MBAM hangs after scanning

[AJ_CHICAGO]

I just downloaded MBAM to remove the ADVANCED XP FIXER. It scanned fine and presented me with checkmarked results. It found many more items than just the ADVANCED XP FIXER malware. When I tried to proceed with fixing them MBAM just hangs and I can't even force it out of the system. Must reboot and it never finishes fixing anything. Any suggestions?

AJ

[nosirrah]

Please do a quick scan with MBAM and save the log (dont fix anything yet) .

Post the log here .

[AJ_CHICAGO]

Please do a quick scan with MBAM and save the log (dont fix anything yet) .

Post the log here .

The log is blank, no items listed, right after the quick scan.

[AJ_CHICAGO]

The log is blank, no items listed, right after the quick scan.

Malwarebytes' Anti-Malware 1.12

Database version: 794

Scan type: Quick Scan

Objects scanned: 60393

Time elapsed: 16 minute(s), 42 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 1

Registry Keys Infected: 28

Registry Values Infected: 10

Registry Data Items Infected: 0

Folders Infected: 12

Files Infected: 25

Memory Processes Infected:

C:\Documents and Settings\Andy\cftmon.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:

C:\WINDOWS\SYSTEM32\nvrsma.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.

HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken.

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> No action taken.

HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{0be385a3-85a5-4722-b677-68dae891ff21} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{272c0d60-0561-4c83-b3db-eb0a71f9d2eb} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{284477e4-a7cb-4055-9e1b-0ea7cba28945} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{70ca4938-6a0f-4641-a9a9-c936e4c1e7de} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{7468213e-010e-4ec6-a17d-642e909ba7ec} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{89dc33a2-f86f-42a1-8b5f-d4d1943efc9c} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{b86f4810-19a9-4050-9ac9-b5cf60b5799a} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{bb5b7e14-f8b4-4365-a24d-f4965c33e1ee} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{c13d4627-02f5-4b03-897a-bf6a90022dd2} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{c636f1fc-6ae4-4e6a-90ab-6d61d821a0dd} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{cb971ac0-6408-40da-a540-92f9f256f51f} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{d5694dfe-43b6-4e05-aa29-8c556c968973} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{e2032ec2-a9ac-4ed7-9bdb-ebecacf076f2} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{ebab4a71-8c34-461a-b57d-dd041d439555} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{f06fea43-0cc3-4bf6-a85b-5efb1c07aa4b} (Adware.WhenUSave) -> No action taken.

HKEY_CLASSES_ROOT\Interface\{fc94a0f7-9c7c-4ae2-9106-5c212332b209} (Adware.WhenUSave) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\AXPFixer (Rogue.AdvancedXPFixer) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> No action taken.

Registry Values Infected:

HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper (Trojan.FakeAlert) -> No action taken.

HKEY_CURRENT_USER\Control Panel\Desktop\OriginalWallpaper (Trojan.FakeAlert) -> No action taken.

HKEY_CURRENT_USER\Control Panel\Desktop\ConvertedWallpaper (Trojan.FakeAlert) -> No action taken.

HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE (Trojan.FakeAlert) -> No action taken.

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> No action taken.

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1 (Malware.Trace) -> No action taken.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Documents and Settings\Andy\Application Data\AXPFixer (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine\BrowserObjects (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine\Packages (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuAllUsers (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuCurrentUser (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU\RunOnce (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM\RunOnce (Rogue.AdvancedXPFixer) -> No action taken.

Files Infected:

C:\WINDOWS\SYSTEM32\blackster.scr (Trojan.Agent) -> No action taken.

C:\WINDOWS\SYSTEM32\ctfmonb.bmp (Malware.Trace) -> No action taken.

C:\WINDOWS\SYSTEM32\ide21201.vxd (Adware.Winad) -> No action taken.

C:\qkokqf.exe (Proxy.Ranky) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.tt7D.tmp (Rogue.AdvancedXPFixer) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\cjvmwwxi.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\SYSTEM32\nvrsma.dll (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Andy\cftmon.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\SYSTEM32\DRIVERS\spools.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\SYSTEM32\~.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\SYSTEM32\ntpl.bin (Trojan.Agent) -> No action taken.

C:\WINDOWS\SYSTEM32\kr_done1 (Malware.Trace) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.tt1.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.tt2.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.tt3.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.ttB.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Andy\Local Settings\Temp\.ttE.tmp (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Kelly\cftmon.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Bonnie\cftmon.exe (Trojan.Agent) -> No action taken.

[AJ_CHICAGO]

Well, I stayed away from the SYSTEM 32 stuff and the .exe files and whittled it all down to those then ran MBAM from safe mode and it cleaned it all up! But, it nailed CTFMON.EXE for the three Windows accounts on this computer and I know that to be a good file from Microsoft. Am I gonna miss it?

[AdvancedSetup]

It will take a LOT more than MB to get rid of that file. Microsoft will bring it back like a zombie from the grave.

If you get bored take a search on the troubles people have had trying to remove that file. It's like malware on it's own with it's resiliency to removal.

[nosirrah]

Ctfmon.exe is %USERROOT% is malware , that is not its home location .

The blackhats use MS reserved words to cause this exact confusion .

C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Kelly\cftmon.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Bonnie\cftmon.exe (Trojan.Agent) -> No action taken.

If you do not remove these then your computer is still infected .

Putting malware directly into %USERROOT% also makes it hard to look up on google because your username randomizes it search string making it not hit .

http://www.virustotal.com/

Submit the file here if to confirm .

[AJ_CHICAGO]

Ctfmon.exe is %USERROOT% is malware , that is not its home location .

The blackhats use MS reserved words to cause this exact confusion .

C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Kelly\cftmon.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Bonnie\cftmon.exe (Trojan.Agent) -> No action taken.

If you do not remove these then your computer is still infected .

Putting malware directly into %USERROOT% also makes it hard to look up on google because your username randomizes it search string making it not hit .

http://www.virustotal.com/

Submit the file here if to confirm .

Thank you for the explanation of CTFMON. I should have realized that. It is all gone! MBAM running in safe mode cleared it up and it did not hang in safe mode. Thanks all.

[AdvancedSetup]

Thanks for the correction Bruce. It was late and I should not have replied without doing a real search and full review of the log. I'll have to keep this in mind next time not to respond without a full review of the log.