Invalid Process Attach Attempt - Stop 5
I recieved the computer and it had a corrupted boot sector. I rebuilt with windows recovery using a CHKDSK /r and it found and repaired the errors. I installed a "writeable" CDrom drive and when it started to write, it gave the error. I replaced it with another drive and the same thing happened. I checked here and there is a note about this error, and the fix was memory. I replaced the memory and tried again. Still get the error. I disconnected the CDrom and ran the system without. It worked okay for awhile but then got the error again. I decided that maybe something was corrupt on windows and rebuilt it by inserting the CD and doing a recovery of windows. (not a new install) Again, it worked for a short while then the error re-appead.
I VS the disk using AVG and all seems to be okay. A few minor problems. I checked the disk for fragmentation and it was 58% fragmented. I de-fragmented but it crashed in the middle. I booted into safe mode and de-fragmented it there. Re installed the CD and rebooted. The system crashed yet again. I cloned the disk using Acronis and booted that disk and again it booted okay but crashed with the same error.
I would really like to keep the data on this machine if possible. With the exception of the MB, is there anything else I can do to possibly offset the issue?
I VS the disk using AVG and all seems to be okay. A few minor problems. I checked the disk for fragmentation and it was 58% fragmented. I de-fragmented but it crashed in the middle. I booted into safe mode and de-fragmented it there. Re installed the CD and rebooted. The system crashed yet again. I cloned the disk using Acronis and booted that disk and again it booted okay but crashed with the same error.
I would really like to keep the data on this machine if possible. With the exception of the MB, is there anything else I can do to possibly offset the issue?
ASKER
I just tried the event viewer and the system crashed again...
Invalid_process_attach_att
Stop 0x00000005:(0x00000000 0x82A58728 0x000000001 0x0000000)
The system never crashes in safe mode. I have booted up there to see if the eveng viewer contains any valid data. The data there is from 18/09/2007, and indicates a RASMAN errors 20035 at 11:42, but there is nothing else present.
Invalid_process_attach_att
Stop 0x00000005:(0x00000000 0x82A58728 0x000000001 0x0000000)
The system never crashes in safe mode. I have booted up there to see if the eveng viewer contains any valid data. The data there is from 18/09/2007, and indicates a RASMAN errors 20035 at 11:42, but there is nothing else present.
Probably some virus/ rootkit.
Try running HijackThis log and post it here, also run some rootkit detector (virus scanners usually cannot detect an installed rootkit, because it can hide its files from them).
Also, I observed this behavior with some badly-designed antivirus (won't say name), so try uninstalling any antivirus software that is there and install some decent one.
To scan for a rootkit, remove hard-drive, connect it to other pc as slave and run virus scan from other windows installation (on master drive).
Try running HijackThis log and post it here, also run some rootkit detector (virus scanners usually cannot detect an installed rootkit, because it can hide its files from them).
Also, I observed this behavior with some badly-designed antivirus (won't say name), so try uninstalling any antivirus software that is there and install some decent one.
To scan for a rootkit, remove hard-drive, connect it to other pc as slave and run virus scan from other windows installation (on master drive).
ASKER
Here is the HiJack this log. I will throw the disk on a different P.C. running McAfee and report back soon.
Thanks,
Logfile of HijackThis v1.97.7
Scan saved at 6:59:14 AM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spools
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
C:\PROGRA~1\Grisoft\AVG7\a
C:\Program Files\ScanSoft\OmniPageSE2
C:\Program Files\iTunes\iTunesHelper.
C:\WINDOWS\system32\RUNDLL
C:\PROGRA~1\Grisoft\AVG7\a
C:\Program Files\Google\GoogleToolbar
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\PROGRA~1\Grisoft\AVG7\a
C:\PROGRA~1\Grisoft\AVG7\a
C:\Program Files\Handspring\HOTSYNC.E
C:\WINDOWS\system32\nvsvc3
C:\WINDOWS\System32\svchos
C:\Program Files\iPod\bin\iPodService
C:\WINDOWS\system32\wuaucl
C:\Documents and Settings\computer\Desktop\
R0 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-C
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTr
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\a
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbar
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.E
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Ad
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSear
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.
O16 - DPF: {00B71CFB-6864-4346-A978-C
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D
O16 - DPF: {14B87622-7E19-4EA8-93B3-9
O16 - DPF: {166B1BCA-3F9C-11CF-8075-4
O16 - DPF: {1754A1BA-A1DF-4F10-B199-A
O16 - DPF: {4C39376E-FA9D-4349-BACC-D
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-C
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {8E0D4DE5-3180-4024-A327-4
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-5
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-2
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7
Thanks,
Logfile of HijackThis v1.97.7
Scan saved at 6:59:14 AM, on 9/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spools
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
C:\PROGRA~1\Grisoft\AVG7\a
C:\Program Files\ScanSoft\OmniPageSE2
C:\Program Files\iTunes\iTunesHelper.
C:\WINDOWS\system32\RUNDLL
C:\PROGRA~1\Grisoft\AVG7\a
C:\Program Files\Google\GoogleToolbar
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\PROGRA~1\Grisoft\AVG7\a
C:\PROGRA~1\Grisoft\AVG7\a
C:\Program Files\Handspring\HOTSYNC.E
C:\WINDOWS\system32\nvsvc3
C:\WINDOWS\System32\svchos
C:\Program Files\iPod\bin\iPodService
C:\WINDOWS\system32\wuaucl
C:\Documents and Settings\computer\Desktop\
R0 - HKCU\Software\Microsoft\In
R0 - HKCU\Software\Microsoft\In
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-C
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTr
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\a
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbar
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.E
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Ad
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSear
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.
O16 - DPF: {00B71CFB-6864-4346-A978-C
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D
O16 - DPF: {14B87622-7E19-4EA8-93B3-9
O16 - DPF: {166B1BCA-3F9C-11CF-8075-4
O16 - DPF: {1754A1BA-A1DF-4F10-B199-A
O16 - DPF: {4C39376E-FA9D-4349-BACC-D
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-C
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {8E0D4DE5-3180-4024-A327-4
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-5
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-2
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7
Hm, it *seems* ok, but the combination of AVG and system mechanic may be trouble some (they are both trying to hook some kernel mode functions - if you cannot detect a virus, I would uninstall both of them and see if it helps.
