
Runtime error - mbam.exe


JeffR

I followed the instructions in previous threads and have downloaded process explorer and RootRepeal.

I wiped a couple of processes that looked to be random name generations, but I want to be sure I've wiped the correct files.

Here's the report generated from RootRepeal. Any help is appreciated. Thanks!

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/26 08:24
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF522F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AB3000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7A8F000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF24F2000 Size: 49152 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x86ce9948 Size: 635

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x86c1a698 Size: 2408

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x86c43e68 Size: 394

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x86c2f430 Size: 579

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x86c33430 Size: 223

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86cd24f8 Size: 105

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86e00ad8 Size: 1321

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x86e1e568 Size: 337

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x86d21cd0 Size: 816

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86cb7e68 Size: 409

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86c27430 Size: 948

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86c2f880 Size: 186

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86d0ee68 Size: 409

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86cdf338 Size: 3272

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86d0f338 Size: 470

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86c32338 Size: 355

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86c30bd8 Size: 195

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86cd2bd8 Size: 358

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x86c071c0 Size: 3381

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x86daa120 Size: 371

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86da91c0 Size: 1139

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86da7120 Size: 2975

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x86da51c0 Size: 142

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86e781c0 Size: 3195

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x86e411c0 Size: 851

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86e3e120 Size: 883

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86c001c0 Size: 747

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x86bf9120 Size: 2558

Hidden Services
-------------------
Service Name: kbiwkmbuygkmav
Image Path: C:\WINDOWS\system32\drivers\kbiwkmrnggoqtc.sys

Service Name: kbiwkmkgqideag
Image Path: C:\WINDOWS\system32\drivers\kbiwkmqhnfwnvn.sys

Service Name: TDSSserv.sys)
Image Path: C:\WINDOWS\system32\drivers\TDSSmaxt.sys

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x86d8e1e8

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x86e19538

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x86c7e500

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x86ca7628

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x86bb81f8

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x86d1cc18

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x86c9bf30

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x86ccb020

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x86c28a10

==EOF==

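Since the thread turns on reading the Hidden Services and Shadow SSDT sections of the RootRepeal report above, here is an added Python helper (written for this page, not code from the thread or from RootRepeal) that parses that report format into those entries; the embedded sample is a constructed excerpt built from lines of the log above.

```python
import re

# Constructed excerpt in the RootRepeal report format posted in this thread (the
# entries are copied from that log; only a few are kept so the sample stays short).
SAMPLE_REPORT = r"""
Hidden Services
-------------------
Service Name: kbiwkmbuygkmav
Image Path: C:\WINDOWS\system32\drivers\kbiwkmrnggoqtc.sys
Service Name: TDSSserv.sys)
Image Path: C:\WINDOWS\system32\drivers\TDSSmaxt.sys

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x86e19538
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x86ccb020
"""

HOOK_RE = re.compile(r"#:\s*(\d+)\s+Function Name:\s*(\S+)")
ADDR_RE = re.compile(r"Hooked by .* at address (0x[0-9A-Fa-f]+)")

def parse_report(text):
    """Walk the report once; a line followed by a dashed rule starts a new section.
    Returns hidden services as (name, image path) and SSDT hooks as (index, function, address)."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    result = {"hidden_services": [], "hooks": []}
    section = pending = None
    for i, ln in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("-----"):
            section, pending = ln.strip(), None  # new section header
            continue
        if section == "Hidden Services":
            if ln.startswith("Service Name:"):
                pending = ln.split(":", 1)[1].strip()
            elif ln.startswith("Image Path:") and pending:
                result["hidden_services"].append((pending, ln.split(":", 1)[1].strip()))
                pending = None
        elif section and section.endswith("SSDT"):  # covers "SSDT" and "Shadow SSDT"
            m = HOOK_RE.match(ln)
            if m:
                pending = (int(m.group(1)), m.group(2))
            elif ln.startswith("Status:") and pending:
                a = ADDR_RE.search(ln)
                if a:  # only entries RootRepeal reports as hooked are kept
                    result["hooks"].append(pending + (a.group(1),))
                pending = None
    return result
```

Feed `parse_report` the full text of a saved report to get the same pairs the staff reply lists, plus every hooked Shadow SSDT entry with its hook address.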

  • Staff

Hi,

These are the ones to wipe:

Service Name: kbiwkmbuygkmav
Image Path: C:\WINDOWS\system32\drivers\kbiwkmrnggoqtc.sys

Service Name: kbiwkmkgqideag
Image Path: C:\WINDOWS\system32\drivers\kbiwkmqhnfwnvn.sys

Service Name: TDSSserv.sys)
Image Path: C:\WINDOWS\system32\drivers\TDSSmaxt.sys

Then, try to run malwarebytes afterwards and post the log.


I went into the RootRepeal, Hidden Services tab, scanned to display these three processes. When I right click on and select 'wipe file', I get a confirmation message, select 'Yes' and get a message "RootRepeal Error - Could not find the file on disk". Hmmm.

FWIW I also tried to 'Force Delete' these and got the same message.

Thx so much for your help!


  • Staff

Ok, no worries...

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:
    [screenshots: CF_download_FF.gif, CF_download_rename.gif]
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."
