Hijack log check - can't run Malwarebytes



Hi,

Just over from this thread:

http://www.malwarebytes.org/forums/index.p...amp;#entry97590

Although I'm in some doubt that malware is my problem, I can't run Malwarebytes because of a VB runtime error 5 (invalid procedure or call). This happens after several files have been scanned so it's not as though Malwarebytes is not running, it is.

I've tried all the suggestions to fix it in the above thread.

Can someone just scan my HijackThis log to see if there's anything obvious:

----------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:23:38, on 12/07/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\Explorer.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program Files\DU Meter\DUMeter.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\WINDOWS\system32\wfxsnt40.exe

D:\PROGRA~1\Symantec\WinFax\WFXSWTCH.exe

C:\Program Files\NetLimiter\NetLimiter.exe

C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe

C:\Program Files\Iconoid\iconoid.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE

C:\Program Files\Creative\MediaSource\RemoteControl\OSDEAX.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cssdrive.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.co.uk

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Jaws Was here

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8118

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - d:\Program Files\FlashGet\jccatch.dll

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll

O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - d:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - d:\Program Files\FlashGet\getflash.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - d:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe

O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe

O4 - HKLM\..\Run: [WFXSwtch] D:\PROGRA~1\Symantec\WinFax\WFXSWTCH.exe

O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [NBJ] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe

O4 - HKCU\..\Run: [iconoid] "C:\Program Files\Iconoid\iconoid.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O8 - Extra context menu item: &Download All with FlashGet - D:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - D:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://d:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://d:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://d:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://d:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O8 - Extra context menu item: Scan link by Dr.Web - http://www.drweb.com/online/drweb-online-en.html

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - d:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - d:\Program Files\FlashGet\FlashGet.exe

O15 - Trusted Zone: http://www.louiscarresi.co.uk

O17 - HKLM\System\CCS\Services\Tcpip\..\{2441D2D2-09C5-4158-A139-AD478E31599F}: NameServer = 192.168.0.1

O17 - HKLM\System\CCS\Services\Tcpip\..\{419548BB-2923-4AAA-BB36-476F9F6AF274}: NameServer = 192.168.0.1

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll

O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\

O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

O23 - Service: WinFax Basic Edition (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

O24 - Desktop Component 0: (no name) - (no file)

--

End of file - 7100 bytes


  • Root Admin

Please try temporarily FULLY disabling ZoneAlarm and Kaspersky AV.

Then try running MBAM again and see if you're still having the same issue.

Please run the following scanner and post back the logs.

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.
    When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply:
    DDS.txt and Attach.txt


Please try temporarily FULLY disabling ZoneAlarm and Kaspersky AV.

Ok thanks. Kaspersky is only run on demand. ZoneAlarm I can shut down and switch to Windows Firewall; however, I believe that vsmon still stays at a lower level. ZoneAlarm, however, does not operate.

Under these circumstances the results are the same.

Ok here is DDS.txt and I'm attaching a zip of Attach.txt to go with it as per the script's instructions.

--------------------------------------------------------------------------------------------------------------

DDS (Ver_09-06-26.01) - FAT32x86

Run by LC at 13:09:55.06 on 14/07/2009

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1581 [GMT 1:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

SVCHOST.EXE

SVCHOST.EXE

SVCHOST.EXE

SVCHOST.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\WINDOWS\system32\wfxsnt40.exe

D:\PROGRA~1\Symantec\WinFax\WFXSWTCH.exe

C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe

C:\Program Files\Iconoid\iconoid.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

SVCHOST.EXE

SVCHOST.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\PMAIL\winpm-32.exe

C:\WINDOWS\system32\ntvdm.exe

C:\PROGRA~1\INTERN~1\iexplore.exe

C:\DOCUME~1\Louiscar\Local Settings\Temporary Internet Files\Content.IE5\OOTDW8LC\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cssdrive.com/

uWindow Title = Microsoft Internet Explorer provided by Jaws Was here

uInternet Settings,ProxyServer = localhost:8118

mSearchAssistant = hxxp://www.google.co.uk

mCustomizeSearch = hxxp://www.google.co.uk

BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - d:\program files\flashget\jccatch.dll

BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll

BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - d:\program files\ipswitch\ws_ftp pro\wsbho2k0.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - d:\program files\flashget\getflash.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - d:\program files\canon\easy-webprint\Toolband.dll