Though, it may still be the case with some hardware (something that is not initialized in SafeMode, such as network card or usb device).
If you can't fix it in software, try removing all non-core (meaning: everything except hd, mother board, processor, graphics card and power supply) hardware and see if it works normally (it should, if it's not a software problem), then sequentially add hardware one by one until you find the culprit.
Though, it may still be the case with some hardware (something that is not initialized in SafeMode, such as network card or usb device).
If you can't fix it in software, try removing all non-core (meaning: everything except hd, mother board, processor, graphics card and power supply) hardware and see if it works normally (it should, if it's not a software problem), then sequentially add hardware one by one until you find the culprit.
I have found on my computer (once, so it's not representative trial) that iolo does write software with many useful functions, but also many bugs...
ASKER
I had added the IOLO software after the initial fix due to the system being slow on boot. I will do a remove of this software as well. But first, I will scan the HD for any virus using McAfee on a different machine and see if that helps the situation. I suppose it is possible that I have caused my own delema...
Thanks, I will report back soon.
Thanks, I will report back soon.
ASKER
While I had one of the clone disks running the VS on Mcafee, I booted the other and removed the IOLO software. The system crashed with the same bug after playing with the disks. The other finally finished the run of McAfee and the following files were found.
Trojan - Download -UA.e
Generic PUP.e
Keylog.family
Keylog-HomeKey
NDotNet
I have removed them all but the Keylog family/HomKey one would "not completely" remove. I put this one in as the master, it still has the IOLO software on it, but is now "bug free". It crashed when I tried to remove the CD that was in it, after I played with the disks.
So, the long and short is it is still crashing.
Configuration is...
MB - ASUS A7N8X-X
Video - NVIDIA GeForce FX 5200
Currently - HD New - WD800JB previous - Maxtor Diamond MAX Plus 9 80GB (primary IDE port)
Currently - HP 9100 CDRW have tried LG-8400B (Secondary IDE port)
JU256 Floppy disk
386 MB memory (currently 256 MB and 128 MB) Replaced single 512 MB memory module.
Antec Power Supply 380W
Beside Keyboard and Mouse, nothing else on the system.
Trojan - Download -UA.e
Generic PUP.e
Keylog.family
Keylog-HomeKey
NDotNet
I have removed them all but the Keylog family/HomKey one would "not completely" remove. I put this one in as the master, it still has the IOLO software on it, but is now "bug free". It crashed when I tried to remove the CD that was in it, after I played with the disks.
So, the long and short is it is still crashing.
Configuration is...
MB - ASUS A7N8X-X
Video - NVIDIA GeForce FX 5200
Currently - HD New - WD800JB previous - Maxtor Diamond MAX Plus 9 80GB (primary IDE port)
Currently - HP 9100 CDRW have tried LG-8400B (Secondary IDE port)
JU256 Floppy disk
386 MB memory (currently 256 MB and 128 MB) Replaced single 512 MB memory module.
Antec Power Supply 380W
Beside Keyboard and Mouse, nothing else on the system.
ASKER
Hello again,
To help and aid in the troubleshooting of this problem, I took a new disk, formated it on this machine, then reloaded Windows XP Pro from scratch. The version I own is pre SP1. I have now loaded XP and all of the updates. In between each update downloaded, I played with disks both IDE and CD to see if the system would crash and so far it has not. This would leave me to believe we are not seeing a hardware issue. The fact that the software has loaded correctly for windows tells me it is not a Windows Issue from the "straight" Xp side. That does not mean it does not interact with the other software loaded on the box incorrectly. I have loaded all the drivers that were on the other disk for Video, Sound and Lan connectivity and have not had the crash.
So, what would you suggest is my next step? Copy data from old disk, re-install programs, etc... perhaps looksing some data along the way, or troubleshoot original issue with the drive interaction and crash further?
Thanks,
To help and aid in the troubleshooting of this problem, I took a new disk, formated it on this machine, then reloaded Windows XP Pro from scratch. The version I own is pre SP1. I have now loaded XP and all of the updates. In between each update downloaded, I played with disks both IDE and CD to see if the system would crash and so far it has not. This would leave me to believe we are not seeing a hardware issue. The fact that the software has loaded correctly for windows tells me it is not a Windows Issue from the "straight" Xp side. That does not mean it does not interact with the other software loaded on the box incorrectly. I have loaded all the drivers that were on the other disk for Video, Sound and Lan connectivity and have not had the crash.
So, what would you suggest is my next step? Copy data from old disk, re-install programs, etc... perhaps looksing some data along the way, or troubleshoot original issue with the drive interaction and crash further?
Thanks,
ASKER
Hi,
I really would like this problem fixed. It is a difficult issue as it revolves around software intermix etc. I have upped the point value to the max.
I do not want to wipe the data from this disk but will as a last resort.
Swaff
I really would like this problem fixed. It is a difficult issue as it revolves around software intermix etc. I have upped the point value to the max.
I do not want to wipe the data from this disk but will as a last resort.
Swaff
Hm, could you post the results of driverquery command from both your troublesome system and your fresh install?
