wasser1

My XP box is infected with a virus or malware. I am able to run Malwarebytes in Safe Mode, but Malwarebytes shuts down after 4 seconds using "Perform quick scan" or "Perform Flash Scan". Then Malwarebytes (Mbam.exe) won't run and gives the error message "Windows cannot access the specific device, path or file. You may not have the appropriate permissions to access them." No log is created. I can reinstall Malwarebytes, but subsequent sessions kick out and won't run again. Renaming mbam.exe does not make any difference. GMER also crashed and won't create a log. Please help.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03
Run by Russ at 22:31:22 on 2011-09-24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1564 [GMT -5:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\1685201356:870223259.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.jsonline.com/
BHO: adfabonppr Object: {26d02f99-ae5b-4533-ad67-e23b4b20d60d} - c:\windows\$blstun$\qgnnv.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: brumabonpgrm Object: {795f4311-02c9-4b7b-a9bb-78d4fe68a98d} - c:\windows\$blstun$\lmatn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.30.0\gears.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: ZoneAlarm Spy Blocker Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\russ\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [speedUpMyPC] "c:\program files\uniblue\speedupmypc\launcher.exe" delay 20000
uRun: [Hgobadajakucura] rundll32.exe "c:\windows\dmodbd4.dll",Startup
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [skyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [FastUser] c:\windows\system32\fast.exe
mRun: [DUControl] "c:\program files\directupdate v4\DUControl.exe"
mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [brStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [bSDAppUpdater] c:\program files\common files\bsd\appupdater\BSDChecker.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Mobile Connectivity Suite] "c:\program files\htc\htc sync\application launcher\Application Launcher.exe" /startoptions
mRun: [Cbiqotudo] rundll32.exe "c:\windows\acubusax.dll",Startup
mRun: [updatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\9.0"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [lqbkkvy] c:\windows\system32\config\systemprofile\application data\ubmg.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [smad] "c:\documents and settings\russ\local settings\application data\sanctionedmedia\smad\Smad.exe"
mExplorerRun: [application] c:\program files\akprog\AKProg.exe hs
StartupFolder: c:\docume~1\russ\startm~1\programs\startup\aquari~1.lnk - c:\program files\aquarius soft\pc alarm clock pro\alarm.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office2000\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office97\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\~disab~1\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\~disab~1\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\~disab~1\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.30.0\gears.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: mswsock.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/67.14/uploader2.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.geni.com/ImageUploader5.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{298712DF-6AC1-4A89-8035-19854580A189} : DhcpNameServer = 192.168.0.1
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
LSA: Authentication Packages = msv1_0 relog_ap
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\russ\application data\mozilla\firefox\profiles\q7ftiz9e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=GM2TDF&PC=GM2TDF&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=GM2TDF&PC=GM2TDF&q=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff30\gears.dll
FF - component: c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll
FF - plugin: c:\documents and settings\russ\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\russ\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAWREM.DLL
FF - plugin: c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: ZoneAlarm Spy Blocker Toolbar: {E9A1DEE0-C623-4439-8932-001E7D17607D} - %profile%\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg9\Firefox
FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\google\google gears\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: MSN Toolbar: msntoolbar@msn.com - c:\program files\msn toolbar\platform\4.0.0379.0\Firefox
FF - Ext: Search Helper Extension: {27182e60-b5f3-411c-b545-b44205977502} - c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\SearchHelperExtension
.
---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Search
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101179100&s=
============= SERVICES / DRIVERS ===============
.
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-26 243152]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-6-25 353680]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2007-12-19 37376]
S0 nhkxcl;nhkxcl;c:\windows\system32\drivers\xjdctffe.sys --> c:\windows\system32\drivers\xjdctffe.sys [?]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-26 216400]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-2-5 29712]
S1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2008-2-27 33824]
S2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-6-25 464264]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
S2 gupdate1c90e4caaec528c;Google Update Service (gupdate1c90e4caaec528c);c:\program files\google\update\GoogleUpdate.exe [2008-9-4 133104]
S2 MouseDriver;MouseDriver;c:\windows\system32\config\systemprofile\application data\MouseDriver.bat [2011-9-21 113]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2004-3-12 547744]
S3 DirectUpdate;DirectUpdate engine;c:\program files\directupdate v4\DUEngine.exe [2008-2-27 184832]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-10-13 24576]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2003-6-13 30336]
.
=============== Created Last 30 ================
.
2011-09-25 03:17:27 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-25 03:16:06 -------- d-----w- C:\m1
2011-09-25 02:44:07 9852544 ----a-w- C:\mbam.exe
2011-09-24 15:04:38 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-24 15:04:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-21 21:08:42 103 ---h--w- c:\documents and settings\russ\application data\MouseDriver.bat
2011-09-21 21:08:38 -------- d-----w- c:\documents and settings\russ\local settings\application data\SanctionedMedia
2011-09-21 21:08:36 55808 ----a-w- c:\documents and settings\russ\application data\ubmg.exe
2011-09-21 20:55:19 -------- d-----w- c:\windows\$BLSTUN$
2011-09-21 20:55:13 -------- d-----w- c:\documents and settings\all users\application data\WSTB
2011-09-02 04:43:51 -------- d-----w- c:\documents and settings\russ\local settings\application data\EapHelpvga
.
==================== Find3M ====================
.
2004-03-01 20:58:18 561424 ----a-w- c:\program files\dao360.dll
2004-03-01 20:58:18 561424 ----a-w- c:\program files\common files\dao360.dll
1999-10-13 19:05:00 570128 ----a-w- c:\program files\Dao350.dll
1999-10-13 19:05:00 570128 ----a-w- c:\program files\common files\Dao350.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380815AS rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-9
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A1F4CA0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A30BAB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8A284668]
\Driver\00000277[0x8A283580] -> IRP_MJ_CREATE -> 0x8A1F4CA0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A32A31B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 22:33:07.87 ===============