
MBAM shuts itself down after scan - posting logs


Hey,

I installed Malwarebytes Anti-Malware, which went fine, but there's a problem when I try to scan.

MBAM performs the scan without problem and detects some malware (19 in a full scan), then displays the message saying "Scan was successful, click "show results" to display all infected objects - blablabla". But when I click "OK" on this message, the program immediately closes itself. I checked my log tab and the successful scans didn't produce any log.

I tried stopping the scan before its end, with different results:

- If I end the scan before any malware is detected, the program doesn't crash.

- If I end the scan as soon as 1 malware is detected, or after that, it gives me a "Scan aborted. Click "show results" to display all infected objects", and as soon as I click OK, it shuts itself down.

The only other anti-virus or firewall program I'm using is Security Essentials (I ran a full scan which came up clean).

I downloaded and ran DeFogger, DDS and the GMER Rootkit Scanner. The logs are found below and in the attachment.

All help is greatly appreciated!

--------------------------------------------------------------

DDS/GMER Log:

--------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86

Run by Compaq_Eigenaar at 14:47:06,95 on za 04-09-2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.446.126 [GMT 2:00]

AV: Digital Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

c:\windows\system32\svchost -k dcomlaunch

svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

c:\windows\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\nvsvc32.exe

c:\windows\system32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\HP\KBD\KBD.EXE

c:\windows\system\hpsysdrv.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Compaq_Eigenaar\Bureaublad\Defogger.exe

C:\Documents and Settings\Compaq_Eigenaar\Bureaublad\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.nl/

uSearch Page = hxxp://www.google.com

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=63&bd=PRESARIO&pf=desktop

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=63&bd=PRESARIO&pf=desktop

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run

mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

mPolicies-system: DisableTaskMgr = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll

IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

Notify: __c001DA60 - c:\windows\system32\__c001DA60.dat

Notify: __c0027134 - c:\windows\system32\__c0027134.dat

Notify: __c0036A99 - c:\windows\system32\__c0036A99.dat

Notify: __c00CA559 - c:\windows\system32\__c00CA559.dat

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]

=============== Created Last 30 ================

2010-09-04 12:44:42 0 ----a-w- c:\documents and settings\compaq_eigenaar\defogger_reenable

2010-09-04 11:22:49 54016 ----a-w- c:\windows\system32\drivers\cuotckwb.sys

2010-09-04 11:11:26 54016 ----a-w- c:\windows\system32\drivers\hctgkusl.sys

2010-09-04 10:48:43 54016 ----a-w- c:\windows\system32\drivers\wulpa.sys

2010-09-04 10:23:56 0 d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes

2010-09-04 10:23:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-04 10:23:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-09-04 10:23:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-04 10:23:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-13 12:13:47 0 d-----w- c:\windows\pss

==================== Find3M ====================

2010-08-13 10:42:07 70546 ----a-w- c:\windows\system32\perfc013.dat

2010-08-13 10:42:07 443836 ----a-w- c:\windows\system32\perfh013.dat

2010-07-27 06:30:32 8509440 ------w- c:\windows\system32\dllcache\shell32.dll

2010-06-30 12:33:19 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-30 12:33:19 149504 ------w- c:\windows\system32\dllcache\schannel.dll

2010-06-24 15:57:54 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll

2010-06-24 09:02:59 1852032 ----a-w- c:\windows\system32\win32k.sys

2010-06-24 09:02:59 1852032 ------w- c:\windows\system32\dllcache\win32k.sys

2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys

2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-06-17 14:03:48 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-06-14 07:43:35 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-14 07:43:35 1172480 ----a-w- c:\windows\system32\dllcache\msxml3.dll

2008-11-21 06:47:39 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\geschiedenis\history.ie5\mshist012008112120081122\index.dat

============= FINISH: 14:47:31,29 ===============

Attach.zip

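A few entries in the DDS log above can be pulled out by a script rather than by eye: Winlogon Notify packages that point at .dat files instead of DLLs, Task Manager disabled by policy, and several freshly created drivers of identical size under random names. The Python below is an added example, not part of the original thread or of any Malwarebytes tool; it runs over a constructed excerpt modelled on those log lines and only reports what it finds, it removes nothing.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on lines from the DDS log posted above
SAMPLE_DDS = """\
Notify: __c001DA60 - c:\\windows\\system32\\__c001DA60.dat
Notify: __c0027134 - c:\\windows\\system32\\__c0027134.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\\windows\\system32\\WPDShServiceObj.dll
mPolicies-system: DisableTaskMgr = 1 (0x1)
2010-09-04 11:22:49 54016 ----a-w- c:\\windows\\system32\\drivers\\cuotckwb.sys
2010-09-04 11:11:26 54016 ----a-w- c:\\windows\\system32\\drivers\\hctgkusl.sys
2010-09-04 10:48:43 54016 ----a-w- c:\\windows\\system32\\drivers\\wulpa.sys
2010-09-04 10:23:40 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
"""

NOTIFY_RE = re.compile(r"^Notify:\s+(\S+)\s+-\s+(.+?)\s*$")
POLICY_RE = re.compile(r"^mPolicies-system:\s+DisableTaskMgr\s*=\s*1\b")
# DDS "Created Last 30" entry: date time size attributes path
DRIVER_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \S+\s+(\d+)\s+\S+\s+(.*\\drivers\\[^\\]+\.sys)\s*$", re.I)


def triage_dds(text):
    """Return (category, detail) findings worth a human look; nothing is deleted."""
    findings = []
    drivers_by_size = defaultdict(list)  # size in bytes -> list of .sys paths
    for line in text.splitlines():
        m = NOTIFY_RE.match(line)
        if m and not m.group(2).lower().endswith(".dll"):
            # Winlogon Notify packages are DLLs; a .dat here is a classic hiding spot
            findings.append(("winlogon-notify-non-dll", m.group(2)))
            continue
        if POLICY_RE.match(line):
            findings.append(("taskmgr-disabled-by-policy", line))
            continue
        m = DRIVER_RE.match(line)
        if m:
            drivers_by_size[int(m.group(2))].append(m.group(3))
    for size, paths in drivers_by_size.items():
        if len(paths) >= 2:
            # Several new drivers of identical size under random names look like one
            # dropper re-installing itself; report them as a group
            findings.append(("same-size-new-drivers", f"{size} bytes: " + ", ".join(paths)))
    return findings


if __name__ == "__main__":
    for category, detail in triage_dds(SAMPLE_DDS):
        print(f"[{category}] {detail}")
```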

Mayflower06:

Download Pragmafix by Noahdfear from here and save it in a place you can remember, such as your desktop.

  • Click on Pragmafix.exe to run it
  • It shall produce PragmaFix.log in the C:\ folder.
  • Please post the results here.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:

  • MBAM log
  • PragmaFix log


Hello RPMcMurphy,

1) I downloaded and ran Pragmafix, the log can be found below.

zo 05-09-2010 20:02:00,39

No embedded null keys found

2) After updating MBAM, I did a Quick Scan. MBAM log is found below.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Databaseversie: 4550

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5-9-2010 20:10:06

mbam-log-2010-09-05 (20-10-06).txt

Scantype: Snelle scan

Objecten gescand: 129818

Verstreken tijd: 5 minuut/minuten, 15 seconde(n)

Geheugenprocessen ge


Mayflower06:

Is your computer running better? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java 6 Update 20 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window

Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

Please include the following in your next post:

  • Kaspersky log
  • How is your computer running?


Hi RPMcMurphy,

- You can find the Kaspersky log in the attachment.

- My computer is definitely running better than it did before. It boots up quicker, and programs run better. It's also a lot quieter; before, I could hear it making noise a lot of the time, not only when I booted up or some program was running, as if it always had something going on in the background. Also, iexplore.exe often had a high CPU usage (usually 98-99); that has not happened in the last days.

Grtz, Mae

KasReport.txt


Mayflower06:

Your logs look good! Those Kaspersky detections are in your ComboFix quarantine and the system restore cache and will be cleaned when we uninstall ComboFix.

All I have left for you to do are another update and some very important cleanup:

Your Adobe Reader needs to be updated. Please visit Adobe's site and grab the newest version.

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall


Delete the following tools along with any other logs you saved from our work:

  • DDS
  • GMER

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • If it doesn't, manually reboot to ensure a complete clean

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application current and updated. Also, hang on to MBAM. Scan with them at least weekly.
  • Please visit our General Computer Security Forum and review this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!
