PsychoSeraph Posted October 12, 2010 ID:326428 Share Posted October 12, 2010 I have been going thru scan after scan and trying to get rid of ONE bug. Through a series of scans with MBAM in safe mode and normal mode AND by manually deleting files - I was able to get my infected count from 33 to only ONE. This ONE has been difficult to get rid of and, short of buying a new laptop, I don't know what else to do.some weird things:1) This bug doesn't show up in either quick scan or full scan in safe mode. I scanned 3 times EACH and was clean all 6 times.2) In normal mode on either quick or full scan I get an error (see attached pic "MBAM error screenshot") and even though "rootkit.agent" shows up in the results - it doesn't show up as being removed in the log. I click "remove selected files" and a successful removal pop up appears, but then the log shows all nothing. See attached pic "successfully removed scnsht."MBAM has been updated as of October 10th, 2010. Here is my most recent MBAM log:Malwarebytes' Anti-Malware 1.45www.malwarebytes.orgDatabase version: 4792Windows 6.0.6002 Service Pack 2Internet Explorer 8.0.6001.1894310/12/2010 11:25:26 PMmbam-log-2010-10-12 (23-25-26).txtScan type: Quick scanObjects scanned: 140107Time elapsed: 7 minute(s), 32 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)and here is my DDS.txt log:DDS (Ver_10-10-10.03) - NTFSx86 Run by John and Lindsey at 0:14:33.00 on 10/13/2010 WedInternet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_19SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}============== Running Processes ===============C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\svchost.exe -k rpcssC:\Windows\System32\svchost.exe -k secsvcsC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k GPSvcGroupC:\Windows\system32\SLsvc.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\system32\WLANExt.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestrictedC:\Program Files\SMINST\BLService.exeC:\Program Files\CyberLink\Shared files\RichVideo.exeC:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exeC:\Windows\system32\svchost.exe -k imgsvcC:\Windows\System32\svchost.exe -k WerSvcGroupC:\Windows\system32\SearchIndexer.exeC:\Windows\system32\DRIVERS\xaudio.exeC:\Windows\system32\Dwm.exeC:\Windows\system32\taskeng.exeC:\Windows\Explorer.EXEC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\Windows Defender\MSASCui.exeC:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exeC:\Program Files\HP\HP Software Update\hpwuSchd2.exeC:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exeC:\Program Files\Common Files\Java\Java Update\jusched.exeC:\Windows\system32\wbem\wmiprvse.exeC:\Program Files\HP\QuickPlay\QPService.exeC:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Windows\System32\igfxpers.exeC:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exeC:\Program Files\Windows Sidebar\sidebar.exeC:\Program Files\Skype\Phone\Skype.exeC:\Windows\ehome\ehtray.exeC:\Windows\system32\wbem\wmiprvse.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Windows\system32\igfxsrvc.exeC:\Program Files\Microsoft Office\Office12\ONENOTEM.EXEC:\Program Files\Stardock\ObjectDock\ObjectDock.exeC:\Windows\ehome\ehmsas.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXEC:\Program Files\Windows Sidebar\sidebar.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exeC:\Program Files\Hewlett-Packard\Shared\HpqToaster.exeC:\Program Files\Skype\Plugin Manager\skypePM.exeC:\Program Files\Synaptics\SynTP\SynTPHelper.exec:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exeC:\Windows\system32\wuauclt.exeC:\Users\John and Lindsey\appdata\local\google\chrome\application\chrome.exeC:\Users\John and Lindsey\appdata\local\google\chrome\application\chrome.exeC:\Users\John and Lindsey\appdata\local\google\chrome\application\chrome.exe"C:\Windows\System32\svchost.exe""C:\Windows\System32\svchost.exe"C:\Users\John and Lindsey\appdata\local\google\chrome\application\chrome.exeC:\Users\John and Lindsey\appdata\local\google\chrome\application\chrome.exeC:\Users\John and Lindsey\appdata\local\google\chrome\application\chrome.exeC:\Users\John and Lindsey\appdata\local\google\chrome\application\chrome.exeC:\Windows\system32\conime.exeC:\Windows\system32\SearchProtocolHost.exeC:\Windows\system32\SearchFilterHost.exeC:\Users\John and Lindsey\Documents\Downloads\dds.com============== Pseudo HJT Report ===============uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnbuDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnbmStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnbmDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnbuInternet Settings,ProxyOverride = *.localBHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dllBHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dllBHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLLBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllTB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLLTB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No FileTB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No FileuRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hiddenuRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRunuRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimizeduRun: [ares] "c:\program files\ares\Ares.exe" -huRun: [ehTray.exe] c:\windows\ehome\ehTray.exeuRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /backgrounduRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exeuRun: [wuaucldt] c:\users\john and lindsey\wuaucldt.exemRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exemRun: [updateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"mRun: [updatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hidemRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /StartmRun: [updateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"mRun: [updatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exemRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exemRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exemRun: [uSB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBControllermRun: [MCE Tunes Video Encoder] "c:\program files\proxure\mce tunes pro\EncService.exe"mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottimemRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"mRun: [igfxTray] c:\windows\system32\igfxtray.exemRun: [HotKeysCmds] c:\windows\system32\hkcmd.exemRun: [Persistence] c:\windows\system32\igfxpers.exeStartupFolder: c:\users\johnan~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXEStartupFolder: c:\users\johnan~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exemPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)mPolicies-system: EnableLUA = 0 (0x0)mPolicies-system: EnableUIADesktopToggle = 0 (0x0)IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000IE: QQ - c:\program files\tencent\qqintl\bin\AddEmotion.htmIE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dllIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLLDPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabHandler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLLNotify: igfxcui - igfxdev.dllSTS: NtcallosMsr.Ntcallos: {1f0a311f-7962-420c-b037-3b60736350ca} - c:\windows\system32\ntcallos.dllmASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"================= FIREFOX ===================FF - ProfilePath - c:\users\johnan~1\appdata\roaming\mozilla\firefox\profiles\nolbxet7.default\FF - prefs.js: browser.search.selectedEngine - Baidu SearchFF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=enFF - prefs.js: keyword.URL - hxxp://search.avg.com/dispatcher.aspx?i=48&tp=ab&q=FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dllFF - plugin: c:\program files\google\picasa3\npPicasa3.dllFF - plugin: c:\program files\microsoft\office live\npOLW.dllFF - plugin: c:\users\john and lindsey\appdata\roaming\move networks\plugins\npqmp071503000010.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}---- FIREFOX POLICIES ----c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);============= SERVICES / DRIVERS ===============R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-4-22 365952]R2 WinRing0_1_2_0;WinRing0_1_2_0;c:\users\john and lindsey\appdata\local\microsoft\windows sidebar\gadgets\intelcoreseries24.gadget\WinRing0.sys [2010-6-8 14416]R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-4-22 193840]R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]R3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\system32\drivers\OA004Ufd.sys [2008-6-3 144672]R3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\system32\drivers\OA004Vid.sys [2008-7-18 269760]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]S3 Pxrmcet;Pxrmcet;c:\windows\system32\drivers\pxrmcet.sys [2009-4-3 16904]S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2010-10-5 25704]S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2010-10-5 25704]S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2010-10-5 25704]S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2010-10-5 25704]============== File Associations ===============txtfile=c:\windows\notepad.exe %1=============== Created Last 30 ================I did run GMER but my computer hits a blue screen of death about 15 minutes into the scan. It does however find and post in red text this file "[bOOT] fvaxonv" and I have gotten hits in MBAM on "fvaxonv.sys" before - not sure if this is related to "rootkit.agent" but I assume so.I have been getting a blue screen about 4 times a day for the past 2 days. I believe my computer caught this thing 2 or 3 days ago - when this blue screen nonsense started - so again, I assume they are related.Please help me get this thing off my computer. I was just about to go through and start cleaning up this computer (removing pgms, updating software, etc) to get it ready for my wife to use as I'm about to buy myself a new one - I don't want her to ask me 4 times a day "what does this blue screen mean?" Other than the blue screen, I haven't noticed anything different with my system. Nothing seems to be running slower, boot up is still rather quick, pgms respond fast, etc - we just get this effin' blue screen screwing with us.PLEASE HELP,Thanks,JohnAttach.rar Link to post Share on other sites More sharing options...