ASKER
Here is the DriverQuery.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\computer>driverqu
Module Name Display Name Driver Type Link Date
============ ====================== ============= ======================
ACPI Microsoft ACPI Driver Kernel 8/4/2004 2:07:35 AM
ACPIEC ACPIEC Kernel 8/17/2001 4:57:55 PM
aec Microsoft Kernel Acous Kernel 10/1/2004 1:00:21 PM
AFD AFD Networking Support Kernel 8/4/2004 2:14:13 AM
ALCXWDM Service for Realtek AC Kernel 2/27/2003 2:03:50 AM
AmdK7 AMD K7 Processor Drive Kernel 8/4/2004 1:59:19 AM
AsyncMac RAS Asynchronous Media Kernel 8/4/2004 2:05:02 AM
atapi Standard IDE/ESDI Hard Kernel 8/4/2004 1:59:41 AM
Atmarpc ATM ARP Client Protoco Kernel 8/4/2004 1:58:29 AM
audstub Audio Stub Driver Kernel 8/17/2001 4:59:40 PM
Avg7Core AVG7 Kernel Kernel 9/19/2007 8:42:38 AM
Avg7RsW AVG7 Wrap Driver Kernel 7/26/2005 8:10:51 AM
Avg7RsXP AVG7 Resident Driver X Kernel 1/30/2007 10:08:42 AM
AvgClean AVG7 Clean Driver Kernel 8/21/2006 6:55:15 PM
AvgTdi AVG Network Redirector Kernel 8/25/2005 5:59:58 AM
Beep Beep Kernel 8/17/2001 4:47:33 PM
cbidf2k cbidf2k Kernel 8/17/2001 4:52:06 PM
Cdaudio Cdaudio Kernel 8/17/2001 4:52:26 PM
Cdfs Cdfs File System 8/4/2004 2:14:09 AM
Cdrom D-ROM Driver Kernel 8/4/2004 1:59:52 AM
ctljystk Creative SBLive! Gamep Kernel 7/19/2001 6:28:02 PM
DgivEcp Team MFP Comm Driver Kernel 10/24/2000 4:35:54 AM
Disk Disk Driver Kernel 8/4/2004 1:59:53 AM
dmboot dmboot Kernel 8/4/2004 2:07:13 AM
dmio Logical Disk Manager D Kernel 8/4/2004 2:07:13 AM
dmload dmload Kernel 8/17/2001 4:58:15 PM
DMusic Microsoft Kernel DLS S Kernel 8/4/2004 2:07:37 AM
drmkaud Microsoft Kernel DRM A Kernel 8/4/2004 2:07:56 AM
Fastfat Fastfat File System 8/4/2004 2:14:15 AM
Fdc Floppy Disk Controller Kernel 8/4/2004 1:59:25 AM
Fips Fips Kernel 8/17/2001 9:31:49 PM
Flpydisk Floppy Disk Driver Kernel 8/4/2004 1:59:24 AM
FltMgr FltMgr File System 8/21/2006 5:14:57 AM
Ftdisk Volume Manager Driver Kernel 8/17/2001 4:52:41 PM
gameenum Game Port Enumerator Kernel 8/4/2004 2:08:20 AM
GEARAspiWDM GEARAspiWDM Kernel 8/7/2006 1:11:27 PM
Gpc Generic Packet Classif Kernel 8/4/2004 2:04:11 AM
hidusb Microsoft HID Class Dr Kernel 8/17/2001 5:02:16 PM
HTTP HTTP Kernel 3/16/2006 8:33:09 PM
i8042prt i8042 Keyboard and PS/ Kernel 8/4/2004 2:14:36 AM
Imapi CD-Burning Filter Driv Kernel 8/4/2004 2:00:12 AM
ip6fw Pv6 Windows Firewall Kernel 8/4/2004 2:00:04 AM
IpFilterDriv IP Traffic Filter Driv Kernel 8/17/2001 4:55:07 PM
IpInIp IP in IP Tunnel Driver Kernel 8/4/2004 2:04:45 AM
IpNat IP Network Address Tra Kernel 9/29/2004 6:28:36 PM
IPSec IPSEC driver Kernel 8/4/2004 2:14:27 AM
IRENUM IR Enumerator Service Kernel 8/4/2004 2:00:45 AM
isapnp PnP ISA/EISA Bus Drive Kernel 8/17/2001 4:58:01 PM
Kbdclass Keyboard Class Driver Kernel 8/4/2004 1:58:32 AM
kbdhid Keyboard HID Driver Kernel 8/4/2004 1:58:33 AM
kmixer Microsoft Kernel Wave Kernel 6/14/2006 4:47:45 AM
KSecDD KSecDD Kernel 8/4/2004 1:59:45 AM
MASPINT MASPINT Kernel 3/29/2000 4:11:19 AM
mnmdd mnmdd Kernel 8/17/2001 4:57:28 PM
Modem Modem Kernel 8/4/2004 2:08:04 AM
Mouclass Mouse Class Driver Kernel 8/4/2004 1:58:32 AM
mouhid Mouse HID Driver Kernel 8/17/2001 4:47:57 PM
MountMgr Mount Point Manager Kernel 8/4/2004 1:58:29 AM
MRxDAV WebDav Client Redirect File System 8/4/2004 2:00:49 AM
MRxSmb MRXSMB File System 5/5/2006 5:41:42 AM
Msfs Msfs File System 8/4/2004 2:00:37 AM
MSKSSRV Microsoft Streaming Se Kernel 8/4/2004 1:58:39 AM
MSPCLOCK Microsoft Streaming Cl Kernel 8/4/2004 1:58:38 AM
MSPQM Microsoft Streaming Qu Kernel 8/4/2004 1:58:39 AM
mssmbios Microsoft System Manag Kernel 8/4/2004 2:07:47 AM
ms_mpu401 Microsoft MPU-401 MIDI Kernel 8/17/2001 4:59:59 PM
Mup Mup File System 8/4/2004 2:15:20 AM
NDIS NDIS System Driver Kernel 8/4/2004 2:14:27 AM
NdisTapi Remote Access NDIS TAP Kernel 8/17/2001 4:55:29 PM
Ndisuio NDIS Usermode I/O Prot Kernel 8/4/2004 2:03:10 AM
NdisWan Remote Access NDIS WAN Kernel 8/4/2004 2:14:30 AM
