Failure during the scanning program MBAM

Nurlan85 · September 9, 2013

Hi! In my computer crashes while scanning program Mbam. Help please! Post the log files...

dds.txt

attach.txt

CheckResults.txt

Maniac · September 9, 2013

Hello Nurlan85 and :welcome: ! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
Make sure you read all of the instructions and fixes thoroughly before continuing with them.
Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

Step 1

Please uninstall the following applications:

µTorrent

DAEMON Tools Toolbar

Webalta Toolbar

Step 2

Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

Step 3

Please download AdwCleaner by Xplode onto your desktop.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Clean.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[s1].txt as well.

Step 4

Please add to exceptions the following files in your Kaspersky AV:

http://support.kaspersky.com/2695

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

When you are ready, reboot your system.

Step 5

Launch Malwarebytes' Anti-Malware
Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
Go to Scanner tab and select Perform Quick Scan, then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer,please do so immediately.

In your next reply, post the following log files:

Junkware Removal Tool log
AdwCleaner log
Malwarebytes' Anti-Malware log

Nurlan85 · September 11, 2013

Hi! It did not happen to do a quick scan of the program Mbam. Again crash happened during the scan. Post the log files and JRT log

AdwCleaner log

JRT.txt

AdwCleanerR0.txt

Maniac · September 11, 2013

Read my instructions carefully:

Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

At each step, the instructions indicate that the log files should be posted directly to your post.

Nurlan85 · September 12, 2013

Hi!

Step 1 Remove the program μTorrent, DAEMON Tuls, Toolbar Toolbar Vebalta.

Step 2 Place the file JRT. Did the log file. spread:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 5.5.9 (09.07.2013:1)

OS: Microsoft Windows XP x86

Ran by User on 11.09.2013 at 10:02:19,13

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\pricegong

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\yahoopartnertoolbar

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\axmetastream.metastreamctl

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\axmetastream.metastreamctl.1

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\axmetastream.metastreamctlsecondary

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\axmetastream.metastreamctlsecondary.1

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\conduit.engine

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\driverscanner

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT2127165

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{61EB20A4-D4D5-4276-A2C9-DCCE8CE9F633}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95289393-33EA-4F8D-B952-483415B9C955}