kahdah Posted October 12, 2010 ID:326444 Share Posted October 12, 2010 Hello PsychoSeraphWelcome to Malwarebytes.=====================Please download Rootkit Unhooker and save it to your desktop.Double-click RKUnhookerLE.exe to run it.Click the Report tab, then click ScanCheck Drivers, Stealth Code, Files, and Code HooksUncheck the rest, then click OKWhen prompted to Select Disks for Scan, make sure C:\ is checked and click OKWait till the scanner has finished then go File > Save ReportSave the report somewhere you can find it, typically your desktop. Click CloseCopy the entire contents of the report and paste it in your next reply.Note - You may get this warning it is ok, just ignore it."Rootkit Unhooker has detected a parasite inside itself!It is recommended to remove parasite, okay?" Link to post Share on other sites More sharing options...
PsychoSeraph Posted October 13, 2010 Author ID:326611 Share Posted October 13, 2010 RkU Version: 3.8.388.590, Type LE (SR2)==============================================OS Name: Windows VistaVersion 6.0.6002 (Service Pack 2)Number of processors #2==============================================>Drivers==============================================0x8EC0E000 C:\Windows\system32\DRIVERS\igdkmd32.sys 9555968 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)0x8224A000 C:\Windows\system32\ntkrnlpa.exe 3903488 bytes (Microsoft Corporation, NT Kernel & System)0x8224A000 PnpManager 3903488 bytes0x8224A000 RAW 3903488 bytes0x8224A000 WMIxWDM 3903488 bytes0x996D0000 Win32k 2109440 bytes0x996D0000 C:\Windows\System32\win32k.sys 2109440 bytes (Microsoft Corporation, Multi-User Win32 Driver)0x8AE0D000 C:\Windows\system32\drivers\ql2300.sys 1277952 bytes (QLogic Corporation, QLogic Fibre Channel Stor Miniport Driver)0x8F6BD000 C:\Windows\system32\DRIVERS\athr.sys 1179648 bytes (Atheros Communications, Inc., Atheros Extensible Wireless LAN device driver)0x8B406000 C:\Windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)0x8B0DC000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)0x8FC44000 C:\Windows\system32\DRIVERS\HSX_DPV.sys 1060864 bytes (Conexant Systems, Inc., HSF_DP driver)0x8B270000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)0x804D9000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)0xADA01000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)0x80711000 C:\Windows\System32\Drivers\fvaxonv.sys 864256 bytes0x8AD0A000 C:\Windows\system32\drivers\megasr.sys 749568 bytes (LSI Corporation, Inc., LSI MegaRAID Software RAID Driver)0x8FD47000 C:\Windows\system32\DRIVERS\HSX_CNXT.sys 741376 bytes (Conexant Systems, Inc., HSF_CNXT driver)0x9153C000 C:\Windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)0x8F52B000 C:\Windows\System32\drivers\dxgkrnl.sys 659456 bytes (Microsoft Corporation, DirectX Graphics Kernel)0x82CF3000 C:\Windows\system32\drivers\iastorv.sys 659456 bytes (Intel Corporation, Intel Matrix Storage Manager driver (base))0x8AC08000 C:\Windows\system32\drivers\elxstor.sys 606208 bytes (Emulex, Storport Miniport Driver for LightPulse HBAs)0x8F60A000 C:\Windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)0x8060A000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)0x8B06B000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)0x8040F000 C:\Windows\system32\mcupdate_GenuineIntel.dll 458752 bytes (Microsoft Corporation, Intel Microcode Update Library)0xAD008000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)0x82E58000 C:\Windows\system32\drivers\adp94xx.sys 434176 bytes (Adaptec, Inc., Adaptec Windows SAS/SATA Storport Driver)0x8AF45000 C:\Windows\system32\drivers\ql40xx.sys 348160 bytes (QLogic Corporation, QLogic iSCSI Storport Miniport Driver)0xAD178000 C:\Windows\System32\DRIVERS\srv.sys 319488 bytes (Microsoft Corporation, Server driver)0x82EC2000 C:\Windows\system32\drivers\adpahci.sys 311296 bytes (Adaptec, Inc., Adaptec Windows SATA Storport Driver)0x99920000 C:\Windows\System32\ATMFD.DLL 311296 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)0x82C09000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)0x9140A000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)0x80693000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)0x8FE7E000 