Malwarebytes' Anti-Malware closes a few seconds

[ExeCut]

I run it, but it takes a few seconds and it closes.

I tried re-install it with mbam-clean, then download random exe from your website, but no result.

Here is GMER log.

[ExeCut]

Oops..

Here

gmer.zip

[ExeCut]

And HijackThis log

hijackthis.zip

[screen317]

Hi and welcome to Malwarebytes.

Download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post the one that is not minimized.

After you post that log, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
  

-screen317

[ExeCut]

DDS log

DDS.zip

I noticed that during scanning, file wregs.exe tried to change the registry (it was blocked by Ad-Aware).

I have run the scan again and again file wregs.exe tried to modify the registry.

This file is located in the Windows temporary folder and deleted after DDS scan is complete.

[ExeCut]

Combofix log and new Hijackthis log

combofix_hijackthis.zip

[screen317]

That's a false-positive by Ad-Aware. DDS doesn't make any Registry changes..

[screen317]

Hi,

Your logs indicate that you have Windows XP SP4. That shouldn't be possible. Where did you get that??

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

FCOPY::

c:\windows\system32\dllcache\tcpip.sys | C:\Windows\System32\tcpip.sys

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

-screen317

[ExeCut]

Here

NEW_combo_hijackthis.zip

Strange thing - ComboFix noticed me that NOD32 is running, but I delete NOD32 from HDD.

And after "stage 2" in ComboFix, appeared error of pevcp*** (I don't remember exactly). After I clicked OK, the program continued.

And ComboFix don't ask me about reboot and didn't do it.

Your logs indicate that you have Windows XP SP4. That shouldn't be possible. Where did you get that??

I don't know, I also see this for the first time.

[screen317]

Hi,

Before we continue, please go to VirusTotal, and upload the following file for analysis:

C:\143setup.exe

c:\windows\system32\drivers\tcpip.sys

Post the results in your reply.

Also try running MBAM now.

[ExeCut]

MBAM still closed after a few seconds.

143setup.exe is renamed mbam-setup.exe

tcpip.sys:

a-squared 4.5.0.50 2010.02.21 -

AhnLab-V3 5.0.0.2 2010.02.20 -

AntiVir 8.2.1.170 2010.02.19 -

Antiy-AVL 2.0.3.7 2010.02.19 -

Authentium 5.2.0.5 2010.02.20 -

Avast 4.8.1351.0 2010.02.21 -

AVG 9.0.0.730 2010.02.21 -

BitDefender 7.2 2010.02.21 -

CAT-QuickHeal 10.00 2010.02.19 -

ClamAV 0.96.0.0-git 2010.02.21 -

Comodo 4010 2010.02.21 -

DrWeb 5.0.1.12222 2010.02.21 -

eSafe 7.0.17.0 2010.02.18 -

eTrust-Vet 35.2.7315 2010.02.20 -

F-Prot 4.5.1.85 2010.02.20 -

F-Secure 9.0.15370.0 2010.02.19 -

Fortinet 4.0.14.0 2010.02.20 -

GData 19 2010.02.21 -

Ikarus T3.1.1.80.0 2010.02.21 -

Jiangmin 13.0.900 2010.02.21 -

K7AntiVirus 7.10.979 2010.02.20 -

Kaspersky 7.0.0.125 2010.02.17 -

McAfee 5898 2010.02.20 -

McAfee+Artemis 5898 2010.02.20 -

McAfee-GW-Edition 6.8.5 2010.02.19 -

Microsoft 1.5406 2010.02.21 -

NOD32 4883 2010.02.20 -

Norman 6.04.08 2010.02.20 -

nProtect 2009.1.8.0 2010.02.20 -

Panda 10.0.2.2 2010.02.20 -

PCTools 7.0.3.5 2010.02.21 -

Prevx 3.0 2010.02.21 -

Rising 22.34.01.03 2010.02.11 -

Sophos 4.50.0 2010.02.21 -

Sunbelt 5690 2010.02.20 -

Symantec 20091.2.0.41 2010.02.21 -

TheHacker 6.5.1.5.202 2010.02.21 -

TrendMicro 9.120.0.1004 2010.02.21 -

VBA32 3.12.12.2 2010.02.21 -

ViRobot 2010.2.19.2194 2010.02.19 -

VirusBuster 5.0.27.0 2010.02.20 -

Additional information

File size: 361600 bytes

MD5...: cd00787894008369f56153b91fc28847

SHA1..: f53c3a0248a507be6b953d2453e463b383a4a0f5

SHA256: 1a1ce805a984db0c6ee68467aae8b5829059d263b4072fc2c0c8ca6d5ebb9c25

ssdeep: 6144:uJVxTJMCOHOcecOeaVrith/CC/LxGh5wCQCzKLQ/x7czo:uDxTl2OzryZCA

Q4CQDQ/

PEiD..: -

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x50d23

timedatestamp.....: 0x485b99ad (Fri Jun 20 11:51:09 2008)

