Debugger detected [97]

thegraz

New member
Hi and thanks for taking my problem.

I have read the stickies and cannot include an HJT scan as the program does not work. I was able to install it, but when I go to run it I get a Windows error, "Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item," which of course is not true. I am the owner of the laptop.

Now on to the problem
The infected machine's OS is Vista Home Ed. I have tried Malwarebytes Anti-Malware in Safe Mode and this does not work. When I start my machine I receive about 20 "Debugger detected [97]" warnings. I can close all of those, and any time I click to run an application I get the "Debugger detected [97]" error and the application shuts down. I can right-click and start the app as an administrator, but still can't get programs like antivirus and malware removers to work.

McAfee and SuperAntiSpyware cannot be started and are/were up to date with the latest patches.

The machine will close everything at any time, sometimes reboot on its own, go into Safe Mode on its own, and show a lot of other very strange behavior. I am using another PC in the house to write this and work on a fix.

Thanks for the help,
 
Hi Jim,

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
 
Hi blade,

Here is the log

Log file is located at: C:\Users\Jim's Laptop\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB4AE.tmp\ZAPB4AE.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\bthservsdp.dat
 
Hi,

I'm not sure but that log looks a bit short. Could you attach the file as an attachment? I want to make sure whole log gets included.
 
Hi,

Sure here it is.
I am in Safe Mode, FYI, since I can't log in normally. If I try to start Vista normally I get an error that my machine will restart in 1 min. Sometimes I just get a blue screen as well.

Thanks
 
Ok. Looks like it was complete log after all.

Open Notepad and then copy and paste the lines below into it. Go to File > Save As, name the file fixes.bat, change the Save as type to All Files and save it to your desktop.
@echo off
dir /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >c:\LogIt.txt
start c:\LogIt.txt

Double-click on fixes.bat file to execute it. LogIt.txt file should open up. Copy-paste contents to your reply.
 
Hi,
Here is the LogIt.txt

Volume in drive C is OS
Volume Serial Number is 66B3-F6AE

Directory of C:\WINDOWS\System32

01/19/2008 02:36 AM 177,152 scecli.dll

Directory of C:\WINDOWS\System32

01/19/2008 02:35 AM 592,384 netlogon.dll

Directory of C:\WINDOWS\System32

11/02/2006 04:46 AM 61,952 cngaudit.dll
3 File(s) 831,488 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6

11/02/2006 04:46 AM 11,776 cngaudit.dll
1 File(s) 11,776 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e

11/02/2006 04:46 AM 176,640 scecli.dll
1 File(s) 176,640 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12

01/19/2008 02:36 AM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783

11/02/2006 04:46 AM 559,616 netlogon.dll
1 File(s) 559,616 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

01/19/2008 02:35 AM 592,384 netlogon.dll
1 File(s) 592,384 bytes

Total Files Listed:
8 File(s) 2,349,056 bytes
0 Dir(s) 68,522,024,960 bytes free
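The batch file above works because Windows keeps a pristine copy of every serviced system DLL under the WinSxS component store, so a System32 copy whose size matches none of its WinSxS copies has been overwritten in place. In this log scecli.dll and netlogon.dll match their SP1 (6.0.6001.18000) copies exactly, while cngaudit.dll is 61,952 bytes in System32 against 11,776 bytes in WinSxS. The following Python script is an added example, not code from this thread or from any of the tools it mentions: it parses the posted dir output (embedded below as a constructed sample, trimmed to the file lines) and flags exactly that mismatch. The directory prefixes used to tell the live copy from the store copies are assumptions that match this log.

```python
import re
from collections import defaultdict

# Constructed sample: the file lines of the LogIt.txt posted in this thread
# (the output of "dir /a/s" over the four DLLs), trimmed to what the parser needs.
LOGIT_TXT = r"""
 Directory of C:\WINDOWS\System32

01/19/2008 02:36 AM 177,152 scecli.dll

 Directory of C:\WINDOWS\System32

01/19/2008 02:35 AM 592,384 netlogon.dll

 Directory of C:\WINDOWS\System32

11/02/2006 04:46 AM 61,952 cngaudit.dll
3 File(s) 831,488 bytes

 Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6

11/02/2006 04:46 AM 11,776 cngaudit.dll
1 File(s) 11,776 bytes

 Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e

11/02/2006 04:46 AM 176,640 scecli.dll

 Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12

01/19/2008 02:36 AM 177,152 scecli.dll

 Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783

11/02/2006 04:46 AM 559,616 netlogon.dll

 Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

01/19/2008 02:35 AM 592,384 netlogon.dll
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_RE = re.compile(r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}\s+[AP]M)\s+([\d,]+)\s+(\S+)\s*$")


def parse_dir_listing(text):
    """Turn 'dir /s' output into (directory, filename, size_in_bytes, timestamp) tuples."""
    entries, current_dir = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and current_dir is not None:
            date, time, size, name = m.groups()
            entries.append((current_dir, name.lower(), int(size.replace(",", "")), f"{date} {time}"))
    return entries


def flag_patched_system_files(entries, system_dir=r"c:\windows\system32", store_dir=r"c:\windows\winsxs"):
    """Flag System32 files whose size matches none of their WinSxS component-store copies.

    Every serviced version of a Windows binary keeps a pristine copy under WinSxS, so a
    live System32 copy whose size is not among its WinSxS siblings has been replaced or
    patched in place. Returns {filename: {"live_size": int, "store_copies": [(dir, size)]}}.
    The directory prefixes are assumptions matching the log in this thread.
    """
    store_copies = defaultdict(list)
    live = {}
    for directory, name, size, _ in entries:
        d = directory.lower()
        if d.startswith(store_dir):
            store_copies[name].append((directory, size))
        elif d == system_dir:
            live[name] = size
    findings = {}
    for name, size in live.items():
        if size not in {s for _, s in store_copies.get(name, [])}:
            findings[name] = {"live_size": size, "store_copies": store_copies.get(name, [])}
    return findings


if __name__ == "__main__":
    for name, info in flag_patched_system_files(parse_dir_listing(LOGIT_TXT)).items():
        print(f"{name}: live copy is {info['live_size']} bytes, WinSxS copies: {info['store_copies']}")
```

A size mismatch is only a first screen: a patched file can be padded to the original length, and a legitimate hotfix can leave a System32 copy newer than anything the listing shows. When a tool can be run on the machine, confirm with a hash or Authenticode check (Sysinternals sigcheck, for example) before restoring the WinSxS copy over the live one, which is what the Avenger script in the next reply does.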
 
Hi,

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Code:
    Files to move:
    C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll|C:\WINDOWS\System32\cngaudit.dll
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
 
Hi and thanks

Just so I don't mess things up: usually when I reboot normally I get an error that the PC will reboot in a minute, and then it does.

In order to do everything I am doing now I have to be in safe mode.

So, when I Execute and it reboots should I let it go or should I Safe Mode it?

Thanks
 
Hi,

I ran the program and let it restart the machine in normal mode. The log file opened, and a Windows box popped up and stated that I was infected by malware. Something started to download that stated that it was Windows downloading it. It didn't look like a normal Windows update. The PC crashed with a blue screen and restarted by itself. I let it go to normal mode again and it crashed before I saw the welcome screen. I am now back in Safe Mode and here is the log.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "ax6wpfrx" found!
Start Type: 3 (Manual)

Rootkit scan completed.

File move operation "C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll|C:\WINDOWS\System32\cngaudit.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Thanks
 
Jim,

Please run Win32kDiag again and attach its report.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.
 
Hi Blade,

Thanks again for the help.


DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Jim's Laptop at 10:15:38.19 on Tue 09/15/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3581.2807 [GMT -5:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Users\JIM'SL~1\AppData\Local\Temp\spoolsv.exe
C:\Users\JIM'SL~1\AppData\Local\Temp\setup.exe
C:\Users\JIM'SL~1\AppData\Local\Temp\taskmgr.exe
C:\Users\JIM'SL~1\AppData\Local\Temp\system.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\JIM'SL~1\AppData\Local\Temp\winamp.exe
C:\Users\JIM'SL~1\AppData\Local\Temp\win.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Jim's Laptop\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com
uWindow Title = Internet Explorer provided by Dell
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AdobeBridge] "c:\program files\adobe\adobe bridge cs4\Bridge.exe" -stealth
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Windows System Recover!] c:\users\jim'sl~1\appdata\local\temp\win.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [<NO NAME>]
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Turbine Download Manager Tray Icon] "c:\program files\turbine\turbine download manager - preview\TurbineDownloadManagerIcon.exe"
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdcBase.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [RDVCHG] "c:\program files\sprint\sprint smartview\RDVCHG.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [bacstray] c:\program files\broadcom\bacs\BacsTray.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [winupdate.exe] c:\windows\system32\winupdate.exe
mRun: [braviax] c:\windows\system32\braviax.exe
mRun: [Antivirus Pro 2010] "c:\program files\antiviruspro_2010\AntivirusPro_2010.exe" /hide
dRun: [autochk] rundll32.exe c:\windows\system32\config\system~1\protect.dll,_IWMPEvents@16
dRun: [AntiSpyware Service] c:\windows\temp\n9257qf0.exe
dRun: [WIndows Rescue Disk] c:\windows\temp\spoolsv.exe
dRun: [Advanced Virus Remover] c:\program files\advancedvirusremover\PAVRM.exe
dRun: [braviax] c:\windows\system32\braviax.exe
dRun: [Login Software 2009] c:\windows\temp\z5l35dh.exe
dRun: [Windows System Recover!] c:\windows\temp\setup.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mic273~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: evga.com\www
Trusted Zone: redlegion.com\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://dev.srtest.com/srl_bin/sysreqlab3.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
STS: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll
STS: c:\windows\system32\ygsuhdf83id.dll: {ba603215-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\ygsuhdf83id.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: {24daafb8-b7f5-463f-88c1-d497611fc253} - c:\windows\system32\fCrrrsTK.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyyvTKa

============= SERVICES / DRIVERS ===============

S1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2009-7-17 54776]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 74480]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-5-27 73728]
S2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [2008-6-4 21504]
S2 PreviewTurbineMessageService;Turbine Message Service - Preview;c:\program files\turbine\turbine download manager - preview\TurbineMessageService.exe [2008-9-29 255472]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-9-11 1153368]
S2 Synergy Client;Synergy Client;c:\program files\synergy\synergyc.exe [2006-4-2 446464]
S3 CASprint;Sprint Con App Svc;c:\program files\sprint\sprint smartview\ConAppsSvc.exe [2009-3-6 124160]
S3 mndisk;mndisk;c:\windows\system32\mndisk.sys [2008-6-4 2304]
S3 PreviewTurbineNetworkService;Turbine Network Service - Preview;c:\program files\turbine\turbine download manager - preview\TurbineNetworkService.exe [2008-9-29 218608]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
S4 AntipPro2009_100;AntipyProex;c:\windows\svchasts.exe --> c:\windows\svchasts.exe [?]
S4 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [2006-11-2 93184]

=============== Created Last 30 ================

2009-09-15 06:06 132,096 a------- c:\windows\system32\wiwow64.exe
2009-09-15 05:32 0 a------- c:\windows\system32\491.exe
2009-09-15 04:32 0 a------- c:\windows\system32\9961.exe
2009-09-15 03:32 0 a------- c:\windows\system32\16827.exe
2009-09-15 02:32 0 a------- c:\windows\system32\23281.exe
2009-09-15 01:32 0 a------- c:\windows\system32\28145.exe
2009-09-15 00:32 0 a------- c:\windows\system32\5705.exe
2009-09-14 23:32 0 a------- c:\windows\system32\24464.exe
2009-09-14 22:32 0 a------- c:\windows\system32\26962.exe
2009-09-14 21:32 0 a------- c:\windows\system32\29358.exe
2009-09-14 20:32 0 a------- c:\windows\system32\11478.exe
2009-09-14 19:32 0 a------- c:\windows\system32\15724.exe
2009-09-14 14:37 15,000 a------- c:\windows\system32\ygsuhdf83id.dll
2009-09-14 14:32 831 a------- c:\windows\system32\critical_warning.html
2009-09-12 07:40 0 a------- c:\windows\system32\19169.exe
2009-09-12 06:39 0 a------- c:\windows\system32\26500.exe
2009-09-12 05:39 0 a------- c:\windows\system32\6334.exe
2009-09-12 04:51 19,965 a------- c:\program files\common files\wykoja.bin
2009-09-12 04:51 18,412 a------- c:\windows\haxivel.ban
2009-09-12 04:51 18,390 a------- c:\program files\common files\apogotu.dll
2009-09-12 04:51 16,082 a------- c:\windows\system32\hafecyc.vbs
2009-09-12 04:51 12,681 a------- c:\windows\system32\kero.dat
2009-09-12 04:51 11,633 a------- c:\program files\common files\inojyx.pif
2009-09-12 04:51 11,486 a------- c:\windows\system32\afavywosyx.vbs
2009-09-12 04:51 10,154 a------- c:\programdata\lumenyxisu.reg
2009-09-12 04:51 10,154 a------- c:\progra~2\lumenyxisu.reg
2009-09-12 04:51 10,038 a------- c:\windows\ygezimiji.dl
2009-09-12 04:50 <DIR> --d----- c:\program files\AntivirusPro_2010
2009-09-12 04:45 188,016 a------- c:\windows\system32\wisdstr.exe
2009-09-12 04:45 10,752 a------- c:\windows\system32\braviax.exe
2009-09-12 04:39 0 a------- c:\windows\system32\18467.exe
2009-09-12 03:43 <DIR> --d----- c:\program files\AdvancedVirusRemover
2009-09-12 03:39 0 a------- c:\windows\system32\41.exe
2009-09-12 03:39 206 a------- c:\windows\system32\winhelper.dll
2009-09-12 03:39 24,490 a------- c:\windows\system32\winupdate.exe
2009-09-12 03:39 15,000 a------- c:\windows\system32\tajf83ikdmf.dll
2009-09-11 20:13 318,976 a------- c:\windows\system32\cmd.execf
2009-09-11 17:38 <DIR> --d-h--- c:\windows\PIF
2009-09-11 15:08 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-09-11 15:08 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-11 15:08 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-09-11 14:52 <DIR> a-d----- c:\programdata\TEMP
2009-09-11 14:52 <DIR> --d----- c:\program files\SpywareBlaster
2009-09-10 07:46 <DIR> --d----- c:\programdata\Windows Genuine Advantage
2009-09-09 07:43 20,992 a--sh--- c:\windows\system32\autochk.dll
2009-09-08 23:38 40,448 a------- c:\windows\system32\lkod.dll
2009-09-08 23:38 320 a------- c:\windows\system32\jlksf
2009-09-08 17:09 <DIR> --d----- c:\users\jim'sl~1\appdata\roaming\Malwarebytes
2009-09-08 17:09 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 17:09 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-08 17:09 <DIR> --d----- c:\programdata\Malwarebytes
2009-09-08 17:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 17:09 <DIR> --d----- c:\progra~2\Malwarebytes
2009-09-08 17:09 <DIR> --d----- c:\program files\Trend Micro
2009-09-08 09:55 <DIR> --d----- C:\Root
2009-09-08 09:55 <DIR> --d----- c:\program files\Activision
2009-09-07 21:10 <DIR> --d----- c:\windows\system32\xlive
2009-09-07 21:10 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-09-07 20:49 <DIR> --d----- c:\program files\Eidos
2009-09-07 13:35 <DIR> --d----- c:\program files\THQ
2009-09-07 08:56 <DIR> --d----- c:\program files\Paradox Interactive
2009-08-19 23:20 <DIR> --d----- c:\programdata\FLEXnet
2009-08-19 23:15 <DIR> --d----- c:\programdata\ALM
2009-08-19 23:15 <DIR> --d----- c:\progra~2\ALM
2009-08-19 23:06 <DIR> --d----- c:\program files\common files\Macrovision Shared

==================== Find3M ====================

2009-09-15 06:06 65,816 a------- c:\programdata\nvModes.dat
2009-09-15 06:06 65,816 a------- c:\progra~2\nvModes.dat
2009-09-12 04:51 17,023 a------- c:\program files\common files\aluci._sy
2009-08-08 19:11 733,782 a------- C:\lynx_v283.zip
2009-07-20 09:34 70,936 a------- c:\windows\system32\PhysXLoader.dll
2009-07-14 17:17 15,308,440 a------- c:\windows\system32\xlive.dll
2009-07-14 17:17 13,642,888 a------- c:\windows\system32\xlivefnt.dll
2009-06-19 20:06 288,024 a------- c:\windows\system32\PhysXCplUI.exe
2009-06-19 20:06 288,024 a------- c:\windows\system32\PhysXCompatCplUI.exe
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelTraditionalChinese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelSwedish.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelSpanish.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelSimplifiedChinese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelPortugese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelKorean.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelJapanese.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelGerman.dll
2009-06-19 20:06 58,648 a------- c:\windows\system32\AgCPanelFrench.dll
2009-06-19 20:06 24,344 a------- c:\windows\system32\PhysXDevice.dll
2009-06-08 06:56 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-08 06:56 143,360 a------- c:\windows\inf\infstor.dat
2009-06-08 06:56 86,016 a------- c:\windows\inf\infpub.dat
2008-06-11 06:40 665,600 a------- c:\windows\inf\drvindex.dat
2008-06-04 21:34 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 10:16:18.34 ===============
 
and the Attach file


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 5/27/2008 1:23:24 AM
System Uptime: 9/15/2009 6:10:20 AM (4 hours ago)

Motherboard: Dell Inc. | | 0UK437
Processor: Intel(R) Core(TM)2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 1995/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 286 GiB total, 63.829 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 5.543 GiB free.
E: is CDROM ()
F: is CDROM ()
Y: is NetworkDisk (FAT) - 0 GiB total, 0 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0002
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #3
PNP Device ID: ROOT\*ISATAP\0002
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0004
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #4
PNP Device ID: ROOT\*ISATAP\0004
Service: tunnel

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

7-Zip 4.57
AC3Filter (remove only)
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Fonts All
Adobe Illustrator CS4
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Reader 8.1.6
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Antivirus Pro 2010
Apple Mobile Device Support
Apple Software Update
AutoUpdate
Banctec Service Agreement
Batman: Arkham Asylum
Bonjour
Broadcom Management Programs
Browser Address Error Redirector
Butler Advantage XE 6.3
CDDRV_Installer
Company of Heroes
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Connect
Dell DataSafe Online
Dell Getting Started Guide
Dell Support Center (Support Software)
Dell Touchpad
Digital Line Detect
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Easy Thumbnails (Remove only)
EDocs
EPSON Artisan 800 Series Printer Uninstall
EPSON Scan
EpsonNet Print
ffdshow [rev 1685] [2007-12-06]
FileZilla Client 3.1.0.1
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Google Updater
GoToAssist 8.0.0.514
Haali Media Splitter
HijackThis 2.0.2
HTC Touch Pro™ User Guide
Intel(R) PROSet/Wireless Software
iTunes
Java(TM) SE Runtime Environment 6
KhalSetup
kuler
LightScribe System Software 1.10.16.1
Malwarebytes' Anti-Malware
McAfee SecurityCenter
mCore
MediaDirect
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft Expression Web
Microsoft Expression Web MUI (English)
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Managed DirectX (1126)
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003
Microsoft Publisher 2002
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
mMHouse
MobileMe Control Panel
Modem Diagnostic Tool
MozyHome Remote Backup
mPfMgr
Music, Photos & Videos Launcher
mWMI
Nero 8 Essentials
neroxml
NetWaiting
NVIDIA Drivers
NVIDIA PhysX
OutlookAddinSetup
PDF Settings CS4
Photoshop Camera Raw
PHP 5.3.0
Picasa 3
Product Documentation Launcher
Prototype(TM)
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
SetPoint
Sprint SmartView
Spybot - Search & Destroy
SpywareBlaster 4.2
Suite Shared Configuration CS4
SUPERAntiSpyware Free Edition
Synergy
System Requirements Lab
The Lord of the Rings - Conquest™
The Lord of the Rings Online™: Shadows of Angmar™ v07.12.30.54
The Rosetta Stone
TotalAudioConverter
Turbine Download Manager - Preview 1.0.3191.15414
VCRedistSetup
Ventrilo Client
VideoLAN VLC media player 0.8.6f
WIDCOMM Bluetooth Software 6.0.1.3100
WinRAR

==== Event Viewer Messages From Past Week ========

9/9/2009 8:26:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wcncsvc with arguments "" in order to run the server: {375FF000-DD27-11D9-8F9C-0002B3988E81}
9/9/2009 8:26:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
9/9/2009 7:51:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}
9/9/2009 2:43:34 PM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001F3B889927. The following error occurred: The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
9/9/2009 2:34:38 PM, Error: EventLog [6008] - The previous system shutdown at 2:32:52 PM on 9/9/2009 was unexpected.
9/8/2009 6:03:06 PM, Error: EventLog [6008] - The previous system shutdown at 6:01:10 PM on 9/8/2009 was unexpected.
9/8/2009 6:00:16 PM, Error: EventLog [6008] - The previous system shutdown at 5:58:26 PM on 9/8/2009 was unexpected.
9/8/2009 5:57:33 PM, Error: EventLog [6008] - The previous system shutdown at 5:55:18 PM on 9/8/2009 was unexpected.
9/8/2009 5:32:47 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: mozyFilter SASDIFSV SASKUTIL spldr Wanarpv6
9/8/2009 5:32:03 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\IWMSSvc.dll Error Code: 21
9/8/2009 5:31:37 PM, Error: EventLog [6008] - The previous system shutdown at 5:29:04 PM on 9/8/2009 was unexpected.
9/8/2009 5:29:04 PM, Error: EventLog [6008] - The previous system shutdown at 5:25:31 PM on 9/8/2009 was unexpected.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC mozyFilter MPFP NetBIOS netbt nsiproxy PSched RasAcd rdbss SASDIFSV SASKUTIL Smb spldr Tcpip tdx Wanarpv6
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:15:13 PM, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/8/2009 5:14:32 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
9/8/2009 5:14:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
9/8/2009 5:14:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
9/8/2009 5:14:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
9/8/2009 5:14:26 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/8/2009 5:14:14 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
9/8/2009 5:14:06 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
9/8/2009 5:14:06 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
9/8/2009 5:12:18 PM, Error: Service Control Manager [7034] - The AntipyProex service terminated unexpectedly. It has done this 1 time(s).
9/8/2009 4:21:13 PM, Error: EventLog [6008] - The previous system shutdown at 4:19:21 PM on 9/8/2009 was unexpected.
9/8/2009 4:18:28 PM, Error: EventLog [6008] - The previous system shutdown at 4:16:08 PM on 9/8/2009 was unexpected.
9/8/2009 4:16:08 PM, Error: EventLog [6008] - The previous system shutdown at 4:14:14 PM on 9/8/2009 was unexpected.
9/8/2009 4:13:44 PM, Error: EventLog [6008] - The previous system shutdown at 4:11:10 PM on 9/8/2009 was unexpected.
9/8/2009 4:11:10 PM, Error: EventLog [6008] - The previous system shutdown at 4:08:47 PM on 9/8/2009 was unexpected.
9/8/2009 4:08:47 PM, Error: EventLog [6008] - The previous system shutdown at 4:06:38 PM on 9/8/2009 was unexpected.
9/8/2009 4:04:27 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was The remote procedure call failed. .
9/8/2009 4:04:27 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1726" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
9/8/2009 3:30:16 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
9/8/2009 3:26:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
9/8/2009 3:25:05 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
9/8/2009 11:44:48 PM, Error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/8/2009 11:44:23 PM, Error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Run the configured recovery program.
9/8/2009 11:43:29 PM, Error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/8/2009 11:31:27 PM, Error: EventLog [6008] - The previous system shutdown at 11:28:46 PM on 9/8/2009 was unexpected.
9/8/2009 11:28:46 PM, Error: EventLog [6008] - The previous system shutdown at 11:26:30 PM on 9/8/2009 was unexpected.
9/15/2009 6:11:10 AM, Error: EventLog [6008] - The previous system shutdown at 6:09:27 AM on 9/15/2009 was unexpected.
9/14/2009 7:47:40 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
9/11/2009 3:37:38 PM, Error: EventLog [6008] - The previous system shutdown at 3:35:07 PM on 9/11/2009 was unexpected.
9/11/2009 3:01:58 PM, Error: Service Control Manager [7000] - The McAfee Scanner service failed to start due to the following error: Access is denied.
9/11/2009 3:01:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "5" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
9/11/2009 2:48:07 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
9/11/2009 2:42:26 PM, Error: EventLog [6008] - The previous system shutdown at 2:39:50 PM on 9/11/2009 was unexpected.
9/10/2009 5:01:26 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 001F3B889927 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
9/10/2009 3:43:09 PM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001F3B889927. The following error occurred: The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
9/10/2009 3:34:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

==== End Of File ===========================
 
Hi,

Please visit this webpage for download links and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


Also run Win32kDiag again after the ComboFix run is done.
 
ComboFix is claiming that I still have Spybot and Super Antispyware running. I have disabled them in msconfig and rebooted.
Should I uninstall the programs or ignore the ComboFix warning that states it is not responsible for any damage it may cause? :)

Thanks
 
Just FYI
I'm in safe mode and I can't launch Spybot or Super AntiSpyware. I get the path error that was in my original post. That is why I disabled them in msconfig

Thanks
 
Hi Blaze,

OK, I ran Combofix the first time and got an error "The instruction at 0x00c4cdfb referenced memory at 0x0000000. The memory could not be read." I had to click to terminate. ComboFix continued and found the rootkit file rotscxkoxxveis.sys.

ComboFix completed with all 50 stages and deleted some files, the PC rebooted itself.

I got a blue screen with a memory dump.

PC restarted into normal again.

Blue screen with memory dump

PC restarted and I restarted in safe mode.

ComboFix.txt didn't generate, but I did get a bug.txt file added to C:\

I reran ComboFix and basically got the same thing as above.

Thanks
 
Hi,

Download GMER here by clicking the download exe button and then saving it to your desktop:
  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while the scan is in progress!
  • When the scan is ready, click Copy.
  • This copies the log to the clipboard.
  • Post the log in your reply.
 