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{95289393-33EA-4F8D-B952-483415B9C955}

~~~ Files

Successfully deleted: [File] "C:\Documents and Settings\User\Application Data\microsoft\internet explorer\qipsearchbar.dll"

Successfully deleted: [File] "C:\WINDOWS\system32\conduitengine.tmp"

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\viewpoint"

Successfully deleted: [Folder] "C:\Documents and Settings\User\Application Data\opencandy"

Successfully deleted: [Folder] "C:\Documents and Settings\User\Application Data\pricegong"

Successfully deleted: [Folder] "C:\Documents and Settings\User\Local Settings\Application Data\conduit"

Successfully deleted: [Folder] "C:\Documents and Settings\User\Local Settings\Application Data\iac"

Successfully deleted: [Folder] "C:\Program Files\daemon tools toolbar"

Successfully deleted: [Folder] "C:\Program Files\iac"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on 11.09.2013 at 10:05:46,90

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Step 3: Install files Adschtsleaner Xplode. Did the log file. spread:

# AdwCleaner v3.003 - Report created 11/09/2013 at 10:07:46

# Updated 07/09/2013 by Xplode

# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

# Username : User - NURLANDHETIBAEV

# Running from : C:\Documents and Settings\User\Рабочий стол\AdwCleaner.exe

# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Found C:\Documents and Settings\User\Application Data\Mail.Ru

Folder Found C:\Documents and Settings\User\IECompatCache

Folder Found C:\Documents and Settings\User\Local Settings\Application Data\Mail.Ru

Folder Found C:\Documents and Settings\User\Главное меню\Программы\Mail.Ru

Folder Found C:\Documents and Settings\Гость\Local Settings\Application Data\Conduit

Folder Found C:\Documents and Settings\Гость\Local Settings\Application Data\ConduitEngine

Folder Found C:\Documents and Settings\Гость\Local Settings\Application Data\Mail.Ru

Folder Found C:\Program Files\Mail.Ru

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{32099AAC-C132-4136-9E9A-4E364A424E17}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{32099AAC-C132-4136-9E9A-4E364A424E17}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}

Key Found : HKLM\Software\MetaStream

Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}

Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tumar CSP_is1

Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP

Key Found : HKLM\Software\Uniblue\DriverScanner

Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{32099AAC-C132-4136-9E9A-4E364A424E17}]

Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\Documents and Settings\User\Application Data\Mail.Ru\Agent\magent.exe]

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Found : HKCU\Software\Microsoft\Internet Explorer\SearchUrl [] - Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip

*************************

AdwCleaner[R0].txt - [2857 octets] - [11/09/2013 10:07:46]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2917 octets] ##########

Step 4: Added to avoid the following files to Kaspersky AV: http://support.kaspersky.com/2695

C: \ Program Files \ Malwarebytes' Anti-Malware \ mbam.exe

C: \ Program Files \ Malwarebytes' Anti-Malware \ mbamgui.exe

C: \ Program Files \ Malwarebytes' Anti-Malware \ mbamservice.exe

Restart the computer.

Step 5 Start the "Quick Scan" program Mbam. But, the problem is when you scan, Mbam stops and closes crash.

Maniac · September 12, 2013

Follow my instructions strictly. You should click Clean button on AdwCleaner. Please repeat this step.

Nurlan85 · September 13, 2013

Hi! I did re-scanning program. Here is the log:

# AdwCleaner v3.003 - Report created 13/09/2013 at 18:30:22

# Updated 07/09/2013 by Xplode

# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

# Username : User - NURLANDHETIBAEV

# Running from : C:\Documents and Settings\User\Рабочий стол\AdwCleaner.exe

# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

