Jump to content

MBAM won't stay running....Volume 2

cyriously

By cyriously
in Resolved Malware Removal Logs

 Share

Recommended Posts

cyriously

cyriously

Posted
Posted

I am having what seems to be a common issue with my computer trying to load MBAM at startup (or any other time, for that matter). I have poured through several posts on here trying to fix this without bugging you guys about it, but I can't seem to find a resolution as of yet. I have tried uninstalling and reinstalling countless times using both your mbam cleaner and Revo. I have even tried both running a diagnostic startup (even disabling my antivirus software - Avast Pro) and safe mode startup and loading it that way with the same results. I have run combofix and hijackthis. Nothing is working. I have included both my event log and HJT logs below, respectively. Please let me know what is stopping this from loading properly. PS. The scans turn up nothing in as far as malware is concerned...I am suspecting a hardware incompatibility of some sort since I am basically bypassing everything short of what windows needs to startup, itself in both diagnostic and safe modes. I had put this problem in a thread before at the following link (http://www.malwarebytes.org/forums/index.php?showtopic=28662&st=0&p=147337entry147337), but it was closed before I could get back to it to do what was asked of me. Anyway, I did as asked in that thread, and here are the results...let me know what you think:

Combo-fix.log

ComboFix 09-11-04.02 - James Cyr 11/04/2009 18:55.3.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.627 [GMT -5:00]

Running from: c:\documents and settings\James Cyr\Desktop\Combo-Fix.exe

AV: avast! antivirus 4.8.1351 [VPS 091104-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))

.

2009-11-04 01:46 . 2008-04-14 04:42 26624 ----a-w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2009-11-04 00:07 . 2009-11-04 00:07 ------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache

2009-10-23 00:28 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-23 00:28 . 2009-10-23 00:28 ------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-23 00:28 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-22 23:48 . 2009-10-22 23:48 ------- d-----w- c:\program files\Trend Micro

2009-10-22 19:02 . 2009-10-22 19:02 ------- d-----w- c:\program files\VS Revo Group

2009-10-21 20:17 . 2009-10-23 00:16 ------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-10-21 20:12 . 2009-10-22 18:30 ------- d-----w- c:\documents and settings\James Cyr\Application Data\Malwarebytes

2009-10-21 20:12 . 2009-10-22 18:30 ------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-15 07:07 . 2009-08-07 23:46 ------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-28 01:12 . 2009-07-16 02:18 ------- d-----w- c:\program files\Microsoft Silverlight

2009-09-11 14:18 . 2009-02-12 22:45 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2009-02-12 22:42 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 08:08 . 2009-02-12 23:08 916480 ------w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2009-02-12 22:53 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL

2009-08-17 16:10 . 2009-07-15 03:01 1279456 ----a-w- c:\windows\system32\aswBoot.exe

2009-08-17 16:06 . 2009-07-15 03:01 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys

2009-08-17 16:06 . 2009-07-15 03:01 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2009-08-17 16:05 . 2009-07-15 03:01 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys

2009-08-17 16:05 . 2009-07-15 03:01 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2009-08-17 16:04 . 2009-07-15 03:01 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2009-08-17 16:04 . 2009-07-15 03:01 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2009-08-17 16:03 . 2009-07-15 03:01 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2009-08-17 16:02 . 2009-07-15 03:01 97480 ----a-w- c:\windows\system32\AvastSS.scr

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2006-03-18 184320]

"avast!"="c:\progra~1\Avast4\ashDisp.exe" [2009-08-17 81000]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]

"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2006-08-30 180224]

"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2006-08-03 53248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NDAS Device Management.lnk]

backup=c:\windows\pss\NDAS Device Management.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\InterVideo\\DVD6\\WinDVD.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R0 lfsfilt;Lean File Sharing;c:\windows\system32\drivers\lfsfilt.sys [9/1/2009 3:46 PM 251120]

R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [1/17/2007 5:18 PM 59632]

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [7/14/2009 12:26 PM 11264]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/14/2009 10:01 PM 114768]

R1 ndasfat;NDAS FAT;c:\windows\system32\drivers\ndasfat.sys [9/1/2009 3:46 PM 361968]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/14/2009 10:01 PM 20560]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/22/2009 7:28 PM 19160]

R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [1/17/2007 5:18 PM 76144]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/22/2009 7:28 PM 269648]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [7/14/2009 9:39 PM 17149]

S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [1/17/2007 5:18 PM 183152]

S3 WPC54GSv1;Linksys Wireless Notebook Adapter WPC54GSv1 Driver;c:\windows\system32\drivers\WPC54GSv1.SYS [7/14/2009 2:48 PM 610816]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR

*NewlyCreated* - PROCEXP113

*Deregistered* - mbr

*Deregistered* - PROCEXP113

.

Contents of the 'Scheduled Tasks' folder

2009-11-04 c:\windows\Tasks\User_Feed_Synchronization-{01201D67-3758-44DC-8BB3-00FFD8694A56}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

2009-11-04 c:\windows\Tasks\User_Feed_Synchronization-{5E8B6B81-1A7A-4945-9264-4B25D79F760B}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.grocist.com/index.py?action=Login/Logon

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-04 19:02

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1292)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2009-11-05 19:05

ComboFix-quarantined-files.txt 2009-11-05 00:05

Pre-Run: 65,758,494,720 bytes free

Post-Run: 65,779,527,680 bytes free

hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:27:13 PM, on 11/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Avast4\aswUpdSv.exe

C:\Program Files\Avast4\ashServ.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\WINDOWS\system32\VTTimer.exe

C:\PROGRA~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\NDAS\System\ndassvc.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Avast4\ashMaiSv.exe

C:\Program Files\Avast4\ashWebSv.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.grocist.com/index.py?action=Login/Logon

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.google.com

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1247666760671

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1247666854968

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.38.50/ttinst.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe

--

End of file - 4664 bytes

Link to post
Share on other sites
  • 2 weeks later...
extremeboy

extremeboy

Posted
Posted

Hello and welcome to Malwarebytes.

I Apologize for the late response.

If you still require assistance, we would like to see the latest state of your system. So, please post a New Hijackthis log. In your reply, I would also like to know any symptoms you may still have and how your computer is running at the moment.

Take a read in this thread on instructions on how to post a Hijackthis log and other further instructions:

http://www.malwarebytes.org/forums/index.php?showtopic=9573

Please note that the forum is very busy and if I don

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.