TB: {2913D3DD-9363-4C21-B205-C19A584A0674} - No File

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [NBJ] c:\program files\creative\mediasource\remotecontrol\RcMan.exe

uRun: [iconoid] "c:\program files\iconoid\iconoid.exe"

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

mRun: [Zone Labs Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r

mRun: [DU Meter] c:\program files\du meter\DUMeter.exe

mRun: [Easy-PrintToolBox] c:\program files\canon\easy-printtoolbox\BJPSMAIN.EXE /logon

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [WinFaxAppPortStarter] wfxsnt40.exe

mRun: [WFXSwtch] d:\progra~1\symantec\winfax\WFXSWTCH.exe

mRun: [NetLimiter] c:\program files\netlimiter\NetLimiter.exe /s

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

StartupFolder: c:\docume~1\louiscar\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE

uPolicies-explorer: NoSMMyPictures = 1 (0x1)

uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)

IE: &Download All with FlashGet - d:\program files\flashget\jc_all.htm

IE: &Download with FlashGet - d:\program files\flashget\jc_link.htm

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Easy-WebPrint Add To Print List - d:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - d:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - d:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - d:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html

IE: Scan link by Dr.Web - http://www.drweb.com/online/drweb-online-en.html

IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - d:\program files\flashget\FlashGet.exe

LSP: c:\program files\netlimiter\nl_lsp.dll

Trusted Zone: louiscarresi.co.uk\www

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: {2441D2D2-09C5-4158-A139-AD478E31599F} = 192.168.0.1

TCP: {419548BB-2923-4AAA-BB36-476F9F6AF274} = 192.168.0.1

Notify: AtiExtEvent - Ati2evxx.dll

Notify: SASWINLO.dll - PCANotify.dll

AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll

SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - d:\program files\symantec\winfax\WfxSeh32.Dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\louiscar\applic~1\mozilla\firefox\profiles\6bdy4tde.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - about:blank

FF - component: c:\documents and settings\louiscar\application data\mozilla\firefox\profiles\6bdy4tde.default\extensions\{fcab6fdd-5585-425b-95c1-5ed856f3fd08}\components\nsCatcher.dll

FF - component: d:\program files\free download manager\firefox\extension\components\vmsfdmff.dll

FF - plugin: c:\program files\adobe\acrobat 8.0\acrobat\browser\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeploytk.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npjp2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\quicktime\plugins\npqtplugin.dll

FF - plugin: c:\program files\quicktime\plugins\npqtplugin2.dll

FF - plugin: c:\program files\quicktime\plugins\npqtplugin3.dll

FF - plugin: c:\program files\quicktime\plugins\npqtplugin4.dll

FF - plugin: c:\program files\quicktime\plugins\npqtplugin5.dll

FF - plugin: c:\program files\quicktime\plugins\npqtplugin6.dll

FF - plugin: c:\program files\quicktime\plugins\npqtplugin7.dll

FF - plugin: c:\program files\windows media player\npdrmv2.dll

FF - plugin: c:\program files\windows media player\npdsplay.dll

FF - plugin: c:\program files\windows media player\npwmsdrm.dll

FF - plugin: d:\program files\google\picasa3\npPicasa3.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-3-19 39472]

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2008-9-27 11264]

R1 atitray;atitray;c:\program files\ray adams\ati tray tools\atitray.sys [2006-9-27 13952]

R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-11-17 11165]

R1 bizVSerial;Franson VSerial;c:\windows\system32\drivers\bizVSerialNT.sys [2006-4-3 14949]

R1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;c:\windows\system32\drivers\hcw88aud.sys [2009-3-4 12928]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]

R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [2006-1-13 15872]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-10-28 279880]

R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2006-8-11 14976]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

R3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [2009-3-4 182400]

R3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;c:\windows\system32\drivers\hcw88tse.sys [2009-3-4 320256]

R3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\hcw88tun.sys [2009-3-4 74624]

R3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [2009-3-4 394880]

R3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\hcw88bar.sys [2009-3-4 17280]

S3 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-4-25 201992]

S3 ctgame;Game Port;c:\windows\system32\drivers\CTGAME.SYS [2008-3-21 12160]

S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest ultimate edition\kerneld.wnt [2008-1-11 11776]

S3 GearAspiWDM_BackUp;GEARAspiWDM;c:\windows\system32\drivers\GEARAspiWDM.sys [2005-9-9 15664]

S3 LabelServices;Label Services;c:\program files\common files\europlus shared\LblServices.exe [2009-5-7 1597608]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-7-11 38160]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

S3 SbieDrv;SbieDrv;d:\program files\sandboxie\SbieDrv.sys [2008-11-15 102912]

S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2004-10-31 3968]

S4 AUSBD_FilterService;AUSBD Filter Service;c:\windows\system32\drivers\gbtusbd.sys --> c:\windows\system32\drivers\gbtusbd.sys [?]

