
Problems with MBAM crashing


Hi!

I posted the following in the General forum and was redirected here.

I seem to have difficulty running MBAM. When it reaches the file "C:\windows\system32\pintlpad.hlp", it simply crashes. And then drwatson32.exe also crashes right after.

I am unable to complete a MBAM scan and GMER gives me a BSOD when it gets to the "save" stage.

DDS (Ver_10-03-17.01) - NTFSx86

Run by sugar at 23:03:04.82 on 08/13/2010 Fri

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.2046.1206 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Sony\ISB Utility\ISBMgr.exe

C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe

C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe

C:\Program Files\Winamp\Winampa.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Winamp\winamp.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\conime.exe

C:\Documents and Settings\sugar\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\sugar\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\AVG\AVG8\avgui.exe

C:\Program Files\AVG\AVG8\avgscanx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Documents and Settings\sugar\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\sugar\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: NTIECatcher Class: {c56cb6b0-0d96-11d6-8c65-b2868b609932} - c:\program files\xi\nettransport 2\NTIEHelper.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl

uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background

mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup

mRun: [Apoint] "c:\program files\apoint\Apoint.exe"

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [iSBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"

mRun: [sonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"

mRun: [switcher.exe] "c:\program files\sony\wireless switch setting utility\Switcher.exe"

mRun: [VAIO Update 3] "c:\program files\sony\vaio update 3\VAIOUpdt.exe" /Stationary

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [VAIO Recovery] "c:\windows\sonysys\vaio recovery\PartSeal.exe"

mRun: [WinampAgent] "c:\program files\winamp\Winampa.exe"

mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Net Transport??????? - c:\program files\xi\nettransport 2\NTAddLink.html

IE: ???Net Transport??????? - c:\program files\xi\nettransport 2\NTAddList.html

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

Notify: psfus - c:\windows\system32\psqlpwd.dll

Notify: VESWinlogon - VESWinlogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli psqlpwd

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sugar\applic~1\mozilla\firefox\profiles\78txwsu3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.registrar.ucla.edu/schedule/detselect.aspx?termsel=09S&subareasel=CHIN&idxcrs=0185++++

FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [2007-11-6 14720]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-19 335240]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-19 27784]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-19 108552]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-10-21 908056]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-21 297752]

R2 PCID32;PCID32;c:\windows\system32\drivers\pcid32.sys [2010-5-18 7271]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-11-6 41216]

R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2007-11-6 71961]

R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-11-6 812544]

S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2007-11-6 31104]

S3 XDva349;XDva349;\??\c:\windows\system32\xdva349.sys --> c:\windows\system32\XDva349.sys [?]

S3 XDva356;XDva356;\??\c:\windows\system32\xdva356.sys --> c:\windows\system32\XDva356.sys [?]

=============== Created Last 30 ================

2010-08-14 01:03:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-14 01:03:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-14 01:03:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-14 00:07:08 0 d-----w- c:\windows\system32\wbem\Repository

2010-08-12 03:46:04 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-08-12 03:46:04 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-07-28 22:24:57 0 d-----w- C:\gPotato

2010-07-28 21:22:39 0 d-----w- c:\docume~1\alluse~1\applic~1\PMB Files

2010-07-28 21:21:32 0 d-----w- c:\program files\Pando Networks

==================== Find3M ====================

2009-12-23 05:45:04 88 --sh--r- c:\windows\system32\0D3B9F4113.sys

2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll

2009-12-23 05:45:11 2672 --sha-w- c:\windows\system32\KGyGaAvL.sys

2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll

2007-11-06 21:14:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

2008-06-25 02:21:19 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062420080625\index.dat

============= FINISH: 23:04:17.09 ===============


  • Root Admin

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


Hi!

Here's my combofix log.

ComboFix 10-08-12.03 - sugar 4/2010 Sat 9:38.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.2046.1337 [GMT -7:00]

Running from: c:\documents and settings\sugar\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Thumbs.db

c:\windows\system32\favicon.ico

c:\windows\system32\Thumbs.db

.

((((((((((((((((((((((((( Files Created from 2010-07-14 to 2010-08-14 )))))))))))))))))))))))))))))))

.

2010-08-14 06:19 . 2010-08-14 06:19 -------- d-----w- c:\windows\system32\wbem\Repository

2010-08-14 01:03 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-14 01:03 . 2010-08-14 01:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-14 01:03 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-12 03:46 . 2004-08-04 05:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-08-12 03:46 . 2004-08-04 05:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-07-28 22:24 . 2010-07-28 22:24 -------- d-----w- C:\gPotato

2010-07-28 21:22 . 2010-07-28 22:35 -------- d-----w- c:\documents and settings\sugar\Local Settings\Application Data\PMB Files

2010-07-28 21:22 . 2010-07-28 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files

2010-07-28 21:21 . 2010-07-28 21:21 -------- d-----w- c:\program files\Pando Networks

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-14 02:35 . 2009-02-18 07:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-08-13 09:44 . 2010-06-01 04:52 -------- d-----w- c:\documents and settings\sugar\Application Data\Skype

2010-08-13 09:35 . 2009-03-03 07:24 -------- d-----w- c:\program files\mIRC

2010-08-13 06:02 . 2010-06-01 04:54 -------- d-----w- c:\documents and settings\sugar\Application Data\skypePM

2010-08-12 09:11 . 2008-06-23 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-08-11 20:57 . 2010-05-18 22:43 -------- d-----w- c:\program files\Panasonic