C:\Windows\system32\DRIVERS\OA004Vid.sys 270336 bytes (Creative Technology Ltd., Video Capture Device Driver)0x80498000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)0x82E02000 C:\Windows\system32\drivers\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)0x8FC06000 C:\Windows\system32\DRIVERS\HSXHWAZL.sys 253952 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)0x8B38D000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)0x91489000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)0x82FB5000 C:\Windows\system32\drivers\uliahci.sys 245760 bytes (ULi Electronics Inc., ULi SATA Controller Driver)0x8FB5E000 C:\Windows\system32\drivers\CHDRT32.sys 241664 bytes (Conexant Systems Inc., High Definition Audio Function Driver)0x8B235000 C:\Windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)0xAD100000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)0x8B51E000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)0x8FB18000 C:\Windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)0x82217000 ACPI_HAL 208896 bytes0x82217000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)0xADB16000 C:\Windows\System32\Drivers\RDPWD.SYS 208896 bytes (Microsoft Corporation, RDP Terminal Stack Driver)0x8B029000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)0x8FF8D000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)0x8B3CB000 C:\Windows\system32\DRIVERS\SynTP.sys 196608 bytes (Synaptics, Inc., Synaptics Touchpad Driver)0x8FA07000 C:\Windows\system32\DRIVERS\msiscsi.sys 192512 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)0x8FB99000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))0x82DD4000 C:\Windows\system32\drivers\ulsata2.sys 180224 bytes (Promise Technology, Inc., Promise SATAII150 Series Windows Drivers)0x8B20A000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)0x8FAD7000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)0x8FFBF000 C:\Windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)0x8B583000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)0x806EA000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)0xAD151000 C:\Windows\System32\DRIVERS\srv2.sys 159744 bytes (Microsoft Corporation, Smb 2.0 Server driver)0x82F4F000 C:\Windows\system32\drivers\adpu320.sys 155648 bytes (Adaptec, Inc., Adaptec StorPort Ultra320 SCSI Driver)0x8F697000 C:\Windows\system32\DRIVERS\Rtlh86.sys 155648 bytes (Realtek Corporation , Realtek 8101E/8168/8169 NDIS6 32-bit Driver )0x82F29000 C:\Windows\system32\drivers\SCSIPORT.SYS 155648 bytes (Microsoft Corporation, SCSI Port Driver)0x8FBC6000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)0x8FEC0000 C:\Windows\system32\DRIVERS\OA004Ufd.sys 147456 bytes (Creative Technology Ltd., Video Class Upper Filter Driver)0x8FA63000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))0x82CC3000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)0x8FE0A000 C:\Windows\system32\drivers\IntcHdmi.sys 135168 bytes (Intel® Corporation, Intel® High Definition Audio HDMI)0xAD0C0000 C:\Windows\system32\drivers\mrxdav.sys 135168 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)0x8AFDE000 C:\Windows\system32\drivers\ulsata.sys 135168 bytes (Promise Technology, Inc., Promise Ultra/Sata Series Driver for Win2003)0x8FF10000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)0x8B008000 C:\Windows\system32\drivers\vsmraid.sys 135168 bytes (VIA Technologies Inc.,Ltd, VIA RAID DRIVER FOR AMD-X86-64)0xAD0E1000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)0x82D9C000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)0xAD075000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)0x805B9000 C:\Windows\system32\drivers\mpio.sys 114688 bytes (Microsoft Corporation, MultiPath Support Bus-Driver)0x82F0E000 C:\Windows\system32\drivers\adpu160m.sys 110592 bytes (Adaptec, Inc., Adaptec LH Ultra160 Driver (x86))0x8B35A000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)0x91521000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)0x82CA8000 C:\Windows\system32\drivers\nvraid.sys 110592 bytes (NVIDIA Corporation, NVIDIA Link to post Share on other sites More sharing options...
