Jump to content

MBAM shuts down after 10 seconds or less


Recommended Posts

I have some sort of virus!!!! Help!

Running MBAM shuts down after 5 or 10 seconds with latest updates. Ran DDS and it completed. That log is below. Ran GMER and it quit after 5 seconds, not generating any logs.

I have followed the steps listed here, but without success.

Please help!

.

DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL

Internet Explorer: 8.0.6001.18702

Run by Everett at 20:09:57 on 2011-08-25

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.664 [GMT -5:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\929075084:1936760776.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.msn.com

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/apps/vso/en-us/vso9/default.asp?affid=105-36&dtag=4h3xt61

uInternet Settings,ProxyServer = http=127.0.0.1:6092

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll

mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\supertoolbar\GenericAskToolbar.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - c:\program files\microsoft visual studio 10.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll

BHO: {E3215F20-3212-11D6-9F8B-00D0B743919D} - No File

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll

TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\supertoolbar\GenericAskToolbar.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll

EB: Web Test Recorder 10.0: {5802d092-1784-4908-8cdb-99b6842d353d} - mscoree.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [security Protection] c:\documents and settings\all users\application data\defender.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [iAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"

mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [<NO NAME>]

mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{3e5562ed-69ab-4cec-91e2-64e18ec5acc6}\Icon3E5562ED7.ico

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

LSP: mswsock.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/tgctlcm.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab

DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} - hxxp://project/projectserver/objects/pjclient.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258220304250

DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} - hxxp://project/projectserver/objects/1033/pjcintl.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.1.1 68.238.96.12

TCP: Interfaces\{AA3595E4-AC9E-41BA-A855-CB749387BFC1} : DhcpNameServer = 192.168.1.1 68.238.96.12

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: TPSvc - TPSvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-1-11 40840]

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]

R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-5-12 59280]

R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-1-11 66952]

R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-1-11 81288]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-11 356920]

S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]

S2 clr_optimization_v4.0.21006_32;Microsoft .NET Framework NGEN v4.0.21006_X86;c:\windows\microsoft.net\framework\v4.0.21006\mscorsvw.exe [2009-10-7 129856]

S2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-9-10 156968]

S2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-11 1079176]

S2 WUSB54GSCSVC;WUSB54GSCSVC;c:\program files\compact wireless-g usb network adapter with speedbooster\WLService.exe [2007-1-15 53307]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]

S3 Leapfrog-USBLAN;Leapfrog-USBLAN;c:\windows\system32\drivers\btblan.sys [2011-1-2 33792]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]

S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\microsoft visual studio 10.0\team tools\performance tools\VSPerfDrv100.sys [2009-9-15 47616]

S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.21006\wpf\WPFFontCache_v0400.exe [2009-10-7 752984]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]

S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

.

=============== Created Last 30 ================

.

2011-08-25 21:50:16 -------- d-----w- c:\program files\ESET

2011-08-25 21:38:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-25 21:38:40 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-25 21:38:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-25 19:03:38 -------- d-----w- c:\program files\common files\iS3

2011-08-24 22:02:42 546256 ----a-r- c:\windows\system32\SZComp5.dll

2011-08-24 22:02:42 456144 ----a-r- c:\windows\system32\SZBase5.dll

2011-08-24 22:02:42 22992 ----a-r- c:\windows\system32\SZIO5.dll

2011-08-24 22:02:42 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll

2011-08-24 22:02:40 99792 ----a-r- c:\windows\system32\IS3Svc5.dll

2011-08-24 22:02:40 99792 ----a-r- c:\windows\system32\IS3Inet5.dll

2011-08-24 22:02:40 67024 ----a-r- c:\windows\system32\IS3Hks5.dll

2011-08-24 22:02:40 398800 ----a-r- c:\windows\system32\IS3DBA5.dll

2011-08-24 22:02:40 28624 ----a-r- c:\windows\system32\IS3XDat5.dll

2011-08-24 22:02:38 738768 ----a-r- c:\windows\system32\IS3Base5.dll

2011-08-24 22:02:38 390608 ----a-r- c:\windows\system32\IS3UI5.dll

2011-08-24 22:02:38 230864 ----a-r- c:\windows\system32\IS3Win325.dll

2011-08-21 23:18:36 -------- d-----w- c:\windows\9E23819E8AF44D25A7FE7756C9E3DBB9.TMP

2011-08-16 17:46:16 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys

2011-08-16 17:45:55 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys

.

==================== Find3M ====================

.

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-30 00:18:39 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 20:10:12.57 ===============

Link to post
Share on other sites

More information!

GMER will run and shut down mid-scan, not producing a log.

ComboFix will run and shut down mid-scan, not producing a log. After this initial run, the EXE will no longer execute. Windows prompts with: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I am an admin on this computer.

RKill runs but does not find any processes to kill. The log is basically empty.

Subsequent runs of mbam.exe produce the following error on start up: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I am an admin on this computer.

Reinstalling MBAM works, however when the Update is attempted, I get the following prompt: "Update failed. Make sure you are connected to the Internet and your firewall is set to allow Malwarebytes' Anti-Malware to access the internet." I have verified I have Internet access and that my firewall is set to allow MBAM access.

Also, SuperAntiSpyware will not open. Spyware Doctor will open but cannot connect to their update service. STOPzilla will hang on the splash screen and never load.

The following is the output from the SecurityCheck.exe I downloaded from this site:

Results of screen317's Security Check version 0.99.18

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

```````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

Malwarebytes' Anti-Malware

Java 6 Update 11

Java 6 Update 5

Out of date Java installed!

Flash Player Out of Date!

Adobe Flash Player 10.0.12.36

````````````````````````````````

Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

``````````End of Log````````````

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

Rename MBAM.exe to iexplore.exe and try running it now; if no joy try iexplore.com

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is like UtilityName.Version_Date_Time_log.txt.

for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Link to post
Share on other sites

I have the same thing. Including the google search results redirection. I have run the TDSSKiller and picks up something every time. I'm not at the infected machine right now, but I'm very interested to see how this thread goes.

Link to post
Share on other sites

  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.