
MBAM find malware but then crashes the whole system.



First I want to say thanks in advance for any kind of help :)

After being infected with Babylon, I decided to run MBAM (in safe mode with networking) to remove it. During the scan it found 12 pieces of malware, but while scanning a "32" file (not always the same one) it crashes and forces me to restart.

Then I saw the "chameleon mode" for MBAM; same result: after the DOS screen, while scanning the computer, it crashed the same way it crashed in "normal mode".

Same thing happens with Avast, it crashes while scanning one of those files.

I ran TDSSKiller and it found nothing.

If I don't run in safe mode, the internet browser crashes after some period of time.

I unchecked Microsoft Essentials; I don't know why it still appears as "enabled".

DDS logs:

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 9.0.8112.16421

Run by Roberto at 13:23:00 on 2012-07-15

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.55.1033.18.2998.2396 [GMT -3:00]

.

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\ctfmon.exe

C:\Users\Roberto\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Roberto\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Roberto\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Roberto\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Roberto\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Roberto\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Roberto\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Roberto\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://search.babylon.com/home?affID=17425&tt=140612_dpl

mStart Page = hxxp://start.funmoods.com/?f=1&a=grupo&chnl=grupo&cd=2XzutAtN2Y1L1Qzu0EtD0Bzy0AyDtCtCzzyEtC0Dzz0AtCzztN0D0TzutBtDtCtBtDyBtCyE&cr=610558092

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [bTMTrayAgent] rundll32.exe "c:\program files\motorola\bluetooth\btmshell.dll",TrayApp

mRun: [RTHDVCPL] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRunOnce: [updateTutorialsHP] c:\users\roberto\appdata\roaming\tuto4pc\tuto4pc\UpdateTutoriaisSlimbaHP.exe -runonce

mRunOnce: [<NO NAME>]

mRunOnce: [GrpConv] grpconv -o

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xportar para o Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {bd707fe6-39f6-4bda-9265-86a76719bdc5} - c:\program files\motorola\bluetooth\btmiesend.htm

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

TCP: DhcpNameServer = 192.168.24.1

TCP: Interfaces\{3A549937-F9BA-41F7-BEDE-6A1F1EA53D1B} : DhcpNameServer = 192.168.24.1

TCP: Interfaces\{3A549937-F9BA-41F7-BEDE-6A1F1EA53D1B}\3416371644F6543747574616E6475623 : DhcpNameServer = 200.204.0.10 200.204.0.138

TCP: Interfaces\{3A549937-F9BA-41F7-BEDE-6A1F1EA53D1B}\3416371644F6543747574616E6475633 : DhcpNameServer = 200.204.0.10 200.204.0.138

TCP: Interfaces\{3A549937-F9BA-41F7-BEDE-6A1F1EA53D1B}\64C6164756C602C4F676963747963616 : DhcpNameServer = 192.168.60.5 192.168.60.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]

R3 netr28;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\drivers\netr28.sys [2011-10-26 1291840]

S0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 171064]

S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-7-14 721000]

S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-7-14 353688]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-7-14 21256]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-7-14 57656]

S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-7-14 44808]

S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files\motorola\bluetooth\obexsrv.exe [2011-10-26 508680]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-7-14 655944]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-6-5 160944]

S2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-11-12 2358656]

S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2011-10-26 2533400]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 Bluetooth Device Manager;Bluetooth Device Manager;c:\program files\motorola\bluetooth\devmgrsrv.exe [2011-10-26 3512072]

S3 Bluetooth Media Service;Bluetooth Media Service;c:\program files\motorola\bluetooth\audiosrv.exe [2011-10-26 901384]

S3 BTMCOM;Bluetooth Serial Port;c:\windows\system32\drivers\btmcom.sys [2011-10-26 41344]

S3 BTMUSB;Motorola Bluetooth Radio Service;c:\windows\system32\drivers\btmusb.sys [2011-10-26 395776]

S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-2-10 132352]

S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-7-15 31560]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-7-14 22344]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-7-15 40776]

S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 74112]

S3 NisSrv;Inspeção de Rede da Microsoft;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]

S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2011-10-26 197224]

S3 WatAdminSvc;Serviço de Tecnologias de Ativação do Windows;c:\windows\system32\wat\WatAdminSvc.exe [2011-10-26 1343400]

.

=============== Created Last 30 ================

.