kahdah Posted October 13, 2010 ID:326637 Share Posted October 13, 2010 One or more of the identified infections is a backdoor trojan or rootkit.This type of infection has the capabilities to allows hacker to remotely control your computer, steal critical system information and download and execute files.I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?When Should I Format, How Should I ReinstallWe can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.If you still want to clean it please do the following===================Please visit this webpage for download links, and instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Please include the C:\ComboFix.txt in your next reply for further review. Link to post Share on other sites More sharing options...
PsychoSeraph Posted October 13, 2010 Author ID:326655 Share Posted October 13, 2010 I'm downloading combofix now to run and will post the .txt file in the next reply. I do want to confirm however, that my computer will be 100% secure after re-installing the OS. Additionally, how can I be sure that I won't infect any external HDD I connect to the computer in order to back up all my files (mainly the 100+ gigs of music and movies [legally purchased] and our important financial/legal documents)? My plan is to: 1)clean the system as per your instructions, 2) connect external HDD to back up all files, 3) format HDD and re-install OS.Also, how will I be able to re-install the OS without a disc? My HDD is partitioned, do I have to make the discs first?Thanks for your help. Link to post Share on other sites More sharing options...
PsychoSeraph Posted October 13, 2010 Author ID:326694 Share Posted October 13, 2010 **one more question - is it possible to back up MS Office with out having the original CDs? We bought Office 2007 when we lived in America (over a yr ago) but we didn't bring the CDs or packaging with us when we moved to China. I don't want to have to buy a fake copy (readably available all over the place over here) and I don't want to have to purchase a brand NEW officially licensed pack online. . . any suggestions?** ComboFix 10-10-12.01 - John and Lindsey 10/13/2010 14:52:12.1.2 - x86Microsoft Link to post Share on other sites More sharing options...
kahdah Posted October 13, 2010 ID:326725 Share Posted October 13, 2010 I'm downloading combofix now to run and will post the .txt file in the next reply. I do want to confirm however, that my computer will be 100% secure after re-installing the OS. Additionally, how can I be sure that I won't infect any external HDD I connect to the computer in order to back up all my files (mainly the 100+ gigs of music and movies [legally purchased] and our important financial/legal documents)? My plan is to: 1)clean the system as per your instructions, 2) connect external HDD to back up all files, 3) format HDD and re-install OS.Also, how will I be able to re-install the OS without a disc? My HDD is partitioned, do I have to make the discs first?Thanks for your help. Is this a computer that has a recovery partition?What is the make and model?Yes after a reinstall it will be 100% clean.My plan is to: 1)clean the system as per your instructions, 2) connect external HDD to back up all files, 3) format HDD and re-install OS.Yes this will be fine.**one more question - is it possible to back up MS Office with out having the original CDs? We bought Office 2007 when we lived in America (over a yr ago) but we didn't bring the CDs or packaging with us when we moved to China. I don't want to have to buy a fake copy (readably available all over the place over here) and I don't want to have to purchase a brand NEW officially licensed pack online. . . any suggestions?