
malwarebytes closes during scan at same file



Hi,

I have a friend's laptop I am trying to fix, but it has one of the nastiest malwares/spywares I've ever seen. I can get the program installed just fine and I can run it, but if I try to scan it forces malwarebytes to close every time. It happens after about 5 seconds every time when I get to the same file...ntmarta.dll. Then, after it closes I can no longer open the program. It says access denied. I can't delete it or copy it or anything. If I reinstall the program it runs again, but won't scan. My antivirus has also been disabled (Avast) and now I can only start in safe mode. I can run spybot, but it doesn't fix it.

I followed the instructions in the sticky. I ran DDS and saved the log files. I attached the DDS.txt here. I then downloaded the GMER Rootkit program. It opens up and I choose the correct options and click scan. It starts to scan and then 10 seconds later closes, just like malwarebytes does. I can then no longer run or delete that GMER Rootkit file as well. I get the same error as I do trying to run malwarebytes after it fails to scan.

I'm at my wits' end with this laptop. I've never seen one this bad. I'm starting to think the only option is to reformat. They have so much data saved and programs to reinstall though, so I'm trying to avoid that. Does anybody have any suggestions? I have no idea how to get malwarebytes to scan without crashing.

If anybody can help I'd be extremely grateful!

Thanks guys

-John


Hi. I actually got it fixed. I downloaded an AVG virus scan boot cd and that got rid of it.

I'll post the files anyway in case you're interested. I'll attach the file called "Attach" and I'll paste the contents of the DDS file.

attach.txt

DDS file:

.

DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.18702

Run by Administrator at 1:41:17 on 2011-08-16

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1665 [GMT -4:00]

.

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\3721931782:4191364898.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\DAEMON Tools Pro\DTShellHlp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Administrator\Desktop\Defogger.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080426

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb

uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=3080426

uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRunOnce: [NeroHomeFirstStart] c:\program files\common files\ahead\lib\NMFirstStart.exe

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\npjpi150_06.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab

TCP: DhcpNameServer = 192.168.1.1 71.250.0.12

TCP: Interfaces\{7FB4935E-DFAC-4883-A98E-E8A2DAA0BCEF} : DhcpNameServer = 192.168.1.1 71.250.0.12

Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: igfxcui - igfxdev.dll

.

============= SERVICES / DRIVERS ===============

.

S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-8-15 441176]

S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-30 309848]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-30 19544]

S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-30 42184]

S2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.sys [2008-7-3 3584]

S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-20 54752]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-7-20 366640]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-7-20 22712]

S3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2009-7-5 31616]

.

=============== Created Last 30 ================

.

2011-08-16 05:36:11 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE

2011-08-16 04:52:40 -------- d-----w- C:\VundoFix Backups

2011-08-16 04:43:16 -------- d-----w- c:\windows\ERUNT

2011-08-16 04:34:19 3216 ----a-w- c:\windows\system32\tmp.reg

2011-08-16 03:49:45 -------- d--h--w- c:\windows\PIF

2011-08-15 18:03:52 709968 ----a-w- c:\windows\isRS-000.tmp

2011-08-15 17:38:38 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-08-15 16:57:50 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-08-15 16:57:50 -------- d-----w- c:\windows\system32\wbem\Repository

2011-08-10 00:32:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-02 15:42:41 98304 ------w- c:\windows\system32\viscomoverlay.dll

2011-08-02 15:42:41 65536 ------w- c:\windows\system32\viscomwmvp.dll

2011-08-02 15:42:41 450560 ------w- c:\windows\system32\viscomqtde.dll

2011-08-02 15:42:41 102400 ------w- c:\windows\system32\viscomaudio.dll

2011-08-02 15:42:40 143360 ------w- c:\windows\system32\MoviePlayer.ocx

2011-08-02 15:42:39 90112 ------w- c:\windows\system32\DGWaveEdit.ocx

2011-08-02 15:42:39 607744 ------w- c:\windows\system32\Asoedmms.ocx

2011-08-02 15:42:39 1773568 ------w- c:\windows\system32\gdiplus.dll

2011-08-02 15:42:38 1652224 ------w- c:\windows\system32\AdjMmsEng.dll

2011-08-02 15:42:32 -------- d-----w- c:\program files\Pronunciation Patterns

.

==================== Find3M ====================

.

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-04 11:43:53 40112 ----a-w- c:\windows\avastSS.scr

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-02-19 14:51:00 1029000 ----a-w- c:\program files\SkypeSetup.exe

2011-02-18 17:26:03 42105 ----a-w- c:\program files\QuickBooks Premier - Manufacturing and Wholesale Edition 2008.lnk

2010-11-28 19:41:16 2153080 ----a-w- c:\program files\VLC_32.exe

2010-10-25 18:02:42 14259704 ----a-w- c:\program files\picasa38-setup.exe

2010-10-09 17:01:46 10088256 ----a-w- c:\program files\DAEMONToolsPro4360309-0160.exe

2010-06-02 16:10:24 1661616 ----a-w- c:\program files\LCVU_0415_PCDRV_US_1_01_03.exe

2010-02-11 21:22:05 16883056 ----a-w- c:\program files\IE8-WindowsXP-x86-ENU.exe

2009-07-20 14:27:08 3775176 ----a-w- c:\program files\mbam-setup.exe

2009-06-18 19:50:03 714136 ----a-w- c:\program files\JavaSetup6u14.exe

2009-05-27 00:26:42 274224 ----a-w- c:\program files\utorrent.exe

2009-04-01 01:49:22 10246088 ----a-w- c:\program files\windows-kb890830-v2.8.exe

2009-03-24 16:24:22 23596840 ----a-w- c:\program files\SkypeSetupFull.exe

2009-03-24 16:06:52 4188740 ----a-w- c:\program files\setupVoipraider.exe

2008-12-22 00:49:12 68756776 ----a-w- c:\program files\iTunesSetup.exe

2008-10-21 15:08:59 27288880 ----a-w- c:\program files\QuickTimeInstaller.exe

2008-10-17 14:56:50 2400784 ----a-w- c:\program files\WLinstaller.exe

2008-10-13 18:59:21 1234120 ----a-w- c:\program files\wrar380.exe

2008-05-08 13:58:22 17464248 ----a-w- c:\program files\IE7Setup_G.exe

.

============= FINISH: 1:42:49.09 ===============
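The log above contains the kind of entries a helper scans for first: a process whose image path is `C:\WINDOWS\3721931782:4191364898.exe` (the second colon means the executable is stored in an NTFS alternate data stream attached to the WINDOWS directory, something no legitimate program does for its main image), process entries with no resolved path, and browser helper objects registered in the registry whose DLL is gone ("No File"). The following script is an added example, not part of this thread and not code from the DDS tool: it parses the "Running Processes" and "Pseudo HJT Report" sections of a DDS-style log and lists such entries with a reason. The sample input is a constructed excerpt of the log posted above; the section names and line formats are taken from that log.

```python
"""Triage helper for DDS-style logs (Python 3, standard library only).

Added example for this thread, not DDS's own code. It reads the sections a
DDS log delimits with "==== name ====" lines and flags entries that warrant
a closer look. Nothing here modifies the system; it only reads the text.
"""
import re

# Constructed excerpt of the DDS log posted in this thread.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\3721931782:4191364898.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\Defogger.exe
============== Pseudo HJT Report ===============
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mPolicies-system: EnableLUA = 0 (0x0)
============= FINISH: 1:42:49.09 ===============
"""

# "==== Section Name ====" header lines used by DDS
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# A second colon after the drive spec means the image lives in an NTFS
# alternate data stream (here a stream attached to the WINDOWS directory).
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\]+$")
# Executable with a purely numeric name placed directly under %WINDIR%
WINDIR_NUMERIC_RE = re.compile(r"^[A-Za-z]:\\windows\\\d+(?::\d+)?\.exe$", re.IGNORECASE)
# Absolute Windows path: drive letter, colon, backslash
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_sections(text):
    """Return {section name: [non-empty entry lines]} for a DDS log."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS pads sections with "." lines
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def flag_process(entry):
    """Reasons a Running Processes entry deserves a look (empty list = nothing notable)."""
    reasons = []
    # Drop svchost-style " -k ..." arguments and surrounding quotes to get the image path.
    image = entry.split(" -", 1)[0].strip('"')
    if ADS_RE.match(image):
        reasons.append("image runs from an NTFS alternate data stream")
    if WINDIR_NUMERIC_RE.match(image):
        reasons.append("numeric-named executable directly under %WINDIR%")
    if not ABS_PATH_RE.match(image):
        reasons.append("image path not resolved by DDS; verify manually")
    return reasons


def flag_hjt(entry):
    """Reasons a Pseudo HJT Report entry deserves a look."""
    reasons = []
    if entry.startswith(("BHO:", "TB:")) and entry.endswith("- No File"):
        reasons.append("browser add-on registered but its DLL is missing (orphaned CLSID)")
    if entry.startswith("mPolicies-system:") and "= 0 " in entry:
        reasons.append("HKLM system policy explicitly set to 0; confirm it is intended")
    return reasons


def triage(text):
    """Return a list of (section, entry, reason) tuples for the whole log."""
    findings = []
    sections = parse_sections(text)
    for entry in sections.get("Running Processes", []):
        for reason in flag_process(entry):
            findings.append(("Running Processes", entry, reason))
    for entry in sections.get("Pseudo HJT Report", []):
        for reason in flag_hjt(entry):
            findings.append(("Pseudo HJT Report", entry, reason))
    return findings


if __name__ == "__main__":
    for section, entry, reason in triage(SAMPLE_DDS):
        print(f"[{section}] {entry}\n    -> {reason}")
```

Run against the full log as `python triage.py`, or call `triage(open("DDS.txt").read())`. The checks deliberately stop at "reasons to look": which entries are actually malicious still has to be decided by a person with the file in hand, which is why the helper asked for a fresh log rather than acting on this one.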


  • Staff

Hi,

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


  • 2 weeks later...
  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