NDProxy NDIS Proxy Kernel 8/17/2001 4:55:30 PM
NetBIOS NetBIOS Interface File System 8/4/2004 2:03:19 AM
NetBT NetBios over Tcpip Kernel 8/4/2004 2:14:36 AM
Npfs Npfs File System 8/4/2004 2:00:38 AM
Ntfs Ntfs File System 2/9/2007 6:10:31 AM
Null Null Kernel 8/17/2001 4:47:39 PM
nv nv Kernel 10/6/2003 7:56:53 PM
nvatabus nvatabus Kernel 9/2/2003 9:11:55 PM
nvax Service for NVIDIA(R) Kernel 9/2/2003 9:18:11 PM
NVENET NVIDIA nForce MCP Netw Kernel 8/15/2003 10:22:15 PM
nvnforce Service for NVIDIA(R) Kernel 9/2/2003 9:18:14 PM
nv_agp NVIDIA nForce AGP Bus Kernel 3/19/2003 8:13:47 PM
NwlnkFlt IPX Traffic Filter Dri Kernel 8/17/2001 4:54:05 PM
NwlnkFwd IPX Traffic Forwarder Kernel 8/17/2001 4:54:08 PM
PalmUSBD PalmUSBD Kernel 5/19/2003 4:42:34 PM
Parport Parallel port driver Kernel 8/4/2004 1:59:04 AM
PartMgr Partition Manager Kernel 8/17/2001 9:32:23 PM
ParVdm ParVdm Kernel 8/17/2001 4:49:49 PM
PCI PCI Bus Driver Kernel 8/4/2004 2:07:45 AM
PCIIde PCIIde Kernel 8/17/2001 4:51:49 PM
Pcmcia Pcmcia Kernel 8/4/2004 2:07:45 AM
PptpMiniport WAN Miniport (PPTP) Kernel 8/4/2004 2:14:26 AM
PRISM_A02 802.11a/g USB Driver Kernel 9/9/2003 7:00:33 PM
Processor Processor Driver Kernel 8/4/2004 1:59:14 AM
PSched QoS Packet Scheduler Kernel 8/4/2004 2:04:16 AM
Ptilink Direct Parallel Link D Kernel 8/17/2001 4:49:53 PM
PxHelp20 PxHelp20 Kernel 4/25/2005 3:48:02 PM
RasAcd Remote Access Auto Con Kernel 8/17/2001 4:55:39 PM
Rasl2tp WAN Miniport (L2TP) Kernel 8/4/2004 2:14:21 AM
RasPppoe Remote Access PPPOE Dr Kernel 8/4/2004 2:05:06 AM
Raspti Direct Parallel Kernel 8/17/2001 4:55:32 PM
Rdbss Rdbss File System 5/5/2006 5:47:55 AM
RDPCDD RDPCDD Kernel 8/17/2001 4:46:56 PM
rdpdr Terminal Server Device Kernel 8/4/2004 2:01:10 AM
RDPWD RDPWD Kernel 6/9/2005 7:52:39 PM
redbook Digital CD Audio Playb Kernel 8/4/2004 1:59:34 AM
Secdrv Secdrv Kernel 2/9/2001 11:51:30 AM
serenum Serenum Filter Driver Kernel 8/4/2004 1:59:06 AM
Serial Serial port driver Kernel 8/4/2004 2:15:51 AM
Sfloppy Sfloppy Kernel 8/4/2004 1:59:53 AM
splitter Microsoft Kernel Audio Kernel 6/14/2006 4:47:46 AM
sr System Restore Filter File System 8/4/2004 2:06:22 AM
Srv Srv File System 8/14/2006 6:34:39 AM
swenum Software Bus Driver Kernel 8/4/2004 1:58:41 AM
swmidi Microsoft Kernel GS Wa Kernel 8/17/2001 5:00:42 PM
sysaudio Microsoft Kernel Syste Kernel 8/4/2004 2:15:54 AM
Tcpip TCP/IP Protocol Driver Kernel 4/20/2006 7:51:47 AM
TDPIPE TDPIPE Kernel 8/4/2004 1:58:53 AM
TDTCP TDTCP Kernel 8/4/2004 1:58:52 AM
TermDD Terminal Device Driver Kernel 8/4/2004 1:58:52 AM
Udfs Udfs File System 8/4/2004 2:00:27 AM
Update Microcode Update Drive Kernel 8/4/2004 1:58:32 AM
usbccgp Microsoft USB Generic Kernel 8/4/2004 2:08:45 AM
usbehci Microsoft USB 2.0 Enha Kernel 8/4/2004 2:08:34 AM
usbhub USB2 Enabled Hub Kernel 8/4/2004 2:08:40 AM
usbohci Microsoft USB Open Hos Kernel 8/4/2004 2:08:34 AM
usbprint Microsoft USB PRINTER Kernel 8/4/2004 2:01:23 AM
usbscan USB Scanner Driver Kernel 8/4/2004 1:58:44 AM
USBSTOR USB Mass Storage Drive Kernel 8/4/2004 2:08:44 AM
VgaSave VGA Display Controller Kernel 8/4/2004 2:07:06 AM
VolSnap VolSnap Kernel 8/4/2004 2:00:14 AM
Wanarp Remote Access IP ARP D Kernel 8/4/2004 2:04:57 AM
wdmaud Microsoft WINMM WDM Au Kernel 6/14/2006 5:00:44 AM
C:\Documents and Settings\computer>
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\computer>driverqu
Module Name Display Name Driver Type Link Date
============ ====================== ============= ======================
ACPI Microsoft ACPI Driver Kernel 8/4/2004 2:07:35 AM
ACPIEC ACPIEC Kernel 8/17/2001 4:57:55 PM
aec Microsoft Kernel Acous Kernel 10/1/2004 1:00:21 PM
AFD AFD Networking Support Kernel 8/4/2004 2:14:13 AM
ALCXWDM Service for Realtek AC Kernel 2/27/2003 2:03:50 AM
AmdK7 AMD K7 Processor Drive Kernel 8/4/2004 1:59:19 AM
AsyncMac RAS Asynchronous Media Kernel 8/4/2004 2:05:02 AM
atapi Standard IDE/ESDI Hard Kernel 8/4/2004 1:59:41 AM
Atmarpc ATM ARP Client Protoco Kernel 8/4/2004 1:58:29 AM
