
Failure during the scanning program MBAM



Hello Nurlan85, and welcome! My name is Borislav and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
Step 1

Please uninstall the following applications:

µTorrent

DAEMON Tools Toolbar

Webalta Toolbar

Step 2

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Step 3

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Clean.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.
Step 4

Please add to exceptions the following files in your Kaspersky AV:

http://support.kaspersky.com/2695

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

When you are ready, reboot your system.

Step 5

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, post the following log files:

  • Junkware Removal Tool log
  • AdwCleaner log
  • Malwarebytes' Anti-Malware log

Hi!

Step 1: Removed the programs µTorrent, DAEMON Tools Toolbar and Webalta Toolbar.

 

Step 2: Ran the JRT file. Here is the log file:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.9 (09.07.2013:1)
OS: Microsoft Windows XP x86
Ran by User on 11.09.2013 at 10:02:19,13
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\pricegong
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\yahoopartnertoolbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\axmetastream.metastreamctl
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\axmetastream.metastreamctl.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\axmetastream.metastreamctlsecondary
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\axmetastream.metastreamctlsecondary.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\conduit.engine
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\driverscanner
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT2127165
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{61EB20A4-D4D5-4276-A2C9-DCCE8CE9F633}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95289393-33EA-4F8D-B952-483415B9C955}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{95289393-33EA-4F8D-B952-483415B9C955}

~~~ Files

Successfully deleted: [File] "C:\Documents and Settings\User\Application Data\microsoft\internet explorer\qipsearchbar.dll"
Successfully deleted: [File] "C:\WINDOWS\system32\conduitengine.tmp"

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\viewpoint"
Successfully deleted: [Folder] "C:\Documents and Settings\User\Application Data\opencandy"
Successfully deleted: [Folder] "C:\Documents and Settings\User\Application Data\pricegong"
Successfully deleted: [Folder] "C:\Documents and Settings\User\Local Settings\Application Data\conduit"
Successfully deleted: [Folder] "C:\Documents and Settings\User\Local Settings\Application Data\iac"
Successfully deleted: [Folder] "C:\Program Files\daemon tools toolbar"
Successfully deleted: [Folder] "C:\Program Files\iac"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 11.09.2013 at 10:05:46,90
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Step 3: Ran AdwCleaner by Xplode. Here is the log file:


# AdwCleaner v3.003 - Report created 11/09/2013 at 10:07:46
# Updated 07/09/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : User - NURLANDHETIBAEV
# Running from : C:\Documents and Settings\User\Рабочий стол\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Found C:\Documents and Settings\User\Application Data\Mail.Ru
Folder Found C:\Documents and Settings\User\IECompatCache
Folder Found C:\Documents and Settings\User\Local Settings\Application Data\Mail.Ru
Folder Found C:\Documents and Settings\User\Главное меню\Программы\Mail.Ru
Folder Found C:\Documents and Settings\Гость\Local Settings\Application Data\Conduit
Folder Found C:\Documents and Settings\Гость\Local Settings\Application Data\ConduitEngine
Folder Found C:\Documents and Settings\Гость\Local Settings\Application Data\Mail.Ru
Folder Found C:\Program Files\Mail.Ru

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{32099AAC-C132-4136-9E9A-4E364A424E17}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{32099AAC-C132-4136-9E9A-4E364A424E17}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\Software\MetaStream
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Tumar CSP_is1
Key Found : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Found : HKLM\Software\Uniblue\DriverScanner
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{32099AAC-C132-4136-9E9A-4E364A424E17}]
Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\Documents and Settings\User\Application Data\Mail.Ru\Agent\magent.exe]

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Found : HKCU\Software\Microsoft\Internet Explorer\SearchUrl [] - Root: HKCU; Subkey: Software\Microsoft\Internet Explorer\SearchUrl; ValueType: string; ValueName: '; ValueData: '; Flags: createvalueifdoesntexist noerror; Tasks: AddSearchQip

*************************

AdwCleaner[R0].txt - [2857 octets] - [11/09/2013 10:07:46]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2917 octets] ##########

 

Step 4: Added the following files to the exceptions in Kaspersky AV, as described at http://support.kaspersky.com/2695:

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

Restarted the computer.

 

Step 5: Started a "Quick Scan" in MBAM. But the problem is that during the scan, MBAM stops and closes with a crash.



Hi! I re-ran the scan with the program. Here is the log:

# AdwCleaner v3.003 - Report created 13/09/2013 at 18:30:22
# Updated 07/09/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : User - NURLANDHETIBAEV
# Running from : C:\Documents and Settings\User\Рабочий стол\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
 
*************************
 
AdwCleaner[R0].txt - [2997 octets] - [11/09/2013 10:07:46]
AdwCleaner[R1].txt - [3152 octets] - [13/09/2013 18:15:00]
AdwCleaner[R2].txt - [840 octets] - [13/09/2013 18:29:15]
AdwCleaner[s0].txt - [3108 octets] - [13/09/2013 18:16:33]
AdwCleaner[s1].txt - [762 octets] - [13/09/2013 18:30:22]
 
########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [821 octets] ##########
But then again an error occurred during the MBAM scan. It crashes during a quick scan. What should I do? Thanks in advance!

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! Please make sure you save ComboFix to your desktop and do not run it from your browser.
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once ComboFix has completed it will produce and open a log file. Please be patient as it can take some time to load.
  • Please copy/paste the contents or attach that log file to your next reply.
  • If needed the file can be located here: C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

Hi!!! This is the log, ComboFix.txt:

ComboFix 13-09-14.01 - User 16.09.2013  12:02:40.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1251.7.1049.18.1012.710 [GMT 6:00]
Running from: c:\documents and settings\User\Рабочий стол\ComboFix.exe
AV: Антивирус Касперского *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Антивирус Касперского *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\User\Мои документы\~WRL0001.tmp
c:\documents and settings\User\WINDOWS
c:\windows\d4s.hst
c:\windows\msmqinst.log
c:\windows\ST6UNST.000
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\SET9B8.tmp
c:\windows\system32\winlogon.bak
c:\windows\unin0407.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_PPDRV
-------\Service_AVPsys
-------\Service_PPDrv
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-16 to 2013-09-16  )))))))))))))))))))))))))))))))
.
.
2013-09-16 05:06 . 2013-09-16 05:06 -------- d-sh--w- c:\documents and settings\User\IECompatCache
2013-09-13 12:44 . 2013-09-13 14:25 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-09-13 06:24 . 2013-09-13 06:24 4751752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-09-11 04:07 . 2013-09-13 12:30 -------- d-----w- C:\AdwCleaner
2013-09-11 04:01 . 2013-09-11 04:01 -------- d-----w- c:\windows\ERUNT
2013-09-05 03:48 . 2013-04-04 08:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-09-05 03:48 . 2013-09-05 03:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-08-29 13:09 . 2013-08-02 17:29 217176 ----a-w- c:\windows\system32\unrar.dll
2013-08-29 13:07 . 2013-08-29 13:08 -------- d-----w- c:\program files\K-Lite Codec Pack
2013-08-29 12:34 . 2008-04-14 15:40 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2013-08-29 12:28 . 2013-08-29 12:28 -------- d-----w- c:\program files\Windows Media Connect 2
2013-08-28 02:33 . 2012-06-02 09:18 275696 ----a-w- c:\windows\system32\mucltui.dll
2013-08-28 02:33 . 2012-06-02 09:18 214256 ----a-w- c:\windows\system32\muweb.dll
2013-08-26 04:31 . 2013-08-26 04:31 -------- d--h--w- c:\windows\system32\GroupPolicy
2013-08-26 03:55 . 2013-08-26 03:54 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-08-26 03:36 . 2013-08-26 03:37 -------- d-----w- C:\SecurityCheck
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-13 06:27 . 2013-02-25 12:48 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-13 06:27 . 2011-08-22 03:12 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-08-26 03:54 . 2012-08-06 03:01 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-08-26 03:54 . 2012-08-06 03:06 867240 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-08-26 03:54 . 2010-07-29 11:57 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-08-09 01:56 . 2006-03-02 12:00 387584 ----a-w- c:\windows\system32\themeui.dll
2013-08-08 06:09 . 2006-03-02 12:00 1877888 ----a-w- c:\windows\system32\win32k.sys
2013-08-08 06:05 . 2006-03-02 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-08-08 06:05 . 2006-03-02 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-08-08 06:05 . 2006-03-02 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-08-08 06:05 . 2006-03-02 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-08-08 00:04 . 2006-03-02 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-08-07 12:58 . 2013-08-07 12:58 31048 ----a-w- c:\windows\_SETUPD_.EXE
2013-08-05 13:30 . 2006-03-02 12:00 1289216 ----a-w- c:\windows\system32\ole32.dll
2013-08-02 19:48 . 2006-10-18 15:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-07-10 10:37 . 2006-03-02 12:00 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 07:34 . 2006-03-02 12:00 2151936 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 07:33 . 2004-08-17 15:58 2030592 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"RTHDCPL"="RTHDCPL.EXE" [2010-12-30 19972712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-16 137752]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"AlterGeoUpdater"="c:\documents and settings\All Users\Application Data\AlterGeo\Update for Html5 geolocation provider\html5locsvc.exe" [2013-01-28 29696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\tumint430.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EXPLORER.EXE]
2008-04-14 15:40 1034240 ----a-w- c:\windows\explorer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MP10_EnsureFileVer"=c:\windows\inf\unregmp2.exe /EnsureFileVersions
"eTCertManger"=c:\windows\system32\eTCrtMng.exe
"IgfxTray"=c:\windows\system32\igfxtray.exe
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\rserver30\\rserver3.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Engine\\Sony Ericsson Update Engine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2525:TCP"= 2525:TCP:hnhhszxx
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 gupdate1ca050c48518e32;Служба Google Update (gupdate1ca050c48518e32);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-15 133104]
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-11-18 1691480]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2013-01-30 12400]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-09-13 40776]
R3 PPEMSCAN;Protector Plus Email Scan Driver;c:\protector plus\PPEMSCAN.sys [x]
R3 RServer3;Radmin Server V3;c:\windows\system32\rserver30\RServer3.exe [2009-10-09 1242504]
R3 Sony PC Companion;Sony PC Companion;c:\program files\Sony\Sony PC Companion\PCCService.exe [2013-02-04 155824]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-12-14 721904]
S2 LcSvrAdm;ELSA Administration Service;c:\elsawin\bin\LcSvrAdm.exe [2011-01-26 240640]
S2 LcSvrDba;ELSA DBA Server;c:\elsawin\bin\LcSvrDba.exe [2011-01-26 392704]
S2 LcSvrHis;ELSA Historie Server;c:\elsawin\bin\LcSvrHis.exe [2011-01-26 335360]
S2 LcSvrPAS;ELSA PASS Server;c:\elsawin\bin\LcSvrPas.exe [2011-01-26 477696]
S2 LcSvrSaz;ELSA APOSpro Server;c:\elsawin\bin\LcSvrSaz.exe [2011-01-26 373248]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
S2 TumarCSP Service;TumarCSP Service;c:\program files\GammaTech\TumarCSP\bin\tumsrv204.exe [2010-01-05 453632]
S2 VSGate;ELSA Vaudis Service;c:\elsawin\bin\VSgate.exe [2011-01-26 81920]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-05-30 24344]
S3 LcSvrAuf;ELSA Auftragsverwaltungs Service;c:\elsawin\bin\LcSvrAuf.exe [2011-01-26 1321472]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-04-04 22856]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
knblk
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-25 06:28]
.
2013-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-15 05:20]
.
2013-09-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-15 05:20]
.
2013-09-16 c:\windows\Tasks\User_Feed_Synchronization-{1A3A7B1B-4904-4AF6-9913-7783DA85B13D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 22:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = 192.168.55.2:8080
uInternet Settings,ProxyOverride = <local>
IE: &Экспорт в Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Добавить в Анти-Баннер - c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
Trusted Zone: pki.kz\ind
TCP: Interfaces\{57569E7E-A49E-4E25-8496-6A3F4E6D340C}: NameServer = 192.168.1.41
TCP: Interfaces\{7C2D2AC0-5089-4D6D-BC4F-E7F85D66FEEB}: NameServer = 212.154.163.162
.
.
------- File Associations -------
.
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{6AA40521-14E7-4B1D-B1B4-98528C1388C9} - (no file)
SafeBoot-Wdf01000.sys
AddRemove-MailRuUpdater - c:\documents and settings\User\Local Settings\Application Data\Mail.Ru\MailRuUpdater.exe
AddRemove-MRA - c:\documents and settings\User\Application Data\Mail.Ru\Agent\magentsetup.exe
AddRemove-Winamp Detect - c:\program files\Winamp Detect\UninstWaDetect.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-16 16:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\klogon.dll
.
- - - - - - - > 'explorer.exe'(3520)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
c:\windows\system32\eTSrv.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2013-09-16  16:34:39 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-16 10:34
.
Pre-Run: 129 496 260 608 байт свободно
Post-Run: 130 325 090 304 байт свободно
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional RU" /noexecute=optin /fastdetect
.
- - End Of File - - 49C9515DD5002239146D7C957C364D26
5F8B5082F3482CC06B72EC5806598AE9

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

NetSvc::
knblk

Driver::
hnhhszxx

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2525:TCP"=-

JavaClearCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
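An added triage script (example code, not from this thread, from Malwarebytes or from ComboFix) that applies the kinds of check behind the CFScript above to the "Reg Loading Points" part of a ComboFix log: a NetSvcs name with no service definition behind it (knblk), a globally open firewall port outside the set the analyst expects (2525/TCP), AppInit_DLLs populated, and Windows Firewall disabled. The sample log is constructed from lines of the log posted earlier in the thread; the expected-port allowlist is an assumption the analyst supplies.

```python
"""Triage the 'Reg Loading Points' part of a ComboFix log. Added example, not part
of this thread or of ComboFix: it automates checks a helper applies by eye."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample, assembled from lines of the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\tumint430.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2525:TCP"= 2525:TCP:hnhhszxx
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R3 RServer3;Radmin Server V3;c:\windows\system32\rserver30\RServer3.exe [2009-10-09 1242504]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2013-04-04 701512]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
knblk
.
"""

SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);")  # "R3 Name;Display name;path [date size]"
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
NETSVCS_RE = re.compile(r"\\Svchost\s+-\s+NetSvcs\s*$")

@dataclass
class Findings:
    orphan_netsvcs: List[str] = field(default_factory=list)
    unexpected_ports: List[Tuple[int, str, str]] = field(default_factory=list)
    appinit_dlls: Optional[str] = None
    firewall_disabled: bool = False

def triage(log: str, expected_ports: Set[int]) -> Findings:
    """Single pass over the log; `expected_ports` is the analyst's allowlist."""
    f = Findings()
    services: Set[str] = set()
    netsvcs: List[str] = []
    section = ""
    in_netsvcs = False
    for raw in log.splitlines():
        line = raw.rstrip()
        if not line or line == ".":  # ComboFix closes every block with a lone dot
            in_netsvcs = False
            continue
        if in_netsvcs:  # names svchost will try to start as services
            netsvcs.append(line.strip())
            continue
        if NETSVCS_RE.search(line):
            in_netsvcs = True
            continue
        if line.startswith("["):  # registry key header for the values that follow
            section = line.lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.add(m.group(1).strip().lower())
            continue
        m = APPINIT_RE.match(line)
        if m and m.group(1).strip():
            f.appinit_dlls = m.group(1).strip()
            continue
        m = FIREWALL_RE.match(line)
        if m and m.group(1) == "0":
            f.firewall_disabled = True
            continue
        if "globallyopenports" in section:
            m = PORT_RE.match(line)
            if m:
                port, proto, label = int(m.group(1)), m.group(2), m.group(3).strip()
                if port not in expected_ports:
                    f.unexpected_ports.append((port, proto, label))
    # A NetSvcs name with no service definition behind it is exactly the
    # leftover the helper's `NetSvc::` directive removes.
    f.orphan_netsvcs = [n for n in netsvcs if n.lower() not in services]
    return f

def report(f: Findings) -> List[str]:
    # Each line is a "look at this", not a verdict: AppInit_DLLs is also used by
    # legitimate products, and the helper left this one in place.
    out = [f"NetSvcs entry '{n}' has no matching service definition" for n in f.orphan_netsvcs]
    out += [f"firewall opening {p}/{pr} ('{lbl}') is outside the expected set"
            for p, pr, lbl in f.unexpected_ports]
    if f.appinit_dlls:
        out.append(f"AppInit_DLLs is set to {f.appinit_dlls}; confirm which product owns it")
    if f.firewall_disabled:
        out.append("Windows Firewall is disabled (EnableFirewall=0)")
    return out

if __name__ == "__main__":
    # Assumed allowlist: the VNC and RDP openings match software the log shows installed.
    for item in report(triage(SAMPLE_LOG, expected_ports={3389, 5800, 5900})):
        print(item)
```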


Hi!!! Here is the log file:

ComboFix 13-09-16.01 - User 17.09.2013   9:40:07.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1251.7.1049.18.1012.529 [GMT 6:00]
Running from: C:\Documents and Settings\User\Рабочий стол\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Рабочий стол\CFScript.txt
AV: Антивирус Касперского *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Антивирус Касперского *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
 
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 
 
---- Previous Run -------
 
C:\Documents and Settings\User\Мои документы\~WRL0001.tmp
C:\WINDOWS\d4s.hst
C:\WINDOWS\msmqinst.log
C:\WINDOWS\ST6UNST.000
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds
C:\WINDOWS\system32\SET9B8.tmp
C:\WINDOWS\system32\winlogon.bak
C:\WINDOWS\unin0407.exe
 
 
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
-------\Legacy_PPDRV
-------\Service_AVPsys
-------\Service_PPDrv
-------\Legacy_PPDRV
 
 
(((((((((((((((((((((((((   Files Created from 2013-08-17 to 2013-09-17  )))))))))))))))))))))))))))))))
 
 
2013-09-16 05:06:34 . 2013-09-16 05:06:34 -------- d-sh--w- C:\Documents and Settings\User\IECompatCache
2013-09-13 06:24:48 . 2013-09-13 06:24:51 4751752 ----a-w- C:\WINDOWS\system32\FlashPlayerInstaller.exe
2013-09-11 04:07:31 . 2013-09-13 12:30:23 -------- d-----w- C:\AdwCleaner
2013-09-11 04:01:50 . 2013-09-11 04:01:50 -------- d-----w- C:\WINDOWS\ERUNT
2013-09-05 03:48:30 . 2013-04-04 08:50:32 22856 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2013-09-05 03:48:29 . 2013-09-05 03:48:47 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2013-08-29 13:09:24 . 2013-08-02 17:29:58 217176 ----a-w- C:\WINDOWS\system32\unrar.dll
2013-08-29 13:07:27 . 2013-08-29 13:08:57 -------- d-----w- C:\Program Files\K-Lite Codec Pack
2013-08-29 12:34:40 . 2008-04-14 15:40:48 26624 ----a-w- C:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2013-08-29 12:28:28 . 2013-08-29 12:28:34 -------- d-----w- C:\Program Files\Windows Media Connect 2
2013-08-28 02:33:06 . 2012-06-02 09:18:58 275696 ----a-w- C:\WINDOWS\system32\mucltui.dll
2013-08-28 02:33:06 . 2012-06-02 09:18:58 214256 ----a-w- C:\WINDOWS\system32\muweb.dll
2013-08-26 04:31:40 . 2013-08-26 04:31:40 -------- d--h--w- C:\WINDOWS\system32\GroupPolicy
2013-08-26 03:55:44 . 2013-08-26 03:54:34 94632 ----a-w- C:\WINDOWS\system32\WindowsAccessBridge.dll
2013-08-26 03:36:37 . 2013-08-26 03:37:04 -------- d-----w- C:\SecurityCheck
.
 
 
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
 
2013-09-13 06:27:36 . 2013-02-25 12:48:52 692616 ----a-w- C:\WINDOWS\system32\FlashPlayerApp.exe
2013-09-13 06:27:34 . 2011-08-22 03:12:26 71048 ----a-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2013-08-26 03:54:25 . 2012-08-06 03:01:49 144896 ----a-w- C:\WINDOWS\system32\javacpl.cpl
2013-08-26 03:54:24 . 2012-08-06 03:06:41 867240 ----a-w- C:\WINDOWS\system32\npdeployJava1.dll
2013-08-26 03:54:24 . 2010-07-29 11:57:57 789416 ----a-w- C:\WINDOWS\system32\deployJava1.dll
2013-08-09 01:56:34 . 2006-03-02 12:00:00 387584 ----a-w- C:\WINDOWS\system32\themeui.dll
2013-08-08 06:09:49 . 2006-03-02 12:00:00 1877888 ----a-w- C:\WINDOWS\system32\win32k.sys
2013-08-08 06:05:46 . 2006-03-02 12:00:00 920064 ----a-w- C:\WINDOWS\system32\wininet.dll
2013-08-08 06:05:46 . 2006-03-02 12:00:00 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
2013-08-08 06:05:45 . 2006-03-02 12:00:00 18944 ----a-w- C:\WINDOWS\system32\corpol.dll
2013-08-08 06:05:45 . 2006-03-02 12:00:00 1469440 ----a-w- C:\WINDOWS\system32\inetcpl.cpl
2013-08-08 00:04:27 . 2006-03-02 12:00:00 385024 ----a-w- C:\WINDOWS\system32\html.iec
2013-08-07 12:58:59 . 2013-08-07 12:58:59 31048 ----a-w- C:\WINDOWS\_SETUPD_.EXE
2013-08-05 13:30:17 . 2006-03-02 12:00:00 1289216 ----a-w- C:\WINDOWS\system32\ole32.dll
2013-08-02 19:48:38 . 2006-10-18 15:47:22 1543680 ------w- C:\WINDOWS\system32\wmvdecod.dll
2013-07-10 10:37:48 . 2006-03-02 12:00:00 406016 ----a-w- C:\WINDOWS\system32\usp10.dll
2013-07-04 07:34:00 . 2006-03-02 12:00:00 2151936 ----a-w- C:\WINDOWS\system32\ntoskrnl.exe
2013-07-04 07:33:59 . 2004-08-17 15:58:00 2030592 ----a-w- C:\WINDOWS\system32\ntkrnlpa.exe
 
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 12:36:46 30040]
"RTHDCPL"="RTHDCPL.EXE" [2010-12-30 08:17:18 19972712]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-01-16 01:12:44 137752]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 09:40:44 155648]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 01:32:50 253816]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 21:06:36 958576]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15:40:54 15360]
"AlterGeoUpdater"="C:\Documents and Settings\All Users\Application Data\AlterGeo\Update for Html5 geolocation provider\html5locsvc.exe" [2013-01-28 12:39:56 29696]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\tumint430.dll
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EXPLORER.EXE]
2008-04-14 15:40:58 1034240 ----a-w- C:\WINDOWS\explorer.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MP10_EnsureFileVer"=C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
"eTCertManger"=C:\WINDOWS\system32\eTCrtMng.exe
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\WINDOWS\\system32\\rserver30\\rserver3.exe"=
"C:\\Program Files\\Sony Ericsson\\Update Engine\\Sony Ericsson Update Engine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
 
R2 LcSvrAdm;ELSA Administration Service;C:\ElsaWin\bin\LcSvrAdm.exe [04.04.2012 13:25:47 240640]
R2 LcSvrDba;ELSA DBA Server;C:\ElsaWin\bin\LcSvrDba.exe [04.04.2012 13:26:02 392704]
R2 LcSvrHis;ELSA Historie Server;C:\ElsaWin\bin\LcSvrHis.exe [04.04.2012 13:26:04 335360]
R2 LcSvrPAS;ELSA PASS Server;C:\ElsaWin\bin\LcSvrPas.exe [04.04.2012 13:26:09 477696]
R2 LcSvrSaz;ELSA APOSpro Server;C:\ElsaWin\bin\LcSvrSaz.exe [04.04.2012 13:42:56 373248]
R2 TumarCSP Service;TumarCSP Service;C:\Program Files\GammaTech\TumarCSP\bin\tumsrv204.exe [01.09.2011 14:51:11 453632]
R2 VSGate;ELSA Vaudis Service;C:\ElsaWin\bin\VSGate.exe [04.04.2012 13:25:57 81920]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\drivers\klim5.sys [30.05.2007 17:49:06 24344]
R3 LcSvrAuf;ELSA Auftragsverwaltungs Service;C:\ElsaWin\bin\LcSvrAuf.exe [04.04.2012 13:26:03 1321472]
S2 gupdate1ca050c48518e32;Google Update Service (gupdate1ca050c48518e32);C:\Program Files\Google\Update\GoogleUpdate.exe [15.07.2009 11:20:35 133104]
S2 MBAMScheduler;MBAMScheduler;C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [05.09.2013 9:48:32 418376]
S2 MBAMService;MBAMService;C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [05.09.2013 9:48:32 701512]
S3 Ambfilt;Ambfilt;C:\WINDOWS\system32\drivers\Ambfilt.sys [20.01.2011 11:42:21 1691480]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\drivers\ggflt.sys [30.01.2013 18:09:54 12400]
S3 MBAMProtector;MBAMProtector;C:\WINDOWS\system32\drivers\mbam.sys [05.09.2013 9:48:30 22856]
S3 PPEMSCAN;Protector Plus Email Scan Driver;\??\C:\Protector Plus\PPEMSCAN.sys --> C:\Protector Plus\PPEMSCAN.sys [?]
S3 RServer3;Radmin Server V3;C:\WINDOWS\system32\rserver30\rserver3.exe [09.10.2009 14:00:44 1242504]
S3 Sony PC Companion;Sony PC Companion;C:\Program Files\Sony\Sony PC Companion\PCCService.exe [22.01.2013 18:52:15 155824]
S4 sptd;sptd;C:\WINDOWS\system32\drivers\sptd.sys [14.12.2011 17:35:26 721904]
 
Contents of the 'Scheduled Tasks' folder
 
2013-09-17 C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-25 12:48:54 . 2013-09-13 06:28:23]
 
2013-09-17 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2009-07-15 05:20:35 . 2009-07-15 05:20:03]
 
2013-09-17 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2009-07-15 05:20:35 . 2009-07-15 05:20:03]
 
2013-09-17 C:\WINDOWS\Tasks\User_Feed_Synchronization-{1A3A7B1B-4904-4AF6-9913-7783DA85B13D}.job
- C:\WINDOWS\system32\msfeedssync.exe [2007-08-13 12:36:40 . 2009-03-07 22:31:54]
 
 
------- Supplementary Scan -------
 
uInternet Settings,ProxyServer = 192.168.55.2:8080
uInternet Settings,ProxyOverride = <local>
IE: &Export to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: pki.kz\ind
TCP: Interfaces\{57569E7E-A49E-4E25-8496-6A3F4E6D340C}: NameServer = 192.168.1.41
TCP: Interfaces\{7C2D2AC0-5089-4D6D-BC4F-E7F85D66FEEB}: NameServer = 212.154.163.162
 
- - - - ORPHANS REMOVED - - - -
 
Toolbar-Locked - (no file)
WebBrowser-{6AA40521-14E7-4B1D-B1B4-98528C1388C9} - (no file)
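As an added example (not part of the original post, and not ComboFix's own code), here is a small Python triage script that reads lines in the format of the log above and flags the entries a responder would verify first: an AppInit_DLLs value, Security Center monitoring switched off for a product, the firewall disabled on the standard profile, globally open ports, a service whose binary ComboFix could not find (the `[?]` marker), remote-administration services, and a configured proxy. The sample input is excerpted from the log above; the category names and the remote-access keyword list are assumptions of this example. A flag is a prompt to check, not a verdict: the AppInit DLL here shares a name prefix with the TumarCSP product listed among the services, and Radmin plus open 5900/5800/3389 may be deliberate on a managed workstation, but each still needs to be confirmed rather than assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    category: str  # tag chosen for this example, not a ComboFix term
    detail: str    # evidence copied from the matching log line


# Constructed sample: lines excerpted from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\tumint430.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 PPEMSCAN;Protector Plus Email Scan Driver;\??\C:\Protector Plus\PPEMSCAN.sys --> C:\Protector Plus\PPEMSCAN.sys [?]
S3 RServer3;Radmin Server V3;C:\WINDOWS\system32\rserver30\rserver3.exe [09.10.2009 14:00:44 1242504]

uInternet Settings,ProxyServer = 192.168.55.2:8080
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                    # [HKLM\...] section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')      # "Name"=value
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?)(?:\s\[([^\]]*)\])?$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)$")
# Keyword list is an assumption of this example; extend it for your environment.
REMOTE_ACCESS_RE = re.compile(r"radmin|rserver|vnc|teamviewer|ammyy", re.IGNORECASE)


def _dword(value: str) -> Optional[int]:
    """ComboFix prints REG_DWORD as 'dword:00000001' or '0 (0x0)'; both are hex."""
    m = re.match(r"(?:dword:)?(0x[0-9a-f]+|[0-9a-f]+)", value.lower())
    return int(m.group(1), 16) if m else None


def _check_value(key: str, name: str, value: str, out: List[Finding]) -> None:
    """Apply the registry checks that depend on which key a value sits under."""
    k, n = key.lower(), name.lower()
    if k.endswith(r"windows nt\currentversion\windows") and n == "appinit_dlls" and value:
        # Loaded into every process that links user32.dll: a classic injection point.
        out.append(Finding("appinit_dll", value))
    elif r"security center\monitoring" in k and n == "disablemonitoring" and _dword(value) == 1:
        out.append(Finding("security_center_monitoring_disabled", key.rsplit("\\", 1)[-1]))
    elif k.endswith(r"firewallpolicy\standardprofile") and n == "enablefirewall" and _dword(value) == 0:
        out.append(Finding("firewall_disabled", "standardprofile"))
    elif k.endswith(r"globallyopenports\list"):
        out.append(Finding("globally_open_port", f"{name} ({value})"))


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current registry key, and collect findings."""
    out: List[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            key = m.group(1)
        elif (m := VALUE_RE.match(line)):
            _check_value(key, m.group(1), m.group(2).strip(), out)
        elif (m := SERVICE_RE.match(line)):
            _, svc, display, image, meta = m.groups()
            if meta == "?":  # ComboFix could not stat the image file on disk
                out.append(Finding("service_binary_missing", f"{svc}: {image}"))
            if REMOTE_ACCESS_RE.search(svc) or REMOTE_ACCESS_RE.search(display):
                out.append(Finding("remote_access_service", f"{svc} ({display}) -> {image}"))
        elif (m := PROXY_RE.match(line)):
            out.append(Finding("proxy_configured", m.group(1)))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:38} {f.detail}")
```

Run it against a full ComboFix log with `triage(open(path, encoding="utf-8", errors="replace").read())`; the one-pass, key-tracking design means section headers and their values are matched correctly even when the log is long, and every finding carries the original line fragment so it can be quoted back in a reply.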

Root Admin:

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
