Jump to content

Can't run malwarebytes


Recommended Posts

in case you wanted the hijackthis log, here it is:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:05:40 PM, on 1/3/2010

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ltmoh\Ltmoh.exe

C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\conime.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: |?-μ?

Link to post
Share on other sites

Hello Charles W

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under Custom scan's and fixes section paste in the below in bold


    %SYSTEMDRIVE%\*.exe

    /md5start

    eventlog.dll

    scecli.dll

    netlogon.dll

    cngaudit.dll

    sceclt.dll

    ntelogon.dll

    logevent.dll

    iaStor.sys

    nvstor.sys

    atapi.sys

    IdeChnDr.sys

    viasraid.sys

    AGP440.sys

    vaxscsi.sys

    nvatabus.sys

    viamraid.sys

    nvata.sys

    nvgts.sys

    iastorv.sys

    ViPrt.sys

    eNetHook.dll

    ahcix86.sys

    KR10N.sys

    nvstor32.sys

    /md5stop

    CREATERESTOREPOINT


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Download the following GMER Rootkit Scanner from Here

  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED


  • Sections

  • IAT/EAT

  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)

  • Show All (don't miss this one)


  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Link to post
Share on other sites

hi, sorry for the delay in responding. heres the OTL text:

OTL logfile created on: 1/4/2010 8:38:14 AM - Run 1

OTL by OldTimer - Version 3.1.21.0 Folder = C:\Documents and Settings\Charles\桌面

Windows XP Home Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2800.1106)

Locale: 00000409 | Country: 美國 | Language: ENU | Date Format: M/d/yyyy

255.00 Mb Total Physical Memory | 110.00 Mb Available Physical Memory | 43.00% Memory free

619.00 Mb Paging File | 464.00 Mb Available in Paging File | 75.00% Paging File free

Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 27.47 Gb Total Space | 20.51 Gb Free Space | 74.67% Space Free | Partition Type: FAT32

Drive D: | 9.76 Gb Total Space | 8.39 Gb Free Space | 85.97% Space Free | Partition Type: FAT32

Drive E: | 52.45 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: WANG

Current User Name: Charles

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Charles\桌面\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

PRC - C:\WINDOWS\system32\ati2evxx.exe ()

PRC - C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)

PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)

PRC - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)

PRC - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)

PRC - C:\Program Files\Launch Manager\CPLBCL53.EXE (Dritek System Inc.)

PRC - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)

PRC - C:\WINDOWS\AGRSMMSG.exe (Agere Systems)

PRC - C:\Program Files\ltmoh\ltmoh.exe (Agere Systems)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Charles\桌面\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\system32\SynTPFcs.dll (Synaptics, Inc.)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\MSIMTF.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

SRV - (Ati HotKey Poller) -- C:\WINDOWS\system32\ati2evxx.exe ()

SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)

SRV - (Irmon) -- C:\WINDOWS\system32\irmon.dll (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (w22n51) Intel® -- C:\WINDOWS\system32\drivers\w22n51.sys (Intel

Link to post
Share on other sites

hi, sorry for the delay in responding. heres the OTL text:

OTL logfile created on: 1/4/2010 8:38:14 AM - Run 1

OTL by OldTimer - Version 3.1.21.0 Folder = C:\Documents and Settings\Charles\桌面

Windows XP Home Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2800.1106)

Locale: 00000409 | Country: 美國 | Language: ENU | Date Format: M/d/yyyy

255.00 Mb Total Physical Memory | 110.00 Mb Available Physical Memory | 43.00% Memory free

619.00 Mb Paging File | 464.00 Mb Available in Paging File | 75.00% Paging File free

Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 27.47 Gb Total Space | 20.51 Gb Free Space | 74.67% Space Free | Partition Type: FAT32

Drive D: | 9.76 Gb Total Space | 8.39 Gb Free Space | 85.97% Space Free | Partition Type: FAT32

Drive E: | 52.45 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: WANG

Current User Name: Charles

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Charles\桌面\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)

PRC - C:\WINDOWS\system32\ati2evxx.exe ()

PRC - C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)

PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)

PRC - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)

PRC - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)

PRC - C:\Program Files\Launch Manager\CPLBCL53.EXE (Dritek System Inc.)

PRC - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)

PRC - C:\WINDOWS\AGRSMMSG.exe (Agere Systems)

PRC - C:\Program Files\ltmoh\ltmoh.exe (Agere Systems)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Charles\桌面\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\system32\SynTPFcs.dll (Synaptics, Inc.)

MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll (Microsoft Corporation)

MOD - C:\WINDOWS\system32\MSIMTF.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)

SRV - (Ati HotKey Poller) -- C:\WINDOWS\system32\ati2evxx.exe ()

SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)

SRV - (Irmon) -- C:\WINDOWS\system32\irmon.dll (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (w22n51) Intel® -- C:\WINDOWS\system32\drivers\w22n51.sys (Intel

Link to post
Share on other sites

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capabilities to allows hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Link to post
Share on other sites

thanks for all your help. do you think using a recovery disk would be okay?

Using a recovery disk should work fine. It will format the drive and replace everything on your computer with the recovery image. However, if the infection was present when the recovery image was created, then no it won't work. You'd have to do a format and complete re-install from a Windows installation CD in that case.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.