can not run Malwarebytes Anti-Malware


Post by gsuggs on Wed Jan 13, 2010 5:59 pm

I need some help. I cannot run the malware, as something will not let it run to remove the problem my computer is having. Any help will be great.


Re: can not run Malwarebytes Anti-Malware

Post by Belahzur on Wed Jan 13, 2010 6:55 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement; press Accept and HijackThis will run.
  • Select Do a system scan and save a log file. This will open a Notepad file of everything HijackThis found; copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Hijack log

Post by gsuggs on Wed Jan 13, 2010 7:11 pm

Here is the Notepad HijackThis log.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 1:04:01 PM, on 1/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

--
End of file - 809 bytes


Re: can not run Malwarebytes Anti-Malware

Post by Belahzur on Wed Jan 13, 2010 7:15 pm

Hello.

Is that a full log or have you fixed items yourself?

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:
       * Tools->Options->Main tab
       * Set to "Always ask me where to Save the files".
    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: can not run Malwarebytes Anti-Malware

Post by gsuggs on Wed Jan 13, 2010 8:25 pm

Here is the log; it took a while to run.

ComboFix 10-01-13.06 - Craig Morris 01/13/2010 14:08:15.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.747 [GMT -6:00]
Running from: c:\documents and settings\Craig Morris\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\smp.bat
c:\windows\system32\drivers\H8SRTtcuqxeovpp.sys
c:\windows\system32\H8SRTfnnbtmowxw.dll
c:\windows\system32\H8SRTgkqpypshfo.dat
c:\windows\system32\H8SRTswsqjwsstw.dll
c:\windows\system32\H8SRTvvebmvdbqu.dll
c:\windows\system32\krl32mainweq.dll
c:\windows\system32\memowuga.dll
c:\windows\system32\sefoseyo.dll
c:\windows\system32\suluyeba.dll
c:\windows\system32\zayezeru.dll
c:\windows\Tasks\ghcquclg.job

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-13 to 2010-01-13 )))))))))))))))))))))))))))))))
.

2010-01-13 17:28 . 2010-01-13 17:28 -------- d-----w- c:\program files\TrendMicro
2010-01-13 14:33 . 2010-01-13 14:42 -------- d-----w- c:\windows\SxsCaPendDel
2010-01-13 14:27 . 2010-01-13 14:29 -------- d-----w- c:\program files\TweakNow RegCleaner
2010-01-13 14:27 . 2010-01-13 14:27 -------- d-----w- c:\documents and settings\Craig Morris\Application Data\TweakNow RegCleaner
2010-01-13 14:26 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-08 18:49 . 2010-01-08 18:49 -------- d-----w- C:\f5013cb86796cc2dc5bff1656b2d
2010-01-08 18:44 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 18:44 . 2010-01-13 15:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 18:44 . 2010-01-08 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-08 18:44 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 17:16 . 2010-01-07 17:16 -------- d-sh--w- c:\documents and settings\Craig Morris\IECompatCache
2009-12-24 15:46 . 2009-12-24 15:46 -------- d-----w- C:\found.000
2009-12-21 21:07 . 2009-12-21 21:07 -------- d-----w- c:\documents and settings\Craig Morris\Local Settings\Application Data\Temp
2009-12-16 00:35 . 2009-12-16 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-13 20:07 . 2008-05-08 15:29 -------- d-----w- c:\program files\Google
2010-01-13 20:07 . 2008-05-08 15:29 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-13 19:58 . 2008-05-08 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-13 17:38 . 2010-01-13 17:38 388096 ----a-r- c:\documents and settings\Craig Morris\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-13 14:37 . 2008-05-08 15:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-13 14:33 . 2009-12-03 20:53 -------- d-----w- c:\program files\DivX
2010-01-07 15:21 . 2009-12-03 15:14 79488 ----a-w- c:\documents and settings\Craig Morris\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-31 20:09 . 2008-06-11 22:55 -------- d-----w- c:\documents and settings\Craig Morris\Application Data\LimeWire
2009-12-11 02:29 . 2009-12-16 00:35 1782128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\NUA.exe
2009-12-01 21:46 . 2008-05-21 17:39 -------- d-----w- c:\program files\Arkona Web Client
2009-11-21 15:51 . 2004-08-11 22:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-13 21:01 . 2009-09-05 17:51 127325 ----a-w- c:\documents and settings\Craig Morris\Application Data\Move Networks\uninstall.exe
2009-11-13 21:01 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Craig Morris\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-13 21:01 . 2009-11-13 21:00 1408376 ----a-w- c:\documents and settings\Craig Morris\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2009-10-29 07:45 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-11 22:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-11 22:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 03:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Speed Launch]
2008-10-15 07:03 45936 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Synchronizer]
2007-05-11 05:29 738968 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Service]
2006-12-04 10:40 20531 ----a-w- c:\program files\IBM\Client Access\cwbsvstr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2008-02-26 20:16 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
2006-12-02 14:02 937984 ----a-w- c:\program files\FileZilla Server\FileZilla Server Interface.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-07-17 18:23 162328 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-07-27 00:03 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-07-17 18:23 141848 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 19:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2007-09-17 16:56 124200 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-07-17 18:23 137752 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 16:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-09-25 00:12 1036288 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-02-04 17:33 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"gupdate1ca745ac1427b5e"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Symantec Core LC"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"LiveUpdate Notice"=2 (0x2)
"LiveUpdate"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"IAANTMON"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"FileZilla Server"=2 (0x2)
"Cwbrxd"=3 (0x3)
"comHost"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"ASFIPmon"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\FileZilla Server\\FileZilla Server Interface.exe"=
"c:\\Program Files\\Arkona Web Client\\Nlsvr.exe"=

S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys --> c:\windows\system32\Drivers\COH_Mon.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S4 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 1:30 PM 79168]
.
Contents of the 'Scheduled Tasks' folder

2009-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
Trusted Zone: adpalliance.com
Trusted Zone: arkona.com\dms
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-osCheck - c:\program files\Norton Internet Security\osCheck.exe
MSConfigStartUp-pukonotef - c:\windows\system32\lujivoni.dll
MSConfigStartUp-settdebugx - c:\docume~1\CRAIGM~1\LOCALS~1\Temp\settdebugx.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-system tool - c:\windows\sysguard.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-13 14:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3561598376-675117924-2178707222-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(588)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-13 14:20:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-13 20:20

Pre-Run: 64,649,310,208 bytes free
Post-Run: 64,747,347,968 bytes free

- - End Of File - - 1C4D09AF65848D0026E37181474DE752

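The ComboFix log above carries the items a helper weighs first: a cluster of random-looking files sharing one prefix in system32, eight-letter DLL names with a generated look, a Security Center DisableMonitoring value set to 1, and a startup entry running from a Temp folder. The script below is an added triage example, not part of the thread or of ComboFix itself; it runs those checks over a constructed sample built from the log lines above (plus ntdll.dll as a benign control), and its thresholds and name heuristics are this example's own assumptions.

```python
# Triage helper for ComboFix-style log lines (added example; the heuristics
# and thresholds are assumptions of this example, not ComboFix logic).
import re
from collections import defaultdict

# Constructed sample: lines copied from the thread's log plus ntdll.dll as a benign control.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\H8SRTtcuqxeovpp.sys
c:\windows\system32\H8SRTfnnbtmowxw.dll
c:\windows\system32\H8SRTgkqpypshfo.dat
c:\windows\system32\memowuga.dll
c:\windows\system32\sefoseyo.dll
c:\windows\system32\ntdll.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

MSConfigStartUp-settdebugx - c:\docume~1\CRAIGM~1\LOCALS~1\Temp\settdebugx.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"""

SYS32_FILE = re.compile(r"^c:\\windows\\system32\\(?:drivers\\)?([a-z0-9]+)\.(?:dll|sys|dat)$", re.I)
STARTUP = re.compile(r"^MSConfigStartUp-(\S+) - (.+)$")
DISABLED = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)
VOWELS = set("aeiou")

def looks_generated(name):
    """Eight lowercase letters strictly alternating consonant/vowel (memowuga,
    sefoseyo): a naming scheme typical of mass-generated dropper DLLs."""
    if len(name) != 8 or not name.isalpha() or not name.islower():
        return False
    return all((name[i] in VOWELS) != (name[i + 1] in VOWELS) for i in range(7))

def shared_prefix_clusters(names, prefix_len=5, min_group=3):
    """Several random-looking files sharing one prefix (H8SRT...) usually come
    from a single dropper; returns {PREFIX: [names]} for each such cluster."""
    groups = defaultdict(list)
    for n in names:
        groups[n[:prefix_len].upper()].append(n)
    return {p: sorted(fs) for p, fs in groups.items() if len(fs) >= min_group}

def triage(log_text):
    """Return a list of (finding, detail) tuples for the given log text."""
    findings, sys32_names, in_sc_key, key_name = [], [], False, ""
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):      # registry key header
            key_name = line[1:-1]
            in_sc_key = "security center" in key_name.lower()
        elif in_sc_key and DISABLED.match(line):              # AV/firewall alerts silenced
            findings.append(("security_center_monitoring_off", key_name))
        elif m := SYS32_FILE.match(line):                     # file dropped in system32
            sys32_names.append(m.group(1))
            if looks_generated(m.group(1)):
                findings.append(("generated_name_in_system32", m.group(1)))
        elif (m := STARTUP.match(line)) and re.search(r"\\temp\\", m.group(2), re.I):
            findings.append(("startup_runs_from_temp", m.group(1)))
    for prefix, files in shared_prefix_clusters(sys32_names).items():
        findings.append(("shared_prefix_cluster", f"{prefix}: {', '.join(files)}"))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the five findings for the sample; a real log would be read from C:\combofix.txt and fed in the same way.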

Re: can not run Malwarebytes Anti-Malware

Post by gsuggs on Wed Jan 13, 2010 10:36 pm

Hooray! Great job. Thank you for the help, the problem is now fixed.


Re: can not run Malwarebytes Anti-Malware

Post by Belahzur on Thu Jan 14, 2010 12:19 am

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    C:\found.***


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