**There is no way that I know of that you can move program from one install to another without having to reinstall them.Do you have a license key for office if so write it down then once you reinstall your OS then you can install the same version of office again from a trial version and activate it with your license key.As long as the key is legitinmatethen you will have no problems.1. Open notepad and copy/paste the text in the codebox below into it:http://forums.malwarebytes.org/index.php?showtopic=64696&st=0entry326655Collect::C:\Windows\system32\drivers\fvaxonv.sysSuspect::c:\windows\system32\ntcallos.dllDriver:: fvaxonvFile::C:\Windows\Temp\23a3ea358e3760bef3332fd5.tmpC:\Windows\Temp\406b34b458dd85bcbbc3e9a.tmpC:\Windows\Temp\4ad5e065bd75434dbb219f88.tmpC:\Windows\Temp\5c9e8d73c5575df6bc4ef127.tmpC:\Windows\Temp\5db7a2dbb2ed4c6b3e695697.tmpC:\Windows\Temp\84fefebdfa428f9f81464fab.tmpC:\Windows\Temp\a2eba4453b1bf8588343c3ed.tmpC:\Windows\Temp\afb28b48e5249b6f4a05053b.tmpC:\Windows\Temp\b1d7f708d186ba6d72af0edd.tmpC:\Windows\Temp\e7698b37b7095fd2ab126332.tmpFolder::c:\users\John and Lindsey\{aac55ca7-1483-4359-953e-aed7443b11d5}c:\windows\system32\x64Registry::[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\fvaxonv]2. Save the above as CFScript.txt3. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.4. During this run Combofix will collect and automatically upload some sample files.You will see it say Combofix needs to upload some samples.If it fails to do that do the requested steps at the bottom of this post to manually upload the samples.5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:Combofix.txt ===========Note::If Combofix fails to upload anything please do the following:Go to Start > My Computer > C:\Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zipClick Here to upload the submit.zip please. Link to post Share on other sites More sharing options...
PsychoSeraph Posted October 13, 2010 Author ID:326766 Share Posted October 13, 2010 Is this a computer that has a recovery partition?What is the make and model?Yes it does have a recovery partition. It's an HP G60- 235DX http://reviews.cnet.com/laptops/hp-g60-235...7-33496192.htmlNot sure if this means anything, but after this most recent CFix, I couldn't open any executable file. I had to open up in safe mode with networking to get online to post this reply. Haven't tried normal mode yet - maybe it was just a fluke.Here's the log:ComboFix 10-10-12.01 - John and Lindsey 10/13/2010 21:52:18.2.2 - x86MicrosoftComboFix.txt Link to post Share on other sites More sharing options...
PsychoSeraph Posted October 13, 2010 Author ID:326768 Share Posted October 13, 2010 must have been a fluke - online in normal mode now. Link to post Share on other sites More sharing options...
kahdah Posted October 13, 2010 ID:326810 Share Posted October 13, 2010 Here are instructions on how to to a factory recovery.http://h10025.www1.hp.com/ewfrf/wc/documen...60169#RecoverOSIf you get a message after reboot that an attempt was made on a registry key that is scheduled for deletion then simply reboot once more and it will be fine.1. Please open Notepad Click Start , then Runtype in notepad in the Run Box then hit ok.2. Now copy/paste the entire content of the codebox below into the Notepad window:Dequarantine::C:\Qoobox\quarantine\c\users\John and Lindsey\{aac55ca7-1483-4359-953e-aed7443b11d5}File::c:\windows\system32\drivers\fvaxonv.sysc:\windows\system32\ntcallos.dllDirLook::c:\users\John and Lindsey\AppData\Roaming\cYoc:\users\John and Lindsey\AppData\Local\cYo3. Save the above as CFScript.txt4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:Combofix.txt ============= Link to post Share on other sites More sharing options...