S4 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2005-11-21 11008]

S4 awhost32;Symantec pcAnywhere Host Service;g:\program files\symantec\pcanywhere\awhost32.exe [2006-2-14 106496]

S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]

S4 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]

S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]

S4 Franson GpsGate 2.0;Franson GpsGate 2.0;c:\program files\franson\gpsgate 2.0\GpsGateService.exe [2007-7-9 253952]

S4 GEARSecurity_BackUp;GEARSecurity_BackUp;system32\gearsec.exe --> system32\gearsec.exe [?]

S4 ikhlayer;Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhlayer.sys [2006-3-7 50048]

S4 PORTMON;PORTMON;\??\c:\!system tools\portmsys.sys --> c:\!system tools\PORTMSYS.SYS [?]

S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-5-18 822424]

=============== Created Last 30 ================

2009-07-12 22:04 <DIR> --d----- c:\progra~1\common~1\EuroPlus Shared

2009-07-12 22:04 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Font Downloader

2009-07-12 22:04 <DIR> --d-h--- c:\docume~1\alluse~1.win\applic~1\{5AA6E508-1A21-48C7-82CA-3E8E1188D6C5}

2009-07-12 19:55 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\EuroPlus

2009-07-11 23:46 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-11 23:46 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-07-11 23:38 <DIR> --d----- c:\progra~1\VS Revo Group

2009-07-11 23:36 <DIR> --d----- c:\temp\temp

2009-07-11 20:45 <DIR> --d----- c:\windows\system32\symbols

2009-07-11 20:45 <DIR> --d----- c:\windows\system32\output

2009-07-11 20:33 <DIR> --d----- C:\iisstate

2009-07-11 07:42 <DIR> --d----- c:\windows\system32\wbem\Repository

2009-07-11 06:35 <DIR> --d----- c:\windows\system32\wbem\Repository.bak

==================== Find3M ====================

2009-07-03 15:28 20 ----h--- c:\docume~1\alluse~1.win\applic~1\PKP_DLdw.DAT

2009-07-03 15:27 20 ----h--- c:\docume~1\alluse~1.win\applic~1\PKP_DLdu.DAT

2009-05-26 02:36 20 ----h--- c:\docume~1\alluse~1.win\applic~1\PKP_DLbx.DAT

2009-05-20 21:34 20 ----h--- c:\docume~1\alluse~1.win\applic~1\PKP_DLbz.DAT

2009-05-19 23:15 30,720 a------- c:\windows\system32\drivers\.sys

2009-05-10 09:19 162,816 a------- c:\windows\system32\fmod.dll

2009-05-08 19:19 685,056 a------- c:\windows\isRS-000.tmp

2009-03-25 15:44 0 ----h--- c:\docume~1\alluse~1.win\applic~1\PKP_DLdy.DAT

2009-01-12 01:24 1,377,954 a------- c:\docume~1\louiscar\Cookies.zip

2008-06-10 16:34 20 ----h--- c:\docume~1\alluse~1.win\applic~1\PKP_DLck.DAT

2008-02-14 15:24 2,151 a------- c:\docume~1\louiscar\applic~1\AVSEdit Settings.bin

2008-01-07 05:21 0 ----h--- c:\docume~1\alluse~1.win\applic~1\PKP_DLeh.DAT

2007-07-17 05:42 20 ----h--- c:\docume~1\alluse~1.win\applic~1\PKP_DLea.DAT

2006-07-18 14:48 20 ----h--- c:\docume~1\alluse~1.win\applic~1\PKP_DLec.DAT

2008-06-01 21:36 804,122,321 a--sh--- c:\windows\system32\KGyGaAvL.sys

2006-10-24 18:37 13 ---shr-- c:\windows\system32\IEcacher.dll

2006-05-03 11:06 163,328 ---shr-- c:\windows\system32\flvDX.dll

2007-02-21 12:47 31,232 ---shr-- c:\windows\system32\msfDX.dll

2008-03-16 14:30 216,064 ---shr-- c:\windows\system32\nbDX.dll

2011-09-22 15:19 1,025 a--sh--- c:\windows\page files\maxmeg.sys

============= FINISH: 13:10:38.37 ===============

Attach.zip



  • Root Admin

Well after reviewing your log there I'm surprised you don't have more conflicts going on. You have a lot of software and different security software on there and any one of them can be causing an issue.