machinetype.......: 0x14c (I386)

( 10 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x380 0x3f05a 0x3f080 6.58 469827b02f4403f5236e017c0c4bc49a

.rdata 0x3f400 0x574 0x580 4.44 0eb5bdbba26ed4d079a201f965266cb4

.data 0x3f980 0xa4a4 0xa500 0.06 ea0c5005c163289d0c29ae80301cb86f

PAGE 0x49e80 0x1f85 0x2000 6.38 29223020b8202f58b61651e2099c84e8

PAGELK 0x4be80 0x6f2 0x700 6.19 d82540f4886ebcffb849774114194524

PAGEIPMc 0x4c580 0x2781 0x2800 6.43 bb13276e642dee8cf0a818967e06b022

.edata 0x4ed80 0x341 0x380 5.23 32781ababdbcd87358c1d1eb84509dd0

INIT 0x4f100 0x5936 0x5980 6.19 db1978bd975371e0170baba465ee02a5

.rsrc 0x54a80 0x3f0 0x400 3.41 3fd0d62483602aa6ce780c14866b4e39

.reloc 0x54e80 0x3590 0x3600 6.79 1e3ca28ef6ff9cf6fa16149dbf4fe144

( 4 imports )

> HAL.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel, KfReleaseSpinLock, KfAcquireSpinLock, KfRaiseIrql, KeGetCurrentIrql, KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex

> NDIS.SYS: NdisCloseAdapter, NdisCancelSendPackets, NdisFreePacket, NdisUnchainBufferAtFront, NdisCompletePnPEvent, NdisFreePacketPool, NdisRequest, NdisAllocatePacket, NdisFreeMemory, NdisQueryAdapterInstanceName, NdisGetDriverHandle, NdisOpenAdapter, NdisAllocatePacketPoolEx, NdisGetReceivedPacket, NdisRegisterProtocol, NdisAllocateBuffer, NdisSetPacketPoolProtocolId, NdisReturnPackets, NdisCopyBuffer, NdisAllocateBufferPool, NdisFreeBufferPool, NdisReEnumerateProtocolBindings, NdisCompleteBindAdapter