PsychoSeraph Posted October 13, 2010 Author ID:326819 Share Posted October 13, 2010 **didn't reboot this time**ComboFix 10-10-12.03 - John and Lindsey 10/14/2010 2:44.3.2 - x86Microsoft Link to post Share on other sites More sharing options...
kahdah Posted October 13, 2010 ID:326863 Share Posted October 13, 2010 Update Run MalwarebytesPlease update\run Malwarebytes' Anti-Malware.Double Click the Malwarebytes Anti-Malware icon to run the application.Click on the update tab then click on Check for updates.If an update is found, it will download and install the latest version.Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.=====* Go here to run an online scannner from ESET.Note: You will need to use Internet explorer for this scanTick the box next to YES, I accept the Terms of Use.Click StartWhen asked, allow the activex control to installClick StartCheck next options: Remove found threats and Scan unwanted applications.Click ScanWait for the scan to finishUse notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txtCopy and paste that log as a reply to this topic Link to post Share on other sites More sharing options...
PsychoSeraph Posted October 14, 2010 Author ID:326995 Share Posted October 14, 2010 MBAM log:Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4814Windows 6.0.6002 Service Pack 2Internet Explorer 8.0.6001.1894310/14/2010 9:44:01 AMmbam-log-2010-10-14 (09-44-01).txtScan type: Quick scanObjects scanned: 152250Time elapsed: 5 minute(s), 37 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Windows\system32\Drivers\fvaxonv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.**rebooted then ran ESET online scanner, here's that log:ESETSmartInstaller@High as CAB hook log:OnlineScanner.ocx - registred OK# version=7# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)# OnlineScanner.ocx=1.0.0.6211# api_version=3.0.2# EOSSerial=87e152a68ae4954fa2bcd353fdcf635c# end=finished# remove_checked=true# archives_checked=false# unwanted_checked=true# unsafe_checked=false# antistealth_checked=true# utc_time=2010-10-14 03:28:51# local_time=2010-10-14 11:28:51 (+0800, China Standard Time)# country="United States"# lang=9# osver=6.0.6002 NT Service Pack 2# compatibility_mode=1024 16777215 100 0 18186245 18186245 0 0# compatibility_mode=5892 16776573 100 100 0 124551661 0 0# compatibility_mode=8192 67108863 100 0 0 0 0 0# scanned=231553# found=5# cleaned=5# scan_time=4397C:\Qoobox\Quarantine\C\Windows\System32\ntcallos.dll.vir Win32/BHO.NWT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 CC:\Users\John and Lindsey\Documents\Downloads\wbfs_inteligent_gui_v6.exe Win32/Packed.Autoit.E.Gen application (deleted - quarantined) 00000000000000000000000000000000 CC:\Windows\System32\ntcallos.dll Win32/BHO.NWT trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 CC:\Windows\System32\prtrfixol.dll Win32/BHO.NWT trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 CC:\Windows\System32\Unimoavi.exe Win32/BHO.NWT trojan (deleted - quarantined) 00000000000000000000000000000000 C Link to post Share on other sites More sharing options...
kahdah Posted October 14, 2010 ID:327135 Share Posted October 14, 2010 Great please run dds once more and post the logs please. Link to post Share on other sites More sharing options...
PsychoSeraph Posted October 14, 2010 Author ID:327194 Share Posted October 14, 2010 DDS (Ver_10-10-10.03) - NTFSx86 Run by John and Lindsey at 23:02:09.22 on Thu 10/14/2010Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_19MicrosoftAttach.rar Link to post Share on other sites More sharing options...
kahdah Posted October 14, 2010 ID:327269 Share Posted October 14, 2010 Great please update and run mbam once more and see if it detects the same file.You can choose a quick scan and please post the log. Link to post Share on other sites More sharing options...