Let me review further and get back to you. We'll need to use some debugging tools to look at this further.


Well after reviewing your log there I'm surprised you don't have more conflicts going on. You have a lot of software and different security software on there and any one of them can be causing an issue.

Let me review further and get back to you. We'll need to use some debugging tools to look at this further.

Ok fwiw, most of the security service drivers are disabled. Things like spyware doctor etc. These were installed at one point and many I don't use.

This configuration was pretty much similar if not the same when Mbam last ran ok.

I think the issue has something to do with the VB files. I tried reinstalling them. The install runs too quickly and there's no confirmation dialog at the end so I suspect it's terminating before fixing the files. If there's a way I can manually get rid of the previous vb run time files and reinstall this may be a solution.


Just hang in there and I'll get you a debug version and some other information and we'll try to track down what's causing it.

Quite late here and I have to be going soon. So may be another day before I can get back to you.

No problem, urgency isn't vital on this.


  • Root Admin

Please try launching MBAM if you can and uncheck the following items on the SETTINGS tab.

Always scan memory objects

Always scan registry objects

Always scan file system

Always scan extra and heuristic objects.

Then restart the computer and see if you're still having the same issue or not and let me know.


Please try launching MBAM if you can and uncheck the following items on the SETTINGS tab.

Always scan memory objects

Always scan registry objects

Always scan file system

Always scan extra and heuristic objects.

Then restart the computer and see if you're still having the same issue or not and let me know.

All that happens there is that Mbam just says, "there were no items to scan, please check the settings tab and make proper adjustments"


Please post a status update and explain in more detail what issues you're having.

Thanks.

Sorry have been away for a bit.

Ok the problem with Mbam is that it runs but will come up with an error "Error '5' invalid procedure or call" after it's scanned a few files. This will happen not long after it's started cycling through the files scanned.

Under the test you asked me to perform, unchecking everything will cause Mbam to complain that it has nothing to do. Checking any one of those items will start the scanning process but stop as described.

So it appears we have a VB error of some kind. I've tried reinstalling the VB runtime files but to no avail. The install routine seems to go very quickly and there's no confirmation after that anything has completed. Whether this is how the installation works or not I can't say but it's unusual.

Let me know if you need any further information.


Please try the following. Make sure you disable your Anti-Virus first.

Ok I ran this. Had one curious error which happened on the attempt to deregister msxml3.dll.

However, I de-registered and re-registered this manually without problems.

The Mbam problem persists.

Here are some stats btw:

Items scanned before the error: 5742

Last current file scanned shows: %systemroot%\system32\mpr.dll

This is 100% consistent; however, when I first encountered this at the beginning it was some other dll that it showed so I'm not sure if this is a clue or not.


  • Root Admin

STEP 01

Please temporarily disable Kaspersky AV

STEP 02

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.

2. Restart your computer (very important).

3. Download and run this utility. mbam-clean.exe

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, Download but DO NOT install the latest version from here. mbam-setup

6. Fully disable Kaspersky AV and then install the new MBAM

7. Then follow this guide using ISSUE 3 on setting up the exclusions in Kaspersky AV

8. Then once the exclusions are in place start Kaspersky AV and then launch MBAM and try to run a Quick Scan. If there are no issues then setup the Registration and Protection of MBAM and reboot the computer.

STEP 03

Please let me know how things go.


STEP 01

Please temporarily disable Kaspersky AV

STEP 03

Please let me know how things go.

I have been through this before posting in the hijack thread but I'll do it again if you think it's worth doing.

http://www.malwarebytes.org/forums/index.php?showtopic=19082

Kaspersky is always out of memory - I run it on demand manually so there should be no issues caused by it.

I can try this all again but I'm fairly sure it's just repeating the same steps as before.


  • Root Admin

The reason to repeat it is that Kaspersky has updated their modules and we have updated our program so there is a high likelihood that it is being blocked by Kaspersky again.