> ntoskrnl.exe: IoCreateDevice, _wcsicmp, wcscpy, wcsncpy, wcschr, ZwSetInformationThread, KeLeaveCriticalRegion, KeEnterCriticalRegion, KeQueryTimeIncrement, KeSetEvent, IoDeleteSymbolicLink, ExDeleteNPagedLookasideList, KeDelayExecutionThread, ZwOpenKey, KeSetTimerEx, KeInitializeTimer, KeInitializeDpc, ExInitializeNPagedLookasideList, MmLockPagableSectionByHandle, ZwQueryValueKey, ZwSetValueKey, InterlockedPopEntrySList, InterlockedPushEntrySList, ExIsProcessorFeaturePresent, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlMapGenericMask, IoGetFileObjectGenericMapping, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IofCallDriver, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlAddAce, RtlGetAce, IoCreateSymbolicLink, RtlInitializeSid, RtlLengthRequiredSid, ObSetSecurityObjectByPointer, RtlSelfRelativeToAbsoluteSD, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlVerifyVersionInfo, VerSetConditionMask, IoWMIRegistrationControl, IoGetCurrentProcess, KeInitializeTimerEx, RtlExtendedIntegerMultiply, KeQueryInterruptTime, _aulldiv, DbgBreakPoint, KeSetTargetProcessorDpc, RtlSetBit, SeUnlockSubjectContext, SeAccessCheck, SeLockSubjectContext, ObDereferenceSecurityDescriptor, PsGetCurrentProcessId, RtlWalkFrameChain, ExNotifyCallback, ExCreateCallback, ObReferenceObjectByHandle, MmUnlockPages, SeFreePrivileges, SeAppendPrivileges, ObLogSecurityDescriptor, SeAssignSecurity, IoFileObjectType, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, ProbeForWrite, ObfReferenceObject, PsGetCurrentProcess, RtlPrefetchMemoryNonTemporal, KeInitializeMutex, MmIsThisAnNtAsSystem, KeWaitForSingleObject, KeReleaseMutex, KeReadStateEvent, IoDeleteDevice, ZwEnumerateValueKey, RtlUnicodeStringToInteger, RtlIpv4StringToAddressW, RtlTimeToTimeFields, ExLocalTimeToSystemTime, RtlExtendedMagicDivide, RtlAppendUnicodeToString, ZwClose, _allmul, MmQuerySystemSize, RtlCompareUnicodeString, RtlInitializeBitMap, RtlClearAllBits, RtlSetBits, wcslen, RtlAreBitsSet, RtlClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, DbgPrint, memmove, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, ZwLoadDriver, KeResetEvent, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, ExfInterlockedAddUlong, MmMapLockedPagesSpecifyCache, IoFreeMdl, ExfInterlockedInsertTailList, RtlInitUnicodeString, MmMapLockedPages, KeNumberProcessors, RtlUnicodeStringToAnsiString, MmLockPagableDataSection, MmUnlockPagableImageSection, RtlCompareMemory, ExAllocatePoolWithTag, KeCancelTimer, KeClearEvent, RtlAnsiStringToUnicodeString, IoRaiseInformationalHardError, KeInitializeEvent, ExFreePoolWithTag, ExAllocatePoolWithTagPriority, KeInitializeSpinLock, _alldiv, KeQuerySystemTime, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, KeBugCheckEx, RtlSubAuthoritySid, KeTickCount, MmBuildMdlForNonPagedPool, ZwDeviceIoControlFile, ZwCreateFile

> TDI.SYS: CTESystemUpTime, CTEBlock, CTELogEvent, CTESignal, CTEBlockWithTracker, CTEStartTimer, CTEInitEvent, CTEScheduleDelayedEvent, CTEInitTimer, TdiProviderReady, CTEInitialize, TdiDeregisterNetAddress, TdiRegisterNetAddress, TdiDeregisterDeviceObject, TdiRegisterDeviceObject, TdiDeregisterProvider, TdiRegisterProvider, TdiPnPPowerRequest, TdiCopyMdlChainToMdlChain, TdiInitialize, TdiDeregisterPnPHandlers, TdiRegisterPnPHandlers, CTEScheduleEvent, TdiCopyBufferToMdl, CTERemoveBlockTracker, CTEInsertBlockTracker, TdiMapUserRequest, TdiCopyBufferToMdlWithReservedMappingAtDpcLevel

( 31 exports )

ARPRcv, ARPRcvPacket, FreeIprBuff, GetIFAndLink, IPAddInterface, IPAllocBuff, IPDelInterface, IPDelayedNdisReEnumerateBindings, IPDeregisterARP, IPDisableSniffer, IPEnableSniffer, IPFreeBuff, IPGetAddrType, IPGetBestInterface, IPGetInfo, IPInjectPkt, IPProxyNdisRequest, IPRcvComplete, IPRcvPacket, IPRegisterARP, IPRegisterProtocol, IPSetIPSecStatus, IPTransmit, LookupRoute, LookupRouteInformation, LookupRouteInformationWithBuffer, SendICMPErr, SetIPSecPtr, UnSetIPSecPtr, UnSetIPSecSendPtr, tcpxsum

RDS...: NSRL Reference Data Set

-

pdfid.: -

trid..: Win32 Executable Generic (68.0%)

Generic Win/DOS Executable (15.9%)

DOS Executable Generic (15.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:

publisher....: Microsoft Corporation

copyright....: © Microsoft Corporation. All rights reserved.

product......: Microsoft_ Windows_ Operating System

description..: TCP/IP Protocol Driver

original name: tcpip.sys

internal name: tcpip.sys

file version.: 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249)

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

[screen317]

Hi,

My apologies for the delay.

Please run DDS again. This time, post both logs. Also run GMER again and post its log. Finally, grab a new copy of ComboFix, run it, and post its log (don't attach them). We'll take it from there.

-screen317

[screen317]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!