
Thread: Debugger detected [97]

  1. #11
    Member
    Join Date
    Sep 2009
    Posts
    47


    Hi,

    I ran the program and let it restart the machine in normal mode. The log file opened and a Windows box popped up and stated that I was infected by malware. Something started to download that stated that it was Windows downloading it. It didn't look like a normal Windows update. The PC crashed with a blue screen and restarted by itself. I let it go to normal mode again and it crashed before I saw the welcome screen. I am now back in safe mode and here is the log.

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows Vista

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.

    Hidden driver "ax6wpfrx" found!
    Start Type: 3 (Manual)

    Rootkit scan completed.

    File move operation "C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll|C:\WINDOWS\System32\cngaudit.dll" completed successfully.

    Completed script processing.

    *******************

    Finished! Terminate.

    Thanks

  2. #12
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Jim,

    Please run Win32kDiag again and attach its report.

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems, create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #13
    Member
    Join Date
    Sep 2009
    Posts
    47


    Hi Blade,

    Thanks again for the help.


    DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
    Run by Jim's Laptop at 10:15:38.19 on Tue 09/15/2009
    Internet Explorer: 7.0.6001.18000
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3581.2807 [GMT -5:00]

    SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\Explorer.EXE
    C:\Users\JIM'SL~1\AppData\Local\Temp\spoolsv.exe
    C:\Users\JIM'SL~1\AppData\Local\Temp\setup.exe
    C:\Users\JIM'SL~1\AppData\Local\Temp\taskmgr.exe
    C:\Users\JIM'SL~1\AppData\Local\Temp\system.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Users\JIM'SL~1\AppData\Local\Temp\winamp.exe
    C:\Users\JIM'SL~1\AppData\Local\Temp\win.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Users\Jim's Laptop\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com
    uStart Page = hxxp://www.google.com
    uWindow Title = Internet Explorer provided by Dell
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://www.google.com
    mDefault_Search_URL = hxxp://www.google.com/ie
    mSearch Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [AdobeBridge] "c:\program files\adobe\adobe bridge cs4\Bridge.exe" -stealth
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Windows System Recover!] c:\users\jim'sl~1\appdata\local\temp\win.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
    mRun: [<NO NAME>]
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
    mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager - preview\TurbineDownloadManagerIcon.exe"
    mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
    mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
    mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
    mRun: [RDVCHG] "c:\program files\sprint\sprint smartview\RDVCHG.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [bacstray] c:\program files\broadcom\bacs\BacsTray.exe
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [winupdate.exe] c:\windows\system32\winupdate.exe
    mRun: [braviax] c:\windows\system32\braviax.exe
    mRun: [Antivirus Pro 2010] "c:\program files\antiviruspro_2010\AntivirusPro_2010.exe" /hide
    dRun: [autochk] rundll32.exe c:\windows\system32\config\system~1\protect.dll,_IWMPEvents@16
    dRun: [AntiSpyware Service] c:\windows\temp\n9257qf0.exe
    dRun: [WIndows Rescue Disk] c:\windows\temp\spoolsv.exe
    dRun: [Advanced Virus Remover] c:\program files\advancedvirusremover\PAVRM.exe
    dRun: [braviax] c:\windows\system32\braviax.exe
    dRun: [Login Software 2009] c:\windows\temp\z5l35dh.exe
    dRun: [Windows System Recover!] c:\windows\temp\setup.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
    uPolicies-explorer: NoFolderOptions = 1 (0x1)
    uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
    uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    uPolicies-system: DisableRegistryTools = 1 (0x1)
    uPolicies-system: DisableTaskMgr = 1 (0x1)
    mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
    dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    dPolicies-explorer: NoFolderOptions = 1 (0x1)
    dPolicies-system: DisableTaskMgr = 1 (0x1)
    dPolicies-system: DisableRegistryTools = 1 (0x1)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mic273~1\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    Trusted Zone: evga.com\www
    Trusted Zone: redlegion.com\www
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://dev.srtest.com/srl_bin/sysreqlab3.cab
    DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
    STS: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll
    STS: c:\windows\system32\ygsuhdf83id.dll: {ba603215-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\ygsuhdf83id.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    SEH: {24daafb8-b7f5-463f-88c1-d497611fc253} - c:\windows\system32\fCrrrsTK.dll
    LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyyvTKa

    ============= SERVICES / DRIVERS ===============

    S1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2009-7-17 54776]
    S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 74480]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-5-27 73728]
    S2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [2008-6-4 21504]
    S2 PreviewTurbineMessageService;Turbine Message Service - Preview;c:\program files\turbine\turbine download manager - preview\TurbineMessageService.exe [2008-9-29 255472]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-9-11 1153368]
    S2 Synergy Client;Synergy Client;c:\program files\synergy\synergyc.exe [2006-4-2 446464]
    S3 CASprint;Sprint Con App Svc;c:\program files\sprint\sprint smartview\ConAppsSvc.exe [2009-3-6 124160]
    S3 mndisk;mndisk;c:\windows\system32\mndisk.sys [2008-6-4 2304]
    S3 PreviewTurbineNetworkService;Turbine Network Service - Preview;c:\program files\turbine\turbine download manager - preview\TurbineNetworkService.exe [2008-9-29 218608]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
    S4 AntipPro2009_100;AntipyProex;c:\windows\svchasts.exe --> c:\windows\svchasts.exe [?]
    S4 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [2006-11-2 93184]

    =============== Created Last 30 ================

    2009-09-15 06:06 132,096 a------- c:\windows\system32\wiwow64.exe
    2009-09-15 05:32 0 a------- c:\windows\system32\491.exe
    2009-09-15 04:32 0 a------- c:\windows\system32\9961.exe
    2009-09-15 03:32 0 a------- c:\windows\system32\16827.exe
    2009-09-15 02:32 0 a------- c:\windows\system32\23281.exe
    2009-09-15 01:32 0 a------- c:\windows\system32\28145.exe
    2009-09-15 00:32 0 a------- c:\windows\system32\5705.exe
    2009-09-14 23:32 0 a------- c:\windows\system32\24464.exe
    2009-09-14 22:32 0 a------- c:\windows\system32\26962.exe
    2009-09-14 21:32 0 a------- c:\windows\system32\29358.exe
    2009-09-14 20:32 0 a------- c:\windows\system32\11478.exe
    2009-09-14 19:32 0 a------- c:\windows\system32\15724.exe
    2009-09-14 14:37 15,000 a------- c:\windows\system32\ygsuhdf83id.dll
    2009-09-14 14:32 831 a------- c:\windows\system32\critical_warning.html
    2009-09-12 07:40 0 a------- c:\windows\system32\19169.exe
    2009-09-12 06:39 0 a------- c:\windows\system32\26500.exe
    2009-09-12 05:39 0 a------- c:\windows\system32\6334.exe
    2009-09-12 04:51 19,965 a------- c:\program files\common files\wykoja.bin
    2009-09-12 04:51 18,412 a------- c:\windows\haxivel.ban
    2009-09-12 04:51 18,390 a------- c:\program files\common files\apogotu.dll
    2009-09-12 04:51 16,082 a------- c:\windows\system32\hafecyc.vbs
    2009-09-12 04:51 12,681 a------- c:\windows\system32\kero.dat
    2009-09-12 04:51 11,633 a------- c:\program files\common files\inojyx.pif
    2009-09-12 04:51 11,486 a------- c:\windows\system32\afavywosyx.vbs
    2009-09-12 04:51 10,154 a------- c:\programdata\lumenyxisu.reg
    2009-09-12 04:51 10,154 a------- c:\progra~2\lumenyxisu.reg
    2009-09-12 04:51 10,038 a------- c:\windows\ygezimiji.dl
    2009-09-12 04:50 <DIR> --d----- c:\program files\AntivirusPro_2010
    2009-09-12 04:45 188,016 a------- c:\windows\system32\wisdstr.exe
    2009-09-12 04:45 10,752 a------- c:\windows\system32\braviax.exe
    2009-09-12 04:39 0 a------- c:\windows\system32\18467.exe
    2009-09-12 03:43 <DIR> --d----- c:\program files\AdvancedVirusRemover
    2009-09-12 03:39 0 a------- c:\windows\system32\41.exe
    2009-09-12 03:39 206 a------- c:\windows\system32\winhelper.dll
    2009-09-12 03:39 24,490 a------- c:\windows\system32\winupdate.exe
    2009-09-12 03:39 15,000 a------- c:\windows\system32\tajf83ikdmf.dll
    2009-09-11 20:13 318,976 a------- c:\windows\system32\cmd.execf
    2009-09-11 17:38 <DIR> --d-h--- c:\windows\PIF
    2009-09-11 15:08 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
    2009-09-11 15:08 <DIR> --d----- c:\program files\Spybot - Search & Destroy
    2009-09-11 15:08 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
    2009-09-11 14:52 <DIR> a-d----- c:\programdata\TEMP
    2009-09-11 14:52 <DIR> --d----- c:\program files\SpywareBlaster
    2009-09-10 07:46 <DIR> --d----- c:\programdata\Windows Genuine Advantage
    2009-09-09 07:43 20,992 a--sh--- c:\windows\system32\autochk.dll
    2009-09-08 23:38 40,448 a------- c:\windows\system32\lkod.dll
    2009-09-08 23:38 320 a------- c:\windows\system32\jlksf
    2009-09-08 17:09 <DIR> --d----- c:\users\jim'sl~1\appdata\roaming\Malwarebytes
    2009-09-08 17:09 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-08 17:09 19,160 a------- c:\windows\system32\drivers\mbam.sys
    2009-09-08 17:09 <DIR> --d----- c:\programdata\Malwarebytes
    2009-09-08 17:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-09-08 17:09 <DIR> --d----- c:\progra~2\Malwarebytes
    2009-09-08 17:09 <DIR> --d----- c:\program files\Trend Micro
    2009-09-08 09:55 <DIR> --d----- C:\Root
    2009-09-08 09:55 <DIR> --d----- c:\program files\Activision
    2009-09-07 21:10 <DIR> --d----- c:\windows\system32\xlive
    2009-09-07 21:10 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
    2009-09-07 20:49 <DIR> --d----- c:\program files\Eidos
    2009-09-07 13:35 <DIR> --d----- c:\program files\THQ
    2009-09-07 08:56 <DIR> --d----- c:\program files\Paradox Interactive
    2009-08-19 23:20 <DIR> --d----- c:\programdata\FLEXnet
    2009-08-19 23:15 <DIR> --d----- c:\programdata\ALM
    2009-08-19 23:15 <DIR> --d----- c:\progra~2\ALM
    2009-08-19 23:06 <DIR> --d----- c:\program files\common files\Macrovision Shared

    ==================== Find3M ====================

    2009-09-15 06:06 65,816 a------- c:\programdata\nvModes.dat
    2009-09-15 06:06 65,816 a------- c:\progra~2\nvModes.dat
    2009-09-12 04:51 17,023 a------- c:\program files\common files\aluci._sy
    2009-08-08 19:11 733,782 a------- C:\lynx_v283.zip
    2009-07-20 09:34 70,936 a------- c:\windows\system32\PhysXLoader.dll
    2009-07-14 17:17 15,308,440 a------- c:\windows\system32\xlive.dll
    2009-07-14 17:17 13,642,888 a------- c:\windows\system32\xlivefnt.dll
    2009-06-19 20:06 288,024 a------- c:\windows\system32\PhysXCplUI.exe
    2009-06-19 20:06 288,024 a------- c:\windows\system32\PhysXCompatCplUI.exe
    2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelTraditionalChinese.dll
    2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelSwedish.dll
    2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelSpanish.dll
    2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelSimplifiedChinese.dll
    2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelPortugese.dll
    2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelKorean.dll
    2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelJapanese.dll
    2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelGerman.dll
    2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelFrench.dll
    2009-06-19 20:06 24,344 a------- c:\windows\system32\PhysXDevice.dll
    2009-06-08 06:56 143,360 a------- c:\windows\inf\infstrng.dat
    2009-06-08 06:56 143,360 a------- c:\windows\inf\infstor.dat
    2009-06-08 06:56 86,016 a------- c:\windows\inf\infpub.dat
    2008-06-11 06:40 665,600 a------- c:\windows\inf\drvindex.dat
    2008-06-04 21:34 174 a--sh--- c:\program files\desktop.ini
    2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

    ============= FINISH: 10:16:18.34 ===============
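Added example, not part of this thread and not code from the DDS tool or its author: a small Python triage pass over lines in the DDS "Pseudo HJT Report" format, of the kind a helper reads by eye when a log like the one above is posted. The sample lines are copied from the report above (plus a few benign entries from it as controls). The rules are illustrative heuristics chosen for this example, not DDS's own logic: autoruns that launch from a temp directory, BHO/STS/SEH hooks with no friendly name, policies that lock the user out of Task Manager, the registry editor or Folder Options or that switch UAC off, and LSA authentication packages beyond msv1_0.

```python
import re
from typing import Optional

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" above, plus a
# few benign ones from the same report so the rules have something to ignore.
SAMPLE_LINES = [
    r"uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe",
    r"uRun: [Windows System Recover!] c:\users\jim'sl~1\appdata\local\temp\win.exe",
    r"mRun: [braviax] c:\windows\system32\braviax.exe",
    r"dRun: [WIndows Rescue Disk] c:\windows\temp\spoolsv.exe",
    r"BHO: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll",
    r"TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll",
    r"SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL",
    r"SEH: {24daafb8-b7f5-463f-88c1-d497611fc253} - c:\windows\system32\fCrrrsTK.dll",
    r"uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)",
    r"uPolicies-system: DisableTaskMgr = 1 (0x1)",
    r"mPolicies-system: EnableLUA = 0 (0x0)",
    r"LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyyvTKa",
]

# Line shapes as they appear in the DDS pseudo-HJT section (assumed stable for this example).
RUN_RE = re.compile(r"^([umd])Run: \[([^\]]*)\]\s*(.*)$")
HOOK_RE = re.compile(r"^(BHO|STS|SEH): (?:(.*?): )?\{([0-9a-fA-F-]+)\} - (.*)$")
POLICY_RE = re.compile(r"^[umd]Policies-\w+: (\w+) = (\d+)")
LSA_RE = re.compile(r"^LSA: Authentication Packages = (.*)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Policies that lock the user out of their own diagnostic tools when set to 1.
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}


def triage_line(line: str) -> Optional[tuple]:
    """Classify one report line; returns (severity, reason) or None if nothing stands out."""
    line = line.strip()

    m = RUN_RE.match(line)
    if m:
        hive, name, cmd = m.groups()
        if TEMP_DIR_RE.search(cmd):
            return ("high", f"{hive}Run [{name}] starts from a temp directory: {cmd}")
        return None

    m = HOOK_RE.match(line)
    if m:
        kind, name, clsid, path = m.groups()
        # Legitimate hooks normally register a display name; an absent name, or a
        # "name" that is just the DLL path again, is worth a second look.
        if name is None or name.lower() == path.lower():
            return ("medium", f"{kind} {{{clsid}}} has no friendly name: {path}")
        return None

    m = POLICY_RE.match(line)
    if m:
        key, value = m.group(1), int(m.group(2))
        if key in LOCKOUT_POLICIES and value == 1:
            return ("medium", f"policy {key}=1 blocks a user diagnostic tool")
        if key == "EnableLUA" and value == 0:
            return ("medium", "policy EnableLUA=0 turns User Account Control off")
        return None

    m = LSA_RE.match(line)
    if m:
        packages = m.group(1).split()
        extra = [p for p in packages if p.lower() != "msv1_0"]
        if extra:
            return ("high", f"LSA authentication package(s) beyond msv1_0: {' '.join(extra)}")
        return None

    return None


def triage_report(lines) -> list:
    """Run triage_line over a whole report; returns (severity, reason, line) tuples in order."""
    findings = []
    for line in lines:
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


if __name__ == "__main__":
    for severity, reason, _line in triage_report(SAMPLE_LINES):
        print(f"[{severity:6}] {reason}")
```

Run against the sample, the pass flags the two autoruns under temp directories, the unnamed BHO and SEH hooks, the DisableTaskMgr and EnableLUA policies, and the extra LSA package, while leaving the TeaTimer, Google Toolbar, SUPERAntiSpyware and NoSetActiveDesktop lines alone. Entries such as `mRun: [braviax]` are deliberately not caught: the rules key on placement and registration anomalies, not on file names, so a pass like this narrows what a helper reads rather than replacing the review.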

  4. #14
    Member
    Join Date
    Sep 2009
    Posts
    47


    And the Attach file.


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-07-30.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 5/27/2008 1:23:24 AM
    System Uptime: 9/15/2009 6:10:20 AM (4 hours ago)

    Motherboard: Dell Inc. | | 0UK437
    Processor: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 1995/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 286 GiB total, 63.829 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 5.543 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    Y: is NetworkDisk (FAT) - 0 GiB total, 0 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft ISATAP Adapter
    Device ID: ROOT\*ISATAP\0002
    Manufacturer: Microsoft
    Name: Microsoft ISATAP Adapter #3
    PNP Device ID: ROOT\*ISATAP\0002
    Service: tunnel

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft ISATAP Adapter
    Device ID: ROOT\*ISATAP\0004
    Manufacturer: Microsoft
    Name: Microsoft ISATAP Adapter #4
    PNP Device ID: ROOT\*ISATAP\0004
    Service: tunnel

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    7-Zip 4.57
    AC3Filter (remove only)
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color EU Extra Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Recommended Settings CS4
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS4
    Adobe Drive CS4
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Flash Player 10 ActiveX
    Adobe Fonts All
    Adobe Illustrator CS4
    Adobe Linguistics CS4
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Reader 8.1.6
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe Shockwave Player 11
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    Antivirus Pro 2010
    Apple Mobile Device Support
    Apple Software Update
    AutoUpdate
    Banctec Service Agreement
    Batman: Arkham Asylum
    Bonjour
    Broadcom Management Programs
    Browser Address Error Redirector
    Butler Advantage XE 6.3
    CDDRV_Installer
    Company of Heroes
    Compatibility Pack for the 2007 Office system
    Conexant HDA D330 MDC V.92 Modem
    Connect
    Dell DataSafe Online
    Dell Getting Started Guide
    Dell Support Center (Support Software)
    Dell Touchpad
    Digital Line Detect
    DivX Codec
    DivX Converter
    DivX Player
    DivX Web Player
    Easy Thumbnails (Remove only)
    EDocs
    EPSON Artisan 800 Series Printer Uninstall
    EPSON Scan
    EpsonNet Print
    ffdshow [rev 1685] [2007-12-06]
    FileZilla Client 3.1.0.1
    Google Desktop
    Google Earth
    Google Toolbar for Internet Explorer
    Google Updater
    GoToAssist 8.0.0.514
    Haali Media Splitter
    HijackThis 2.0.2
    HTC Touch Pro™ User Guide
    Intel(R) PROSet/Wireless Software
    iTunes
    Java(TM) SE Runtime Environment 6
    KhalSetup
    kuler
    LightScribe System Software 1.10.16.1
    Malwarebytes' Anti-Malware
    McAfee SecurityCenter
    mCore
    MediaDirect
    mHelp
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB929729)
    Microsoft Expression Web
    Microsoft Expression Web MUI (English)
    Microsoft Games for Windows - LIVE
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Managed DirectX (1126)
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Standard Edition 2003
    Microsoft Publisher 2002
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    mMHouse
    MobileMe Control Panel
    Modem Diagnostic Tool
    MozyHome Remote Backup
    mPfMgr
    Music, Photos & Videos Launcher
    mWMI
    Nero 8 Essentials
    neroxml
    NetWaiting
    NVIDIA Drivers
    NVIDIA PhysX
    OutlookAddinSetup
    PDF Settings CS4
    Photoshop Camera Raw
    PHP 5.3.0
    Picasa 3
    Product Documentation Launcher
    Prototype(TM)
    QuickSet
    QuickTime
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    SetPoint
    Sprint SmartView
    Spybot - Search & Destroy
    SpywareBlaster 4.2
    Suite Shared Configuration CS4
    SUPERAntiSpyware Free Edition
    Synergy
    System Requirements Lab
    The Lord of the Rings - Conquest™
    The Lord of the Rings Online™: Shadows of Angmar™ v07.12.30.54
    The Rosetta Stone
    TotalAudioConverter
    Turbine Download Manager - Preview 1.0.3191.15414
    VCRedistSetup
    Ventrilo Client
    VideoLAN VLC media player 0.8.6f
    WIDCOMM Bluetooth Software 6.0.1.3100
    WinRAR

    ==== Event Viewer Messages From Past Week ========

    9/9/2009 8:26:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wcncsvc with arguments "" in order to run the server: {375FF000-DD27-11D9-8F9C-0002B3988E81}
    9/9/2009 8:26:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
    9/9/2009 7:51:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}
    9/9/2009 2:43:34 PM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001F3B889927. The following error occurred: The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    9/9/2009 2:34:38 PM, Error: EventLog [6008] - The previous system shutdown at 2:32:52 PM on 9/9/2009 was unexpected.
    9/8/2009 6:03:06 PM, Error: EventLog [6008] - The previous system shutdown at 6:01:10 PM on 9/8/2009 was unexpected.
    9/8/2009 6:00:16 PM, Error: EventLog [6008] - The previous system shutdown at 5:58:26 PM on 9/8/2009 was unexpected.
    9/8/2009 5:57:33 PM, Error: EventLog [6008] - The previous system shutdown at 5:55:18 PM on 9/8/2009 was unexpected.
    9/8/2009 5:32:47 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: mozyFilter SASDIFSV SASKUTIL spldr Wanarpv6
    9/8/2009 5:32:03 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\IWMSSvc.dll Error Code: 21
    9/8/2009 5:31:37 PM, Error: EventLog [6008] - The previous system shutdown at 5:29:04 PM on 9/8/2009 was unexpected.
    9/8/2009 5:29:04 PM, Error: EventLog [6008] - The previous system shutdown at 5:25:31 PM on 9/8/2009 was unexpected.
    9/8/2009 5:15:13 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC mozyFilter MPFP NetBIOS netbt nsiproxy PSched RasAcd rdbss SASDIFSV SASKUTIL Smb spldr Tcpip tdx Wanarpv6
    9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
    9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
    9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/8/2009 5:14:32 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
    9/8/2009 5:14:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    9/8/2009 5:14:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    9/8/2009 5:14:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    9/8/2009 5:14:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    9/8/2009 5:14:14 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    9/8/2009 5:14:06 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
    9/8/2009 5:14:06 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
    9/8/2009 5:12:18 PM, Error: Service Control Manager [7034] - The AntipyProex service terminated unexpectedly. It has done this 1 time(s).
    9/8/2009 4:21:13 PM, Error: EventLog [6008] - The previous system shutdown at 4:19:21 PM on 9/8/2009 was unexpected.
    9/8/2009 4:18:28 PM, Error: EventLog [6008] - The previous system shutdown at 4:16:08 PM on 9/8/2009 was unexpected.
    9/8/2009 4:16:08 PM, Error: EventLog [6008] - The previous system shutdown at 4:14:14 PM on 9/8/2009 was unexpected.
    9/8/2009 4:13:44 PM, Error: EventLog [6008] - The previous system shutdown at 4:11:10 PM on 9/8/2009 was unexpected.
    9/8/2009 4:11:10 PM, Error: EventLog [6008] - The previous system shutdown at 4:08:47 PM on 9/8/2009 was unexpected.
    9/8/2009 4:08:47 PM, Error: EventLog [6008] - The previous system shutdown at 4:06:38 PM on 9/8/2009 was unexpected.
    9/8/2009 4:04:27 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was The remote procedure call failed. .
    9/8/2009 4:04:27 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1726" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
    9/8/2009 3:30:16 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    9/8/2009 3:26:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    9/8/2009 3:25:05 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
    9/8/2009 11:44:48 PM, Error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    9/8/2009 11:44:23 PM, Error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Run the configured recovery program.
    9/8/2009 11:43:29 PM, Error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    9/8/2009 11:31:27 PM, Error: EventLog [6008] - The previous system shutdown at 11:28:46 PM on 9/8/2009 was unexpected.
    9/8/2009 11:28:46 PM, Error: EventLog [6008] - The previous system shutdown at 11:26:30 PM on 9/8/2009 was unexpected.
    9/15/2009 6:11:10 AM, Error: EventLog [6008] - The previous system shutdown at 6:09:27 AM on 9/15/2009 was unexpected.
    9/14/2009 7:47:40 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    9/11/2009 3:37:38 PM, Error: EventLog [6008] - The previous system shutdown at 3:35:07 PM on 9/11/2009 was unexpected.
    9/11/2009 3:01:58 PM, Error: Service Control Manager [7000] - The McAfee Scanner service failed to start due to the following error: Access is denied.
    9/11/2009 3:01:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "5" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
    9/11/2009 2:48:07 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    9/11/2009 2:42:26 PM, Error: EventLog [6008] - The previous system shutdown at 2:39:50 PM on 9/11/2009 was unexpected.
    9/10/2009 5:01:26 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 001F3B889927 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    9/10/2009 3:43:09 PM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001F3B889927. The following error occurred: The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    9/10/2009 3:34:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

    ==== End Of File ===========================

  5. #15
    Security Expert: Emeritus Blade81
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Hi,

    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.


    Please continue as follows:

    1. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix (link).
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds.txt log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


    Also run Win32kDiag again after the ComboFix run is done.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  6. #16
    Member
    Join Date: Sep 2009
    Posts: 47

    ComboFix is claiming that I still have Spybot and Super Antispyware running. I have disabled them in msconfig and rebooted.
    Should I uninstall the programs or ignore the ComboFix warning that states it is not responsible for any damage it may cause?

    Thanks

  7. #17
    Member
    Join Date: Sep 2009
    Posts: 47

    Just FYI
    I'm in safe mode and I can't launch Spybot or Super AntiSpyware. I get the path error that was in my original post. That is why I disabled them in msconfig

    Thanks

  8. #18
    Security Expert: Emeritus Blade81
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Hi,

    Ignore ComboFix warning and let it run.

  9. #19
    Member
    Join Date: Sep 2009
    Posts: 47

    Hi Blaze,

    Ok I ran Combofix the first time and got an error "The instruction at 0x00c4cdfb referenced memory at 0x0000000. The memory could not be read." I had to click to terminate. ComboFix continued and found the rootkit file rotscxkoxxveis.sys.

    ComboFix completed with all 50 stages and deleted some files, the PC rebooted itself.

    I got a blue screen with a memory dump.

    PC restarted into normal again.

    Blue screen with memory dump

    PC restarted and I restarted in safe mode.

    ComboFix.txt didn't generate, but I did get a bug.txt file added to C:\

    I reran ComboFix and basically got the same thing as above.

    Thanks

  10. #20
    Security Expert: Emeritus Blade81
    Join Date: Oct 2006
    Location: Finland
    Posts: 25,288

    Hi,

    Download GMER here by clicking the download exe button and then saving it to your desktop:
    • Double-click the .exe that you downloaded.
    • Click the Rootkit tab and then Scan.
    • Don't check the Show All box while scanning is in progress!
    • When scanning is ready, click Copy.
    • This copies the log to the clipboard.
    • Post the log in your reply.