*************************

AdwCleaner[R0].txt - [2997 octets] - [11/09/2013 10:07:46]

AdwCleaner[R1].txt - [3152 octets] - [13/09/2013 18:15:00]

AdwCleaner[R2].txt - [840 octets] - [13/09/2013 18:29:15]

AdwCleaner[s0].txt - [3108 octets] - [13/09/2013 18:16:33]

AdwCleaner[s1].txt - [762 octets] - [13/09/2013 18:30:22]

########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [821 octets] ##########

But, then again during the scanning MBAM error occurred. The collapse during a quick scan. What to do? Thanks in advance!

Maniac · September 13, 2013

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage and read the ComboFix User's Guide:

Once you've read the article and are ready to use the program you can download it directly from the link below.
Important! - Please make sure you save combofix to your desktop and do not run it from your browser
Direct download link for: ComboFix.exe
Please make sure you disable your security applications before running ComboFix.
Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
Please copy/paste the contents or attach that log file to your next reply.
If needed the file can be located here: C:\combofix.txt
NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

Nurlan85 · September 16, 2013

Hi!!! This is LOG Combofix.txt:

ComboFix 13-09-14.01 - User 16.09.2013 12:02:40.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.1012.710 [GMT 6:00]

Running from: c:\documents and settings\User\¦рсюўшщ ёЄюы\ComboFix.exe

AV: Антивирус Касперского *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Антивирус Касперского *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\User\Мои документы\~WRL0001.tmp

c:\documents and settings\User\WINDOWS

c:\windows\d4s.hst

c:\windows\msmqinst.log

c:\windows\ST6UNST.000

c:\windows\system32\lowsec

c:\windows\system32\lowsec\local.ds

c:\windows\system32\lowsec\user.ds

c:\windows\system32\SET9B8.tmp

c:\windows\system32\winlogon.bak

c:\windows\unin0407.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_PPDRV

-------\Service_AVPsys

-------\Service_PPDrv

.

((((((((((((((((((((((((( Files Created from 2013-08-16 to 2013-09-16 )))))))))))))))))))))))))))))))

.

2013-09-16 05:06 . 2013-09-16 05:06 -------- d-sh--w- c:\documents and settings\User\IECompatCache

2013-09-13 12:44 . 2013-09-13 14:25 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2013-09-13 06:24 . 2013-09-13 06:24 4751752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2013-09-11 04:07 . 2013-09-13 12:30 -------- d-----w- C:\AdwCleaner

2013-09-11 04:01 . 2013-09-11 04:01 -------- d-----w- c:\windows\ERUNT

2013-09-05 03:48 . 2013-04-04 08:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-09-05 03:48 . 2013-09-05 03:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-08-29 13:09 . 2013-08-02 17:29 217176 ----a-w- c:\windows\system32\unrar.dll

2013-08-29 13:07 . 2013-08-29 13:08 -------- d-----w- c:\program files\K-Lite Codec Pack

2013-08-29 12:34 . 2008-04-14 15:40 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2013-08-29 12:28 . 2013-08-29 12:28 -------- d-----w- c:\program files\Windows Media Connect 2

2013-08-28 02:33 . 2012-06-02 09:18 275696 ----a-w- c:\windows\system32\mucltui.dll

2013-08-28 02:33 . 2012-06-02 09:18 214256 ----a-w- c:\windows\system32\muweb.dll

2013-08-26 04:31 . 2013-08-26 04:31 -------- d--h--w- c:\windows\system32\GroupPolicy

2013-08-26 03:55 . 2013-08-26 03:54 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2013-08-26 03:36 . 2013-08-26 03:37 -------- d-----w- C:\SecurityCheck

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-09-13 06:27 . 2013-02-25 12:48 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-09-13 06:27 . 2011-08-22 03:12 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-08-26 03:54 . 2012-08-06 03:01 144896 ----a-w- c:\windows\system32\javacpl.cpl

