 2010.11.30 -
    Sophos 4.60.0 2010.11.30 -
    SUPERAntiSpyware 4.40.0.1006 2010.11.30 -
    Symantec 20101.2.0.161 2010.11.29 -
    TheHacker 6.7.0.1.093 2010.11.30 -
    TrendMicro 9.120.0.1004 2010.11.29 -
    TrendMicro-HouseCall 9.120.0.1004 2010.11.30 -
    VBA32 3.12.14.2 2010.11.29 -
    VIPRE 7450 2010.11.30 -
    ViRobot 2010.11.29.4175 2010.11.29 -
    VirusBuster 13.6.66.0 2010.11.29 -
    Additional information
    MD5 : 5e1a0476e009a1930a524dff4ca13982
    SHA1 : e43784c51aa4a14122c5e880059c145609ddf0c2
    SHA256: 02635287787412c2075f48a1bba60b2705c13f5e0d82f82c8c048ed9d8ab5f26

    5)

    0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
    File name:
    iepeers.dll
    Submission date:
    2010-11-30 03:03:14 (UTC)
    Current status:
    queued (#16) queued (#6) analysing finished
    Result:
    0/ 43 (0.0%)

    Antivirus Version Last Update Result
    AhnLab-V3 2010.11.30.00 2010.11.29 -
    AntiVir 7.10.14.136 2010.11.29 -
    Antiy-AVL 2.0.3.7 2010.11.30 -
    Avast 4.8.1351.0 2010.11.29 -
    Avast5 5.0.677.0 2010.11.29 -
    AVG 9.0.0.851 2010.11.30 -
    BitDefender 7.2 2010.11.30 -
    CAT-QuickHeal 11.00 2010.11.29 -
    ClamAV 0.96.4.0 2010.11.30 -
    Command 5.2.11.5 2010.11.30 -
    Comodo 6896 2010.11.30 -
    DrWeb 5.0.2.03300 2010.11.30 -
    Emsisoft 5.0.0.50 2010.11.30 -
    eSafe 7.0.17.0 2010.11.29 -
    eTrust-Vet 36.1.8007 2010.11.29 -
    F-Prot 4.6.2.117 2010.11.29 -
    F-Secure 9.0.16160.0 2010.11.30 -
    Fortinet 4.2.254.0 2010.11.29 -
    GData 21 2010.11.30 -
    Ikarus T3.1.1.90.0 2010.11.30 -
    Jiangmin 13.0.900 2010.11.29 -
    K7AntiVirus 9.69.3115 2010.11.29 -
    Kaspersky 7.0.0.125 2010.11.29 -
    McAfee 5.400.0.1158 2010.11.30 -
    McAfee-GW-Edition 2010.1C 2010.11.29 -
    Microsoft 1.6402 2010.11.29 -
    NOD32 5659 2010.11.29 -
    Norman 6.06.10 2010.11.29 -
    nProtect 2010-11-29.01 2010.11.29 -
    Panda 10.0.2.7 2010.11.29 -
    PCTools 7.0.3.5 2010.11.30 -
    Prevx 3.0 2010.11.30 -
    Rising 22.76.00.01 2010.11.30 -
    Sophos 4.60.0 2010.11.30 -
    SUPERAntiSpyware 4.40.0.1006 2010.11.30 -
    Symantec 20101.2.0.161 2010.11.29 -
    TheHacker 6.7.0.1.093 2010.11.30 -
    TrendMicro 9.120.0.1004 2010.11.29 -
    TrendMicro-HouseCall 9.120.0.1004 2010.11.30 -
    VBA32 3.12.14.2 2010.11.29 -
    VIPRE 7450 2010.11.30 -
    ViRobot 2010.11.29.4175 2010.11.29 -
    VirusBuster 13.6.66.0 2010.11.29 -
    Additional information
    MD5 : 9544f6b5812a7634747020e4a6d4d2a5
    SHA1 : be22d5142a0102c29520b7b30dc24f3e2a904779
    SHA256: 375d91765e08f981f12e28b254adad0bb32eecc722e767f4795aeca348378972
    ssdeep: 3072:ndxZT3IHHLyyXwHDV0Lp1eIIEnE9Fuut9WQd0MlPGMUdjsnWQHS81yBI5M:/+NXwHJ0LWIIEeHt9WuPpnWgk9
    File size : 184320 bytes
    First seen: 2010-10-12 17:10:16
    Last seen : 2010-11-30 03:03:14
    TrID:
    Windows OCX File (71.0%)
    Win32 Executable MS Visual C++ (generic) (21.6%)
    Win32 Executable Generic (4.9%)
    Generic Win/DOS Executable (1.1%)
    DOS Executable Generic (1.1%)
    sigcheck:
    publisher....: Microsoft Corporation
    copyright....: (c) Microsoft Corporation. All rights reserved.
    product......: Windows_ Internet Explorer
    description..: Internet Explorer Peer Objects
    original name: iepeers.dll
    internal name: iepeers.dll
    file version.: 8.00.6001.18968 (longhorn_ie8_gdr.100824-1830)
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    PEInfo: PE structure information

    [[ basic data ]]
    entrypointaddress: 0x1589
    timedatestamp....: 0x4C89C8ED (Fri Sep 10 05:58:05 2010)
    machinetype......: 0x14c (I386)

    [[ 4 section(s) ]]
    name, viradd, virsiz, rawdsiz, ntropy, md5
    .text, 0x1000, 0x1DC38, 0x1DE00, 6.35, 184789ca29255fe79b117100e3eecc88
    .data, 0x1F000, 0xCE0, 0xE00, 1.53, 1c72698ab4fc2415819a5c41d4af08d7
    .rsrc, 0x20000, 0xC4D0, 0xC600, 4.71, 2dd7d48a351da7de5bda739400446f86
    .reloc, 0x2D000, 0x19D8, 0x1A00, 6.59, 0b28464b56662ee60a1cdcc4fca9ab0f

    [[ 13 import(s) ]]
    msvcrt.dll: _adjust_fdiv, _amsg_exit, _initterm, wcstol, wcschr, _wcsicmp, free, malloc, __dllonexit, _wcsnicmp, _ltow, _purecall, _vsnwprintf, __2@YAPAXI@Z, bsearch, wcsncmp, memset, memcpy, memmove, realloc, _unlock, _lock, _onexit, _XcptFilter, _wtoi, __3@YAXPAX@Z
    KERNEL32.dll: LocalAlloc, ReleaseActCtx, ActivateActCtx, DeactivateActCtx, InitializeCriticalSectionAndSpinCount, SetLastError, FindResourceExW, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, SearchPathW, CreateActCtxW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, RtlUnwind, InterlockedCompareExchange, Sleep, InterlockedExchange, GetTimeFormatW, GetDateFormatW, GetLocalTime, GetProcAddress, LoadLibraryW, GetLocaleInfoW, MulDiv, GlobalUnlock, GlobalLock, LocalFree, GetDiskFreeSpaceA, WriteFile, GetSystemTimeAsFileTime, GetLastError, InterlockedDecrement, InterlockedIncrement, FileTimeToSystemTime, SystemTimeToFileTime, CompareStringW, LoadLibraryA, GetModuleFileNameA, GetFullPathNameA, SearchPathA, LoadLibraryExA, GetVersionExW, GetModuleFileNameW, lstrlenW, LoadLibraryExW, FindResourceW, LoadResource, SizeofResource, lstrlenA, FreeLibrary, CreateFileW, CreateFileMappingW, CloseHandle, MapViewOfFile, UnmapViewOfFile, MultiByteToWideChar, EnterCriticalSection, LeaveCriticalSection, GetCurrentThreadId, GetModuleHandleW, InitializeCriticalSection, DeleteCriticalSection, HeapDestroy, DisableThreadLibraryCalls, GetUserDefaultLCID, GlobalAlloc, GlobalFree, CompareFileTime
    ADVAPI32.dll: GetUserNameW, RegEnumKeyExW, RegOpenKeyExW, RegCreateKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegQueryValueExW, RegSetValueExW, RegQueryInfoKeyW
    SHLWAPI.dll: -, StrCmpW, -, PathAddBackslashW, SHRegGetValueW, StrCpyW, -, -, -, StrCmpIW, StrCpyNW, PathFindFileNameW, -, wnsprintfW, PathCombineA, PathAppendA, StrCmpNIW, StrDupW, SHGetValueW
    ole32.dll: CreateBindCtx, CoCreateInstance, CoTaskMemFree, CoTaskMemAlloc, CoTaskMemRealloc, CLSIDFromProgID, CLSIDFromString, CreateStreamOnHGlobal
    OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
    GDI32.dll: EndPage, StartDocW, EndDoc, CreateICW, GetDeviceCaps, SetViewportOrgEx, AbortDoc, StartPage, DeleteDC, CreateDCW
    USER32.dll: GetDesktopWindow, CharNextW, MessageBoxW, LoadStringW
    urlmon.dll: FaultInIEFeature, CoInternetParseUrl, CreateUri, CoInternetCombineUrlEx, RegisterBindStatusCallback, CoInternetCreateSecurityManager
    WININET.dll: CreateUrlCacheContainerA, InternetCombineUrlW, InternetQueryOptionW, InternetGetConnectedStateExW, RetrieveUrlCacheEntryStreamW, GetUrlCacheEntryInfoW, FindCloseUrlCache, FindNextUrlCacheEntryW, FindFirstUrlCacheEntryW, InternetCrackUrlW, CommitUrlCacheEntryW, CreateUrlCacheEntryW, UnlockUrlCacheEntryStream, ReadUrlCacheEntryStream, DeleteUrlCacheEntryW
    SHELL32.dll: -, SHGetFolderPathA, -, -, SHGetDesktopFolder
    WINSPOOL.DRV: OpenPrinterW, GetPrinterW, DocumentPropertiesW, DeviceCapabilitiesW, ClosePrinter
    iertutil.dll: -, -, -, -, -

    [[ 5 export(s) ]]
    DllCanUnloadNow, DllEnumClassObjects, DllGetClassObject, DllRegisterServer, DllUnregisterServer
    ExifTool:
    file metadata
    CharacterSet: Unicode
    CodeSize: 122368
    CompanyName: Microsoft Corporation
    EntryPoint: 0x1589
    FileDescription: Internet Explorer Peer Objects
    FileFlagsMask: 0x003f
    FileOS: Windows NT 32-bit
    FileSize: 180 kB
    FileSubtype: 0
    FileType: Win32 DLL
    FileVersion: 8.00.6001.18968 (longhorn_ie8_gdr.100824-1830)
    FileVersionNumber: 8.0.6001.18968
    ImageVersion: 6.0
    InitializedDataSize: 60928
    InternalName: iepeers.dll
    LanguageCode: English (U.S.)
    LegalCopyright: Microsoft Corporation. All rights reserved.
    LinkerVersion: 8.0
    MIMEType: application/octet-stream
    MachineType: Intel 386 or later, and compatibles
    OSVersion: 6.0
    ObjectFileType: Dynamic link library
    OleSelfRegister:
    OriginalFilename: iepeers.dll
    PEType: PE32
    ProductName: Windows Internet Explorer
    ProductVersion: 8.00.6001.18968
    ProductVersionNumber: 8.0.6001.18968
    Subsystem: Windows GUI
    SubsystemVersion: 5.1
    TimeStamp: 2010:09:10 07:58:05+02:00
    UninitializedDataSize: 0


  4. #24
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello Jack,

    We need to disable Spybot S&D's Teatimer real-time protection temporarily as it will interfere with the fix. Please minimize going online while your security software is disabled or not active.

    First step:
    • Right click the Spybot icon that looks like a blue/white calendar with a padlock symbol in the System Tray (lower right corner where the clock is situated).
    • For version 1.6, the steps are similar to either one of the below.
    • If you have version 1.5, click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now unchecked (unticked). The Spybot icon should now be colorless.
    • If you have Version 1.4, click on Exit Spybot S&D Resident.

    Second step, for either version:
    • Open Spybot S&D.
    • Click Mode, choose Advanced Mode.
    • Go to the bottom of the vertical panel on the left, click Tools.
    • Then, also in left panel, click on Resident that shows a red/white shield.
    • If your firewall raises a question, say OK.
    • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active.
    • OK any prompts.
    • Exit Spybot S&D and reboot your machine for the changes to take effect.

    Remember to enable it after the fix.

    --------------------

    Please download ComboFix© by sUBs from one of the links below and save it to your desktop.

    Link 1
    Link 2

    Do not mouse click on ComboFix while it is running. That may cause it to stall. ComboFix is a powerful tool and must not be used without supervision.

    Install Recovery Console and run ComboFix
    • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily when running ComboFix. They will interfere and may cause unexpected results.
    • If you need help to disable your protection programs see here and here.
    • Double click on ComboFix.exe and follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will be asked to install it if it is not present in your computer. Click Yes to proceed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, click on Yes to continue scanning for malware.
    • When finished, a log will be produced as C:\ComboFix.txt. Please post this log in your next reply.
    • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
    • Re-enable your security software as soon as you have completed the ComboFix steps.


    A detailed step by step tutorial to run ComboFix can be found here if you need help.

    --------------------

    Please post back:
    1. the ComboFix log

  5. #25
    Member
    Join Date
    May 2010
    Posts
    54

    Redirect Problems in San Jose, CA

    Please don't close this thread. I was unable to work on this last night, but I'll dive in tonight.

    Cheers,

    jack fischer

  6. #26
    Member
    Join Date
    May 2010
    Posts
    54

    Redirect Problems in San Jose, CA

    Hi.

    I turned off Spybot and my Avira software and downloaded and ran ComboFix. It installed Microsoft Windows Recovery Console but when it began to scan for malware it again crashed and gave me a blue screen with this:

    A problem was detected and windows was shut down to prevent damage.

    DRIVER_IRQL_NOT_LESS_OR_EQUAL

    Technical info:

    stop:0x000000D1 (0x3F3F3F, 0x00000002,0x00000000,0xF77c33ce)
    IdeChnDr.Sys-Address F77C33CE base at F77C3000,DateStamp 3bd89c65

    Beginning dump of physical memory...

    What now?

    Thanks very much for all your patience with this. I can't believe what a pain it is.

    jack

  7. #27
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello Jack,

    Is there a log produced, C:\ComboFix.txt?

    --------------------

    The file IdeChnDr.sys is related to Intel's Application Accelerator. Is your hard drive RAID configured?

    Check for RAID via Disk Management
    • Go to Start > Run.... Copy and paste the following text into the white box:
      Code:
      diskmgmt.msc
    • Click OK. A Disk Management window will open.
    • At the bottom pane under Disk 0, do you see the word Basic or Dynamic?
    • At the lowest portion of the window where legend of the disk type is shown, do you observe any of these five words: simple, spanned, striped, mirrored or RAID-5?
    • Post back the information and close the Disk Management window.


    --------------------

    Check IdeChnDr.sys with OTL
    • Double click on OTL.exe to run it.
    • Make sure all the None options are checked (ticked). There are eight of them.
    • Copy and paste the following into the white box under Custom Scans/Fixes:
      Code:
      /md5start
      IdeChnDr.sys
      /md5stop
    • Click on Run Scan at the top left hand corner. This might take a while.
    • When done, the OTL.txt file will open. Please post back the contents of this log.


    --------------------

    Please post back:
    1. ComboFix log, if any
    2. information about your hard drive and from Disk Management
    3. OTL log

  8. #28
    Member
    Join Date
    May 2010
    Posts
    54

    Redirect Problems in San Jose, CA

    Okay:

    1) No log generated. It crashed pretty quickly.

    2) Disk management returns the following info:

    Under Disk 0 it says "basic". Under that it says 37.24Gb, online. To the right of that in a small box it says 31MB FAT. To the right of that, in a small box it says (C and then 37.21GB NTFS.

    I don't see any of the five words you were seeking.

    3) OTL Log:

    OTL logfile created on: 12/2/2010 3:29:44 PM - Run 3
    OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Joycellen Floyd\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,023.00 Mb Total Physical Memory | 555.00 Mb Available Physical Memory | 54.00% Memory free
    1.00 Gb Paging File | 1.00 Gb Available in Paging File | 68.00% Paging File free
    Paging file location(s): C:\pagefile.sys 384 768 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 37.21 Gb Total Space | 11.56 Gb Free Space | 31.06% Space Free | Partition Type: NTFS
    Drive D: | 7.41 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

    Computer Name: DELL | User Name: Joycellen Floyd | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Custom Scans ==========



    < MD5 for: IDECHNDR.SYS >
    [2001/11/06 00:00:00 | 000,087,018 | ---- | M] (Intel Corporation) MD5=B5E01B50B08B440018F437AEBED0BCCF -- C:\Program Files\Intel\Intel Application Accelerator\Driver\idechndr.sys
    [2001/11/06 00:00:00 | 000,087,018 | ---- | M] (Intel Corporation) MD5=B5E01B50B08B440018F437AEBED0BCCF -- C:\WINDOWS\system32\drivers\IdeChnDr.sys

    < End of report >


    Jack
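As an added example (not part of the thread, and not code from OTL or VirusTotal), a Python parser for the OTL /md5 custom-scan lines posted above that groups records by file name, checks that every copy of a file carries the same hash, and compares it with the MD5 VirusTotal reported for the same file earlier in the thread. The sample lines and VT hashes are copied from the posts; the line format assumed is the one OTL prints there.

```python
"""Reconcile MD5 hashes from an OTL custom scan with hashes reported by VirusTotal.

OTL's /md5 custom-scan lines have the form
    [date time | size | attrs | M] (Company) MD5=<hex> -- <path>
or, for files it could not read, "Unable to obtain MD5" in place of MD5=.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed line layout, taken from the OTL logs quoted in this thread.
OTL_LINE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<flag>\w)\] \((?P<company>[^)]*)\) "
    r"(?:MD5=(?P<md5>[0-9A-Fa-f]{32})|Unable to obtain MD5) -- (?P<path>.+?)\s*$"
)

# Constructed sample: lines copied from the OTL logs posted in this thread.
OTL_LINES = [
    "[2001/11/06 00:00:00 | 000,087,018 | ---- | M] (Intel Corporation) MD5=B5E01B50B08B440018F437AEBED0BCCF -- C:\\Program Files\\Intel\\Intel Application Accelerator\\Driver\\idechndr.sys",
    "[2001/11/06 00:00:00 | 000,087,018 | ---- | M] (Intel Corporation) MD5=B5E01B50B08B440018F437AEBED0BCCF -- C:\\WINDOWS\\system32\\drivers\\IdeChnDr.sys",
    "[2010/11/22 18:18:34 | 000,061,960 | ---- | M] (Avira GmbH) MD5=47B879406246FFDCED59E18D331A0E7D -- C:\\WINDOWS\\system32\\drivers\\avgntflt.sys",
    "[2009/03/08 03:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\\WINDOWS\\system32\\dxtmsft.dll",
]

# MD5s as shown in the VirusTotal results posted earlier in the thread.
VT_MD5 = {
    "idechndr.sys": "b5e01b50b08b440018f437aebed0bccf",
    "avgntflt.sys": "47b879406246ffdced59e18d331a0e7d",
    "dxtrans.dll": "5e1a0476e009a1930a524dff4ca13982",
}


def parse_otl_line(line):
    """Parse one OTL file line into a dict; return None for any other line."""
    m = OTL_LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"].replace(",", ""))
    rec["md5"] = rec["md5"].lower() if rec["md5"] else None
    # Windows file names are case-insensitive, so compare on a lowered basename.
    rec["name"] = PureWindowsPath(rec["path"]).name.lower()
    return rec


def reconcile(lines, vt_md5):
    """Group OTL records by file name and compare them with VirusTotal's MD5.

    Status per name: 'match' (every copy has VT's hash), 'mismatch' (some copy
    differs), 'unhashed' (OTL could not read the file), 'not_submitted'
    (no VT result for that name).
    """
    by_name = defaultdict(list)
    for line in lines:
        rec = parse_otl_line(line)
        if rec:
            by_name[rec["name"]].append(rec)

    report = {}
    for name, recs in by_name.items():
        hashes = {r["md5"] for r in recs}
        if None in hashes:
            status = "unhashed"
        elif name not in vt_md5:
            status = "not_submitted"
        elif hashes == {vt_md5[name].lower()}:
            status = "match"
        else:
            status = "mismatch"
        report[name] = {
            "status": status,
            "copies": len(recs),
            "paths": [r["path"] for r in recs],
            "md5s": sorted(h for h in hashes if h),
        }
    return report


if __name__ == "__main__":
    for name, info in reconcile(OTL_LINES, VT_MD5).items():
        print(f"{name}: {info['status']} ({info['copies']} copies) {info['md5s']}")
```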

  9. #29
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello Jack,

    Based on the information I see, it should be alright to try uninstalling the Intel Application Accelerator via Control Panel > Add/Remove Programs. However, just to be safe, please backup all your important data to a CD before you do that.

    Do a reboot and let me know how it goes, then we will move to the next step.

  10. #30
    Member
    Join Date
    May 2010
    Posts
    54

    Redirect Problems in San Jose, CA

    Okay, Intel accelerator uninstalled. When it rebooted it repeatedly gave me a message saying "Windows has recovered from a serious error. Send report?" About ten times and then it stopped.

    What next?

    Best,

    jack
