Can't run Malwarebytes or any other antivirus program

Dezbme · August 6, 2009

I can't run Malwarebytes or any other antivirus program for more then 4 seconds. I don't know where to begin, but there is definitely something wrong with the laptop.. When trying to search in the internet browser, it takes me to a different search engine with different results.

Please point me in the right directly to begin this removal process.

miekiemoes · August 7, 2009

Hi,

First please take a look and see if any of these posts help you to get MBAM running or not.

Potential Malware infection issues to review to get MBAM running

If none of above apply in your case, then try if Malwarebytes works when you rename mbam.exe. This is the file located in the Program Files\Malwarebytes' Anti-Malware folder. So rename mbam.exe to blah.exe (or so). It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so these include system important processes. So that's why it may be a good idea to rename mbam.exe to explorer.exe or so.

Also try to run Mbam from Windows Safe mode.

Dezbme · August 7, 2009

Hi,
First please take a look and see if any of these posts help you to get MBAM running or not.
Potential Malware infection issues to review to get MBAM running
MBAM wont install or will not run. - CLB Rootkit driver=TDSS/Seneka/GAOPDX/UAC
MBAM wont install or will not run. - SystemSecurity
MB won't run(Fix) - Total-Security (FakeAlert)
MBAM wont run (Fix) - av360 (Fakealert)
If none of above apply in your case, then try if Malwarebytes works when you rename mbam.exe. This is the file located in the Program Files\Malwarebytes' Anti-Malware folder. So rename mbam.exe to blah.exe (or so). It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so these include system important processes. So that's why it may be a good idea to rename mbam.exe to explorer.exe or so.
Also try to run Mbam from Windows Safe mode.

I have read over the four stickie cases and tried their method but it didn't apply to my case.

I have install the Procexp.exe but I couldn't find anything that was blocking the system from running Malwarebytes.

I install Rootrepeal and try scanning the files, but it would run for about 4 seconds an freeze up and then disappear.

When I try running Rootrepeal it wouldn't open.

I try your next method of renaming the mbam.exe and I get the following error:

Error message:

Cannot rename mbam: Access is denied.

Make sure the disk is not full or write-protected and that the

file is not currently in use.

I tried it in Safe mode and it's the same error.

The only thing I haven't try is to rename it to explorer.exe and see what will happen. I will follow up and let you know.

Thank you so much for your help.

miekiemoes · August 7, 2009

This is strange...

Please download DDS and save it to your desktop.

Disable any script blocking protection
Double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
Save both reports to your desktop.

---------------------------------------------------

Copy and paste the contents of DDS.txt in your next reply. Do not copy and paste the contents of Attach.txt, but attach it to your reply instead.

pesto126 · August 7, 2009

Not to hijack this thread.. but I have the EXACT same issues... and when I run DDS - it just sits in the DOS box and doesn't provide any results for over 10 mins.. I've posted my own post but will be watching this one as well. Thx.

miekiemoes · August 7, 2009

I've already replied in your thread.

pesto126 · August 7, 2009

Thank you...

DBristol1226 · August 7, 2009

Had similar issue on friend's PC. Could not install Malwarebytes and couldn't run existing AV product or install new.

Discovered the offending infection knew existing names. By changine Malwarebytes download to "Killthis" (imagine anything else would have worked). Was able to install the application. Had to change names of executable to get the application to run.

Just my 2 cents.

miekiemoes · August 7, 2009

The renaming part is already in my instructions

Dezbme · August 8, 2009

The renaming part is already in my instructions

I try rename it after a fresh install and it still only run for 4 second and then disappear. When I try to start the software again it give me the error I previous posted. Attached are the copy of the DDS and I attached what you requested.

Thank you for you patience and help.

