MBAM.exe wont run


M&JT
 Share

Recommended Posts

Hello,

My laptop has been recently infected. I tried to run AVG; it found some viruses, trojans and a rootkit and said it removed them. But after that I continue to face issues: my Internet Explorer won't work, and MBAM.EXE won't run after installation. I have tried to run Win32KDiag.exe and below is its log. Please help me to disinfect my laptop.

Log file is located at:

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Edited by Mainard
Removed data as per user's request.

Sorry, the Win32KDiag log posted earlier was not full. Here's the full log:

Log file is located at:

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

Edited by Mainard
Removed data as per user's request.

Sorry you're having trouble with this newish rootkit infection.

Download The Avenger by Swandog46:

http://swandog46.geekstogo.com/avenger2/download.php

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to launch Avenger.
  • Click OK.
  • Make sure that the box next to "Scan for rootkits" is checked and that the box next to Automatically "Disable any rootkits found" is not checked.

Copy and Paste the text in the Code Box into the Avenger's "Input Script here" Box:

Files to move:
C:\WINDOWS\system32\dllcache\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

  • Click the Execute button.
  • You will be prompted with "Are you sure you want to execute the current script?"
  • Click "Yes"
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click "Yes".
  • Your PC will reboot.
  • After your PC has completed the necessary reboot, a log should automatically open.
  • If the log does not automatically open, then it can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt)
  • Please post the Avenger log in your next reply.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the "quick" scan is finished (a few seconds), click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

Note: If you have trouble completing the full scan, just paste back the "quick" scan results.

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as rayman.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!

You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply with a new hijackthis log.

Please post C:\Avenger.txt, Ark.txt, and C:\ComboFix.txt in your next reply.

What command did you use to run Win32kDiag.exe? Did you run it from the command prompt as follows with the switches (-f and -r) indicated?:

Win32kDiag.exe -f -r


Thanks for helping me!

I was able to successfully execute all the steps. Below are the logs for GMER and HijackThis. I had to attach ComboFix Log because of the limitation of text in reply.

As for your question about Win32kDiag.exe - I had run it from Windows Explorer by double clicking on it. I did not use any of the switches. Please let me know if I should run it again with the -f and -r switches.

Please look into the below logs and advise next steps.

----------------------------##################-----------------------------

GMER Log

-----------------EOF-----------------

----------------------------##################-----------------------------

Edited by Mainard
Removed data as per user's request.

You're welcome.

Yes - you should delete your current copy of win32kdiag. Please save this file to your desktop.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop.

Please open it with notepad and post the contents here.

Open a command prompt by doing the following:

  • Click Start -> run
  • type cmd
  • Hit Enter

  • Copy and paste the following onto the command line:
    REG QUERY HKLM\SYSTEM\select > C:\CCS.txt && notepad C:\CCS.txt
  • Then hit Enter
  • Post back the log that opens C:\CCS.txt

You have a lot of domains located in the trusted zone of Internet Explorer (they are listed in your logs). You may want to review all of those domains listed and verify that you put them there and that they are trustworthy.

We will have some more to do after I get this information from you.


Successfully executed both the steps. Please find below the Win32KDiag and CCS logs:

Win32KDiag Log:

Log file is located at:

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Please advise next steps!

Thanks!

Edited by Mainard
Removed data as per user's request.

Good job!

We have files to clean up that we will manually specify for deletion by using a Combofix script.

In order to perform the next step correctly - you need to move your renamed Combofix (Remove-It.exe) from its present location to your desktop.

c:\documents and settings\trivemit\My Documents\Downloads\Remove-It.exe

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

KillAll::

Driver::
oixthpylbdriycwb
prpqqouqxxnqqhxn
rkcure

File::
C:\WINDOWS\system32\drivers\oixthpylbdriycwb.sys
C:\WINDOWS\system32\drivers\prpqqouqxxnqqhxn.sys
C:\WINDOWS\system32\drivers\rkcure.sys

DirLook::
C:\0a182af68a06299ce0351f

Save this to your desktop as CFScript.txt by selecting File -> Save as.

(image: CFScriptB-4.gif)

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!! You can re-enable all after the Combofix log is generated.

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix.

Referring to the picture above, drag CFScript.txt into your renamed ComboFix.exe

This will cause ComboFix to run again.

Please post back the log that opens when it finishes (C:\Combofix.txt)

Launch MBAM

  • Select the Update tab -> Check for Updates
  • After MBAM updates, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK -> Show Results to view the scan results.
  • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If you are unable to complete or launch MBAM normally, then do the following:

Rename "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" -> "C:\Program Files\Malwarebytes' Anti-Malware\explorer.exe"

  • Now relaunch MBAM from the Windows Start Menu or by double-clicking explorer.exe in the MBAM folder.
  • Select the Update tab -> Check for Updates
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK -> Show Results to view the scan results.
  • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

If you are unable to run MBAM still then there may be some lingering permissions issues caused by the rootkit infection you had.


I ran ComboFix with CFScript and MBAM as instructed by you. Did not face any (visible) issues while running ComboFix. MBAM gave me an error when I tried to update it, but I found that it still allowed me to perform a quick scan. So I went ahead and ran it. It found one item, which I removed. I was going to post this log and ask for your guidance to resolve that error and try again, but I tried to update MBAM again and this time it worked! :huh: So I ran the MBAM quick scan again and this time it found 3 items, which I removed. So, for MBAM I am posting two logs. Sorry, but I want to pass on all the information to you.

Thanks! Please advise next steps.

----------------############################-------------------

ComboFix Log

Thanks again!!

Edited by Mainard
Removed data as per user's request.

I'm glad things are running better for you now, and that MBAM was able to update and run. It found some items related to a Rogue Security program in the Application Data folder but it removed them successfully.

The rootkit infection you had can reset permissions on programs to prevent them from running. Should you find that any of your programs are not functioning properly, then do the following to reset the permissions for the affected executables:

  • Download Inherit and save it to your desktop.
  • Drag each of the executable files (EXE files) that you are unable to run into Inherit.exe (this must be the EXE file - not the shortcut)
  • Then wait for it to say "OK"

This will restore normal permissions so the affected program(s) should launch properly.

Your latest Combofix run looks good except I am wondering if you know what these recently created folders are:

2009-09-08 06:04 . 2009-09-08 06:18 -------- d-----w- C:\xobooQ

2009-09-08 04:39 . 2009-09-08 06:15 -------- d-----w- C:\ger

They look suspicious to me but perhaps you know otherwise.

Please let me know how things are going and the identity of the above.


You have some McAfee services that are stopped so that could be the problem.

Step 1

Launch notepad by Clicking start -> run -> type notepad

Hit Enter

Paste the following text in the code box into the notepad window

Save the file to your desktop by setting the "Save as Type" to "all files", and save it as fix.bat

@ECHO OFF
REM Set each McAfee kernel driver service to start automatically, then start it now.
REM Note: "start= auto" needs the space after the equals sign; that is how sc parses it.
sc config Firehk start= auto
sc start Firehk
sc config mfeapfk start= auto
sc start mfeapfk
sc config mfebopk start= auto
sc start mfebopk
REM Write the current status of all three services to C:\output.txt and open it.
if exist C:\output.txt del C:\output.txt
sc query Firehk > C:\output.txt
sc query mfeapfk >> C:\output.txt
sc query mfebopk >> C:\output.txt
notepad C:\output.txt

Double-click the fix.bat gear-like icon on your desktop (allow the script to run and disable any script blocking programs which may interfere).

A notepad file will open called C:\output.txt. Please copy and paste the contents in a reply back here.

Step 2

If the above doesn't correct the problem, then drag each of these EXEs listed below into inherit.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\McAfee\Host Intrusion Prevention\HIPSCore\HIPSvc.exe

Next, rerun fix.bat and post output.txt

Also, do you know what the folders are?

Your latest Combofix run looks good except I am wondering if you know what these recently created folders are:

2009-09-08 06:04 . 2009-09-08 06:18 -------- d-----w- C:\xobooQ

2009-09-08 04:39 . 2009-09-08 06:15 -------- d-----w- C:\ger


The below folders were created by ComboFix and Avenger when I ran them earlier. I had renamed them (for no specific reason). So, I think they are not suspicious:

2009-09-08 06:04 . 2009-09-08 06:18 -------- d-----w- C:\xobooQ

2009-09-08 04:39 . 2009-09-08 06:15 -------- d-----w- C:\ger

All my programs (including McAfee) are running well now. Thanks for all your help! Please let me know if there is anything more needed.

Thanks again!


Here's the output.txt log:

SERVICE_NAME: Firehk
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 2  (0x2)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: mfeapfk
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: mfebopk
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Even before running the fix.bat, my McAfee on-access scan had started running. But I ran the fix.bat anyway per your instructions. Please let me know the next steps.

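The output.txt above is plain `sc query` text, and reading three blocks by eye is easy, but a machine can do the same triage for a whole `sc query type= all` dump. The following parser is an added example, not part of this thread: it splits `sc query` output into records and flags any service that is STOPPED with a nonzero WIN32_EXIT_CODE (Win32 error 2 is ERROR_FILE_NOT_FOUND, which is what a driver whose binary or permissions are broken reports after `sc start` fails). The sample input is constructed to mirror the posted log; the function and class names are my own.

```python
"""Parse `sc query` output and flag services that failed to start.
Added example; not part of the original forum thread."""
from __future__ import annotations

from dataclasses import dataclass

# Win32 error 2 is ERROR_FILE_NOT_FOUND: the Service Control Manager could not
# find the service's binary (here, a driver .sys file) when asked to start it.
ERROR_FILE_NOT_FOUND = 2

# Constructed sample, shaped like the output.txt posted above (two of the three
# services are enough to exercise both the failing and the healthy case).
SAMPLE_OUTPUT = """\
SERVICE_NAME: Firehk
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 2  (0x2)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: mfeapfk
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""


@dataclass
class ServiceStatus:
    name: str
    service_type: str      # e.g. KERNEL_DRIVER or WIN32_OWN_PROCESS
    state: str             # e.g. STOPPED or RUNNING
    win32_exit_code: int   # nonzero means the last start attempt failed
    service_exit_code: int


def parse_sc_query(text: str) -> list[ServiceStatus]:
    """Turn `sc query` output into one ServiceStatus per SERVICE_NAME block."""
    records: list[ServiceStatus] = []
    fields: dict[str, str] = {}

    def flush() -> None:
        if "SERVICE_NAME" in fields:
            last = lambda key: fields.get(key, "?").split()[-1]   # "1  STOPPED" -> "STOPPED"
            first_int = lambda key: int(fields.get(key, "0").split()[0])  # "2  (0x2)" -> 2
            records.append(ServiceStatus(fields["SERVICE_NAME"], last("TYPE"), last("STATE"),
                                         first_int("WIN32_EXIT_CODE"), first_int("SERVICE_EXIT_CODE")))
        fields.clear()

    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue  # blank lines and the "(STOPPABLE,...)" flag line carry no key
        key = key.strip()
        if key == "SERVICE_NAME":
            flush()   # a new block begins; emit the previous one
        fields[key] = value.strip()
    flush()
    return records


def failed_services(records: list[ServiceStatus]) -> list[str]:
    """Names of services that are STOPPED and whose last start attempt failed."""
    return [r.name for r in records if r.state == "STOPPED" and r.win32_exit_code != 0]


def describe_failure(r: ServiceStatus) -> str:
    """Human-readable hint for one failed record (used for the triage print-out)."""
    if r.win32_exit_code == ERROR_FILE_NOT_FOUND:
        return f"{r.name}: binary not found (Win32 error 2); check the driver file and its permissions"
    return f"{r.name}: start failed with Win32 error {r.win32_exit_code}"


if __name__ == "__main__":
    parsed = parse_sc_query(SAMPLE_OUTPUT)
    for rec in parsed:
        if rec.name in failed_services(parsed):
            print(describe_failure(rec))
```

On a live machine, feed it `subprocess.run(["sc", "query", "type=", "all"], capture_output=True, text=True).stdout` instead of the constructed sample.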

Good job! Let me give you my customary post-cleanup farewell advice then -

We have a few steps to finish up now.

You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 16, if you have not done that already:

You can click here to see what version you currently have installed.

If you need to update, then follow these instructions please -

1. Download the latest JRE version at Sun Microsystems' website: http://java.sun.com/javase/downloads/index.jsp

2. Select the option that says: "JRE 6 Update 16 - This special release provides a few key fixes", and click the Download button.

3. Select your platform: Windows, in the pull down menu.

4. Check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement."

5. Click Continue.

6. Under the Windows Platform - Java SE Runtime Environment 6 Update 16 section, click on the link to download the Windows Offline Installation and save the installer to your desktop.

7. Close any programs you may have running - especially your web browser.

8. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).

9. Reboot your system

10. Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version of the Sun Java Platform

11. If the Yahoo Toolbar is prechecked for installation be sure to UNCHECK it, if you do not care to have it, or already have it installed - it is not part of the JRE install and totally unnecessary.

12. You may verify that the current version installed properly by clicking here.

Now clear the Java cache:

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

If I asked you to download and run an ARK (Antirootkit program), then please uninstall it by doing the following:

  • Delete the contents of the folder C:\ARK
  • Delete the C:\ARK folder

Also delete these folders:

C:\xobooQ

C:\ger

Let's remove Combofix and all its associated files including those in quarantine:

Click start -> run, then copy and paste the following line into the Open box and click OK.

"%userprofile%\desktop\Remove-It.exe" /u

This will do the following:

  • Uninstall Combofix and all its associated files and folders.
  • It will flush your system restore points and create a new restore point.
  • It will rehide your system files and folders
  • Reset your system clock

---

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application, not Operating System, flaws. Commonly used programs like Quicktime, Java, Adobe Acrobat Reader, iTunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

4. Download and install SpywareBlaster:

http://www.javacoolsoftware.com/spywareblaster.html

Update it and then enable protection for all unprotected items.

You will have to update the free version manually about once a month by clicking the Updates button. You can refer to the Calendar of Updates Website to see when SpywareBlaster and other programs that do not autoupdate have new definitions or program updates available.

Finally, please follow the suggestions offered by Tony Klein in "How did I get infected in the first place" so you can maintain a safe and secure computing environment.

Happy Surfing!
