MBAM hangs after scanning


I just downloaded MBAM to remove the ADVANCED XP FIXER. It scanned fine and presented me with checkmarked results. It found many more items than just the ADVANCED XP FIXER malware. When I tried to proceed with fixing them, MBAM just hangs and I can't even force it out of the system. I must reboot, and it never finishes fixing anything. Any suggestions?

AJ


The log is blank, no items listed, right after the quick scan.

Malwarebytes' Anti-Malware 1.12

Database version: 794

Scan type: Quick Scan

Objects scanned: 60393

Time elapsed: 16 minute(s), 42 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 1

Registry Keys Infected: 28

Registry Values Infected: 10

Registry Data Items Infected: 0

Folders Infected: 12

Files Infected: 25

Memory Processes Infected:

C:\Documents and Settings\Andy\cftmon.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:

C:\WINDOWS\SYSTEM32\nvrsma.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.

HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken.

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{0be385a3-85a5-4722-b677-68dae891ff21} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{272c0d60-0561-4c83-b3db-eb0a71f9d2eb} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{284477e4-a7cb-4055-9e1b-0ea7cba28945} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{70ca4938-6a0f-4641-a9a9-c936e4c1e7de} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{7468213e-010e-4ec6-a17d-642e909ba7ec} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{89dc33a2-f86f-42a1-8b5f-d4d1943efc9c} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{b86f4810-19a9-4050-9ac9-b5cf60b5799a} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{bb5b7e14-f8b4-4365-a24d-f4965c33e1ee} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{c13d4627-02f5-4b03-897a-bf6a90022dd2} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{c636f1fc-6ae4-4e6a-90ab-6d61d821a0dd} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{cb971ac0-6408-40da-a540-92f9f256f51f} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{d5694dfe-43b6-4e05-aa29-8c556c968973} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{e2032ec2-a9ac-4ed7-9bdb-ebecacf076f2} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{ebab4a71-8c34-461a-b57d-dd041d439555} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{f06fea43-0cc3-4bf6-a85b-5efb1c07aa4b} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{fc94a0f7-9c7c-4ae2-9106-5c212332b209} (Adware.WhenUSave) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\AXPFixer (Rogue.AdvancedXPFixer) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> No action taken.

Registry Values Infected:

HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper (Trojan.FakeAlert) -> No action taken.

HKEY_CURRENT_USER\Control Panel\Desktop\OriginalWallpaper (Trojan.FakeAlert) -> No action taken.

HKEY_CURRENT_USER\Control Panel\Desktop\ConvertedWallpaper (Trojan.FakeAlert) -> No action taken.

HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE (Trojan.FakeAlert) -> No action taken.

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> No action taken.

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1 (Malware.Trace) -> No action taken.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Documents and Settings\Andy\Application Data\AXPFixer (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine\BrowserObjects (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine\Packages (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuAllUsers (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuCurrentUser (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU\RunOnce (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM\RunOnce (Rogue.AdvancedXPFixer) -> No action taken.

Files Infected:

C:\WINDOWS\SYSTEM32\blackster.scr (Trojan.Agent) -> No action taken.

C:\WINDOWS\SYSTEM32\ctfmonb.bmp (Malware.Trace) -> No action taken.

C:\WINDOWS\SYSTEM32\ide21201.vxd (Adware.Winad) -> No action taken.

C:\qkokqf.exe (Proxy.Ranky) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.tt7D.tmp (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\cjvmwwxi.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\SYSTEM32\nvrsma.dll (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Andy\cftmon.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\SYSTEM32\DRIVERS\spools.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\SYSTEM32\~.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\SYSTEM32\ntpl.bin (Trojan.Agent) -> No action taken.

C:\WINDOWS\SYSTEM32\kr_done1 (Malware.Trace) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Kelly\cftmon.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Bonnie\cftmon.exe (Trojan.Agent) -> No action taken.


Well, I stayed away from the SYSTEM 32 stuff and the .exe files and whittled it all down to those then ran MBAM from safe mode and it cleaned it all up! But, it nailed CTFMON.EXE for the three Windows accounts on this computer and I know that to be a good file from Microsoft. Am I gonna miss it?


  • Root Admin

It will take a LOT more than MB to get rid of that file. Microsoft will bring it back like a zombie from the grave.

If you get bored, take a search on the troubles people have had trying to remove that file. It's like malware on its own with its resiliency to removal.


  • Staff

Ctfmon.exe in %USERROOT% is malware; that is not its home location.

The blackhats use MS reserved words to cause this exact confusion.

C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Kelly\cftmon.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Bonnie\cftmon.exe (Trojan.Agent) -> No action taken.

If you do not remove these, then your computer is still infected.

Putting malware directly into %USERROOT% also makes it hard to look up on Google, because your username randomizes the search string, making it not hit.

http://www.virustotal.com/

Submit the file here to confirm.

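The tell in the staff reply (a Microsoft-looking name sitting where the real binary never lives) can be checked mechanically, and the log above shows why an exact-name lookup is not enough: the file is cftmon.exe, one transposed pair of letters off ctfmon.exe, dropped directly into each user's profile root. The script below is an added example, not code from the thread or from Malwarebytes. It parses lines in the format of the MBAM log above, flags any file name within one edit (insert, delete, substitute, or adjacent swap) of a known Windows system binary when that file is outside the binary's home directory, notes when it sits directly in a %USERROOT% profile root, and hashes a file for a VirusTotal lookup. The table of legitimate locations and the two sample lines marked "constructed" are assumptions for this example; every other sample line is copied from the log posted above.

```python
"""Added example (not from the thread or from Malwarebytes): triage an MBAM log for
file names that imitate Windows system binaries but sit outside the binary's home."""
import hashlib
import ntpath
import re

# Sample input: file lines copied from the log posted above, plus two CONSTRUCTED lines
# (marked in their family field) that are not in the thread: the real ctfmon.exe in
# System32, which must not be flagged, and an exact-name copy of svchost.exe in %TEMP%.
SAMPLE_LOG = r"""
C:\Documents and Settings\Andy\cftmon.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\nvrsma.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\ctfmonb.bmp (Malware.Trace) -> No action taken.
C:\WINDOWS\SYSTEM32\DRIVERS\spools.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Kelly\cftmon.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Bonnie\cftmon.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\SYSTEM32\ctfmon.exe (constructed, not in the thread) -> No action taken.
C:\Documents and Settings\Andy\Local Settings\Temp\svchost.exe (constructed, not in the thread) -> No action taken.
"""

# Where Windows XP keeps the real binary. Assumption: a small hard-coded table is enough here.
HOME_DIR = {
    "ctfmon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
PROFILE_ROOT = r"c:\documents and settings"  # %USERROOT% lives one level below this on XP

# One MBAM result line: <path> (<family>) -> <action>
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap two adjacent
    characters each cost 1, so cftmon.exe is 1 away from ctfmon.exe (plain Levenshtein says 2)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def closest_system_binary(name: str):
    """Return (legit_name, distance) for the nearest table entry within one edit, else None."""
    best = None
    for legit in HOME_DIR:
        dist = osa_distance(name, legit)
        if dist <= 1 and (best is None or dist < best[1]):
            best = (legit, dist)
    return best


def triage(log_text: str) -> list:
    """One finding per file line whose name imitates a system binary outside its home directory."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # summary lines, registry keys, blank lines
        path = m.group("path")
        directory = ntpath.dirname(path).lower()
        name = ntpath.basename(path).lower()
        match = closest_system_binary(name)
        if match is None:
            continue
        legit, dist = match
        if dist == 0 and directory == HOME_DIR[legit]:
            continue  # the real binary in its real home: nothing to see
        reason = "exact name outside home directory" if dist == 0 else "one edit away from " + legit
        if ntpath.dirname(directory) == PROFILE_ROOT:
            reason += "; dropped directly into a user profile root (%USERROOT%)"
        findings.append({"path": path, "name": name, "imitates": legit,
                         "expected_dir": HOME_DIR[legit], "reason": reason})
    return findings


def file_sha256(path: str, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file on disk, so it can be looked up on virustotal.com before uploading it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['path']}\n    imitates {f['imitates']} (home: {f['expected_dir']}); {f['reason']}")
```

Run against the sample, the script flags all four cftmon.exe copies (each also marked as sitting in a profile root, LocalService's included) and spools.exe under SYSTEM32\DRIVERS as one edit from spoolsv.exe, while nvrsma.dll, ctfmonb.bmp and the constructed ctfmon.exe in System32 pass through untouched. The hash helper is for the staff reply's last step: computing the SHA-256 locally lets you search VirusTotal for the file before deciding whether to upload it.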

Thank you for the explanation of CTFMON. I should have realized that. It is all gone! MBAM running in safe mode cleared it up and it did not hang in safe mode. Thanks all.

