Can't get MBAM or HJT this run



Hi chief18, Welcome to Malwarebytes :)

Step #1

We Need to check for Rootkits with RootRepeal

  1. Download RootRepeal from the following location and save it to your desktop.
     • Rar Mirrors - Only if you know what a RAR is and can extract it.
  2. Extract RootRepeal.exe from the archive.
  3. Open RootRepeal on your desktop.
  4. Click the Report tab.
  5. Click the Scan button.
  6. Check all seven boxes.
  7. Push Ok.
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Step #2

Please download Win32kDiag.exe by AD to the desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report in your next reply.

Step #3

Please download ComboFix from here or here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix.
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


chief18,

SpySentinel will be away for a bit and I will be taking over for him. Please follow his most recent set of instructions and we'll continue from there.

-screen317

Thanks for your help.....

Step 1

I ran RootRepeal. After running for some time I got the error dialog "RootRepeal Error" with the message "Could not read our index block!". I pressed the Details button and got "Attempt to read from address 0x00000114".

Step 2

Win32kDiag.txt attached

Step 3

ComboFix.txt attached

Thanks,

Jeffrey



I've since run Malwarebytes Anti-Malware (which wasn't able to run previously) three times. The first two times it found problems and fixed them. The third time (full scan) it didn't find any problems.

Thanks,

Jeffrey


  • Staff

Hi Jeffrey,

Please don't attach logs. Post them here instead.

Please delete your copy of Win32kDiag.

Please save this file to your Desktop. Click on Start->Run, copy-paste the following command into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

After that, please go to VirusTotal, and upload the following file for analysis:

c:\windows\System32\IcnOvrly.dll

Post the results in your reply.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-screen317



Thanks for your help....

This is Win32kDiag.txt...

Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\Windows'...
Found mount point : C:\Windows\45235788142C44BE8A4DDDE9A84492E5.TMP\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\45235788142C44BE8A4DDDE9A84492E5.TMP\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Cannot access: C:\Windows\bthservsdp.dat
Attempting to restore permissions of : C:\Windows\bthservsdp.dat
[1] 2009-08-21 08:03:03 1660 C:\Windows\bthservsdp.dat ()
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
[1] 2009-08-21 08:04:10 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
[1] 2009-08-21 08:03:56 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
[1] 2009-08-21 08:03:59 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
[1] 2009-08-21 08:03:59 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
[1] 2009-08-21 08:05:04 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl ()
Cannot access: C:\Windows\System32\mrt.exe
Attempting to restore permissions of : C:\Windows\System32\mrt.exe
[1] 2009-07-29 20:49:14 24281536 C:\Windows\System32\mrt.exe (Microsoft Corporation)
[1] 2008-01-20 22:24:53 52696 C:\Windows\winsxs\x86_microsoft-windows-malwareremovaltool_31bf3856ad364e35_6.0.6001.18000_none_d3909ca1dd6bb475\mrt.exe (Microsoft Corporation)
Finished!

These are the Results from VirusTotal...


  • Staff

Hi Jeffrey18,

The infection seems to have been neutralized. Let's see if we can get your security programs to run now.

Navigate to this file:

C:\program files\malwarebytes' anti-malware\mbam.exe

  • Right-click it, and click Properties.
  • Click the Security tab.
  • Click Edit...
  • Accept the prompt that pops up.
  • Click System then click Full Control under Allow.
  • Click Administrators then click Full Control under Allow.
  • Click Users then only click on Read & Execute and Read under Allow.
  • Click OK on both windows.
  • Restart your computer and see if MBAM will run now.

-screen317
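The Win32kDiag report posted earlier and the permission-reset steps above are two halves of one triage: the report names a mount point whose target is a raw \Device\ object name rather than a \??\Volume{GUID}\ path, plus the files the tool could not open, and the Properties > Security steps hand those files back the ACL entries they should carry. The Python script below is an added example, not Win32kDiag's, ComboFix's or Malwarebytes' code. It parses a trimmed copy of the report from this thread, flags the mount point, lists the locked files with the size and company string the log gives for them, and prints the icacls (and optional takeown) lines equivalent to the manual Security-tab edit (SYSTEM and Administrators Full Control, Users Read & Execute). The "suspicious destination" rule, the MountPoint/LockedFile names and the command strings are this example's own assumptions; the commands need an elevated cmd.exe and are printed, not executed.

```python
"""Triage a Win32kDiag report: flag mount points that do not resolve to a real
volume, collect the files the tool could not open, and emit cmd.exe lines that
reproduce the manual permission reset from the thread.

Added example, not Win32kDiag's or Malwarebytes' code. The detection rule and the
generated commands are this script's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Trimmed copy of the Win32kDiag report posted in the thread (format unchanged).
SAMPLE_LOG = r"""Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\Windows'...
Found mount point : C:\Windows\45235788142C44BE8A4DDDE9A84492E5.TMP\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Mount point destination : \Device\__max++>\^
Removing mount point : C:\Windows\45235788142C44BE8A4DDDE9A84492E5.TMP\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Cannot access: C:\Windows\bthservsdp.dat
Attempting to restore permissions of : C:\Windows\bthservsdp.dat
[1] 2009-08-21 08:03:03 1660 C:\Windows\bthservsdp.dat ()
Cannot access: C:\Windows\System32\mrt.exe
Attempting to restore permissions of : C:\Windows\System32\mrt.exe
[1] 2009-07-29 20:49:14 24281536 C:\Windows\System32\mrt.exe (Microsoft Corporation)
[1] 2008-01-20 22:24:53 52696 C:\Windows\winsxs\x86_microsoft-windows-malwareremovaltool_31bf3856ad364e35_6.0.6001.18000_none_d3909ca1dd6bb475\mrt.exe (Microsoft Corporation)
Finished!
"""

_MOUNT = re.compile(r"^Found mount point : (.+)$")
_DEST = re.compile(r"^Mount point destination : (.+)$")
_LOCKED = re.compile(r"^Cannot access: (.+)$")
_FILE = re.compile(r"^\[\d+\] \S+ \S+ (\d+) (.+?) \((.*)\)$")  # [n] date time size path (company)


@dataclass
class MountPoint:
    path: str
    destination: str = ""

    def is_suspicious(self) -> bool:
        # A volume mount point made through Disk Management resolves to a
        # \??\Volume{GUID}\ name; a raw \Device\ object name does not belong here.
        return not self.destination.startswith(r"\??\Volume{")


@dataclass
class LockedFile:
    path: str
    size: Optional[int] = None
    company: str = ""  # empty when the file carries no version info


@dataclass
class Report:
    backup_privilege: bool = True
    mount_points: List[MountPoint] = field(default_factory=list)
    locked_files: Dict[str, LockedFile] = field(default_factory=dict)


def parse_report(text: str) -> Report:
    """A destination line belongs to the last mount point seen; a "[n] ..." line
    fills in a file already reported as inaccessible (WinSxS copies are ignored)."""
    rep = Report()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("WARNING: Could not get backup privileges"):
            rep.backup_privilege = False
        elif (m := _MOUNT.match(line)):
            rep.mount_points.append(MountPoint(m.group(1)))
        elif (m := _DEST.match(line)) and rep.mount_points:
            rep.mount_points[-1].destination = m.group(1)
        elif (m := _LOCKED.match(line)):
            rep.locked_files.setdefault(m.group(1), LockedFile(m.group(1)))
        elif (m := _FILE.match(line)) and m.group(2) in rep.locked_files:
            lf = rep.locked_files[m.group(2)]
            lf.size, lf.company = int(m.group(1)), m.group(3)
    return rep


def repair_commands(path: str, take_ownership: bool = False) -> List[str]:
    """Equivalent of the Properties > Security steps in the thread: SYSTEM and
    Administrators get Full Control, Users get Read & Execute. Run from an
    elevated cmd.exe; takeown is only needed when the owner was changed too."""
    cmds = [f'takeown /f "{path}"'] if take_ownership else []
    cmds.append(f'icacls "{path}" /grant "SYSTEM:F" "Administrators:F" "Users:RX"')
    return cmds


def triage(text: str) -> List[str]:
    """Findings first, then one repair command per locked file."""
    rep = parse_report(text)
    out = []
    if not rep.backup_privilege:
        out.append("WARNING: ran without SeBackupPrivilege; rerun from an elevated prompt")
    for mp in rep.mount_points:
        if mp.is_suspicious():
            out.append(f"SUSPICIOUS mount point {mp.path} -> {mp.destination}")
    for lf in rep.locked_files.values():
        out.append(f"LOCKED {lf.path} ({lf.size} bytes, {lf.company or 'no version info'})")
        out.extend(repair_commands(lf.path))
    return out


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```

Run it as-is to see the findings for the trimmed log, or read a full Win32kDiag.txt into parse_report() to triage a real one. The script only prints the commands: review the list before pasting it into an elevated prompt, because icacls will just as happily unlock a binary the malware dropped in place of the original, and the "Could not get backup privileges" line in the report is the hint that the diagnostic itself needs to be re-run elevated.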



Thanks for your help....

Malwarebytes Anti-Malware ran and found no problems.

This is the log.

Malwarebytes' Anti-Malware 1.40
Database version: 2685
Windows 6.0.6001 Service Pack 1

8/23/2009 10:15:42 PM
mbam-log-2009-08-23 (22-15-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 409672
Time elapsed: 2 hour(s), 12 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks,

Jeffrey


  • Staff

Hi Jeffrey,

Repeat the permissions reset for any program that you cannot open.

I notice that you are using more than one antivirus program (avast!, AVG, AntiVir, Trend Micro Internet Security). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Also delete Win32kDiag and SecurityCheck.

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