2012-07-15 07:10:03 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-07-15 06:33:25 31560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2012-07-15 06:04:00 -------- d-sh--w- C:\$RECYCLE.BIN

2012-07-15 05:45:59 98816 ----a-w- c:\windows\sed.exe

2012-07-15 05:45:59 518144 ----a-w- c:\windows\SWREG.exe

2012-07-15 05:45:59 256000 ----a-w- c:\windows\PEV.exe

2012-07-15 05:45:59 208896 ----a-w- c:\windows\MBR.exe

2012-07-15 05:42:16 -------- d-----w- c:\users\roberto\appdata\roaming\GetRightToGo

2012-07-15 01:13:58 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2012-07-15 01:13:57 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-07-15 01:13:49 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2012-07-15 01:13:24 41224 ----a-w- c:\windows\avastSS.scr

2012-07-15 01:13:14 -------- d-----w- c:\programdata\AVAST Software

2012-07-15 01:13:14 -------- d-----w- c:\program files\AVAST Software

2012-07-15 01:00:24 -------- d-----w- c:\users\roberto\appdata\roaming\Malwarebytes

2012-07-15 01:00:18 -------- d-----w- c:\programdata\Malwarebytes

2012-07-15 01:00:17 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-07-15 01:00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-07-14 23:56:24 -------- d-----w- c:\users\roberto\appdata\roaming\SUPERAntiSpyware.com

2012-07-14 23:56:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2012-07-14 23:56:14 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-07-14 23:24:01 -------- d-----w- c:\program files\CCleaner

2012-07-14 23:14:44 -------- d-----w- c:\users\roberto\appdata\local\Tuto4PC

2012-07-14 23:14:42 -------- d-----w- c:\users\roberto\appdata\roaming\Tuto4pc

2012-07-14 23:14:41 -------- d-----w- c:\program files\Tuto4pc

2012-07-14 01:18:12 6762896 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a2ef66b5-ebca-4572-a8cf-68df2c6902fe}\mpengine.dll

2012-07-12 23:28:20 6762896 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll

2012-07-12 04:44:59 2344448 ----a-w- c:\windows\system32\win32k.sys

2012-07-11 17:38:49 369336 ----a-w- c:\windows\system32\drivers\cng.sys

2012-07-11 17:38:49 219136 ----a-w- c:\windows\system32\ncrypt.dll

2012-07-11 17:38:49 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys

2012-07-11 17:38:48 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2012-07-11 17:38:48 225280 ----a-w- c:\windows\system32\schannel.dll

2012-07-11 17:38:42 1389568 ----a-w- c:\windows\system32\msxml6.dll

2012-07-11 17:38:41 1236992 ----a-w- c:\windows\system32\msxml3.dll

2012-07-11 17:38:36 987136 ----a-w- c:\program files\common files\system\ado\msado15.dll

2012-07-03 18:06:43 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{567e7856-7fb9-4917-851f-19b683213b4e}\gapaengine.dll

2012-06-21 16:40:55 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-21 16:40:31 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-21 16:40:10 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-21 16:40:10 171904 ----a-w- c:\windows\system32\wuwebv.dll

.

==================== Find3M ====================

.

2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll

2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-05-02 04:52:09 163328 ----a-w- c:\windows\system32\profsvc.dll

2012-04-28 03:19:47 177152 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-04-26 04:48:52 57856 ----a-w- c:\windows\system32\rdpwsx.dll

2012-04-26 04:48:52 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-04-26 04:43:14 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-04-24 04:47:04 139264 ----a-w- c:\windows\system32\cryptsvc.dll

2012-04-24 04:47:04 103936 ----a-w- c:\windows\system32\cryptnet.dll

2012-04-24 04:47:03 1156608 ----a-w- c:\windows\system32\crypt32.dll

.

============= FINISH: 13:24:19,31 ===============

Just an update: I ran TDSSKiller again (changing the parameters) and it found something of medium risk called "FLEXnet Licensing Server (UnsignedFile.Multi.Generic)". Sorry for the quick update.


Hello AnDrEM and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Step 1

Please run Malwarebytes' Anti-Malware, go to the Logs tab, double-click each line to find the log file with these detections, and post it here for me.

Step 2

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Please tick Scan All Users. Next, click the Quick Scan button. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.

Step 3

Download aswMBR.exe to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.


On completion of the scan, click Save log, save it to your desktop and post it in your next reply.


In your next reply, post the following log files:

  • Malwarebytes' Anti-Malware log
  • OTL log with Extras.txt
  • aswMBR log


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
