Trav 1
Oct 28 2009, 02:40 AM
Hello,
I run XP on a Dell Inspiron 5150 & I have recently been infected with Antivirus Pro 2010 & Advanced Virus Removal. These are the ones I know of for sure. I can not access the web from the infected pc. I downloaded and installed Mbam from usb. I can not run it in normal mode, but I ran it in safe mode and found.....are you ready for this........535 infections. After the safe mode scan & removal I tried to open in normal mode and the desktop almost completely locks up. My system restore, reg editor and task manager have been disabled. Any thoughts or suggestions? Thanks for your time.
Trav 1
Oct 28 2009, 03:37 AM
I have just read about renaming the mbam.exe during the save process. Gonna download again and attempt to open in normal mode.
Blade81
Nov 2 2009, 09:32 AM
Hi,
If you still need help with this, do the following:
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
- When done, DDS will open two (2) logs:
- DDS.txt
- Attach.txt
Save both reports to your desktop. Post them back to your topic.
Download GMER here by clicking the download exe button and then saving it to your desktop:
- Double-click .exe that you downloaded
- Click rootkit-tab and then scan.
- Don't check the Show All box while scanning is in progress!
- When scanning is ready, click Copy.
- This copies log to clipboard
- Post log in your reply.
Trav 1
Nov 3 2009, 03:40 AM
Finally got mbam to run in normal mode and it finds more infections but it freezes in "extra and heuristics scan". Can't access ie for updates. I will do the suggestions that you mentioned and let you know. Thanks.
Trav 1
Nov 4 2009, 01:43 AM
Hello again! Here are the logs you requested. The GMER program is not exactly.....quick, is it....lol. I hope this helps. If you need anything else just let me know.
Blade81
Nov 4 2009, 05:57 AM
Thanks for the logs.
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix (link). Remember to re-enable them afterwards.
- Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Trav 1
Nov 6 2009, 02:57 AM
Hello,
Here are the new logs you requested. I want to thank you for your help & patience. I'm sure you are very busy and I appreciate all that your doing to help me.
Blade81
Nov 6 2009, 05:44 AM
Hi,
Looks like ComboFix (and DDS) was run from external drive. Please copy the file to your desktop and run it there. Let ComboFix install recovery console too. Post a fresh report when ready.
Trav 1
Nov 7 2009, 01:47 AM
I'm unable to download ComboFix from the link above. McAfee finds two "Artemis" trojans in the file. Any suggestions?
Blade81
Nov 7 2009, 09:45 AM
Hi,
Keep your protection software disabled while you download and run ComboFix.
Trav 1
Nov 7 2009, 07:25 PM
Ok, I got CF to download to my flash and installed on my infected desktop. I manually created Console Restore after I ran CF. These are the new logs ran from Desktop.
Blade81
Nov 7 2009, 10:57 PM
Hi again,
Uninstall Ask Toolbar if not installed on purpose.
Open notepad and copy/paste the text in the quotebox below into it:
CODE
File::
c:\documents and settings\Toshua Gent\Local Settings\Application Data\ropu.com
c:\documents and settings\Toshua Gent\Application Data\kexutubej.pif
c:\windows\system32\usacibeto.dat
c:\program files\Common Files\xazal._sy
c:\program files\Common Files\yhywe.dat
c:\program files\Common Files\ruko._dl
c:\documents and settings\All Users\Application Data\ceryky.scr
c:\documents and settings\Toshua Gent\Application Data\ugume.exe
c:\windows\zoqexi.com
c:\windows\system32\temp32.bat
c:\program files\Common Files\ovuvy.dat
c:\documents and settings\Toshua Gent\Application Data\ysegynydew.dat
c:\documents and settings\All Users\Application Data\qete.exe
c:\program files\Common Files\mamydeku._sy
c:\program files\Common Files\seqogot.dll
c:\windows\siqo.pif
c:\windows\yhupyqe.pif
c:\documents and settings\Travis Harrell\Local Settings\Application Data\upidozihe.bin
c:\documents and settings\Travis Harrell\Application Data\vexez.bin
c:\windows\system32\eryba.dat
c:\program files\Common Files\qatuxyqor.bin
c:\windows\upova.pif
c:\windows\ymyda.pif
c:\documents and settings\Travis Harrell\Local Settings\Application Data\irujyqal.com
c:\documents and settings\All Users\Application Data\ohyzipa.dat
c:\program files\Common Files\cojuras.pif
c:\program files\Common Files\vixaqar.scr
c:\windows\imubot.dat
c:\windows\system32\ilyvaxixum.dat
c:\windows\system32\ranubydeq.bin
c:\documents and settings\Toshua Gent\Local Settings\Application Data\ywybir.dll
c:\windows\ykekyxepy.com
c:\documents and settings\All Users\Application Data\idiruleneh.dat
c:\documents and settings\Toshua Gent\Application Data\kodecex.sys
c:\windows\system32\ucyf.sys
c:\documents and settings\Toshua Gent\Local Settings\Application Data\ykurisape.com
c:\windows\ucanelefu.bin
c:\program files\Common Files\mopi.sys
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Uninstall old Adobe Reader versions and get the latest one (9.2) here if you necessarily need it. I see that there's also Foxit Reader installed so you may not require Adobe Reader.
Uninstall Shockwave and get the fresh one here if needed.
Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following instructions here. Fresh version can be obtained here.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
- Download the latest version of Java Runtime Environment (JRE) 6 Update 17.
- Click the Download button to the right.
- Select Windows on platform combobox and check the box that says: Accept License Agreement. Click continue.
- The page will refresh.
- Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache*
The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox: Click Firefox at the top and choose: Select All. Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera: Click Opera at the top and choose: Select All. Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log. Also, start MBAM, update its definitions on update tab and run a quick scan. Post back the results.
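The Registry:: section of the CFScript above resets the Security Center "DisableMonitoring" flags, and the opening post reports System Restore, Registry Editor and Task Manager disabled. The batch file below is an added example, not Blade81's script and not part of this thread: it is a read-only audit that reports the policy values rogue AV programs commonly set to disable those tools, together with the Security Center monitoring and notification flags, so a helper can see at a glance what still needs resetting. It assumes Windows XP's built-in reg.exe and find.exe; every key and value name it queries is a documented Windows value, and nothing is changed.

```batch
@echo off
rem Added example (not from the thread): read-only audit of tool-disabling
rem policies and Security Center flags. It only queries and prints.
setlocal

echo === Tool-disabling policies - a value of 0x1 means the tool is disabled ===
for %%K in (HKCU HKLM) do (
  for %%V in (DisableTaskMgr DisableRegistryTools) do (
    reg query "%%K\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v %%V 2>nul | find "%%V"
  )
)
for %%V in (DisableSR DisableConfig) do (
  reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v %%V 2>nul | find "%%V"
)

echo.
echo === Security Center monitoring - 0x1 means monitoring is switched off ===
reg query "HKLM\SOFTWARE\Microsoft\Security Center\Monitoring" /v DisableMonitoring 2>nul | find "DisableMonitoring"
reg query "HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus" /v DisableMonitoring 2>nul | find "DisableMonitoring"
reg query "HKLM\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall" /v DisableMonitoring 2>nul | find "DisableMonitoring"

echo.
echo === Security Center notification switches - 0x1 suppresses the warning balloon ===
for %%V in (AntiVirusDisableNotify FirewallDisableNotify UpdatesDisableNotify) do (
  reg query "HKLM\SOFTWARE\Microsoft\Security Center" /v %%V 2>nul | find "%%V"
)

echo.
echo A section with no lines printed means none of those values are set, which is the default.
endlocal
pause
```

Save it as, for example, audit.bat on the desktop and double-click it; paste the window's output into the reply. Because it never writes to the registry, it is safe to run before and after the CFScript to confirm the flags actually changed.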
Trav 1
Nov 8 2009, 12:35 AM
I am unable to access internet from infected computer. Will the above listed programs work off flash drive?
Trav 1
Nov 8 2009, 02:33 AM
New logs. Installed CFScript and ATF. Mbam failed to update, error code 732 (0,0). I'm guessing it's because I can't access internet. ATF done good, cleaned something like 5,000,000. If I could get online I could update MBAM. Ran quick scan without updates, found no infections. The quick scan is a lot faster now. It used to run for about 14mins, this last time it only took about 6 mins.
Trav 1
Nov 8 2009, 02:52 AM
I forgot to mention I was unable to run Kaspersky scanner due to internet being down.
Blade81
Nov 8 2009, 12:44 PM
Hi,
When did this connection problem begin to occur? How do you normally connect to internet (wired or wireless solution)?
Trav 1
Nov 8 2009, 02:20 PM
The connection has been down for a month or two. It started after I failed to remove the two malware, Advanced Virus Remover & Anti Virus Pro 2010. I use both connections, wired & wireless. The taskbar shows I'm connected but no pages will open. Then it began to crash as soon as desktop opened, but after I ran the programs you suggested it doesn't crash but still can't open any pages. It says "page could not be displayed" or something like that. Thanks and have a good day.
Blade81
Nov 8 2009, 02:23 PM
Have you given browser(s) proper permissions in your firewall?
Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the quote box into a new file:
QUOTE
@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
ping -n 2 google.com
route print
)
start Log1.txt
del %0
- Go to the File menu at the top of the Notepad and select Save as.
- Select save in: desktop
- Fill in File name: test.bat
- Save as type: All file types (*.*)
- Click save.
- Close the Notepad.
- Locate and double-click test.bat on the desktop.
- A notepad opens; copy and paste its content (log1.txt) to your reply.
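Blade81's test.bat checks the network layer (addressing, DNS, ICMP, routing), which is exactly the layer the reporter later says is fine even though no browser loads a page. The batch file below is an added example and not part of the thread: it collects the browser-layer settings that decide whether a working connection actually reaches a web server, namely the Internet Explorer proxy and auto-config values, the hosts file and its configured location, and the Winsock provider catalog. It follows the same Log1.txt pattern as the original, writing Log2.txt on the desktop and opening it. All registry paths and commands are standard Windows XP ones; it only reads.

```batch
@echo off
rem Added example (not from the thread): browser-layer diagnostics for the
rem "connected but no page will open" case. Read-only; writes Log2.txt.
>Log2.txt (
  echo === Internet Explorer proxy settings ===
  echo ProxyEnable 0x1 together with a ProxyServer or AutoConfigURL you did not set yourself explains pages failing while ping works.
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable 2>nul
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer 2>nul
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL 2>nul
  echo.
  echo === hosts file: configured folder, attributes, and non-comment lines ===
  echo Only the 127.0.0.1 localhost entry is expected on a clean XP system.
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DataBasePath 2>nul
  attrib "%SystemRoot%\system32\drivers\etc\hosts"
  type "%SystemRoot%\system32\drivers\etc\hosts" | find /v "#"
  echo.
  echo === Winsock catalog: an unfamiliar layered provider can block browsers but not ping ===
  netsh winsock show catalog
)
start Log2.txt
del %0
```

Save it as test2.bat on the desktop exactly as Blade81 describes for test.bat (Save as type: All file types), double-click it and paste Log2.txt into the reply. Each of the three sections points at a different remedy, so reading them together separates a proxy hijack from a hosts-file redirect and from a broken Winsock chain.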
Trav 1
Nov 9 2009, 07:24 PM
Hi again,
Here is the new log you requested. Hope it helps.
Blade81
Nov 9 2009, 07:46 PM
Hi,
Connection seems to work correctly. Did you check your firewall settings and make sure web browser is allowed there? Have you tried to turn Windows firewall on and the 3rd party one off?
Trav 1
Nov 9 2009, 11:16 PM
I will check firewall setting & let you know.
Trav 1
Nov 10 2009, 02:29 AM
No luck. I disabled windows and Mcafee firewalls one at a time, but still can't view web pages.
Blade81
Nov 10 2009, 06:53 AM
Hi,
Please see if you're able to use Firefox to access web.
Trav 1
Nov 10 2009, 11:08 PM
I downloaded Firefox, gonna try it tonight. Do I have to disable Explorer?
Blade81
Nov 11 2009, 05:55 AM
QUOTE
Do I have to disable Explorer?
Internet Explorer? No, don't have to disable it
Trav 1
Nov 13 2009, 01:28 AM
Still no luck. Neither Explorer nor Firefox will view web pages.
Blade81
Nov 13 2009, 07:45 AM
Hi,
Do you access internet thru a router? If you do, are those systems with browsers working connected thru same device? Do you remember if you installed any firewall software around same date the browser problem originally started?
Trav 1
Nov 13 2009, 03:33 PM
Hello
I have a dLink wireless router and my Dell running dsl hardline from the dLink router. I use my iPhone & my Dell mini on the wifi from the same router. So I can access the web on different devices that run off the same router. I have not added any firewall protection other than McAfee.
Blade81
Nov 13 2009, 03:52 PM
Are you able to access these addresses with IE or Firefox:
http://74.125.39.106/
http://157.166.255.19/
Trav 1
Nov 14 2009, 01:35 AM
Sorry no luck on either FF or IE
Blade81
Nov 14 2009, 11:24 AM
Hi,
Post a fresh dds log, please.
Trav 1
Nov 16 2009, 02:04 AM
Hi
Here is the new DDS log. Also do I need to keep all the old logs that I have posted in the past?
Blade81
Nov 16 2009, 06:41 AM
Hi,
Download a fresh copy of ComboFix here.
Open notepad and copy/paste the text in the quotebox below into it:
CODE
Driver::
wnatzf
DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
File::
c:\windows\system32\winhelper.dll
c:\windows\system32\drivers\fvunhjo.sys
FileLook::
c:\windows\wc98pp.dll
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & fresh dds log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Trav 1
Nov 17 2009, 03:25 AM
Hi
I am unable to run fresh ComboFix with the CFScript. It shows a date error and says to check my settings. To my eye all settings are correct.
Blade81
Nov 17 2009, 08:01 AM
Hi,
Is your system date correct? See if you're able to run ComboFix without script. Let me know the exact error if the problem still occurs (see also if a new version of ComboFix has become available after your attempt).
Trav 1
Nov 18 2009, 07:28 PM
Hello
ComboFix ran ok without the script add-on. Here are the new logs you requested.
Trav 1
Nov 18 2009, 07:43 PM
Hi again
Just after I posted the last entry I tried to open Explorer and IT WORKED. Earlier I ran MBAM on the other account on the infected computer and it found multiple infections. Does MBAM only scan the account that is being used or does it scan ALL accounts? I ask because before I scanned the other account I scanned my account and found no infections. Combofix may have repaired whatever was wrong. I will reply back later today and let you know if it's still working. If you find problems with the logs I posted please let me know. Thanks
Blade81
Nov 18 2009, 09:15 PM
Hi,
I think the tool works best when scanned on the account with issues. Do you have a report from that latest MBAM run handy? Please post it if you do.
Hopefully things are still working