audstub Audio Stub Driver Kernel 8/17/2001 4:59:40 PM
Avg7Core AVG7 Kernel Kernel 9/19/2007 8:42:38 AM
Avg7RsW AVG7 Wrap Driver Kernel 7/26/2005 8:10:51 AM
Avg7RsXP AVG7 Resident Driver X Kernel 1/30/2007 10:08:42 AM
AvgClean AVG7 Clean Driver Kernel 8/21/2006 6:55:15 PM
AvgTdi AVG Network Redirector Kernel 8/25/2005 5:59:58 AM
Beep Beep Kernel 8/17/2001 4:47:33 PM
cbidf2k cbidf2k Kernel 8/17/2001 4:52:06 PM
Cdaudio Cdaudio Kernel 8/17/2001 4:52:26 PM
Cdfs Cdfs File System 8/4/2004 2:14:09 AM
Cdrom D-ROM Driver Kernel 8/4/2004 1:59:52 AM
ctljystk Creative SBLive! Gamep Kernel 7/19/2001 6:28:02 PM
DgivEcp Team MFP Comm Driver Kernel 10/24/2000 4:35:54 AM
Disk Disk Driver Kernel 8/4/2004 1:59:53 AM
dmboot dmboot Kernel 8/4/2004 2:07:13 AM
dmio Logical Disk Manager D Kernel 8/4/2004 2:07:13 AM
dmload dmload Kernel 8/17/2001 4:58:15 PM
DMusic Microsoft Kernel DLS S Kernel 8/4/2004 2:07:37 AM
drmkaud Microsoft Kernel DRM A Kernel 8/4/2004 2:07:56 AM
Fastfat Fastfat File System 8/4/2004 2:14:15 AM
Fdc Floppy Disk Controller Kernel 8/4/2004 1:59:25 AM
Fips Fips Kernel 8/17/2001 9:31:49 PM
Flpydisk Floppy Disk Driver Kernel 8/4/2004 1:59:24 AM
FltMgr FltMgr File System 8/21/2006 5:14:57 AM
Ftdisk Volume Manager Driver Kernel 8/17/2001 4:52:41 PM
gameenum Game Port Enumerator Kernel 8/4/2004 2:08:20 AM
GEARAspiWDM GEARAspiWDM Kernel 8/7/2006 1:11:27 PM
Gpc Generic Packet Classif Kernel 8/4/2004 2:04:11 AM
hidusb Microsoft HID Class Dr Kernel 8/17/2001 5:02:16 PM
HTTP HTTP Kernel 3/16/2006 8:33:09 PM
i8042prt i8042 Keyboard and PS/ Kernel 8/4/2004 2:14:36 AM
Imapi CD-Burning Filter Driv Kernel 8/4/2004 2:00:12 AM
ip6fw Pv6 Windows Firewall Kernel 8/4/2004 2:00:04 AM
IpFilterDriv IP Traffic Filter Driv Kernel 8/17/2001 4:55:07 PM
IpInIp IP in IP Tunnel Driver Kernel 8/4/2004 2:04:45 AM
IpNat IP Network Address Tra Kernel 9/29/2004 6:28:36 PM
IPSec IPSEC driver Kernel 8/4/2004 2:14:27 AM
IRENUM IR Enumerator Service Kernel 8/4/2004 2:00:45 AM
isapnp PnP ISA/EISA Bus Drive Kernel 8/17/2001 4:58:01 PM
Kbdclass Keyboard Class Driver Kernel 8/4/2004 1:58:32 AM
kbdhid Keyboard HID Driver Kernel 8/4/2004 1:58:33 AM
kmixer Microsoft Kernel Wave Kernel 6/14/2006 4:47:45 AM
KSecDD KSecDD Kernel 8/4/2004 1:59:45 AM
MASPINT MASPINT Kernel 3/29/2000 4:11:19 AM
mnmdd mnmdd Kernel 8/17/2001 4:57:28 PM
Modem Modem Kernel 8/4/2004 2:08:04 AM
Mouclass Mouse Class Driver Kernel 8/4/2004 1:58:32 AM
mouhid Mouse HID Driver Kernel 8/17/2001 4:47:57 PM
MountMgr Mount Point Manager Kernel 8/4/2004 1:58:29 AM
MRxDAV WebDav Client Redirect File System 8/4/2004 2:00:49 AM
MRxSmb MRXSMB File System 5/5/2006 5:41:42 AM
Msfs Msfs File System 8/4/2004 2:00:37 AM
MSKSSRV Microsoft Streaming Se Kernel 8/4/2004 1:58:39 AM
MSPCLOCK Microsoft Streaming Cl Kernel 8/4/2004 1:58:38 AM
MSPQM Microsoft Streaming Qu Kernel 8/4/2004 1:58:39 AM
mssmbios Microsoft System Manag Kernel 8/4/2004 2:07:47 AM
ms_mpu401 Microsoft MPU-401 MIDI Kernel 8/17/2001 4:59:59 PM
Mup Mup File System 8/4/2004 2:15:20 AM
NDIS NDIS System Driver Kernel 8/4/2004 2:14:27 AM
NdisTapi Remote Access NDIS TAP Kernel 8/17/2001 4:55:29 PM
Ndisuio NDIS Usermode I/O Prot Kernel 8/4/2004 2:03:10 AM
NdisWan Remote Access NDIS WAN Kernel 8/4/2004 2:14:30 AM
NDProxy NDIS Proxy Kernel 8/17/2001 4:55:30 PM
NetBIOS NetBIOS Interface File System 8/4/2004 2:03:19 AM
NetBT NetBios over Tcpip Kernel 8/4/2004 2:14:36 AM
Npfs Npfs File System 8/4/2004 2:00:38 AM
Ntfs Ntfs File System 2/9/2007 6:10:31 AM
Null Null Kernel 8/17/2001 4:47:39 PM
nv nv Kernel 10/6/2003 7:56:53 PM
nvatabus nvatabus Kernel 9/2/2003 9:11:55 PM
nvax Service for NVIDIA(R) Kernel 9/2/2003 9:18:11 PM
NVENET NVIDIA nForce MCP Netw Kernel 8/15/2003 10:22:15 PM
nvnforce Service for NVIDIA(R) Kernel 9/2/2003 9:18:14 PM
nv_agp NVIDIA nForce AGP Bus Kernel 3/19/2003 8:13:47 PM
NwlnkFlt IPX Traffic Filter Dri Kernel 8/17/2001 4:54:05 PM
NwlnkFwd IPX Traffic Forwarder Kernel 8/17/2001 4:54:08 PM