Mike

DDS (Ver_09-07-30.01) - NTFSx86

Run by Mike Nguyen at 15:11:32.43 on Sun 08/09/2009

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1649 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\IDT\WDM\STacSV.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\sttray.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\AESTFltr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\Mike Nguyen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = *.local

BHO: c:\windows\system32\hs7f3uhduhfukde.dll: {bd56a320-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\hs7f3uhduhfukde.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [iDTSysTrayApp] sttray.exe

mRun: [sysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe

mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [HP Mobile Broadband] c:\swsetup\hpqwwan\HPMobileBroadband.exe /TrayMode

mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

STS: c:\windows\system32\hs7f3uhduhfukde.dll: {bd56a320-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\hs7f3uhduhfukde.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-6 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-6 108289]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-6 55656]

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2008-10-5 112128]

S0 vkquwexg;vkquwexg;c:\windows\system32\drivers\combo-fix.sys --> c:\windows\system32\drivers\Combo-Fix.sys [?]

S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-6 185089]

S2 WinDefend;Windows Defender;"c:\program files\windows defender\msmpeng.exe" --> c:\program files\windows defender\MsMpEng.exe [?]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-6-25 17408]

S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2009-08-09 15:07 <DIR> --d-h--- c:\windows\PIF

2009-08-09 15:04 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-09 15:04 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-08-09 15:04 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-08-06 19:35 55,656 a------- c:\windows\system32\drivers\avgntflt.sys

2009-08-06 19:35 <DIR> --d----- c:\program files\Avira

2009-08-06 19:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira

2009-08-06 18:39 <DIR> --d----- c:\windows\system32\CatRoot

2009-08-05 17:56 1,081,616 a------- c:\windows\system32\MSCOMCTL.OCX

2009-08-04 21:27 219,648 a------- c:\windows\PEV.exe

2009-08-04 21:27 161,792 a------- c:\windows\SWREG.exe

2009-08-04 21:27 98,816 a------- c:\windows\sed.exe

2009-08-04 21:27 <DIR> --ds---- C:\BryantLake

2009-08-04 21:27 389,120 a------- c:\windows\system32\CF2534.exe

2009-08-04 18:49 31,232 a------- c:\windows\system32\wingenocx.dll

2009-08-04 17:42 154,632 a------- c:\windows\system32\minix32.exe

2009-08-04 17:39 180 a------- c:\windows\34rdft.bat

2009-08-04 17:39 247 a------- c:\windows\prxid93ps.dat

2009-08-04 17:39 24,576 a------- c:\windows\system32\tapi.nfo

2009-08-04 17:39 4,224 a------- c:\windows\system32\drivers\beep.sys

2009-08-04 17:39 4,224 a------- c:\windows\system32\dllcache\beep.sys

2009-07-17 23:17 19,871 a------- c:\windows\system32\pykij.db

2009-07-17 23:17 17,730 a------- c:\windows\system32\exubigume.lib

2009-07-17 23:17 17,237 a------- c:\program files\common files\sotiq.bin

2009-07-17 23:17 16,953 a------- c:\windows\system32\icikaxuzec.inf

2009-07-17 23:17 15,520 a------- c:\docume~1\alluse~1\applic~1\yrocuvinel.pif

2009-07-17 23:17 15,071 a------- c:\program files\common files\sitibi.dll

2009-07-17 23:17 13,899 a------- c:\windows\system32\ujov.db

2009-07-17 23:17 12,826 a------- c:\windows\ibycyzu.bin

2009-07-17 23:17 12,644 a------- c:\docume~1\alluse~1\applic~1\ihysa.bat

2009-07-17 23:17 11,699 a------- c:\docume~1\mikeng~1\applic~1\azen.pif

2009-07-17 23:17 11,395 a------- c:\windows\vobafozeq.sys

2009-07-17 23:17 10,021 a------- c:\program files\common files\ivepyqa.dll

2009-07-14 22:16 180 a------- c:\windows\3456665.bat

==================== Find3M ====================

2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll

2009-07-19 08:33 3,597,824 -------- c:\windows\system32\dllcache\mshtml.dll

2009-07-19 08:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll

2009-07-17 23:17 18,939 a------- c:\program files\common files\gisexi._dl

2009-06-29 06:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe

2009-06-29 06:07 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe

2009-06-29 03:35 634,632 -------- c:\windows\system32\dllcache\iexplore.exe

2009-06-29 03:33 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat

2009-06-29 03:33 161,792 -------- c:\windows\system32\dllcache\ieakui.dll

2009-06-25 21:39 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_netaapl_01005.Wdf

2009-06-25 21:39 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-06-16 09:36 119,808 -------- c:\windows\system32\t2embed.dll