2010-08-11 20:57 . 2007-11-06 21:19 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-17 23:45 . 2008-06-25 06:02 -------- d-----w- c:\program files\AIM

2010-06-14 14:30 . 2007-11-06 19:17 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-01 04:54 . 2010-06-01 04:54 56 ---ha-w- c:\windows\system32\ezsidmv.dat

2009-02-20 05:48 . 2008-09-25 06:49 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2009-02-20 05:48 . 2008-09-25 06:49 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2009-02-20 05:48 . 2008-09-25 06:49 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2009-02-20 05:48 . 2008-09-25 06:49 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2009-02-20 05:48 . 2008-09-25 06:49 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

2009-12-23 05:45 . 2008-06-29 02:08 88 --sh--r- c:\windows\system32\0D3B9F4113.sys

2006-05-03 09:06 . 2009-10-20 05:33 163328 --sh--r- c:\windows\system32\flvDX.dll

2009-12-23 05:45 . 2008-06-29 02:08 2672 --sha-w- c:\windows\system32\KGyGaAvL.sys

2007-02-21 10:47 . 2009-10-20 05:33 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 12:30 . 2009-10-20 05:33 216064 --sh--r- c:\windows\system32\nbDX.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]

@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"

[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]

2007-06-06 07:16 2955264 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]

@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"

[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]

2007-06-06 07:16 2955264 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AIM"="c:\program files\AIM\aim.exe" [2004-04-27 61440]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-27 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-12 8491008]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-09-06 118784]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848]

"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]

"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2007-09-28 217088]

"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2007-01-24 176128]

"VAIO Update 3"="c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe" [2007-05-31 551032]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-17 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-17 162328]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2002-04-26 12288]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-25 333120]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-08 2048352]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-6-26 113664]

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-5-22 2756608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-22 04:18 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2007-06-06 07:03 90112 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2007-05-17 04:50 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\WinSCP\\WinSCP.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"58921:TCP"= 58921:TCP:Pando Media Booster

"58921:UDP"= 58921:UDP:Pando Media Booster

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [11/6/2007 11:05 AM 14720]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/19/2008 7:45 PM 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/19/2008 7:45 PM 108552]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/21/2008 2:30 PM 908056]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/21/2008 2:30 PM 297752]

R2 PCID32;PCID32;c:\windows\system32\drivers\pcid32.sys [5/18/2010 3:44 PM 7271]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [11/6/2007 11:05 AM 41216]

R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [11/6/2007 4:13 AM 71961]

R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [11/6/2007 11:05 AM 812544]

S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [11/6/2007 11:05 AM 31104]

S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]

S3 XDva356;XDva356;\??\c:\windows\system32\XDva356.sys --> c:\windows\system32\XDva356.sys [?]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Net Transport??????? - c:\program files\Xi\NetTransport 2\NTAddLink.html

IE: ???Net Transport??????? - c:\program files\Xi\NetTransport 2\NTAddList.html

FF - ProfilePath - c:\documents and settings\sugar\Application Data\Mozilla\Firefox\Profiles\78txwsu3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.registrar.ucla.edu/schedule/detselect.aspx?termsel=09S&subareasel=CHIN&idxcrs=0185++++

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-14 09:42

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\program files\Protector Suite QL\infra.dll

c:\program files\Protector Suite QL\homepass.dll

c:\program files\Protector Suite QL\bio.dll

c:\program files\Protector Suite QL\remote.dll

c:\windows\system32\VESWinlogon.dll

c:\windows\system32\imjp81.ime

c:\windows\system32\imjp81k.dll

c:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC

- - - - - - - > 'lsass.exe'(1036)

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\program files\Protector Suite QL\infra.dll

.

Completion time: 2010-08-14 09:44:32

ComboFix-quarantined-files.txt 2010-08-14 16:44

ComboFix2.txt 2009-02-20 09:33

Pre-Run: 3,080,118,272 bytes free

Post-Run: 3,101,683,712 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 45F79C96D7AD2E2D2FBE5874E24CD786


  • Root Admin

The issue appears to possibly be due to the language used on your system.

Please check for updates and then go to the Settings tab then on the Scanner Settings and disable the Heuristics.Shuriken feature and try the scan again and let me know if you're still having issues.


Hi!

I was able to finish both a quick scan and a full scan. Both logs are posted below.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4439

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

8/17/2010 9:39:21 PM

mbam-log-2010-08-17 (21-39-21).txt

Scan type: Quick scan

Objects scanned: 141905

Time elapsed: 9 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4439

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

8/17/2010 11:56:54 PM

mbam-log-2010-08-17 (23-56-54).txt

Scan type: Full scan (C:\|)

Objects scanned: 319157

Time elapsed: 2 hour(s), 12 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{7E8DCA0E-BBAF-42B3-9A6B-2B8D986D1829}\RP657\A0086927.sys (Trojan.Agent.Gen) -> Quarantined and deleted successfully.


  • Root Admin

Please clear your restore points as shown below.

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory that your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN and type in %SystemRoot%\system32\restore\rstrui.exe and click OK.
  • Choose the radio button marked "Create a Restore Point" on the first screen, then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available, remove them also.
  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.

Make sure to remove any old versions of Java and only have the latest version installed, then run this online AV scan.

What we need to do now is run this online scan to search for any remnants. It can take several hours, so please be patient and allow it to run its full course.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


  • Root Admin

Please try the following then.

Visit this site to verify that your Java is working.

You can try this scanner below as well.

Please run this online scan to help look for remnants.

Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan.
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
