
Malwarebytes freezing; help!



I was instructed by exile360 to follow some instructions and post here. My problem is that after updating Malwarebytes a few days ago, my scans freeze anywhere between 25 and a minute into the scan. The program just becomes unresponsive.

Here is my DDS log (I don't have any Malwarebytes logs because the program never finishes scanning):

DDS (Ver_09-12-01.01) - NTFSx86

Run by Justin K at 17:17:10.98 on Thu 01/07/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.543 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\CTHELPER.EXE

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

svchost.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Justin K\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [EPSON Stylus Photo RX580] c:\windows\system32\spool\drivers\w32x86\3\e_fatibpa.exe /fu "c:\windows\temp\E_S93.tmp" /EF "HKCU"

mRun: [CTHelper] CTHELPER.EXE

mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

mRun: [sBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [EPSON Stylus Photo RX580] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX580" /O5 "LPT1:" /M "Stylus Photo RX500"

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: aol.com\free

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\justin~1\applic~1\mozilla\firefox\profiles\l53d1i86.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - plugin: c:\documents and settings\justin k\application data\mozilla\firefox\profiles\l53d1i86.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll

FF - plugin: c:\documents and settings\justin k\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-30 335240]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-30 27784]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-1 297752]

R3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\KTC111.SYS [2008-9-28 19016]

S3 Ctn78u2vca;Ctn78u2vca; [x]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-2 38224]

=============== Created Last 30 ================

2010-01-07 23:13:10 20 ----a-w- c:\documents and settings\justin k\defogger_reenable

2010-01-05 21:36:56 0 d-----w- C:\VINCENT

2010-01-02 19:48:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-02 19:48:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-02 19:48:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

2008-09-30 18:47:10 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008093020081001\index.dat

============= FINISH: 17:17:40.67 ===============

AttachAndArk.zip


Hi,

Okay. First, navigate to Start --> Run, and enter this command:

sc delete Ctn78u2vca

Press Enter.

Restart your computer.

Press CTRL + ALT + Delete to access the Task Manager. Click the Processes tab. Right-click this process, and click End Process:

spoolsv.exe

Try running a Quick Scan with MBAM now; see if it still freezes.

-screen317


It worked!



No. There is a permanent solution. There are multiple entries for your printer that start when your computer starts up. They are to blame.

Please download Combofix by sUBs. Save it to your Desktop but do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

DDS::

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [EPSON Stylus Photo RX580] c:\windows\system32\spool\drivers\w32x86\3\e_fatibpa.exe /fu "c:\windows\temp\E_S93.tmp" /EF "HKCU"

KILLALL::

Driver::

Ctn78u2vca

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

Let me know if the issue remains.

-screen317

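The two things screen317 picked out of the DDS log by eye are both mechanical checks: a driver service whose file DDS marks as missing (`[x]`, here Ctn78u2vca) and an autostart name registered more than once (the two EPSON Stylus Photo RX580 entries under uRun and mRun). The script below is an added example, not part of this thread and not code from DDS, ComboFix or Malwarebytes. It parses the `uRun`/`mRun` lines and the `SERVICES / DRIVERS` lines in the layout seen in the log above (the field layout the regexes assume is inferred from those lines) and reports both findings. The sample input is a handful of lines copied from the first DDS log in this thread.

```python
"""Triage helper for DDS autostart and service/driver lines (added example)."""
import re
from collections import defaultdict

# Constructed sample input: a few lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uRun: [EPSON Stylus Photo RX580] c:\windows\system32\spool\drivers\w32x86\3\e_fatibpa.exe /fu "c:\windows\temp\E_S93.tmp" /EF "HKCU"
mRun: [CTHelper] CTHELPER.EXE
mRun: [EPSON Stylus Photo RX580] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX580" /O5 "LPT1:" /M "Stylus Photo RX500"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-30 335240]
R3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\KTC111.SYS [2008-9-28 19016]
S3 Ctn78u2vca;Ctn78u2vca; [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-2 38224]
"""

# Layout assumed from the log: "R1 name;display;path [date size]", or
# "S3 name;display; [x]" when DDS could not find the driver file on disk.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<path>[^\[]*)\[(?P<meta>[^\]]*)\]\s*$"
)
# "uRun: [name] command" (per-user) / "mRun: [name] command" (machine-wide).
RUN_RE = re.compile(r"^(?P<scope>[um]Run):\s*\[(?P<name>[^\]]+)\]\s*(?P<command>.*?)\s*$")


def parse_dds(text):
    """Return (services, autostarts) parsed from a DDS log body."""
    services, autostarts = [], []
    for line in text.splitlines():
        line = line.strip()
        m = SERVICE_RE.match(line)
        if m:
            path = m.group("path").strip()
            meta = m.group("meta").strip()
            services.append({
                "state": m.group("state"),
                "name": m.group("name").strip(),
                "display": m.group("display").strip(),
                "path": path,
                # DDS prints "[x]" instead of "[date size]" when the file is absent.
                "file_missing": meta.lower() == "x" or not path,
            })
            continue
        m = RUN_RE.match(line)
        if m:
            autostarts.append({
                "scope": m.group("scope"),
                "name": m.group("name"),
                "command": m.group("command"),
            })
    return services, autostarts


def orphaned_services(services):
    """Names of service/driver entries whose binary DDS could not find."""
    return [s["name"] for s in services if s["file_missing"]]


def duplicate_autostarts(autostarts):
    """Autostart names registered more than once (across uRun and mRun)."""
    by_name = defaultdict(list)
    for entry in autostarts:
        by_name[entry["name"]].append((entry["scope"], entry["command"]))
    return {name: cmds for name, cmds in by_name.items() if len(cmds) > 1}


def triage(text):
    """Run both checks over a DDS log and return the findings."""
    services, autostarts = parse_dds(text)
    return {
        "orphaned_services": orphaned_services(services),
        "duplicate_autostarts": duplicate_autostarts(autostarts),
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_DDS)
    for name in findings["orphaned_services"]:
        print(f"driver entry with missing file: {name}")
    for name, cmds in findings["duplicate_autostarts"].items():
        print(f"autostart registered {len(cmds)} times: {name}")
        for scope, cmd in cmds:
            print(f"    {scope}: {cmd}")
```

On the sample it reports Ctn78u2vca as the only orphaned driver entry and EPSON Stylus Photo RX580 as the only name registered twice, which is exactly the pair the CFScript above removes. An orphaned driver service is a stale registry entry, not evidence of infection on its own; the point of flagging it is that a service whose file is gone can still stall tools that enumerate drivers.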

ComboFix 10-03-23.03 - Justin K 03/23/2010 17:04:05.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.595 [GMT -5:00]

Running from: c:\documents and settings\Justin K\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Justin K\Desktop\CFScript.txt

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Thumbs.db

c:\windows\COUPON~1.OCX

c:\windows\CouponPrinter.ocx

c:\windows\eSellerateEngine.dll

c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((( Files Created from 2010-02-23 to 2010-03-23 )))))))))))))))))))))))))))))))

.

2010-03-20 09:06 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-20 09:06 . 2010-03-20 09:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-20 09:06 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-15 01:30 . 2010-03-19 06:30 -------- d-----w- C:\robin luke

2010-03-10 10:48 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

2010-03-05 04:10 . 2010-03-09 11:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-03-05 04:10 . 2010-03-09 11:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-03-05 04:10 . 2010-03-09 11:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-03-05 04:10 . 2010-03-09 11:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-03-05 04:10 . 2010-03-09 11:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-03-05 04:10 . 2010-03-09 11:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-03-05 04:10 . 2010-03-09 11:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-03-05 04:10 . 2010-03-09 11:24 153184 ----a-w- c:\windows\system32\aswBoot.exe

2010-03-05 04:10 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-03-05 04:10 . 2010-03-05 04:10 -------- d-----w- c:\program files\Alwil Software

2010-03-05 04:10 . 2010-03-05 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-02-27 03:58 . 2010-02-27 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc

2010-02-27 03:58 . 2010-02-27 03:58 -------- d-----w- c:\program files\SmartSound Software

2010-02-27 03:55 . 2010-02-27 03:53 118520 ------w- c:\windows\system32\pxinsi64.exe

2010-02-27 03:55 . 2010-02-27 03:53 116472 ------w- c:\windows\system32\pxcpyi64.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-23 22:08 . 2008-09-29 21:30 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-0000000E-00001102-00000004-20021102}.dat

2010-03-23 22:08 . 2008-09-29 21:30 384 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-0000000E-00001102-00000004-20021102}.dat

2010-03-23 21:54 . 2008-09-30 00:21 -------- d-----w- c:\documents and settings\Justin K\Application Data\uTorrent

2010-03-23 01:27 . 2008-09-29 22:42 -------- d-----w- c:\program files\CCleaner

2010-03-12 23:46 . 2010-01-08 20:54 -------- d-----w- c:\program files\SpeedFan

2010-03-10 18:26 . 2008-09-29 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-03-10 00:48 . 2008-09-30 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2010-03-08 19:25 . 2009-02-14 23:20 -------- d-----w- c:\documents and settings\Justin K\Application Data\CoreFTP

2010-03-05 01:37 . 2008-10-18 02:52 -------- d-----w- c:\program files\Coupons

2010-02-27 05:15 . 2008-09-29 22:11 365768 ----a-w- c:\documents and settings\Justin K\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-27 03:59 . 2008-09-29 21:14 -------- d-----w- c:\program files\Common Files\InstallShield

2010-02-27 03:56 . 2008-10-17 01:20 -------- d-----w- c:\program files\Common Files\Adobe

2010-02-23 00:31 . 2008-09-30 06:26 -------- d-----w- c:\program files\AVG

2010-02-07 21:54 . 2010-02-07 21:54 -------- d-----w- c:\documents and settings\Justin K\Application Data\LEAPS

2010-02-07 21:51 . 2010-02-07 21:51 -------- d-----w- c:\program files\Pegasys Inc

2010-02-07 21:29 . 2010-02-07 21:29 -------- d-----w- c:\documents and settings\Justin K\Application Data\Pegasys Inc

2010-02-07 21:02 . 2010-02-07 21:01 -------- d-----w- c:\program files\K-Lite Codec Pack

2010-02-07 20:33 . 2010-02-07 20:33 -------- d-----w- c:\documents and settings\Justin K\Application Data\Panasonic

2010-02-07 20:24 . 2010-02-07 20:24 -------- d-----w- c:\program files\Panasonic

2010-02-07 20:24 . 2008-09-29 21:14 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-02-07 11:48 . 2010-02-07 11:48 -------- d-----w- c:\documents and settings\Justin K\Application Data\HandBrake

2010-02-07 11:48 . 2010-02-07 11:48 -------- d-----w- c:\program files\Handbrake

2010-02-05 09:47 . 2008-09-30 07:42 -------- d-----w- c:\documents and settings\Justin K\Application Data\foobar2000

2010-02-04 06:00 . 2010-02-04 06:00 -------- d-----w- c:\documents and settings\Justin K\Application Data\QuosaDDM

2010-02-02 18:00 . 2010-02-07 21:01 85504 ----a-w- c:\windows\system32\ff_vfw.dll

2010-01-30 02:38 . 2010-01-30 02:20 -------- d-----w- c:\documents and settings\Justin K\Application Data\ArcSoft

2010-01-30 02:28 . 2010-01-30 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft

2010-01-30 02:20 . 2010-01-30 02:20 -------- d-----w- c:\program files\Common Files\ArcSoft

2010-01-30 02:20 . 2010-01-30 02:20 -------- d-----w- c:\program files\ArcSoft

2010-01-18 15:47 . 2010-01-18 15:47 144160 ----a-w- c:\documents and settings\Justin K\Application Data\Move Networks\uninstall.exe

2010-01-18 15:47 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\Justin K\Application Data\Move Networks\plugins\npqmp071505000011.dll

2010-01-18 15:47 . 2010-01-18 15:46 1438976 ----a-w- c:\documents and settings\Justin K\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe

2009-12-31 16:50 . 2003-03-31 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

.

------- Sigcheck -------

[7] 2003-03-31 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys

c:\windows\System32\drivers\beep.sys ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTHelper"="CTHELPER.EXE" [2003-06-20 24576]

"AsioReg"="CTASIO.DLL" [2003-06-20 118784]

"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]

"EPSON Stylus Photo RX580"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-01 99840]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-9-29 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]

2008-08-14 12:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]

2008-07-04 21:00 109056 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]

2002-10-15 23:00 1818624 ----a-w- c:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]

2003-06-18 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

2003-07-02 15:03 57344 ----a-w- c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2008-12-17 07:49 133104 ----atw- c:\documents and settings\Justin K\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-10-26 06:37 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/4/2010 11:10 PM 162640]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/4/2010 11:10 PM 19024]

R3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\KTC111.SYS [9/28/2008 3:35 PM 19016]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/20/2010 4:06 AM 38224]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/18/2008 1:02 AM 717296]

.

Contents of the 'Scheduled Tasks' folder

2009-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-839522115-725345543-1004.job

- c:\documents and settings\Justin K\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 07:49]

.

.

------- Supplementary Scan -------

.

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: aol.com\free

FF - ProfilePath - c:\documents and settings\Justin K\Application Data\Mozilla\Firefox\Profiles\l53d1i86.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - plugin: c:\documents and settings\Justin K\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\Justin K\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-23 17:09

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2804)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\windows\system32\bgsvcgen.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

c:\windows\system32\wdfmgr.exe

.

**************************************************************************

.

Completion time: 2010-03-23 17:17:39 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-23 22:17

Pre-Run: 90,898,595,840 bytes free

Post-Run: 90,865,012,736 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 1A354709B5DAAADC401300FCD55E66E2

DDS (Ver_10-03-17.01) - NTFSx86

Run by Justin K at 17:20:38.09 on Tue 03/23/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.650 [GMT -5:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\WINDOWS\system32\bgsvcgen.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Justin K\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

mRun: [CTHelper] CTHELPER.EXE

mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

mRun: [sBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [EPSON Stylus Photo RX580] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX580" /O5 "LPT1:" /M "Stylus Photo RX500"

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: aol.com\free

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\justin~1\applic~1\mozilla\firefox\profiles\l53d1i86.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-4 162640]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-4 19024]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 40384]

R3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\KTC111.SYS [2008-9-28 19016]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 40384]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 40384]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-20 38224]

=============== Created Last 30 ================

2010-03-23 22:00:58 0 d-sha-r- C:\cmdcons

2010-03-23 21:59:40 98816 ----a-w- c:\windows\sed.exe

2010-03-23 21:59:40 77312 ----a-w- c:\windows\MBR.exe

2010-03-23 21:59:40 261632 ----a-w- c:\windows\PEV.exe

2010-03-23 21:59:40 161792 ----a-w- c:\windows\SWREG.exe

2010-03-23 21:53:44 20 ----a-w- c:\documents and settings\justin k\defogger_reenable

2010-03-20 09:06:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-20 09:06:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-20 09:06:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-15 01:30:04 0 d-----w- C:\robin luke

2010-03-10 10:48:32 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

2010-03-05 04:10:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-02-27 03:58:37 0 d-----w- c:\docume~1\alluse~1\applic~1\SmartSound Software Inc

2010-02-27 03:58:20 0 d-----w- c:\program files\SmartSound Software

2010-02-27 03:55:06 118520 ------w- c:\windows\system32\pxinsi64.exe

2010-02-27 03:55:06 116472 ------w- c:\windows\system32\pxcpyi64.exe

==================== Find3M ====================

2010-02-02 18:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll

2008-09-30 18:47:10 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008093020081001\index.dat

============= FINISH: 17:20:48.59 ===============


  • Staff

Hi,

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

DDS::

mRun: [EPSON Stylus Photo RX580] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX580" /O5 "LPT1:" /M "Stylus Photo RX500"

KILLALL::

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new DDS log.

Restart your computer and see if the issue has been permanently resolved.

-screen317


It worked! Thanks!

ComboFix

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))

.

2010-03-20 09:06 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-20 09:06 . 2010-03-20 09:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-20 09:06 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-10 10:48 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

2010-03-05 04:10 . 2010-03-09 11:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-03-05 04:10 . 2010-03-09 11:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-03-05 04:10 . 2010-03-09 11:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-03-05 04:10 . 2010-03-09 11:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-03-05 04:10 . 2010-03-09 11:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-03-05 04:10 . 2010-03-09 11:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-03-05 04:10 . 2010-03-09 11:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-03-05 04:10 . 2010-03-09 11:24 153184 ----a-w- c:\windows\system32\aswBoot.exe

2010-03-05 04:10 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-03-05 04:10 . 2010-03-05 04:10 -------- d-----w- c:\program files\Alwil Software

2010-03-05 04:10 . 2010-03-05 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-30 06:26 . 2008-09-29 21:30 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-0000000E-00001102-00000004-20021102}.dat

2010-03-30 06:26 . 2008-09-29 21:30 384 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-0000000E-00001102-00000004-20021102}.dat

2010-03-29 22:58 . 2008-09-30 00:21 -------- d-----w- c:\documents and settings\Justin K\Application Data\uTorrent

2010-03-26 06:45 . 2009-07-13 21:19 -------- d-----w- c:\documents and settings\Justin K\Application Data\vlc

2010-03-23 01:27 . 2008-09-29 22:42 -------- d-----w- c:\program files\CCleaner

2010-03-12 23:46 . 2010-01-08 20:54 -------- d-----w- c:\program files\SpeedFan

2010-03-10 18:26 . 2008-09-29 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-03-10 00:48 . 2008-09-30 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2010-03-08 19:25 . 2009-02-14 23:20 -------- d-----w- c:\documents and settings\Justin K\Application Data\CoreFTP

2010-03-05 01:37 . 2008-10-18 02:52 -------- d-----w- c:\program files\Coupons

2010-02-27 05:15 . 2008-09-29 22:11 365768 ----a-w- c:\documents and settings\Justin K\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-27 03:59 . 2010-02-27 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc

2010-02-27 03:59 . 2008-09-29 21:14 -------- d-----w- c:\program files\Common Files\InstallShield

2010-02-27 03:58 . 2010-02-27 03:58 -------- d-----w- c:\program files\SmartSound Software

2010-02-27 03:56 . 2008-10-17 01:20 -------- d-----w- c:\program files\Common Files\Adobe

2010-02-27 03:53 . 2010-02-27 03:55 118520 ------w- c:\windows\system32\pxinsi64.exe

2010-02-27 03:53 . 2010-02-27 03:55 116472 ------w- c:\windows\system32\pxcpyi64.exe

2010-02-23 00:31 . 2008-09-30 06:26 -------- d-----w- c:\program files\AVG

2010-02-07 21:54 . 2010-02-07 21:54 -------- d-----w- c:\documents and settings\Justin K\Application Data\LEAPS

2010-02-07 21:51 . 2010-02-07 21:51 -------- d-----w- c:\program files\Pegasys Inc

2010-02-07 21:29 . 2010-02-07 21:29 -------- d-----w- c:\documents and settings\Justin K\Application Data\Pegasys Inc

2010-02-07 21:02 . 2010-02-07 21:01 -------- d-----w- c:\program files\K-Lite Codec Pack

2010-02-07 20:33 . 2010-02-07 20:33 -------- d-----w- c:\documents and settings\Justin K\Application Data\Panasonic

2010-02-07 20:24 . 2010-02-07 20:24 -------- d-----w- c:\program files\Panasonic

2010-02-07 20:24 . 2008-09-29 21:14 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-02-07 11:48 . 2010-02-07 11:48 -------- d-----w- c:\documents and settings\Justin K\Application Data\HandBrake

2010-02-07 11:48 . 2010-02-07 11:48 -------- d-----w- c:\program files\Handbrake

2010-02-05 09:47 . 2008-09-30 07:42 -------- d-----w- c:\documents and settings\Justin K\Application Data\foobar2000

2010-02-04 06:00 . 2010-02-04 06:00 -------- d-----w- c:\documents and settings\Justin K\Application Data\QuosaDDM

2010-02-02 18:00 . 2010-02-07 21:01 85504 ----a-w- c:\windows\system32\ff_vfw.dll

2010-01-30 02:38 . 2010-01-30 02:20 -------- d-----w- c:\documents and settings\Justin K\Application Data\ArcSoft

2010-01-30 02:28 . 2010-01-30 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft

2010-01-30 02:20 . 2010-01-30 02:20 -------- d-----w- c:\program files\Common Files\ArcSoft

2010-01-30 02:20 . 2010-01-30 02:20 -------- d-----w- c:\program files\ArcSoft

2009-12-31 16:50 . 2003-03-31 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

.

------- Sigcheck -------

[7] 2003-03-31 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys

c:\windows\System32\drivers\beep.sys ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTHelper"="CTHELPER.EXE" [2003-06-20 24576]

"AsioReg"="CTASIO.DLL" [2003-06-20 118784]

"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-9-29 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]

2008-08-14 12:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]

2008-07-04 21:00 109056 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]

2002-10-15 23:00 1818624 ----a-w- c:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]

2003-06-18 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

2003-07-02 15:03 57344 ----a-w- c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2008-12-17 07:49 133104 ----atw- c:\documents and settings\Justin K\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-10-26 06:37 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/4/2010 11:10 PM 162640]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/4/2010 11:10 PM 19024]

R3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\KTC111.SYS [9/28/2008 3:35 PM 19016]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [3/20/2010 4:06 AM 38224]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/18/2008 1:02 AM 717296]

.

Contents of the 'Scheduled Tasks' folder

2009-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-839522115-725345543-1004.job

- c:\documents and settings\Justin K\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 07:49]

.

.

------- Supplementary Scan -------

.

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: aol.com\free

FF - ProfilePath - c:\documents and settings\Justin K\Application Data\Mozilla\Firefox\Profiles\l53d1i86.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - plugin: c:\documents and settings\Justin K\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\Justin K\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-30 01:28

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(984)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

.

**************************************************************************

.

Completion time: 2010-03-30 01:36:04 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-30 06:36

Pre-Run: 101,159,624,704 bytes free

Post-Run: 101,127,028,736 bytes free

DDS (Ver_10-03-17.01) - NTFSx86

Run by Justin K at 1:53:11.98 on Tue 03/30/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.566 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

svchost.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Justin K\My Documents\mb\dds.scr

============== Pseudo HJT Report ===============

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

mRun: [CTHelper] CTHELPER.EXE

mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

mRun: [sBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: aol.com\free

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\justin~1\applic~1\mozilla\firefox\profiles\l53d1i86.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - plugin: c:\documents and settings\justin k\application data\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\justin k\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-4 162640]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-4 19024]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 40384]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 40384]

R3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\KTC111.SYS [2008-9-28 19016]

=============== Created Last 30 ================

2010-03-30 06:40:52 699904 ----a-w- c:\windows\isRS-000.tmp

2010-03-23 22:00:58 0 d-sha-r- C:\cmdcons

2010-03-23 21:59:40 98816 ----a-w- c:\windows\sed.exe

2010-03-23 21:59:40 77312 ----a-w- c:\windows\MBR.exe

2010-03-23 21:59:40 261632 ----a-w- c:\windows\PEV.exe

2010-03-23 21:59:40 161792 ----a-w- c:\windows\SWREG.exe

2010-03-23 21:53:44 20 ----a-w- c:\documents and settings\justin k\defogger_reenable

2010-03-20 09:06:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-20 09:06:37 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-20 09:06:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-10 10:48:32 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

2010-03-05 04:10:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

==================== Find3M ====================

2010-02-27 03:53:34 118520 ------w- c:\windows\system32\pxinsi64.exe

2010-02-27 03:53:34 116472 ------w- c:\windows\system32\pxcpyi64.exe

2010-02-02 18:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll

2008-09-30 18:47:10 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008093020081001\index.dat

============= FINISH: 1:53:38.12 ===============

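Both DDS logs in this thread carry a SERVICES / DRIVERS section, and the useful question when reading the second one is what changed since the first. The script below is an added example, not code from the thread or from DDS/ComboFix: it parses those lines (the R/S prefix is running/stopped and the digit is the start type, then service name, display name, image path, file date and size) and diffs two snapshots. The sample input is the service list from the DDS log posted before the CFScript run and the one posted after it; the function and class names are my own.

```python
"""Diff the SERVICES / DRIVERS section of two DDS logs.

Each line has the form
    <state> <service name>;<display name>;<image path> [<date> <size>]
where state is R<n> (running) or S<n> (stopped) and <n> is the start type.
"""
import re
from dataclasses import asdict, dataclass
from typing import Dict, List, Tuple

# Sample input copied from the two DDS logs posted in this thread:
# the log before the CFScript run and the log posted after it.
DDS_BEFORE = r"""
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-4 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-4 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 40384]
R3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\KTC111.SYS [2008-9-28 19016]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 40384]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-20 38224]
"""

DDS_AFTER = r"""
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-4 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-4 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 40384]
R3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\KTC111.SYS [2008-9-28 19016]
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\S+)\s+(?P<size>\d+)\]\s*$"
)


@dataclass(frozen=True)
class ServiceEntry:
    state: str    # e.g. "R2": R = running / S = stopped, digit = start type
    name: str
    display: str
    path: str     # lower-cased so case-only differences do not show as changes
    date: str
    size: int


def parse_services(text: str) -> Dict[str, ServiceEntry]:
    """Parse service/driver lines into a dict keyed by service name.
    Lines that do not match the format (headers, blanks) are skipped."""
    entries: Dict[str, ServiceEntry] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = ServiceEntry(
            state=m["state"], name=m["name"], display=m["display"],
            path=m["path"].lower(), date=m["date"], size=int(m["size"]),
        )
        entries[entry.name] = entry
    return entries


def diff_services(before: Dict[str, ServiceEntry],
                  after: Dict[str, ServiceEntry]) -> Dict[str, list]:
    """Return names added/removed and per-field changes as (name, field, old, new)."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed: List[Tuple[str, str, object, object]] = []
    for name in sorted(set(before) & set(after)):
        old, new = asdict(before[name]), asdict(after[name])
        for field in ("state", "path", "size", "date"):
            if old[field] != new[field]:
                changed.append((name, field, old[field], new[field]))
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    result = diff_services(parse_services(DDS_BEFORE), parse_services(DDS_AFTER))
    for name in result["added"]:
        print(f"+ {name}")
    for name in result["removed"]:
        print(f"- {name}")
    for name, field, old, new in result["changed"]:
        print(f"~ {name}: {field} {old} -> {new}")
```

On the two logs above the diff reports MBAMSwissArmy as no longer listed and the avast! Mail Scanner and Web Scanner entries moving from S3 to R3; a changed image path or size on an entry that should not have changed is the case this kind of baseline diff is really for.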

  • Staff

Great.

Hmm, something odd appeared though. Did you make any hardware or software changes recently?

Please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

FCOPY::

c:\windows\system32\dllcache\beep.sys | c:\windows\System32\drivers\beep.sys

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

-screen317


Hello, I've never used HijackThis. Can you give me a link to download it?

I don't think I've made any changes too recently. I know a long time ago (a year maybe? quite a while) Malwarebytes found something with the "beep" file and removed it. Not sure if that has anything to do with what you're concerned about, though.


  • Staff

Hi,

Please use the ADDREPLY button to reply instead of the "REPLY" button.

Don't worry about HijackThis; run DDS instead and post DDS.txt; also, do run the CFScript as instructed above. This will restore the beep.sys file that was previously infected and quarantined. Post the resultant log from ComboFix.


ComboFix 10-04-01.02 - Justin K 04/03/2010 1:48.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.612 [GMT -5:00]

Running from: c:\documents and settings\Justin K\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Justin K\Desktop\CFScript.txt

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\AppPatch\AcAdProc.dll

.

--------------- FCopy ---------------

c:\windows\system32\dllcache\beep.sys --> c:\windows\System32\drivers\beep.sys

.

((((((((((((((((((((((((( Files Created from 2010-03-03 to 2010-04-03 )))))))))))))))))))))))))))))))

.

2010-04-03 06:48 . 2003-03-31 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys

2010-04-03 06:48 . 2003-03-31 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys

2010-03-20 09:06 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-20 09:06 . 2010-03-30 06:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-20 09:06 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-10 10:48 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

2010-03-05 04:10 . 2010-03-09 11:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-03-05 04:10 . 2010-03-09 11:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-03-05 04:10 . 2010-03-09 11:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-03-05 04:10 . 2010-03-09 11:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-03-05 04:10 . 2010-03-09 11:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-03-05 04:10 . 2010-03-09 11:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-03-05 04:10 . 2010-03-09 11:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-03-05 04:10 . 2010-03-09 11:24 153184 ----a-w- c:\windows\system32\aswBoot.exe

2010-03-05 04:10 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-03-05 04:10 . 2010-03-05 04:10 -------- d-----w- c:\program files\Alwil Software

2010-03-05 04:10 . 2010-03-05 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-03 06:55 . 2008-09-29 21:30 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-0000000E-00001102-00000004-20021102}.dat

2010-04-03 06:55 . 2008-09-29 21:30 384 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-0000000E-00001102-00000004-20021102}.dat

2010-04-03 06:47 . 2008-09-30 00:21 -------- d-----w- c:\documents and settings\Justin K\Application Data\uTorrent

2010-04-02 21:30 . 2008-09-30 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2010-03-26 06:45 . 2009-07-13 21:19 -------- d-----w- c:\documents and settings\Justin K\Application Data\vlc

2010-03-23 01:27 . 2008-09-29 22:42 -------- d-----w- c:\program files\CCleaner

2010-03-12 23:46 . 2010-01-08 20:54 -------- d-----w- c:\program files\SpeedFan

2010-03-10 18:26 . 2008-09-29 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-03-08 19:25 . 2009-02-14 23:20 -------- d-----w- c:\documents and settings\Justin K\Application Data\CoreFTP

2010-03-05 01:37 . 2008-10-18 02:52 -------- d-----w- c:\program files\Coupons

2010-02-27 05:15 . 2008-09-29 22:11 365768 ----a-w- c:\documents and settings\Justin K\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-27 03:59 . 2010-02-27 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc

2010-02-27 03:59 . 2008-09-29 21:14 -------- d-----w- c:\program files\Common Files\InstallShield

2010-02-27 03:58 . 2010-02-27 03:58 -------- d-----w- c:\program files\SmartSound Software

2010-02-27 03:56 . 2008-10-17 01:20 -------- d-----w- c:\program files\Common Files\Adobe

2010-02-27 03:53 . 2010-02-27 03:55 118520 ------w- c:\windows\system32\pxinsi64.exe

2010-02-27 03:53 . 2010-02-27 03:55 116472 ------w- c:\windows\system32\pxcpyi64.exe

2010-02-25 06:24 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-23 00:31 . 2008-09-30 06:26 -------- d-----w- c:\program files\AVG

2010-02-07 21:54 . 2010-02-07 21:54 -------- d-----w- c:\documents and settings\Justin K\Application Data\LEAPS

2010-02-07 21:51 . 2010-02-07 21:51 -------- d-----w- c:\program files\Pegasys Inc

2010-02-07 21:29 . 2010-02-07 21:29 -------- d-----w- c:\documents and settings\Justin K\Application Data\Pegasys Inc

2010-02-07 21:02 . 2010-02-07 21:01 -------- d-----w- c:\program files\K-Lite Codec Pack

2010-02-07 20:33 . 2010-02-07 20:33 -------- d-----w- c:\documents and settings\Justin K\Application Data\Panasonic

2010-02-07 20:24 . 2010-02-07 20:24 -------- d-----w- c:\program files\Panasonic

2010-02-07 20:24 . 2008-09-29 21:14 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-02-07 11:48 . 2010-02-07 11:48 -------- d-----w- c:\documents and settings\Justin K\Application Data\HandBrake

2010-02-07 11:48 . 2010-02-07 11:48 -------- d-----w- c:\program files\Handbrake

2010-02-05 09:47 . 2008-09-30 07:42 -------- d-----w- c:\documents and settings\Justin K\Application Data\foobar2000

2010-02-04 06:00 . 2010-02-04 06:00 -------- d-----w- c:\documents and settings\Justin K\Application Data\QuosaDDM

2010-02-02 18:00 . 2010-02-07 21:01 85504 ----a-w- c:\windows\system32\ff_vfw.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTHelper"="CTHELPER.EXE" [2003-06-20 24576]

"AsioReg"="CTASIO.DLL" [2003-06-20 118784]

"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-9-29 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]

2008-08-14 12:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]

2008-07-04 21:00 109056 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]

2002-10-15 23:00 1818624 ----a-w- c:\windows\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]

2003-06-18 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

2003-07-02 15:03 57344 ----a-w- c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2008-12-17 07:49 133104 ----atw- c:\documents and settings\Justin K\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-10-26 06:37 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/4/2010 11:10 PM 162640]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/4/2010 11:10 PM 19024]

R3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\KTC111.SYS [9/28/2008 3:35 PM 19016]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/18/2008 1:02 AM 717296]

.

Contents of the 'Scheduled Tasks' folder

2009-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-839522115-725345543-1004.job

- c:\documents and settings\Justin K\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-17 07:49]

.

.

------- Supplementary Scan -------

.

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: aol.com\free

FF - ProfilePath - c:\documents and settings\Justin K\Application Data\Mozilla\Firefox\Profiles\l53d1i86.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - plugin: c:\documents and settings\Justin K\Application Data\Move Networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\Justin K\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-03 01:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3784)

c:\windows\system32\WININET.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

.

**************************************************************************

.

Completion time: 2010-04-03 02:05:45 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-03 07:05

ComboFix2.txt 2010-03-30 06:36

Pre-Run: 95,391,637,504 bytes free

Post-Run: 95,357,800,448 bytes free

- - End Of File - - EF208EB1BFE4609D882EA912C66E0DA7

DDS (Ver_10-03-17.01) - NTFSx86

Run by Justin K at 2:10:57.60 on Sat 04/03/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_10

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.565 [GMT -5:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Justin K\My Documents\mb\dds.scr

============== Pseudo HJT Report ===============

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

mRun: [CTHelper] CTHELPER.EXE

mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

mRun: [sBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: aol.com\free

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\justin~1\applic~1\mozilla\firefox\profiles\l53d1i86.default\

FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - plugin: c:\documents and settings\justin k\application data\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\documents and settings\justin k\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-4 162640]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-4 19024]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 40384]

R3 KTC111;Kingston EtherRx KNE111TX NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\KTC111.SYS [2008-9-28 19016]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 40384]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-4 40384]

=============== Created Last 30 ================

2010-04-03 06:48:26 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys

2010-04-03 06:48:26 4224 ------w- c:\windows\system32\drivers\beep.sys

2010-03-23 22:00:58 0 d-sha-r- C:\cmdcons

2010-03-23 21:59:40 98816 ----a-w- c:\windows\sed.exe

2010-03-23 21:59:40 77312 ----a-w- c:\windows\MBR.exe

2010-03-23 21:59:40 261632 ----a-w- c:\windows\PEV.exe

2010-03-23 21:59:40 161792 ----a-w- c:\windows\SWREG.exe

2010-03-23 21:53:44 20 ----a-w- c:\documents and settings\justin k\defogger_reenable

2010-03-20 09:06:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-20 09:06:37 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-20 09:06:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-10 10:48:32 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

2010-03-05 04:10:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

==================== Find3M ====================

2010-02-27 03:53:34 118520 ------w- c:\windows\system32\pxinsi64.exe

2010-02-27 03:53:34 116472 ------w- c:\windows\system32\pxcpyi64.exe

2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll

2010-02-02 18:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll

2008-09-30 18:47:10 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008093020081001\index.dat

============= FINISH: 2:11:07.89 ===============

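The CFScript above copies beep.sys from dllcache back into the drivers folder, and the two DDS logs the poster attached (one taken before the script ran, one after) are the record of that change. As an added example for this thread, not a DDS, ComboFix or Malwarebytes tool, the Python script below parses the "Created Last 30" and "Find3M" sections of two DDS logs and reports which entries appeared, changed or vanished between them. The sample lines are excerpted from the two DDS logs in this thread (the "Created Last 30" header of the first log falls outside the excerpt and is reconstructed from the second), and the assumed line layout is date, time, size, attribute flags, path.

```python
"""Diff the 'Created Last 30' and 'Find3M' sections of two DDS logs.

Added example for this thread, not a DDS, ComboFix or Malwarebytes tool.
Assumed DDS line layout: '<date> <time> <size> <attrs> <path>'.
"""
import re
from dataclasses import dataclass

# One DDS file entry; the attribute field is 8 characters ('----a-w-', 'd-sha-r-', ...).
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)
SECTIONS = {"created last 30", "find3m"}


@dataclass(frozen=True)
class Entry:
    date: str
    time: str
    size: int
    attrs: str
    path: str  # lower-cased so 'C:\cmdcons' and 'c:\cmdcons' compare equal


def parse_dds(text):
    """Map lower-cased path -> Entry for every line inside the sections in SECTIONS."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):
            # Section headers look like '=========== Find3M ==========='.
            in_section = line.strip("= ").lower() in SECTIONS
            continue
        if not in_section:
            continue
        m = DDS_LINE.match(line)
        if m:
            path = m["path"].lower()
            entries[path] = Entry(m["date"], m["time"], int(m["size"]), m["attrs"], path)
    return entries


def diff_logs(before_text, after_text):
    """Return (added, changed, removed) path lists between two DDS logs."""
    before = parse_dds(before_text)
    after = parse_dds(after_text)
    added = sorted(p for p in after if p not in before)
    changed = sorted(p for p in after if p in before and after[p] != before[p])
    removed = sorted(p for p in before if p not in after)
    return added, changed, removed


def matching_copies(entries, filename):
    """Sizes of every entry named filename, e.g. the dllcache and drivers copies of beep.sys."""
    return {e.path: e.size for e in entries.values() if e.path.endswith("\\" + filename)}


# Sample lines excerpted from the two DDS logs in the thread (not the complete logs).
BEFORE = r"""
=============== Created Last 30 ================
2010-03-23 22:00:58 0 d-sha-r- C:\cmdcons
2010-03-23 21:59:40 98816 ----a-w- c:\windows\sed.exe
2010-03-20 09:06:37 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
==================== Find3M ====================
2010-02-27 03:53:34 118520 ------w- c:\windows\system32\pxinsi64.exe
2010-02-02 18:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
============= FINISH: 1:53:38.12 ===============
"""

AFTER = r"""
=============== Created Last 30 ================
2010-04-03 06:48:26 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2010-04-03 06:48:26 4224 ------w- c:\windows\system32\drivers\beep.sys
2010-03-23 22:00:58 0 d-sha-r- C:\cmdcons
2010-03-23 21:59:40 98816 ----a-w- c:\windows\sed.exe
2010-03-20 09:06:37 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
==================== Find3M ====================
2010-02-27 03:53:34 118520 ------w- c:\windows\system32\pxinsi64.exe
2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll
2010-02-02 18:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
============= FINISH: 2:11:07.89 ===============
"""

if __name__ == "__main__":
    added, changed, removed = diff_logs(BEFORE, AFTER)
    print("added:", *added, sep="\n  ")
    print("changed:", *changed, sep="\n  ")
    print("removed:", *removed, sep="\n  ")
    print("beep.sys copies:", matching_copies(parse_dds(AFTER), "beep.sys"))
```

Run on these samples it lists the two restored beep.sys copies and the updated wininet.dll as the only new entries, with nothing changed or removed, which is the quick confirmation a helper wants before moving on to the leftover-malware check. The matching_copies check is there for the failure case the thread does not hit: a restored driver whose size differs from the dllcache copy it was supposed to be copied from.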

  • Staff

Things look good from here.

Let's check for any leftover malware.

Please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-screen317


No malware found

Statistics

Scanned:

* Files: 58433

* System: 3110

* Not scanned: 6

Actions:

* Disinfected: 0

* Renamed: 0

* Deleted: 0

* Not cleaned: 0

* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS

* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

* C:\WINDOWS\SYSTEM32\CONFIG\SAM

* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options

Scanning engines:

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

* Use advanced heuristics

Results of screen317's Security Check version 0.99.2

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

avast! Free Antivirus

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

CCleaner

Java 6 Update 10

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader 9.3

````````````````````````````````

Process Check:

objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe

ALWILS~1 Avast5 avastUI.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java


I get a "Windows cannot find 'Combofix'" when I type that in the Run box. Also, I couldn't find SecurityCheck in my list of programs.

I did get the new version of java, though.

My only real problem before was that Malwarebytes wouldn't work, so now that it does, I'm happy. Thanks for all the help!