2009-06-16 09:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll

2009-06-16 09:36 81,920 -------- c:\windows\system32\fontsub.dll

2009-06-16 09:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll

2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll

2009-06-05 11:42 1,419,232 a------- c:\windows\system32\wdfcoinstaller01005.dll

2009-06-03 14:09 1,291,264 -------- c:\windows\system32\quartz.dll

2009-06-03 14:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll

2009-02-07 22:46 410 a------- c:\docume~1\mikeng~1\applic~1\wklnhst.dat

============= FINISH: 15:11:57.45 ===============

Attach.txt

FNIrishbull · August 8, 2009

Not to hijack this thread.. but I have the EXACT same issues... and when I run DDS - it just sits in the DOS box and doesn't provide any results for over 10 mins.. I've posted my own post but will be watching this one as well. Thx.

I am also having the same problem and when I try to run anything now, Malwarebytes, Hijack This, or DDS a cmd window opens some script runs across it an dthe n closes all in 2-3 seconds. Have posted but saw similar problem here.

Maurice Naggar · August 8, 2009

@ FNIrishBull

See my reply in your thread http://www.malwarebytes.org/forums/index.php?showtopic=21131

This thread belongs to someone else, so you ought to stick with yours, please, and make no more here.

miekiemoes · August 9, 2009

Hi,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".

[*]During the download, rename Combofix to Combo-Fix as follows:

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

Dezbme · August 9, 2009

Hi,
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".
[*]During the download, rename Combofix to Combo-Fix as follows:
[*]It is important you rename Combofix during the download, but not after.
[*]Please do not rename Combofix to other names, but only to the one indicated.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
[*]Double click on combo-Fix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
If you still cannot get this to run, try booting into Safe Mode, and run it there.
To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

I download the file and rename it like you had request, but the software did NOT install. After the first phase of the install where the status percentage loading, the software then disappear and doesn't ask for anything else. It didn't run any scan or produce any file in the C Drive. I also tried it in the Safe Mode and it was the same result.

What to do now?

miekiemoes · August 9, 2009

Hi,

It should work this way though. Have you tried the exact steps as I posted? Which means, renaming the file before actually downloading it?

Dezbme · August 10, 2009

Hi,
It should work this way though. Have you tried the exact steps as I posted? Which means, renaming the file before actually downloading it?

yes I made sure I renamed it before it download to the desktop. After I click on it to start the install process it goes through it process status bar and then disappear. No prompt to install to a certain location or run any scan.

I really appreciate all your help, please dont give up on me.

miekiemoes · August 10, 2009

Hi,

I suggest you backup important data alreadyy, because this doesn't look too good here. This in case the malware present causes extra damage.

Then,

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

Download the
Avira AntiVir Rescue System
from
here
Place a blank CD in your burner and double-click on the downloaded file.
The program will automatically burn the CD for you.
Place the burned CD into the affected computer and start the computer from this CD.
On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
Click on the
Configuration
button.
- Select
  Scan all files
- Select
  Try to repair infected files
  and
  Rename files, if they cannot be removed
- Select
  Scan for dialers
- Select
  Scan for joke programs (Jokes)
- Select
  Scan for games
- Select
  Scan for spyware (SPR)
[*]
Click on
Virus scanner
[*]
Click on
Start scanner
at the bottom of the screen
[*]
Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Screen resolution problems

Please see the post

here

if you're unable to view the entire screen of Avira.

Dezbme · August 11, 2009

Hi,
I suggest you backup important data alreadyy, because this doesn't look too good here. This in case the malware present causes extra damage.
Then,
Avira AntiVir Rescue System
Requires access to a working computer with a CD/DVD burner to create a bootable CD.
Download the
Avira AntiVir Rescue System
from
here
Place a blank CD in your burner and double-click on the downloaded file.
The program will automatically burn the CD for you.
Place the burned CD into the affected computer and start the computer from this CD.
On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
Click on the
Configuration
button.
Select
Scan all files
Select
Try to repair infected files
and
Rename files, if they cannot be removed
Select
Scan for dialers
Select
Scan for joke programs (Jokes)
Select
Scan for games
Select
Scan for spyware (SPR)
[*]
Click on
Virus scanner
[*]
Click on
Start scanner
at the bottom of the screen
[*]
Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings
The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.
Screen resolution problems
Please see the post
here
http://forum.avira.com/wbb/index.php?page=Thread&threadID=82578' rel="external nofollow">
if you're unable to view the entire screen of Avira.