PalmUSBD PalmUSBD Kernel 5/19/2003 4:42:34 PM
Parport Parallel port driver Kernel 8/4/2004 1:59:04 AM
PartMgr Partition Manager Kernel 8/17/2001 9:32:23 PM
ParVdm ParVdm Kernel 8/17/2001 4:49:49 PM
PCI PCI Bus Driver Kernel 8/4/2004 2:07:45 AM
PCIIde PCIIde Kernel 8/17/2001 4:51:49 PM
Pcmcia Pcmcia Kernel 8/4/2004 2:07:45 AM
PptpMiniport WAN Miniport (PPTP) Kernel 8/4/2004 2:14:26 AM
PRISM_A02 802.11a/g USB Driver Kernel 9/9/2003 7:00:33 PM
Processor Processor Driver Kernel 8/4/2004 1:59:14 AM
PSched QoS Packet Scheduler Kernel 8/4/2004 2:04:16 AM
Ptilink Direct Parallel Link D Kernel 8/17/2001 4:49:53 PM
PxHelp20 PxHelp20 Kernel 4/25/2005 3:48:02 PM
RasAcd Remote Access Auto Con Kernel 8/17/2001 4:55:39 PM
Rasl2tp WAN Miniport (L2TP) Kernel 8/4/2004 2:14:21 AM
RasPppoe Remote Access PPPOE Dr Kernel 8/4/2004 2:05:06 AM
Raspti Direct Parallel Kernel 8/17/2001 4:55:32 PM
Rdbss Rdbss File System 5/5/2006 5:47:55 AM
RDPCDD RDPCDD Kernel 8/17/2001 4:46:56 PM
rdpdr Terminal Server Device Kernel 8/4/2004 2:01:10 AM
RDPWD RDPWD Kernel 6/9/2005 7:52:39 PM
redbook Digital CD Audio Playb Kernel 8/4/2004 1:59:34 AM
Secdrv Secdrv Kernel 2/9/2001 11:51:30 AM
serenum Serenum Filter Driver Kernel 8/4/2004 1:59:06 AM
Serial Serial port driver Kernel 8/4/2004 2:15:51 AM
Sfloppy Sfloppy Kernel 8/4/2004 1:59:53 AM
splitter Microsoft Kernel Audio Kernel 6/14/2006 4:47:46 AM
sr System Restore Filter File System 8/4/2004 2:06:22 AM
Srv Srv File System 8/14/2006 6:34:39 AM
swenum Software Bus Driver Kernel 8/4/2004 1:58:41 AM
swmidi Microsoft Kernel GS Wa Kernel 8/17/2001 5:00:42 PM
sysaudio Microsoft Kernel Syste Kernel 8/4/2004 2:15:54 AM
Tcpip TCP/IP Protocol Driver Kernel 4/20/2006 7:51:47 AM
TDPIPE TDPIPE Kernel 8/4/2004 1:58:53 AM
TDTCP TDTCP Kernel 8/4/2004 1:58:52 AM
TermDD Terminal Device Driver Kernel 8/4/2004 1:58:52 AM
Udfs Udfs File System 8/4/2004 2:00:27 AM
Update Microcode Update Drive Kernel 8/4/2004 1:58:32 AM
usbccgp Microsoft USB Generic Kernel 8/4/2004 2:08:45 AM
usbehci Microsoft USB 2.0 Enha Kernel 8/4/2004 2:08:34 AM
usbhub USB2 Enabled Hub Kernel 8/4/2004 2:08:40 AM
usbohci Microsoft USB Open Hos Kernel 8/4/2004 2:08:34 AM
usbprint Microsoft USB PRINTER Kernel 8/4/2004 2:01:23 AM
usbscan USB Scanner Driver Kernel 8/4/2004 1:58:44 AM
USBSTOR USB Mass Storage Drive Kernel 8/4/2004 2:08:44 AM
VgaSave VGA Display Controller Kernel 8/4/2004 2:07:06 AM
VolSnap VolSnap Kernel 8/4/2004 2:00:14 AM
Wanarp Remote Access IP ARP D Kernel 8/4/2004 2:04:57 AM
wdmaud Microsoft WINMM WDM Au Kernel 6/14/2006 5:00:44 AM
C:\Documents and Settings\computer>
I would get rid of dgivecp, as long as you don't have samsung or xerox printer and
gearaspiwnd, as long as you don't have Norton Ghost or DriveImage installed,
as well as secdrv (if any game requires it, it will be reinstalled, but may cause problems).
more info:
http://www.file.net/process/dgivecp.sys.html
http://www.file.net/process/gearaspiwdm.sys.html
http://www.neuber.com/taskmanager/process/secdrv.sys.html
gearaspiwnd, as long as you don't have Norton Ghost or DriveImage installed,
as well as secdrv (if any game requires it, it will be reinstalled, but may cause problems).
more info:
http://www.file.net/process/dgivecp.sys.html
http://www.file.net/process/gearaspiwdm.sys.html
http://www.neuber.com/taskmanager/process/secdrv.sys.html
ASKER
Okay, maybe I am not disabling the properly. I looked in the services.msc but the drivers were not there. I went to the following location in the registry as per an online article and set the start to 4..
HKEY_LOCAL_MACHINE\SYSTEM\
a restart of the box and a run of the driverquery still shows them as loaded. I only did the first 2 on your list, but I do not believe they are going away. In the mean time, I have struggled with the system crash as well.
Perhaps you can explain how to disable them properly to me. Obviously it did not work the way I knew or understood it would.
Thanks for your patience.
