MBAM freezes after a few seconds - hard reboot then necessary - please help

[PizzaMan]

Malwarebytes' Anti-Malware 1.40

Database version: 2573

Windows 5.1.2600 Service Pack 2

8/10/2009 8:50:00 PM

mbam-log-2009-08-10 (20-50-00).txt

Scan type: Quick Scan

Objects scanned: 1

Time elapsed: 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:46:54 AM, on 9/22/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\System32\GEARSec.exe

C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Norton Ghost\Agent\VProSvc.exe

C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\WFXSVC.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\PRISMSVR.EXE

C:\WinFax\WFXMOD32.EXE

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton Ghost\Agent\GhostTray.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL

O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\SYSTEM32\TwcToolbarBho.dll

O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\SYSTEM32\TwcToolbarIe7.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)

O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118194525182

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134583722062

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{69C869D1-7408-4FDE-83D8-F1EBE7BF096C}: NameServer = 68.237.161.12,71.243.0.12

O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe

O23 - Service: Google Update Service (gupdate1c98d5e4f60a14b) (gupdate1c98d5e4f60a14b) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe

O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe

O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe

O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe

O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe

O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe

O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

--

End of file - 11655 bytes

[AdvancedSetup]

Please try this on the computer that is having an issue.

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.

2. Restart your computer (very important).

3. Download and run this utility. mbam-clean.exe

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, install the latest version from here. mbam-setup.exe

Note: You will need to reactivate the program using the license you were sent

Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.

Restart the computer again and verify that MBAM is in the task tray and that you can run a quick scan and all is working as expected.

[PizzaMan]

Well, I did as you suggested (thanks for your response, by the way) and now when I tried to run MBAM I got a blue screen (BSOD) attributed to iastor.sys. Not sure what to do next.

[AdvancedSetup]

The iastor.sys is a system driver - This is a recent new change by this Malware and I need to research and verify the correct repair for this. I'll try to get back to you either later tonight or tomorrow on this.

Thanks.

[AdvancedSetup]

STEP 00

Disable the Spybot Tea Timer - DO NOT continue until you've disabled the Tea Timer

Disable Teatimer

First step:

• Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  
  
• If you have the new version 1.5, Click once on
  Resident Protection
  , then Right click the Spybot icon again and make sure
  Resident Protection
  is now
  Unchecked
  . The Spybot icon in the System tray should now be now colorless.
  
  
• If you have Version 1.4, Click on
  Exit Spybot S&D Resident
  
  

Second step, For Either Version :

• Open Spybot S&D
  
  
• Click
  Mode
  , choose
  Advanced Mode
  
  
• Go To the bottom of the Vertical Panel on the Left, Click
  Tools
  
  
• then, also in left panel, click
  Resident
  shows a red/white shield.
  
  
• If your firewall raises a question, say
  OK
  
  
• In the
  Resident protection status
  frame,
  Uncheck
  the box labeled
  Resident "Tea-Timer"(Protection of over-all system settings) active
  
  
• OK
  any prompts.
  
  
• Use
  File, Exit
  to terminate Spybot
  
  
• Reboot
  your machine for the changes to take effect.
  
  

STEP 01

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

STEP 02

Please see if you have the following file. C:\DRIVERS\STORAGE\SATA\ONBOARD\IASTOR.SYS

If you do then run the following.

1. Locate this file - C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS
   
2. Rename it to IASTOR.SYS.BAD
   
3. Then copy the file from C:\DRIVERS\STORAGE\SATA\ONBOARD\IASTOR.SYS to C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS
   
4. Reboot the computer and scan again with MBAM
   

Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
    
  • Select the Update tab
    
  • Click Update
    

  [*]When the update is complete, select the Scanner tab

  [*]Select Perform quick scan, then click Scan.

  [*]When the scan is complete, click OK, then Show Results to view the results.

  [*]Be sure that everything is checked, and click Remove Selected.

  [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    

Then post back the MBAM log and a new Hijackthis log.

STEP 03

If, and only if you DO NOT have this driver in the above location then please download the installer from Intel.

Download the Intel

[PizzaMan]

Thank you for the assistance. I have completed steps 00 and 01 successfully. In reviewing step 02, I wanted to let you know the following. I did have the iastor.sys files in both of the locations you noted. However I have a concern about renaming and replacing the files as per your instructions for the following reason:

I have a Dell Dimension 8400, Windows XP Media Center, the Intel 925X chipset. When I first purchased the PC I had many BSOD episodes which, after much troubleshooting and little ( read no) assistance from Dell, I was finally able to trace the Intel Matrix Storage Manager as the cause. I at that point upgraded to the (then) latest version from Intel and in the process the current iastor.sys file was installed into the C:\WINDOWS\SYSTEM32\DRIVERS folder. I have not had BSOD issues since (for many years).The file in the C:\DRIVERS\STORAGE\SATA\ONBOARD folder is the older version that was present when the BSOD problems first started. So I am very reluctant to utilize that older version file, which is what I would be dooing if I made the changes suggested in step 02..

