
Cannot run mbam.exe after removing infections


hbein


Followed the instructions to rename mbam.exe and run. Using the latest definitions that cleaned up some problems. But I still cannot launch the app. Ran HijackThis - see log below. Any help would be appreciated.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 10:44:52 AM, on 9/29/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\Novell\CASA\bin\micasad.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Novell\ZENworks\bin\ZenworksWindowsService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Novell\ZENworks\bin\TSUsage32.exe

C:\WINDOWS\system32\IPSSVC.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\AMT\atchksrv.exe

C:\Program Files\DesktopAuthority\RaMaint.exe

D:\IBM\SQLLIB\BIN\db2jds.exe

C:\Program Files\IBM\SQLLIB\BIN\db2mgmtsvc.exe

D:\IBM\SQLLIB\BIN\db2sec.exe

C:\Program Files\DesktopAuthority\DesktopAuthority.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

D:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

C:\lotus\notes\nsd.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

d:\oracle\adi\BIN\ADISRV.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\slClient.exe

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe

C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe

C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

C:\Program Files\Common Files\Lenovo\Logger\logmon.exe

C:\WINDOWS\system32\UStorSrv.exe

C:\WINDOWS\system32\vmnat.exe

C:\Program Files\Webroot\Client\commagent.exe

c:\program files\lenovo\system update\suservice.exe

D:\VMware Player\vmware-authd.exe

C:\WINDOWS\system32\vmnetdhcp.exe

C:\Program Files\Webroot\Client\spysweeper.exe

C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe

C:\WINDOWS\system32\slagent.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe

C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\AMT\atchk.exe

C:\Program Files\DesktopAuthority\ragui.exe

D:\VMware Player\hqtray.exe

C:\Program Files\Webroot\Client\SpySweeperUI.exe

C:\WINDOWS\system32\ctfmon.exe

D:\Program Files\Greenshot\Greenshot.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\lotus\notes\NLNOTES.EXE

C:\lotus\notes\framework\rcp\eclipse\plugins\com.ibm.rcp.base_6.2.1.20090925-1604\win32\x86\notes2.exe

C:\lotus\notes\ntaskldr.EXE

C:\Documents and Settings\hcahxb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Documents and Settings\hcahxb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\hcahxb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

D:\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pmagateway.pmagroup.com/intranet

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pmagateway.pmagroup.com/intranet

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] "HDAShCut.exe"

O4 - HKLM\..\Run: [LPManager] "C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe"

O4 - HKLM\..\Run: [AwaySch] "C:\Program Files\Lenovo\AwayTask\AwaySch.EXE"

O4 - HKLM\..\Run: [TVT Scheduler Proxy] "C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinVNC] "C:\WINDOWS\system32\rc\winvnc4.exe" -servicehelper

O4 - HKLM\..\Run: [igfxTray] "C:\WINDOWS\system32\igfxtray.exe"

O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"

O4 - HKLM\..\Run: [Persistence] "C:\WINDOWS\system32\igfxpers.exe"

O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"

O4 - HKLM\..\Run: [Desktop Authority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"

O4 - HKLM\..\Run: [VMware hqtray] "D:\VMware Player\hqtray.exe"

O4 - HKLM\..\Run: [WebrootClientUI] "C:\Program Files\Webroot\Client\SpySweeperUI.exe"

O4 - HKLM\..\Run: [WebrootTrayApp] C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Greenshot] "d:\Program Files\Greenshot\Greenshot.exe"

O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: DesktopRecovery.bat

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: d:\vmware player\vsocklib.dll

O10 - Unknown file in Winsock LSP: d:\vmware player\vsocklib.dll

O14 - IERESET.INF: START_PAGE_URL=http://pmagateway.pmagroup.com/intranet

O15 - Trusted Zone: http://*.bbap2k100

O15 - Trusted Zone: http://*.bbap2k107

O15 - Trusted Zone: http://*.bbap2k141

O15 - Trusted Zone: http://*.bbap2k142

O15 - Trusted Zone: http://*.ccpma

O15 - Trusted Zone: http://*.bbap2k100 (HKLM)

O15 - Trusted Zone: http://*.bbap2k107 (HKLM)

O15 - Trusted Zone: http://*.bbap2k141 (HKLM)

O15 - Trusted Zone: http://*.bbap2k142 (HKLM)

O15 - Trusted Zone: http://*.ccpma (HKLM)

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6770.cab

O16 - DPF: {8C28EFD7-767B-11D1-844B-0060972DC2AC} - http://bbap2k70.sdmz.pmagroup.com:8080/Bri....Insight.en.cab

O16 - DPF: {b5859259-c40b-4b2a-af9d-3bf0f634b1d5} (Oracle JInitiator 1.1.8.20) -

O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - http://finprod1.pma.pmagroup.com:8000/jinitiator/oajinit.exe

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pma.pmagroup.com

O17 - HKLM\Software\..\Telephony: DomainName = pma.pmagroup.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{90C77A3A-AF3E-447B-9EB2-2FA4A8662727}: Domain = pma.pmagroup.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pma.pmagroup.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pma.pmagroup.com

O18 - Protocol: qcom - {B8DBD265-42C3-43E6-B439-E968C71984C6} - C:\PROGRA~1\COMMON~1\QUESTS~1\CODEXP~1\qcom.dll

O20 - AppInit_DLLs: DAinit.dll

O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll

O20 - Winlogon Notify: LCredMgr - C:\Program Files\Novell\CASA\bin\lcredmgr.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Intel® AMT System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe

O23 - Service: AtmAppnNode - Attachmate Corporation - C:\Program Files\Attachmate\E!E2K\APPNODE.EXE

O23 - Service: Desktop Authority Maintenance Service (DAMaint) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\RaMaint.exe

O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - D:\IBM\SQLLIB\BIN\db2jds.exe

O23 - Service: DB2 Management Service (DB2) (DB2MGMTSVC_DB2) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2mgmtsvc.exe

O23 - Service: DB2 Management Service (ToadF40) (DB2MGMTSVC_ToadF40) - Unknown owner - C:\Program Files\Quest Software\Toad for DB2 Freeware 4.0\DB2 Client\BIN\db2mgmtsvc.exe (file missing)

O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - D:\IBM\SQLLIB\BIN\db2sec.exe

O23 - Service: DB2 Security Server (DB2) (DB2NTSECSERVER_DB2) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe

O23 - Service: DB2 Security Server (ToadF40) (DB2NTSECSERVER_ToadF40) - Unknown owner - C:\Program Files\Quest Software\Toad for DB2 Freeware 4.0\DB2 Client\BIN\db2sec.exe (file missing)

O23 - Service: Desktop Authority Service (DesktopAuthority) - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Intel® Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe

O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

O23 - Service: Lotus Notes Diagnostics - IBM - C:\lotus\notes\nsd.exe

O23 - Service: Novell Identity Store - Novell, Inc - C:\Program Files\Novell\CASA\bin\micasad.exe

O23 - Service: Novell ZENworks Agent Service - Novell, Inc. - C:\Program Files\Novell\ZENworks\bin\ZenworksWindowsService.exe

O23 - Service: Oracle ADI Service - Oracle Corporation - d:\oracle\adi\BIN\ADISRV.EXE

O23 - Service: OracleClientCache80 - Unknown owner - d:\oracle\adi\BIN\ONRSD80.EXE

O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)

O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Software Corporation - C:\WINDOWS\system32\slClient.exe

O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe

O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe

O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe

O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe

O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - D:\VMware Player\vmware-ufad.exe

O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\VMware Player\vmware-authd.exe

O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe

O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - C:\Program Files\Webroot\Client\commagent.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Client\spysweeper.exe

O23 - Service: VNC (WinVNC) - RealVNC Ltd. - C:\WINDOWS\system32\rc\winvnc4.exe

O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe

O23 - Service: Novell ZENworks Pre Agent (ZENPreAgent) - Unknown owner - C:\WINDOWS\novell\zenworks\bin\ZENPreAgent.exe

--

End of file - 15002 bytes

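Logs like the one above are normally read by hand, entry by entry. As an added example (not code from this thread, and not a HijackThis or Malwarebytes tool), here is a small Python parser that pulls the numbered entries out of a HijackThis v2 log and flags the structural things a reviewer checks first: services whose binary is missing or has no publisher in its version info, a non-empty AppInit_DLLs value, Winsock LSP files HijackThis does not recognise, IE Trusted Zone additions, DPF entries with no download URL, and autorun entries that launch scripts, bare filenames, or files in user-writable profile directories. The sample lines are copied from the log posted above; the flag rules are this example's own triage heuristics, so a flag means "verify this", not "this is an infection".

```python
"""Triage parser for HijackThis v2 log entries.

Added example: not code from the forum thread, HijackThis or Malwarebytes.
The rules below are this example's own review heuristics, not verdicts.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] "HDAShCut.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\WINDOWS\system32\rc\winvnc4.exe" -servicehelper
O4 - HKLM\..\Run: [igfxTray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKCU\..\Run: [Greenshot] "d:\Program Files\Greenshot\Greenshot.exe"
O4 - Global Startup: DesktopRecovery.bat
O10 - Unknown file in Winsock LSP: d:\vmware player\vsocklib.dll
O15 - Trusted Zone: http://*.bbap2k100
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - AppInit_DLLs: DAinit.dll
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: VNC (WinVNC) - RealVNC Ltd. - C:\WINDOWS\system32\rc\winvnc4.exe
End of file - 15002 bytes
"""

# Entry lines look like "O23 - Service: ..."; R/F/N/O are the HijackThis section families.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".wsf")
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\", "\\temp\\", "\\application data\\")


@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Keep only the numbered entries; the process list, headers and footer are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def autorun_target(body: str) -> str:
    """Path launched by an O4 entry: the quoted path, the '.lnk = path' target, or the bare name."""
    m = re.search(r'"([^"]+)"', body)
    if m:
        return m.group(1)
    if " = " in body:
        return body.split(" = ", 1)[1]
    return body.split(": ", 1)[-1].split("] ", 1)[-1]


def check_o4(e: Entry) -> None:
    key = e.body.split(": ", 1)[0]          # e.g. HKLM\..\Run or Global Startup
    target = autorun_target(e.body).strip().lower()
    if target.endswith(SCRIPT_EXT):
        e.flags.append("autorun launches a script; read its contents")
    if "\\run" in key.lower() and "\\" not in target:
        e.flags.append("Run value is a bare filename, resolved through the search path")
    if any(p in target for p in USER_WRITABLE):
        e.flags.append("autorun target lives in a user-writable profile directory")


def check_o23(e: Entry) -> None:
    if "(file missing)" in e.body:
        e.flags.append("service registered but its binary is missing (orphaned entry)")
    if " - Unknown owner - " in e.body:
        e.flags.append("service binary has no company name in its version info")


def check_simple(e: Entry) -> None:
    body = e.body.rstrip()
    if e.code == "O10" and body.startswith("Unknown file"):
        e.flags.append("Winsock LSP DLL not on HijackThis' known list")
    elif e.code == "O15":
        e.flags.append("site added to the IE Trusted zone (relaxed security settings)")
    elif e.code == "O16" and body.endswith(" -"):
        e.flags.append("ActiveX (DPF) entry with no download URL recorded")
    elif e.code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        e.flags.append("AppInit_DLLs loads this DLL into every process that links user32.dll")


CHECKS = {"O4": check_o4, "O23": check_o23, "O10": check_simple,
          "O15": check_simple, "O16": check_simple, "O20": check_simple}


def triage(text: str) -> list:
    """Parse a log and return only the entries that picked up at least one flag."""
    entries = parse_hjt(text)
    for e in entries:
        check = CHECKS.get(e.code)
        if check:
            check(e)
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.code}: {e.body}")
        for f in e.flags:
            print(f"    -> {f}")
```

Run against the sample, the parser skips the header and footer lines, and the flagged list comes back with the two autorun entries worth a second look (the bare "HDAShCut.exe" Run value and the DesktopRecovery.bat startup script), the unknown LSP, the Trusted Zone entry, the DPF entry without a URL, the AppInit_DLLs value, and the orphaned PsaSrv service; the signed RealVNC service and the vendor autoruns produce no flags. Paste the full log into `SAMPLE_LOG` to triage it in one pass.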

Hello ,

And :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Click the "Scan All Users" checkbox.
    • Push the Quick Scan button.
    • Two reports will open, copy and paste them in a reply here:
      • OTListIt.txt <-- Will be opened
      • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning; it is ok, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

-------------------------------------------------------------

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