2013-08-26 03:54 . 2012-08-06 03:06 867240 ----a-w- c:\windows\system32\npdeployJava1.dll

2013-08-26 03:54 . 2010-07-29 11:57 789416 ----a-w- c:\windows\system32\deployJava1.dll

2013-08-09 01:56 . 2006-03-02 12:00 387584 ----a-w- c:\windows\system32\themeui.dll

2013-08-08 06:09 . 2006-03-02 12:00 1877888 ----a-w- c:\windows\system32\win32k.sys

2013-08-08 06:05 . 2006-03-02 12:00 920064 ----a-w- c:\windows\system32\wininet.dll

2013-08-08 06:05 . 2006-03-02 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2013-08-08 06:05 . 2006-03-02 12:00 18944 ----a-w- c:\windows\system32\corpol.dll

2013-08-08 06:05 . 2006-03-02 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2013-08-08 00:04 . 2006-03-02 12:00 385024 ----a-w- c:\windows\system32\html.iec

2013-08-07 12:58 . 2013-08-07 12:58 31048 ----a-w- c:\windows\_SETUPD_.EXE

2013-08-05 13:30 . 2006-03-02 12:00 1289216 ----a-w- c:\windows\system32\ole32.dll

2013-08-02 19:48 . 2006-10-18 15:47 1543680 ------w- c:\windows\system32\wmvdecod.dll

2013-07-10 10:37 . 2006-03-02 12:00 406016 ----a-w- c:\windows\system32\usp10.dll

2013-07-04 07:34 . 2006-03-02 12:00 2151936 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-07-04 07:33 . 2004-08-17 15:58 2030592 ----a-w- c:\windows\system32\ntkrnlpa.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

"RTHDCPL"="RTHDCPL.EXE" [2010-12-30 19972712]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-16 137752]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"AlterGeoUpdater"="c:\documents and settings\All Users\Application Data\AlterGeo\Update for Html5 geolocation provider\html5locsvc.exe" [2013-01-28 29696]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\tumint430.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EXPLORER.EXE]

2008-04-14 15:40 1034240 ----a-w- c:\windows\explorer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"MP10_EnsureFileVer"=c:\windows\inf\unregmp2.exe /EnsureFileVersions

"eTCertManger"=c:\windows\system32\eTCrtMng.exe

"IgfxTray"=c:\windows\system32\igfxtray.exe

"HotKeysCmds"=c:\windows\system32\hkcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\rserver30\\rserver3.exe"=

"c:\\Program Files\\Sony Ericsson\\Update Engine\\Sony Ericsson Update Engine.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"2525:TCP"= 2525:TCP:hnhhszxx

"5900:TCP"= 5900:TCP:vnc5900

"5800:TCP"= 5800:TCP:vnc5800

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

.

R2 gupdate1ca050c48518e32;Служба Google Update (gupdate1ca050c48518e32);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-15 133104]

R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-11-18 1691480]

R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2013-01-30 12400]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-09-13 40776]

R3 PPEMSCAN;Protector Plus Email Scan Driver;c:\protector plus\PPEMSCAN.sys [x]

R3 RServer3;Radmin Server V3;c:\windows\system32\rserver30\RServer3.exe [2009-10-09 1242504]

R3 Sony PC Companion;Sony PC Companion;c:\program files\Sony\Sony PC Companion\PCCService.exe [2013-02-04 155824]

R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-12-14 721904]

S2 LcSvrAdm;ELSA Administration Service;c:\elsawin\bin\LcSvrAdm.exe [2011-01-26 240640]

S2 LcSvrDba;ELSA DBA Server;c:\elsawin\bin\LcSvrDba.exe [2011-01-26 392704]

S2 LcSvrHis;ELSA Historie Server;c:\elsawin\bin\LcSvrHis.exe [2011-01-26 335360]

S2 LcSvrPAS;ELSA PASS Server;c:\elsawin\bin\LcSvrPas.exe [2011-01-26 477696]

S2 LcSvrSaz;ELSA APOSpro Server;c:\elsawin\bin\LcSvrSaz.exe [2011-01-26 373248]

S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]

S2 TumarCSP Service;TumarCSP Service;c:\program files\GammaTech\TumarCSP\bin\tumsrv204.exe [2010-01-05 453632]

S2 VSGate;ELSA Vaudis Service;c:\elsawin\bin\VSgate.exe [2011-01-26 81920]

S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-05-30 24344]