HKEY_LOCAL_MACHINE\SYSTEM\
a restart of the box and a run of the driverquery still shows them as loaded. I only did the first 2 on your list, but I do not believe they are going away. In the mean time, I have struggled with the system crash as well.
Perhaps you can explain how to disable them properly to me. Obviously it did not work the way I knew or understood it would.
Thanks for your patience.
That may mean malware!!!
Try changing Startup value under the service key to 0.
Also, run MS Defender scan. If you are still not able to get rid of them, use Avenger (but be careful!!!) to remove the files before they have got a chance to load into kernel:
http://swandog46.geekstogo.com/avengernotes.htm
Try changing Startup value under the service key to 0.
Also, run MS Defender scan. If you are still not able to get rid of them, use Avenger (but be careful!!!) to remove the files before they have got a chance to load into kernel:
http://swandog46.geekstogo.com/avengernotes.htm
Oh, and if this does not help, try running black light - it should detect any hidden files/rootkit:
http://www.f-secure.com/blacklight/try_blacklight.html
http://www.f-secure.com/blacklight/try_blacklight.html
ASKER
Hi,
I tried using Avenger, and keep getting errors when I execute my script. What follows is the script and then the errorlog after the boot.
Registry values to replace with dummy:
HKEY_LOCAL_MACHINE\SYSTEM\
HKEY_LOCAL_MACHINE\SYSTEM\
HKEY_LOCAL_MACHINE\SYSTEM\
HERE IS THE ERRORLOG AFTER BOOT>
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\C
*******************
Script file located at: \??\C:\Program Files\glmcqfod.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Base registry key for value HKEY_LOCAL_MACHINE\SYSTEM\
Replacement with dummy of registry value HKEY_LOCAL_MACHINE\SYSTEM\
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\
Status: 0xc0000034
Base registry key for value HKEY_LOCAL_MACHINE\SYSTEM\
Replacement with dummy of registry value HKEY_LOCAL_MACHINE\SYSTEM\
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\
Status: 0xc0000034
Base registry key for value HKEY_LOCAL_MACHINE\SYSTEM\
Replacement with dummy of registry value HKEY_LOCAL_MACHINE\SYSTEM\
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
I moved on and ran the blacklight program anyway, I got the following results from it...
09/25/07 10:33:46 [Info]: BlackLight Engine 1.0.64 initialized
09/25/07 10:33:46 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/25/07 10:33:47 [Note]: 7019 4
09/25/07 10:33:47 [Note]: 7005 0
09/25/07 10:33:54 [Note]: 7006 0
09/25/07 10:33:54 [Note]: 7011 1608
09/25/07 10:33:54 [Note]: 7026 0
09/25/07 10:33:55 [Note]: 7026 0
09/25/07 10:33:58 [Note]: FSRAW library version 1.7.1022
09/25/07 10:35:17 [Info]: Hidden file: c:\WINDOWS\system32\mscach
09/25/07 10:35:17 [Note]: 7002 0
09/25/07 10:35:17 [Note]: 7003 1
09/25/07 10:35:18 [Note]: 10002 1
09/25/07 10:35:35 [Info]: Hidden file: c:\WINDOWS\system32\driver
09/25/07 10:35:35 [Note]: 7002 0
09/25/07 10:35:35 [Note]: 7003 1
09/25/07 10:35:35 [Note]: 10002 1
09/25/07 10:35:36 [Info]: Hidden file: c:\WINDOWS\system32\driver
09/25/07 10:35:36 [Note]: 7002 0
09/25/07 10:35:36 [Note]: 7003 1
09/25/07 10:35:36 [Note]: 10002 1
09/25/07 10:35:36 [Info]: Hidden file: c:\WINDOWS\system32\driver
09/25/07 10:35:36 [Note]: 7002 0
09/25/07 10:35:36 [Note]: 7003 1
09/25/07 10:35:36 [Note]: 10002 1
09/25/07 10:42:49 [Note]: 7007 0
System is still crashing
"Okay, maybe I am not disabling the properly. I looked in the services.msc but the drivers were not there. I went to the following location in the registry as per an online article and set the start to 4.."
Try this... go into the device manager>view>show hidden devices, and look under the heading "Non plug and play drivers", and disable them there, by right clicking>disable....
Try this... go into the device manager>view>show hidden devices, and look under the heading "Non plug and play drivers", and disable them there, by right clicking>disable....
You've got a rootkit, that's a certainty :) Hidden files are evidence of it :).
Name of rootkit: "Elite"
here's a description from vendor's site (they are selling this and getting big bucks!!):
"We are proud to present Elite Keylogger: the most powerful spy software ever created is offered for free trial! Elite Keylogger is completely hidden from any user, even computer professionals are unable to reveal its presence. Working in low-kernel mode Elite Keylogger is a driver-based keystroke logger that invisibly captures every detail of the PC and Internet activity: keyboard monitoring, e-mail recording, snapshots taking, passwords capturing, etc. It is the most powerful solution for concerned parents, small and middle companies, as well as big corporations with the need to monitor hundreds of employees simultaneously. Elite Keylogger is a superior stealth surveillance tool for everyone! Active Elite Keylogger is the perfect tiny spyware. It Record ICQ, MSN, AIM, AOL, Yahoo Instant Messengers! Elite Keylogger becomes true Messenger Sniffer. Being completely invisible Elite Keylogger Spy Software is always ready to capture all keystrokes and passwords (capture Windows XP logon password and Windows 2000 logon Password), chat sessions, instant messages, e-mails, websites visited, applications launched, usernames and time they worked on your computer, desktop activity, clipboard and much more. Do you need to find out what someone is doing online? Do your spouse, children or someone you know use your PC hiding secrets from you? If so, Elite Keylogger is the perfect solution for anyone who needs this information easily, quickly and secretly. Our Keylogger offers most powerful features at an affordable price! Elite Keylogger is compatible with Windows 2000 and XP (all service packs are supported). Download Remote Elite Keylogger program.From vendor site: We are proud to present Elite Keylogger: the most powerful spy software ever created is offered for free trial! Elite Keylogger is completely hidden from any user, even computer professionals are unable to reveal its presence. Working in low-kernel mode Elite Keylogger is a driver-based keystroke logger that invisibly captures every detail of the PC and Internet activity: keyboard monitoring, e-mail recording, snapshots taking, passwords capturing, etc. It is the most powerful solution for concerned parents, small and middle companies, as well as big corporations with the need to monitor hundreds of employees simultaneously. Elite Keylogger is a superior stealth surveillance tool for everyone! Active Elite Keylogger is the perfect tiny spyware. It Record ICQ, MSN, AIM, AOL, Yahoo Instant Messengers! Elite Keylogger becomes true Messenger Sniffer. Being completely invisible Elite Keylogger Spy Software is always ready to capture all keystrokes and passwords (capture Windows XP logon password and Windows 2000 logon Password), chat sessions, instant messages, e-mails, websites visited, applications launched, usernames and time they worked on your computer, desktop activity, clipboard and much more. Do you need to find out what someone is doing online? Do your spouse, children or someone you know use your PC hiding secrets from you? If so, Elite Keylogger is the perfect solution for anyone who needs this information easily, quickly and secretly. Our Keylogger offers most powerful features at an affordable price! Elite Keylogger is compatible with Windows 2000 and XP (all service packs are supported). Download Remote Elite Keylogger program."
