MBAM & DeFogger Won't Progress

[xXallergicXx]

Hi

While in another forum to get advice to remove a virus, I was asked to download Malwarebytes, run it, and post the log report. I downloaded it and ran the scan no probs...when it was finished I got an 'Access Denied" message while trying to access the log report. The face of the program did not change where you are supposed to click 'OK' and 'Show Results'. I have tried to uninstall the program (which I don't think was done properly because desktop icons remained) and install another in it's place but the results are always the same. I run this program on another computer but for some reason, cannot run it properly on this one.

Upon joining the forum here I was asked to go through some procedures before posting to this group, one being to install MBAM and run it which resulted in the same results mentioned above and secondly to run DeFogger; well DeFogger is in disable mode but did not reboot my computer so now I don't know what to do. Can I just re-enable it?

Thankyou for your help

Crystal

[Maurice Naggar]

Hello,

Is this your thread at WhattheTech forum http://forums.whatthetech.com/index.php?s=...st&p=638632

Please print out, re-review and follow the directions here, skipping any steps you are unable to complete.

Skip the defogger section. Just run Gmer & DDS

and then post the Gmer.txt log

the DDS logs

Edited March 6, 2010 by Maurice Naggar
Edited to add URL reference to WTT

[xXallergicXx]

Hi there

Yes that thread is correct.

The procedure from "directions here" is what I was in the middle of when Defogger would not reboot my computer; so should I put Defogger back into 'enable' mode? It is still in 'disable' mode. I will continue with the directions.

Thankyou

Crystal

[Maurice Naggar]

Hello Crystal,

If you are needing guided help to look for malwares, then I need to have the GMER & DDS logs so we can proceed.

Leave the Defogger as is. Don't revert it. Skip the defogger section.

Proceed forward.

[xXallergicXx]

Hi

Here is the DDS and GMER logs. 'Attach' file is zipped and attached. Thanks

Crystal

DDS (Ver_09-12-01.01) - NTFSx86

Run by Crystal & Addz at 11:41:21.89 on Tue 09/03/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.511.66 [GMT 10:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\vVX1000.exe

C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Crystal & Addz.HOME-8B021C13CE\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}

uSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: BigPond Wireless Broadband 2.0 Auto Dial: {db92ec3f-697d-4c3b-9a3b-3abbd23d4a85} - c:\program files\telstra\bigpond wireless broadband 2.0\bpwbb2ad.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"

mRun: [VX1000] c:\windows\vVX1000.exe

mRun: [bigPondWirelessBroadbandCM] "c:\program files\telstra\bigpond wireless broadband 2.0\BigPond_CM.exe" -tsr

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000

IE: Transfer by Image Converter 2 - c:\program files\sony\image converter 2\menu.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189190842093

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} - hxxp://support.packardbell.com/files/activex/InfosFinder2.CAB

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\crysta~1.hom\applic~1\mozilla\firefox\profiles\mppc2bn9.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-28 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-28 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-2-28 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-28 56816]

R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2009-8-17 235648]

S2 BT848;AVerMedia, AVerTV WDM Video Capture;c:\windows\system32\drivers\bt848.sys [2002-5-13 261696]

S2 BTTUNER;AVerMedia, AVerTV WDM TvTuner;c:\windows\system32\drivers\bttuner.sys [2002-1-27 22016]

S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [2006-11-23 87424]

S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [2006-12-13 87040]

S3 SNCT511;PC Camera (6005 CIF);c:\windows\system32\drivers\snct511.sys [2007-8-24 219264]

=============== Created Last 30 ================

2010-03-09 01:40:54 524288 ----a-w- c:\program files\dds.scr

2010-03-07 10:42:42 30780 ---ha-w- c:\windows\system32\mlfcache.dat

2010-03-06 01:51:11 0 ----a-w- c:\documents and settings\crystal & addz.home-8b021c13ce\defogger_reenable

2010-03-05 04:15:29 1955472 ----a-w- c:\program files\install_flash_player_ax.exe

2010-03-05 04:04:56 27386256 ----a-w- c:\program files\AdbeRdr930_en_US.exe

2010-03-05 04:00:19 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-03-05 03:49:12 0 d-----w- c:\documents and settings\crystal & addz.home-8b021c13ce\.SunDownloadManager

2010-03-05 00:20:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-05 00:20:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-02 03:19:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-28 03:42:33 0 d-sh--w- c:\documents and settings\crystal & addz.home-8b021c13ce\PrivacIE

2010-02-28 02:15:52 0 d-----w- c:\windows\SxsCaPendDel

2010-02-28 02:02:43 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-02-28 01:56:58 0 d-----w- c:\program files\Lavasoft

2010-02-28 01:18:25 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-02-28 01:18:20 0 d-----w- c:\program files\Avira

2010-02-28 01:18:20 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Avira

2010-02-26 22:53:27 0 d-sha-r- C:\cmdcons

2010-02-23 17:03:11 0 d-----w- c:\docume~1\crysta~1.hom\applic~1\Malwarebytes

2010-02-23 17:03:03 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes

2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr

2010-02-08 23:53:24 0 d-----w- c:\docume~1\crysta~1.hom\applic~1\Office Genuine Advantage

2010-02-07 10:18:48 0 d--h--w- c:\windows\system32\GroupPolicy

==================== Find3M ====================

2010-03-05 04:17:10 5527040 ----a-w- c:\program files\AdbeRdrUpd931_all_incr.msp

2010-03-05 03:59:51 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-21 19:14:05 916480 ------w- c:\windows\system32\wininet.dll

2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:35:35 33280 ----a-w- c:\windows\system32\csrsrv.dll

============= FINISH: 11:42:04.03 ===============

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-03-09 14:33:31

Windows 5.1.2600 Service Pack 2

Running: GMER.exe; Driver: C:\DOCUME~1\CRYSTA~1.HOM\LOCALS~1\Temp\fxtdapoc.sys

---- System - GMER 1.0.15 ----

SSDT F8BE3E9E ZwCreateKey

SSDT F8BE3E94 ZwCreateThread

SSDT F8BE3EA3 ZwDeleteKey

SSDT F8BE3EAD ZwDeleteValueKey

SSDT F8BE3EB2 ZwLoadKey

SSDT F8BE3E80 ZwOpenProcess

SSDT F8BE3E85 ZwOpenThread

SSDT F8BE3EBC ZwReplaceKey

SSDT F8BE3EB7 ZwRestoreKey

SSDT F8BE3EA8 ZwSetValueKey

SSDT F8BE3E8F ZwTerminateProcess

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001583b41689 (not active ControlSet)

---- EOF - GMER 1.0.15 ----

Attach.zip

[Maurice Naggar]

I do not see anything amiss in the GMER log.

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At -this time- of posting, the current definitions are # 3845 and the latest program version is 1.44

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Kindly do your best, and Copy & then Paste the contents of the new MBAM log.

[Maurice Naggar]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!