MBAM help

[Josh88]

Hello, I believe I have recently caught a nasty rootkit on my computer. When I first got it, whatever it was it instantly disabled my windows firewall and McAfee virus scan, and I can no longer get these things to re-activate. I do have the full version of Spyware Doctor, and I've run several full scans with rootkits coming up on some of the infections list, but the scans are very inconsistent, because sometimes the scans just stop. I downloaded MBAM because I heard it is the best thing for this stuff, but there is absolutely no way I can open it. Whenever I try, it just says that MBAM has stopped working and Windows has to shut it down. I was just wondering what should be my next step, since I my knowledge of computers is very limited. I have Windows Vista on an HP Pavilion. Thanks in advance.

[marktreg]

Hello and welcome to Malwarebytes

Please print this topic and follow these basic steps first before posting any logs.

Our program, Malwarebytes' Anti-Malware can detect and remove most Malware with no further actions required for free.

Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
  
• At the end, be sure a checkmark is placed next to the following:
  
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
    

  [*]Then click Finish.

  [*]If an update is found, it will download and install the latest version.

  [*]Once the program has loaded, select Perform quick scan, then click Scan.

  [*]When the scan is complete, click OK, then Show Results to view the results.

  [*]Be sure that everything is checked, and click Remove Selected.

  [*]When completed, a log will open in Notepad and if required the program will ask you to reboot to remove locked files.

We hope our application has helped you eradicate this malicious Malware.

If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection.

Update your current Anti-Virus to the latest definitions and then perform a Full scan of your system.

If you don't currently have Anti-Virus please download and install Avira AntiVir Personal

Then update to the latest definitions and perform a Full scan of your system.

If you're still experiencing issues after running the above procedures then please follow the instructions below.

• Disable CD-ROM Emulation Software

• DeFogger - Disable
  
  
• Please download the following tool
  DeFogger
  to your
  desktop
  .
  
  
• Double click
  DeFogger
  to run the tool.
  
  
• The application window will appear
  
  
• Click the
  Disable
  button to disable your CD Emulation drivers.
  
  
• Click
  Yes
  to continue
  
  
• A
  'Finished!'
  message will appear
  
  
• Click
  OK
  
  
• DeFogger will now ask to reboot the machine - click
  OK
  
  
• IMPORTANT!
  If you receive an error message while running DeFogger, please post the log
  defogger_disable
  which will appear on your desktop.
  
  
• Do not
  re-enable these drivers until otherwise instructed.
  
  

• Download DDS and save it to your desktop from

here or here or here
Disable any script blocker, and then double click dds.scr to run the tool.

• When done, DDS will open two (2) logs
  • DDS.txt
    
    
  • Attach.txt
    
    
  [*]
  Save both reports to your desktop.

• Download the following GMER Rootkit Scanner from

here

• Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  
  
• Double click on the new
  random named exe file
  you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  
  
• It may take a minute to load and become available.
  
  
• If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on
  NO
  , then use the following settings for a more complete scan..
  
  
• In the right panel, you will see several boxes that have been checked. Ensure the following are
  UNCHECKED
  
  
  • Sections
    
    
  • IAT/EAT
    
    
  • Drives/Partition other than Systemdrive
    (typically only C:\ should be checked)
    
    
  • Show All
    (don't miss this one)
    
    
  [*]
  Then click the Scan button & wait for it to finish.
  [*]
  Once done click on the
  [save..]
  button, and in the File name area, type in
  "ark.txt"
  or it will save as a .log file which cannot be uploaded to your post.
  [*]
  Save it where you can easily find it, such as your desktop
  [*]
  **Caution**
  Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  [*]
  Click OK and quit the GMER program.

Note:

On Firefox you need to go to

Tools/Options/Main

then under the

Downloads

section, click on

Always ask me where to save files

so that you can choose the name and where to save to, in this case your Desktop.

• Copy/Paste the contents of 'DDS.txt' to be posted as text to your post
  The other two logs ...
  * attach.txt
  * ark.txt
  
  ... should be zipped/archived before attaching to the post
  

[*]Please start a Newtopic here and post the most recent Malwarebytes' Anti-Malware log file and DDS/GMER log files.

[*]The Malwarebytes' Anti-Malware log file is located in the Logs tab of the program.

• DeFogger - Re-Enable (only run when instructed to when your system is clean again)
  
• To re-enable your Emulation drivers, double click DeFogger to run the tool.
  
• The application window will appear
  
• Click the Re-enable button to re-enable your CD Emulation drivers.
  
• Click Yes to continue
  
• A 'Finished!' message will appear
  
• Click OK
  
• DeFogger will now ask to reboot the machine - click OK
  
• IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.
  
• Your Emulation drivers are now re-enabled.
  

Someone will analyze the logs and give you further instructions. Please DO NOT reply to another users post, create your own new post.

Prompt responses to instructions and performing the required fixes as soon as possible is always best.

During this scan and cleanup process you should not install any other software unless requested to do so.

Please see item #12 below as to who can help you, please ignore posts from others not authorized and their post will be removed.

Logs to reply with: MBAM and DDS/GMER

NOTE: If Malwarebytes won't run or DDS/GMER won't run please still create a new post in the Malware Removal - HijackThis Logs forum and explain what happens.

NOTE: Please DO NOT post back to your post within the first 48 hours. Replying to your own posts changes the post count and will often cause helpers to think that you're already being helped and thus they won't open and look at your post. If no one has replied within 48 hours then please go ahead and either reply to your post or send a private message to a Moderator and let them know that you're still needing assistance.

As soon as someone is available they will assist you.

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

Troubleshooting Tips

Please review some of the following potential fixes

1. MBAM will not install - Code 2 error, mbam.exe not found
   
2. Windows Police Pro - MBAM will not install
   
3. SystemSecurity - MBAM won't run
   
4. Total-Security (FakeAlert) - MBAM won't run
   
5. av360 (Fakealert) - MBAM won't run
   
6. MBAM wont install or will not run.(CLB Rootkit-WinNT.Alureon) - TDSS/Seneka/GAOPDX/UAC/ovfst/kungsf/SKYNET/MSIVX/hjgrui/wzszx
   
7. Error Code 732 - Internet Explorer 8, Possible Fix
   
8. Basic procedures to prevent freezing in McAfee VirusScan Enterprise
   
9. Basic procedures to prevent freezing in Trend Internet Security
   
10. Fixes for common problems and Error Codes
    
11. Windows Defender and/or UAC Notifications on Startup
    
12. Groups authorized to help with HJT logs
    

[mountaintree16]

Josh,

Just a question (and yes, follow what marketreg just posted to you). Is the UAC turned on on your machine?

[Josh88]

Hello, my computer was acting all sorts of crazy and it was a miracle but I got defogger to work. I do have UAC on, and I was finally able to scan with MBAM. Here is the log:

Malwarebytes' Anti-Malware 1.42

Database version: 3289

Windows 6.0.6002 Service Pack 2

Internet Explorer 7.0.6002.18005

12/16/2009 12:57:21 PM

mbam-log-2009-12-16 (12-57-21).txt

Scan type: Quick Scan

Objects scanned: 104872

Time elapsed: 11 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\egodktf.bsfl (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaRoverCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\h8srtd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\MediaRoverCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:

C:\Users\Josh\AppData\Local\Temp\Installer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\MediaRoverCodec\install.ico (Trojan.FakeAlert) -> Quarantined and deleted successfully.

[mountaintree16]

Josh88,

It's good that you have your UAC on.

You need to post your log in the link I give below though, as malware removal is not worked on in the general forums.

http://www.malwarebytes.org/forums/index.php?showforum=7

Thank you