My netbook does not have a cd rom drive, and I don't have an external one, so I'm waiting to borrow my co-worker. I will follow up with you in a couple of days and let you know how it went.

miekiemoes · August 11, 2009

Extra note, please also do the following...

Open notepad and copy and paste next present in the quotebox in it:

DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\sceclt.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\ntelogon.dll >Look.txt
Start notepad Look.txt

Save this as look.bat , choose to save as *all files and place it on your desktop.

It should look like this:

Doubleclick on it and notepad should open.

Copy and paste the contents of it in your next reply.

Dezbme · August 13, 2009

Extra note, please also do the following...
Open notepad and copy and paste next present in the quotebox in it:
Save this as look.bat , choose to save as *all files and place it on your desktop.
It should look like this:
Doubleclick on it and notepad should open.
Copy and paste the contents of it in your next reply.

Mieke,

The situation with the external CD driver is not going to happen, because my coworker has seem to misplace it.

I will have skip this step and go on to your next one. I'm almost to a point where I'm going to format this netbook and start over, it just wasting to much time on it. I will follow up with you regarding the notepad.

miekiemoes · August 13, 2009

Hi,

I'm almost to a point where I'm going to format this netbook and start over, it just wasting to much time on it.

I know.

Your pc is too severly infected here. Even though if we have things up and running again, there's never a guarantee you'll be able to trust this computer anymore. I've actually blogged about this before as well: Malware Removal - Where to draw the line

So if it's taking too long to restore, because we can't find the cause yet and even if we can find it, then we still have to deal with it if possible - then in most cases it's just better to throw in the towel and start from fresh.

Dezbme · August 16, 2009

Extra note, please also do the following...
Open notepad and copy and paste next present in the quotebox in it:
Save this as look.bat , choose to save as *all files and place it on your desktop.
It should look like this:
Doubleclick on it and notepad should open.
Copy and paste the contents of it in your next reply.

here are the notes from the look.bat program.

Volume in drive C has no label.

Volume Serial Number is 12B5-13BD

Directory of C:\WINDOWS\system32

04/14/2008 11:00 PM 60,928 scecli.dll

Directory of C:\WINDOWS\system32

04/14/2008 11:00 PM 181,248 sceclt.dll

Directory of C:\WINDOWS\system32

04/14/2008 11:00 PM 407,040 netlogon.dll

3 File(s) 649,216 bytes

Total Files Listed:

3 File(s) 649,216 bytes

0 Dir(s) 7,609,724,928 bytes free

Dezbme · August 16, 2009

I try downloading ComboFix and renaming it to iexplore.exe to the desktop. It downloaded fine, but when I try installing the software, it get pass the percentage bar and it disappear. Nothing install or prompt for anything.

Do you have any other idea or is it time for restoring it??

miekiemoes · August 17, 2009

Hi,

1. Please download The Avenger2 by SwanDog46

2. Unzip avenger.exe to your desktop.

3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"

Files to move:
C:\WINDOWS\system32\sceclt.dll|C:\Windows\System32\scecli.dll

4. Now start The Avenger2 by double clicking avenger.exe on your desktop.

5. Read the prompt that appears, and press OK.

6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".

7. Press the "Execute" button.

8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.

Note: It is possible that Avenger will reboot your system TWICE.

9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Dezbme · August 17, 2009

Hi,
1. Please download The Avenger2 by SwanDog46
2. Unzip avenger.exe to your desktop.
3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
Files to move:
C:\WINDOWS\system32\sceclt.dll|C:\Windows\System32\scecli.dll
4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
5. Read the prompt that appears, and press OK.
6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
7. Press the "Execute" button.
8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.
9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

below is the logged. Let me know what else I can do.

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\WINDOWS\system32\sceclt.dll|C:\Windows\System32\scecli.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Can't run Malwarebytes or any other antivirus program

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information