I don't run Kaspersky but I can check with Exile360 who does and maybe he can tell us where the logs are that show when MBAM is blocked by Kaspersky.


The reason to repeat it is that Kaspersky has updated their modules and we have updated our program so there is a high likelihood that it is being blocked by Kaspersky again.

I don't run Kaspersky but I can check with Exile360 who does and maybe he can tell us where the logs are that show when MBAM is blocked by Kaspersky.

The point is that Kaspersky is not running therefore it can't block anything. I run the scanner manually when I feel the need, it isn't allowed to keep any resident program or guard running.

However, for the sake of completeness I will do as you ask and report back.


Ok all steps performed and not surprisingly the same result.

There is a focus on Kaspersky which I do need you to understand isn't running and therefore cannot possibly be a factor in this problem.

I still believe I have some kind of issue with the VB runtime files but I'm not sure how to rectify it if that's the case.

Either way the problem persists.


  • Root Admin

Please try this

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.

2. Restart your computer (very important).

3. Download and run this utility. http://www.malwarebytes.org/mbam-clean.exe

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, do the following.

Download this installer that will modify all the registry and file locations to ensure that Administrators have full rights to these locations.

This is an older installer that your ID/KEY will not match. Do not try to enable the Protection Module.

DO NOT check for updates. Just run the scanner as is if it will run. It will also create a random name shortcut to run it.

Then if this scanner works go ahead and run a quick scan and then if that works a Full Scan and post back the logs.

fixmbam.exe


Download this installer that will modify all the registry and file locations to ensure that Administrators have full rights to these locations.

This is an older installer that your ID/KEY will not match. Do not try to enable the Protection Module.

DO NOT check for updates. Just run the scanner as is if it will run. It will also create a random name shortcut to run it.

Then if this scanner works go ahead and run a quick scan and then if that works a Full Scan and post back the logs.

fixmbam.exe

Done all that except for 'fixmbam.exe' which tells me: "your o/s does not appear to be in english" and promptly terminates.

Where does it get that idea from?


Done all that except for 'fixmbam.exe' which tells me: "your o/s does not appear to be in english" and promptly terminates.

Where does it get that idea from?

Here are the relevant registry settings:

[HKEY_USERS\.DEFAULT\Control Panel\International]

"iCountry"="44"

"iCurrDigits"="2"

"iCurrency"="0"

"iDate"="1"

"iDigits"="2"

"iLZero"="1"

"iMeasure"="0"

"iNegCurr"="1"

"iTime"="1"

"iTLZero"="1"

"Locale"="00000809"

"s1159"="AM"

"s2359"="PM"

"sCountry"="United Kingdom"

"sCurrency"="


  • Root Admin

It has only been tested on US English and makes some changes to the system that may or may not be valid for your Language version even though it is in English.

Please try the following and see if it will run and if it helps. Reboot when done. It does not replace the current version of MBAM.

Please download and run the following file to repair file and registry permissions

fixacl.exe


It has only been tested on US English and makes some changes to the system that may or may not be valid for your Language version even though it is in English.

Please try the following and see if it will run and if it helps. Reboot when done. It does not replace the current version of MBAM.

Please download and run the following file to repair file and registry permissions

fixacl.exe

Ok that's done. Problem persists.

I decided to take a closer look at what's going on with Process Explorer.

The stack on error shows that the last op that presumably caused the error was: ntdll.dll!RtlConvertUlongToLargeInteger+0x6a

The next thing on the stack refers to error generation and goes into MSVBVM60.DLL!EbGetErrorInfo

I saw on one occasion that it stopped on a different file to mpr.dll but has reverted to that, the common thing being it's roughly 5700 files into the scan.

Now here's the interesting part: If I right click on c:\windows\system32 and choose "scan with Malwarebytes", it completes the scan successfully (all 9200 files including subfolders). Similarly if I scan those files it errors on it's not a problem.

One observation when scanning system32 is that it takes much longer to get to 5000 files scanned which implies that Mbam has a database which it uses to scan selective files only in the system32 folder when performing a quick scan.

Either way you can see that under certain circumstances mbam is running without problems. The question is what is different between scanning from the menu (quick or full) as opposed to right click and choose a folder?

I have a feeling that perhaps it's the previous operations to the file scanning that is causing some kind of issue when doing a menu scan.


This topic is now closed to further replies.