I'll post avenger script to remove it in my next post.
Name of rootkit: "Elite"
here's a description from vendor's site (they are selling this and getting big bucks!!):
"We are proud to present Elite Keylogger: the most powerful spy software ever created is offered for free trial! Elite Keylogger is completely hidden from any user, even computer professionals are unable to reveal its presence. Working in low-kernel mode Elite Keylogger is a driver-based keystroke logger that invisibly captures every detail of the PC and Internet activity: keyboard monitoring, e-mail recording, snapshots taking, passwords capturing, etc. It is the most powerful solution for concerned parents, small and middle companies, as well as big corporations with the need to monitor hundreds of employees simultaneously. Elite Keylogger is a superior stealth surveillance tool for everyone! Active Elite Keylogger is the perfect tiny spyware. It Record ICQ, MSN, AIM, AOL, Yahoo Instant Messengers! Elite Keylogger becomes true Messenger Sniffer. Being completely invisible Elite Keylogger Spy Software is always ready to capture all keystrokes and passwords (capture Windows XP logon password and Windows 2000 logon Password), chat sessions, instant messages, e-mails, websites visited, applications launched, usernames and time they worked on your computer, desktop activity, clipboard and much more. Do you need to find out what someone is doing online? Do your spouse, children or someone you know use your PC hiding secrets from you? If so, Elite Keylogger is the perfect solution for anyone who needs this information easily, quickly and secretly. Our Keylogger offers most powerful features at an affordable price! Elite Keylogger is compatible with Windows 2000 and XP (all service packs are supported). Download Remote Elite Keylogger program.From vendor site: We are proud to present Elite Keylogger: the most powerful spy software ever created is offered for free trial! Elite Keylogger is completely hidden from any user, even computer professionals are unable to reveal its presence. Working in low-kernel mode Elite Keylogger is a driver-based keystroke logger that invisibly captures every detail of the PC and Internet activity: keyboard monitoring, e-mail recording, snapshots taking, passwords capturing, etc. It is the most powerful solution for concerned parents, small and middle companies, as well as big corporations with the need to monitor hundreds of employees simultaneously. Elite Keylogger is a superior stealth surveillance tool for everyone! Active Elite Keylogger is the perfect tiny spyware. It Record ICQ, MSN, AIM, AOL, Yahoo Instant Messengers! Elite Keylogger becomes true Messenger Sniffer. Being completely invisible Elite Keylogger Spy Software is always ready to capture all keystrokes and passwords (capture Windows XP logon password and Windows 2000 logon Password), chat sessions, instant messages, e-mails, websites visited, applications launched, usernames and time they worked on your computer, desktop activity, clipboard and much more. Do you need to find out what someone is doing online? Do your spouse, children or someone you know use your PC hiding secrets from you? If so, Elite Keylogger is the perfect solution for anyone who needs this information easily, quickly and secretly. Our Keylogger offers most powerful features at an affordable price! Elite Keylogger is compatible with Windows 2000 and XP (all service packs are supported). Download Remote Elite Keylogger program."
I'll post avenger script to remove it in my next post.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for the help. I have run extensive testing and the error has definately gone away. The funny part was that I had known of the keylogger and thought that I had rid myself of it right at the beginning.
Lesson learned.
Thanks heaps for the help again!!
Lesson learned.
Thanks heaps for the help again!!
Have you just uninstalled it? I have read their manual and it seems you first need to de-activate it by entering some "password" and selecting deactivate, and then you can uninstall it properly ;-). I am not a big fun of selling this type of software product - there are much more reliable, hardware-based solutions (e.g. which you install between the keyboard and computer and are recording *every* keystroke (even those in the BIOS or any other operating system. There are also hardware-based tools to record image of the screen, if it is CRC monitor - even remotely ! :) (type "tempest fur elise" into google for a program that by displaying some images on your screen would play musing on your radio :-), at selected frequency :-).
ASKER
I checked to see if there was an installer on the system but there was nothing. Early on in the process, I had run a VS, it identified that a program was on the system called Keylogger and it/I removed the proggy, or at least had figured that it was "gone". I guess it truely was not. I am uncertain as to how the program was installed on the P.C. or why.
As of this time, i have let the P.C. run a full 12 hours and tested alright. I also have installed the original disk and cloned the copy back. A new VS of the system did not show any problems or programs that were "not supposed" to be there.
As of this time, i have let the P.C. run a full 12 hours and tested alright. I also have installed the original disk and cloned the copy back. A new VS of the system did not show any problems or programs that were "not supposed" to be there.
You may try to run black light again, just in case :-).
ASKER
The computer has been run now for 3 days in normal operating mode. A run of Blacklight did not show any issues running.
Thanks for your help again.
Swaff -)
Thanks for your help again.
Swaff -)
In the event viewer>System>are there any further DISK, ATAPI, or NTFS errors?