PsychoSeraph Posted October 14, 2010 Author ID:327284 Share Posted October 14, 2010 Great please update and run mbam once more and see if it detects the same file.You can choose a quick scan and please post the log. quick scan still found it - even after updating. This thing is annoying, isn't it?! Do you think I could safely attach my (brand new) external HDD to back up my files without infecting it? Or should I wait until a scan shows all clear first?Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4824Windows 6.0.6002 Service Pack 2Internet Explorer 8.0.6001.1894310/15/2010 2:31:54 AMmbam-log-2010-10-15 (02-31-54).txtScan type: Quick scanObjects scanned: 152936Time elapsed: 6 minute(s), 1 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\Windows\system32\Drivers\fvaxonv.sys (Rootkit.Agent) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
kahdah Posted October 14, 2010 ID:327356 Share Posted October 14, 2010 At this point don't do that yet.1. Please download The Avenger2 by Swandog46 to your Desktop.Right click on the Avenger.zip folder and select "Extract All..." Follow the prompts and extract the avenger folder to your desktop2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):Drivers to disable:fvaxonvDrivers to delete:fvaxonvFiles to delete:C:\Windows\system32\Drivers\fvaxonv.sysC:\Windows\System32\prtrfixol.dllC:\Windows\System32\Unimoavi.exeC:\Windows\System32\ntcallos.dllNote: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.3. Now, open the avenger folder and start The Avenger program by clicking on its icon. Right click on the window under Input script here:, and select Paste. You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard. Click on Execute Answer "Yes" twice when prompted.4. The Avenger will automatically do the following:[*]It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.) [*]On reboot, it will briefly open a black command window on your desktop, this is normal.[*]After the restart, it creates a log file that should open with the results of Avenger Link to post Share on other sites More sharing options...
PsychoSeraph Posted October 15, 2010 Author ID:327430 Share Posted October 15, 2010 Logfile of The Avenger Version 2.0, © by Swandog46http://swandog46.geekstogo.comPlatform: Windows Vista*******************Script file opened successfully.Script file read successfully.Backups directory opened successfully at C:\Avenger*******************Beginning to process script file:Rootkit scan active.No rootkits found!Driver "fvaxonv" disabled successfully.Driver "fvaxonv" deleted successfully.File "C:\Windows\system32\Drivers\fvaxonv.sys" deleted successfully.Error: file "C:\Windows\System32\prtrfixol.dll" not found!Deletion of file "C:\Windows\System32\prtrfixol.dll" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existError: file "C:\Windows\System32\Unimoavi.exe" not found!Deletion of file "C:\Windows\System32\Unimoavi.exe" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existError: file "C:\Windows\System32\ntcallos.dll" not found!Deletion of file "C:\Windows\System32\ntcallos.dll" failed!Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not existCompleted script processing.*******************Finished! Terminate. Link to post Share on other sites More sharing options...
PsychoSeraph Posted October 15, 2010 Author ID:327431 Share Posted October 15, 2010 woo-hoo! I did a quick scan in MBAM to FINALLY RECEIVE A FIRST CLEAN LOG!Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4824Windows 6.0.6002 Service Pack 2Internet Explorer 8.0.6001.1897510/15/2010 9:06:58 AMmbam-log-2010-10-15 (09-06-58).txtScan type: Quick scanObjects scanned: 152216Time elapsed: 4 minute(s), 49 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)**doing a full scan now. Link to post Share on other sites More sharing options...
kahdah Posted October 15, 2010 ID:327565 Share Posted October 15, 2010 Ok post the results after the full scan.Then we can wrap it up. Link to post Share on other sites More sharing options...
PsychoSeraph Posted October 16, 2010 Author ID:327959 Share Posted October 16, 2010 the full scan didn't find anything. I scanned another quick scan after that and got a blue screen. Then windows wouldn't load and I had to eventually re-install Vista Thankfully I was able to get some things backed up on an online drive, but not everything. Thanks for your help tho! Link to post Share on other sites More sharing options...
kahdah Posted October 16, 2010 ID:328121 Share Posted October 16, 2010 Ok you are welcome it was the best option at this point. Link to post Share on other sites More sharing options...
LDTate Posted October 22, 2010 ID:331638 Share Posted October 22, 2010 Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you. Link to post Share on other sites More sharing options...
Recommended Posts