I have investigated the possibility of updating the Intel Matrix Storage Manager once again, but I have found that the newer versions are not compatible with the hardware in my old PC any longer (at least I believe this to be the case).

I am not certain how to proceed from this point. I don't really want to make changes to my PC in the hopes of being able to run MBAM successfully only to find that I have caused other, more major, problems by messing with the Intel Matrix Storage Manager unless I know that the changes will not be harmful.

[AdvancedSetup]

Yes you're correct and there are MANY posts on this issue. I'm not really sure what to tell you though as it would appear that this file is infected.

Do this. Try to upload that file to http://www.virustotal.com and have it scanned. If it says it's already been scanned then have it scan again and post back the results please.

[PizzaMan]

I have had the file scanned and the results were 0/41. I think that the problem might be much deeper than that file.

When I originally had the first issues with iastor.sys causing BSOD's I had found that there were many of us Dell Dimension 8400 owners with similar issues and updating to the latest (at that time) Intel Matrix Storage Manager seemed to do the trick. But now that iastor.sys is the cause of a BSOD once again - and a different iastor.sys at that - and having read more from other Dell owners, I am beginning to believe that there is something inherently wrong about the way amny of Dell's PC's have been configured from the factory. I am not enough of a computer person to know if there is anything that I can do at this point to rectify the problem other than just not using MBAM and hope that I can avooid other iastor.sys issues until the PC is ready to visit the PC graveyard some years down the road (I hope).

The only other thing that I have done to the PC in the past few years is that I had added some RAM (went from 1 gig to 3 gig) for the (now laughable) prospect of being able to upgrade to Windows 7 at some point (ha, ha). Don't know if this could be precipitating anything.

[AdvancedSetup]

Okay, let's just assume that the iastor.sys warning was a fluke for now and was not involved with the current infection. Let's try some all new scans and see what we get.

STEP 00

Disable the Spybot Tea Timer - DO NOT continue until you've disabled the Tea Timer

Disable Teatimer

First step:

• Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  
  
• If you have the new version 1.5, Click once on
  Resident Protection
  , then Right click the Spybot icon again and make sure
  Resident Protection
  is now
  Unchecked
  . The Spybot icon in the System tray should now be now colorless.
  
  
• If you have Version 1.4, Click on
  Exit Spybot S&D Resident
  
  

Second step, For Either Version :

• Open Spybot S&D
  
  
• Click
  Mode
  , choose
  Advanced Mode
  
  
• Go To the bottom of the Vertical Panel on the Left, Click
  Tools
  
  
• then, also in left panel, click
  Resident
  shows a red/white shield.
  
  
• If your firewall raises a question, say
  OK
  
  
• In the
  Resident protection status
  frame,
  Uncheck
  the box labeled
  Resident "Tea-Timer"(Protection of over-all system settings) active
  
  
• OK
  any prompts.
  
  
• Use
  File, Exit
  to terminate Spybot
  
  
• Reboot
  your machine for the changes to take effect.
  
  

STEP 01

Please make sure you have the license key and any information required to reinstall your Symantec Suite and print it out to make sure.

Then fully uninstall the the Symantec AV Suite and reboot the computer.

Then run the following scans.

STEP 02

Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
    
  • Select the Update tab
    
  • Click Update
    

  [*]When the update is complete, select the Scanner tab

  [*]Select Perform quick scan, then click Scan.

  [*]When the scan is complete, click OK, then Show Results to view the results.

  [*]Be sure that everything is checked, and click Remove Selected.

  [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    

Then post back the MBAM log

STEP 03

RootRepeal - Rootkit Detector

Close ALL applications and as many items in the task tray that will stop and exit.


• Please download the following tool:
  RootRepeal - Rootkit Detector
  
  
• Direct download link is here:
  RootRepeal.rar
  
  
• If you don't already have a program to open a .RAR compressed file you can download a trial version from here:
  WinRAR
  
  
• Extract the program file to a new folder such as
  C:\RootRepeal
  
  
• Run the program
  RootRepeal.exe
  and go to the
  REPORT
  tab and click on the
  Scan
  button
  
  
• Select
  ALL
  of the checkboxes and then click
  OK
  and it will start scanning your system.
  
  
• If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  
  
• When done, click on
  Save Report
  
  
• Save it to the same location where you ran it from, such as
  C:\RootRepeal
  
  
• Save it as
  your_name_rootrepeal.txt
  - where your_name is your
  forum name
  
  
• This makes it more easy to track who the log belongs to.
  