S3 LcSvrAuf;ELSA Auftragsverwaltungs Service;c:\elsawin\bin\LcSvrAuf.exe [2011-01-26 1321472]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

knblk

.

Contents of the 'Scheduled Tasks' folder

.

2013-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-25 06:28]

.

2013-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-15 05:20]

.

2013-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-15 05:20]

.

2013-09-16 c:\windows\Tasks\User_Feed_Synchronization-{1A3A7B1B-4904-4AF6-9913-7783DA85B13D}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 22:31]

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyServer = 192.168.55.2:8080

uInternet Settings,ProxyOverride = <local>

IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Добавить в Анти-Баннер - c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm

Trusted Zone: pki.kz\ind

TCP: Interfaces\{57569E7E-A49E-4E25-8496-6A3F4E6D340C}: NameServer = 192.168.1.41

TCP: Interfaces\{7C2D2AC0-5089-4D6D-BC4F-E7F85D66FEEB}: NameServer = 212.154.163.162

.

------- File Associations -------

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

WebBrowser-{6AA40521-14E7-4B1D-B1B4-98528C1388C9} - (no file)

SafeBoot-Wdf01000.sys

AddRemove-MailRuUpdater - c:\documents and settings\User\Local Settings\Application Data\Mail.Ru\MailRuUpdater.exe

AddRemove-MRA - c:\documents and settings\User\Application Data\Mail.Ru\Agent\magentsetup.exe

AddRemove-Winamp Detect - c:\program files\Winamp Detect\UninstWaDetect.exe

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-09-16 16:16

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(688)

c:\windows\system32\klogon.dll

.

- - - - - - - > 'explorer.exe'(3520)

c:\windows\system32\WININET.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\SCardSvr.exe

c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe

c:\windows\system32\eTSrv.exe

c:\program files\Java\jre7\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\igfxsrvc.exe

.

**************************************************************************

.

Completion time: 2013-09-16 16:34:39 - machine was rebooted

ComboFix-quarantined-files.txt 2013-09-16 10:34

.

Pre-Run: 129 496 260 608 байт свободно

Post-Run: 130 325 090 304 байт свободно

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional RU" /noexecute=optin /fastdetect

.

- - End Of File - - 49C9515DD5002239146D7C957C364D26

5F8B5082F3482CC06B72EC5806598AE9

Maniac · September 16, 2013

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::
NetSvc::
knblk
Driver::
hnhhszxx
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2525:TCP"=-
JavaClearCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Nurlan85 · September 17, 2013

Hi!!! Here the log file:

ComboFix 13-09-16.01 - User 17.09.2013 9:40:07.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1251.7.1049.18.1012.529 [GMT 6:00]

Running from: C:\Documents and Settings\User\Рабочий стол\ComboFix.exe

Command switches used :: C:\Documents and Settings\User\Рабочий стол\CFScript.txt

AV: Антивирус Касперского *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Антивирус Касперского *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

---- Previous Run -------

C:\Documents and Settings\User\Мои документы\~WRL0001.tmp

C:\WINDOWS\d4s.hst

C:\WINDOWS\msmqinst.log

C:\WINDOWS\ST6UNST.000

C:\WINDOWS\system32\lowsec\local.ds

C:\WINDOWS\system32\lowsec\user.ds

C:\WINDOWS\system32\SET9B8.tmp

C:\WINDOWS\system32\winlogon.bak

C:\WINDOWS\unin0407.exe

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_PPDRV

-------\Service_AVPsys

-------\Service_PPDrv

-------\Legacy_PPDRV

((((((((((((((((((((((((( Files Created from 2013-08-17 to 2013-09-17 )))))))))))))))))))))))))))))))

2013-09-16 05:06:34 . 2013-09-16 05:06:34 -------- d-sh--w- C:\Documents and Settings\User\IECompatCache

2013-09-13 06:24:48 . 2013-09-13 06:24:51 4751752 ----a-w- C:\WINDOWS\system32\FlashPlayerInstaller.exe

2013-09-11 04:07:31 . 2013-09-13 12:30:23 -------- d-----w- C:\AdwCleaner

2013-09-11 04:01:50 . 2013-09-11 04:01:50 -------- d-----w- C:\WINDOWS\ERUNT

2013-09-05 03:48:30 . 2013-04-04 08:50:32 22856 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys

2013-09-05 03:48:29 . 2013-09-05 03:48:47 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware

2013-08-29 13:09:24 . 2013-08-02 17:29:58 217176 ----a-w- C:\WINDOWS\system32\unrar.dll

2013-08-29 13:07:27 . 2013-08-29 13:08:57 -------- d-----w- C:\Program Files\K-Lite Codec Pack

2013-08-29 12:34:40 . 2008-04-14 15:40:48 26624 ----a-w- C:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

2013-08-29 12:28:28 . 2013-08-29 12:28:34 -------- d-----w- C:\Program Files\Windows Media Connect 2

2013-08-28 02:33:06 . 2012-06-02 09:18:58 275696 ----a-w- C:\WINDOWS\system32\mucltui.dll

2013-08-28 02:33:06 . 2012-06-02 09:18:58 214256 ----a-w- C:\WINDOWS\system32\muweb.dll

2013-08-26 04:31:40 . 2013-08-26 04:31:40 -------- d--h--w- C:\WINDOWS\system32\GroupPolicy

2013-08-26 03:55:44 . 2013-08-26 03:54:34 94632 ----a-w- C:\WINDOWS\system32\WindowsAccessBridge.dll

2013-08-26 03:36:37 . 2013-08-26 03:37:04 -------- d-----w- C:\SecurityCheck

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2013-09-13 06:27:36 . 2013-02-25 12:48:52 692616 ----a-w- C:\WINDOWS\system32\FlashPlayerApp.exe

2013-09-13 06:27:34 . 2011-08-22 03:12:26 71048 ----a-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl

2013-08-26 03:54:25 . 2012-08-06 03:01:49 144896 ----a-w- C:\WINDOWS\system32\javacpl.cpl

2013-08-26 03:54:24 . 2012-08-06 03:06:41 867240 ----a-w- C:\WINDOWS\system32\npdeployJava1.dll

2013-08-26 03:54:24 . 2010-07-29 11:57:57 789416 ----a-w- C:\WINDOWS\system32\deployJava1.dll

2013-08-09 01:56:34 . 2006-03-02 12:00:00 387584 ----a-w- C:\WINDOWS\system32\themeui.dll

2013-08-08 06:09:49 . 2006-03-02 12:00:00 1877888 ----a-w- C:\WINDOWS\system32\win32k.sys

2013-08-08 06:05:46 . 2006-03-02 12:00:00 920064 ----a-w- C:\WINDOWS\system32\wininet.dll

2013-08-08 06:05:46 . 2006-03-02 12:00:00 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll

2013-08-08 06:05:45 . 2006-03-02 12:00:00 18944 ----a-w- C:\WINDOWS\system32\corpol.dll

2013-08-08 06:05:45 . 2006-03-02 12:00:00 1469440 ----a-w- C:\WINDOWS\system32\inetcpl.cpl

2013-08-08 00:04:27 . 2006-03-02 12:00:00 385024 ----a-w- C:\WINDOWS\system32\html.iec

2013-08-07 12:58:59 . 2013-08-07 12:58:59 31048 ----a-w- C:\WINDOWS\_SETUPD_.EXE

2013-08-05 13:30:17 . 2006-03-02 12:00:00 1289216 ----a-w- C:\WINDOWS\system32\ole32.dll

2013-08-02 19:48:38 . 2006-10-18 15:47:22 1543680 ------w- C:\WINDOWS\system32\wmvdecod.dll

2013-07-10 10:37:48 . 2006-03-02 12:00:00 406016 ----a-w- C:\WINDOWS\system32\usp10.dll

2013-07-04 07:34:00 . 2006-03-02 12:00:00 2151936 ----a-w- C:\WINDOWS\system32\ntoskrnl.exe

2013-07-04 07:33:59 . 2004-08-17 15:58:00 2030592 ----a-w- C:\WINDOWS\system32\ntkrnlpa.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 12:36:46 30040]

"RTHDCPL"="RTHDCPL.EXE" [2010-12-30 08:17:18 19972712]

"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-01-16 01:12:44 137752]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 09:40:44 155648]

"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 01:32:50 253816]

"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 21:06:36 958576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15:40:54 15360]

"AlterGeoUpdater"="C:\Documents and Settings\All Users\Application Data\AlterGeo\Update for Html5 geolocation provider\html5locsvc.exe" [2013-01-28 12:39:56 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=C:\WINDOWS\system32\tumint430.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EXPLORER.EXE]

2008-04-14 15:40:58 1034240 ----a-w- C:\WINDOWS\explorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"MP10_EnsureFileVer"=C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions

"eTCertManger"=C:\WINDOWS\system32\eTCrtMng.exe