  
• Then open that log and select all and copy/paste it back on your next reply please.
  
  
• Quit the RootRepeal program.
  
  

STEP 04

Please download the following scanning tool. GMER

• Download the randomly named EXE and copy the file to your Desktop. Remember what its name is.
  
  
• Double click on
  random named exe file
  and run it.
  
  
• It may take a minute to load and become available.
  
  
• Do not make any changes. Click on the
  SCAN
  button and DO NOT use the computer while it's scanning.
  
  
• Once the scan is done click on the
  SAVE
  button and browse to your Desktop and save the file as
  GMER.LOG
  
  
• Zip up the
  GMER.LOG
  file and save it as
  gmerlog.zip
  and attach it to your reply post.
  
  
• DO NOT
  directly post this log into a reply. You
  MUST
  attach it as a .ZIP file.
  
  
• Click OK and quit the GMER program.
  
  

How To Use Compressed (Zipped) Folders in Windows XP

Compress and uncompress files (zip files) in Vista

STEP 05

Download

DDS

and save it to your desktop

http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.

Then double click

dds.scr

to run the tool.

When done, the

DDS.txt

will open.

Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:

1. DDS.txt
   
   
2. Attach.txt
   
   

• Save both reports to your desktop
  
  
• Please include the following logs in your next reply:
  DDS.txt
  and
  Attach.txt
  
  

[PizzaMan]

Well, I looked at your last reply and figured that I'd follow the instructions at another time - it was going to be a long process (I have not uninstalled Norton). So just to try, I decided to run a Quick Scan and see if it would work and not give me a BSOD - well it did scan, much to my surprise - no iastor.sys problem this time. The one registry data item noted below is because of Norton Internet Security's firewall being used instead of Window's firewall.

I am not certain if this means that MBAM will now work or if the one complete Quick Scan is just a fluke...........or just due to TeaTimer being disabled (can I not use TeaTimer and MBAM?) and the compete MBAM re-installation.....

Malwarebytes' Anti-Malware 1.41

Database version: 2879

Windows 5.1.2600 Service Pack 2

9/30/2009 9:48:17 PM

mbam-log-2009-09-30 (21-47-59).txt

Scan type: Quick Scan

Objects scanned: 115179

Time elapsed: 6 minute(s), 30 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[AdvancedSetup]

The issue with running TeaTimer is that if/when MBAM wants to make a change to the Registry you really have to pay attention and tell TeaTimer it's okay.

Well that's good then that it ran okay. Try a reboot of the computer and try another scan tomorrow and let me know how it goes.

[AdvancedSetup]

I'll be going out of town early Friday so we need to finish up or I'll have to finish helping you on Monday.

[PizzaMan]

Well, I attempted a scan and this time, no blue screen but, I am back to a system freeze after 4 seconds. The original issue. I now seem to remember that the very first time I ever installed and ran MBAM it worked fine - that was the one and only time, with the exception of the successful scan yesterday, that I have ever been able to run a MBAM scan without a system freeze. It almost seems as though the initial MBAM scan somehow leaves some sort of "signature" and when I try to run a scan again some other process running then will recognize the MBAM scan and cause a lock-up. I wonder if the complete removal of MBAM and then its re-installation was what allowed it to run once successfully.

[AdvancedSetup]

Well up to you but something odd there to be sure.

You can try the clean removal process and re-install and see if it works but if it does that doesn't make much sense to me.

Also take a look at this post and make sure it does't apply to you still.

http://www.malwarebytes.org/forums/index.p...st&p=131222

[PizzaMan]

I looked through the system32/drivers folder and didn't find anything suspect, but then again, I am not an expert at this. Still unsure what to do next........

[AdvancedSetup]

Okay well I'm leaving out of town for the weekend so I'll have to help you further on Monday then.

[PizzaMan]

Have a nice weekend!

[AdvancedSetup]

Please run the steps in this post and let's see what we get. You can run without AV for the testing just don't go Web surfing and you should be okay.

http://www.malwarebytes.org/forums/index.p...st&p=136036

[PizzaMan]

Uninstalled Norton Internet Security 2009 and tried a scan with MBAM. Got 51 seconds into the scan and then the system froze. I have since reinstalled, but now it is NIS 2010,

[AdvancedSetup]

Well not sure what else we can do at this time. If you're using a paid version of the program you can send an email to corporate@malwarebytes.org and they will process a refund for you.

Thank you and sorry we were not able to track down this issue.

[PizzaMan]

I certainly appreciate your assistance. All I can think of is that there must be some weird peculiarity with my system - I have had it for 4 1/2 years with no major issues - only the initial problem with Intel Matrix Storage Manager. If you have any other ideas in the future, please let me know. Thank you.

[AdvancedSetup]

Okay - sorry. I'll close your post now so that other don't post to it.

Take care.