"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe

"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=

"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\WINDOWS\\system32\\rserver30\\rserver3.exe"=

"C:\\Program Files\\Sony Ericsson\\Update Engine\\Sony Ericsson Update Engine.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5900:TCP"= 5900:TCP:vnc5900

"5800:TCP"= 5800:TCP:vnc5800

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 LcSvrAdm;ELSA Administration Service;C:\ElsaWin\bin\LcSvrAdm.exe [04.04.2012 13:25:47 240640]

R2 LcSvrDba;ELSA DBA Server;C:\ElsaWin\bin\LcSvrDba.exe [04.04.2012 13:26:02 392704]

R2 LcSvrHis;ELSA Historie Server;C:\ElsaWin\bin\LcSvrHis.exe [04.04.2012 13:26:04 335360]

R2 LcSvrPAS;ELSA PASS Server;C:\ElsaWin\bin\LcSvrPas.exe [04.04.2012 13:26:09 477696]

R2 LcSvrSaz;ELSA APOSpro Server;C:\ElsaWin\bin\LcSvrSaz.exe [04.04.2012 13:42:56 373248]

R2 TumarCSP Service;TumarCSP Service;C:\Program Files\GammaTech\TumarCSP\bin\tumsrv204.exe [01.09.2011 14:51:11 453632]

R2 VSGate;ELSA Vaudis Service;C:\ElsaWin\bin\VSGate.exe [04.04.2012 13:25:57 81920]

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\drivers\klim5.sys [30.05.2007 17:49:06 24344]

R3 LcSvrAuf;ELSA Auftragsverwaltungs Service;C:\ElsaWin\bin\LcSvrAuf.exe [04.04.2012 13:26:03 1321472]

S2 gupdate1ca050c48518e32;Служба Google Update (gupdate1ca050c48518e32);C:\Program Files\Google\Update\GoogleUpdate.exe [15.07.2009 11:20:35 133104]

S2 MBAMScheduler;MBAMScheduler;C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [05.09.2013 9:48:32 418376]

S2 MBAMService;MBAMService;C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [05.09.2013 9:48:32 701512]

S3 Ambfilt;Ambfilt;C:\WINDOWS\system32\drivers\Ambfilt.sys [20.01.2011 11:42:21 1691480]

S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\drivers\ggflt.sys [30.01.2013 18:09:54 12400]

S3 MBAMProtector;MBAMProtector;C:\WINDOWS\system32\drivers\mbam.sys [05.09.2013 9:48:30 22856]

S3 PPEMSCAN;Protector Plus Email Scan Driver;\??\C:\Protector Plus\PPEMSCAN.sys --> C:\Protector Plus\PPEMSCAN.sys [?]

S3 RServer3;Radmin Server V3;C:\WINDOWS\system32\rserver30\rserver3.exe [09.10.2009 14:00:44 1242504]

S3 Sony PC Companion;Sony PC Companion;C:\Program Files\Sony\Sony PC Companion\PCCService.exe [22.01.2013 18:52:15 155824]

S4 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [14.12.2011 17:35:26 721904]

Contents of the 'Scheduled Tasks' folder

2013-09-17 C:\WINDOWS\Tasks\Adobe Flash Player Updater.job

- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-25 12:48:54 . 2013-09-13 06:28:23]

2013-09-17 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job

- C:\Program Files\Google\Update\GoogleUpdate.exe [2009-07-15 05:20:35 . 2009-07-15 05:20:03]

2013-09-17 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job

- C:\Program Files\Google\Update\GoogleUpdate.exe [2009-07-15 05:20:35 . 2009-07-15 05:20:03]

2013-09-17 C:\WINDOWS\Tasks\User_Feed_Synchronization-{1A3A7B1B-4904-4AF6-9913-7783DA85B13D}.job

- C:\WINDOWS\system32\msfeedssync.exe [2007-08-13 12:36:40 . 2009-03-07 22:31:54]

------- Supplementary Scan -------

uInternet Settings,ProxyServer = 192.168.55.2:8080

uInternet Settings,ProxyOverride = <local>

IE: &Экспорт в Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: pki.kz\ind

TCP: Interfaces\{57569E7E-A49E-4E25-8496-6A3F4E6D340C}: NameServer = 192.168.1.41

TCP: Interfaces\{7C2D2AC0-5089-4D6D-BC4F-E7F85D66FEEB}: NameServer = 212.154.163.162

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

WebBrowser-{6AA40521-14E7-4B1D-B1B4-98528C1388C9} - (no file)

Maniac · September 17, 2013

Your log file is cut. Please make sure you mark the entire text before copy and paste it here.

AdvancedSetup · September 21, 2013

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Failure during the scanning program MBAM

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information