Malwarebytes runs for 5 seconds then closes...

Hello,

I am trying to use Malwarebytes to remove this super annoying Open Cloud Security crap from my girlfriend's computer. I have tried a number of guides online which have told me to rename the mbam.exe file to firefox.com. I do this, download the latest updates, and try to run it, and it is closing after about 5 seconds. I am doing all of this in Safe Mode with Networking. I have been reading on this site for a while and have downloaded ComboFix. I disabled all my Antivirus/Antispyware/Firewall programs and ran ComboFix. The results are below; what is my next best course of action?

Thank you very much in advance!

ComboFix 11-09-27.01 - Administrator 09/27/2011 16:27:28.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1783 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory

c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini

c:\documents and settings\Justin\Application Data\SIIIBrzPNyx1uDo\sySL32.dll

c:\windows\$NtUninstallKB15524$

c:\windows\$NtUninstallKB15524$\1720165852\@

c:\windows\$NtUninstallKB15524$\1720165852\bckfg.tmp

c:\windows\$NtUninstallKB15524$\1720165852\cfg.ini

c:\windows\$NtUninstallKB15524$\1720165852\Desktop.ini

c:\windows\$NtUninstallKB15524$\1720165852\keywords

c:\windows\$NtUninstallKB15524$\1720165852\kwrd.dll

c:\windows\$NtUninstallKB15524$\1720165852\L\oioonbvi

c:\windows\$NtUninstallKB15524$\1720165852\lsflt7.ver

c:\windows\$NtUninstallKB15524$\1720165852\U\00000001.@

c:\windows\$NtUninstallKB15524$\1720165852\U\00000002.@

c:\windows\$NtUninstallKB15524$\1720165852\U\80000000.@

c:\windows\$NtUninstallKB15524$\1720165852\U\80000032.@

c:\windows\$NtUninstallKB15524$\2931293555

.

Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected

Restored copy from - The cat found it :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_6687a5dc

.

.

((((((((((((((((((((((((( Files Created from 2011-08-27 to 2011-09-27 )))))))))))))))))))))))))))))))

.

.

2011-09-27 20:20 . 2004-08-04 12:00 49536 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-09-27 19:35 . 2011-09-27 19:51 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-27 19:04 . 2011-09-27 19:04 -------- d-s---w- c:\documents and settings\Administrator\UserData

2011-09-27 18:34 . 2011-09-27 18:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-09-27 16:43 . 2011-09-27 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-09-27 06:16 . 2011-09-27 06:16 -------- d--h--w- c:\windows\PIF

2011-09-27 05:51 . 2011-09-27 05:51 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2011-09-27 04:52 . 2011-09-27 04:52 2463744 ----a-w- c:\windows\system32\U22oonF44mH5sJd.exe

2011-09-19 03:24 . 2011-09-19 03:24 -------- d-----w- c:\program files\Viewpoint

2011-09-19 03:23 . 2011-09-19 03:24 -------- d-----w- c:\program files\AIM95

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-24 20:27 . 2011-08-24 20:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-02 22:23 . 2011-08-02 22:23 260 ----a-w- c:\windows\system32\cmdVBS.vbs

2011-08-02 22:23 . 2011-08-02 22:23 256 ----a-w- c:\windows\system32\MSIevent.bat

2011-09-09 02:14 . 2011-03-26 16:50 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOvrly1]

@="{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}"

[HKEY_CLASSES_ROOT\CLSID\{A4EEBF66-92EB-4F2A-9F1E-2F6D14B30DA6}]

2007-04-20 18:40 118784 ----a-w- c:\program files\TrueSuite Access Manager\IconOvrly.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="c:\windows\system32\thpsrv" [X]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-03-07 819200]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-03-07 970752]

"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048]

"000StTHK"="000StTHK.exe" [2001-06-23 24576]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-04-20 101144]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-04-20 84760]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-04-20 125720]

"RTHDCPL"="RTHDCPL.EXE" [2007-04-13 16132608]

"NDSTray.exe"="NDSTray.exe" [bU]

"TFncKy"="TFncKy.exe" [bU]

"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]

"TFNF5"="TFNF5.exe" [2006-04-11 622592]

"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144]

"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2006-04-27 90112]

"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2005-12-14 126976]

"TOSDCR"="TOSDCR.EXE" [2005-12-13 57344]

"TouchED"="c:\program files\TOSHIBA\TouchED\TouchED.exe" [2005-06-29 126976]

"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 49152]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2007-04-10 159744]

"TosAutLk"="c:\program files\TOSHIBA\WirelessKeyLogon\TosAutLk.exe" [2006-11-21 110592]

"TPSODDCtl"="TPSODDCtl.exe" [2007-04-24 118784]

"TPSMain"="TPSMain.exe" [2007-04-24 315392]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]

"FingerPrintNotifer"="c:\program files\TrueSuite Access Manager\FpNotifier.exe" [2007-05-31 671744]

"UsbMonitor"="c:\program files\TrueSuite Access Manager\usbnotify.exe" [2007-06-05 94208]

"PwdBank"="c:\program files\TrueSuite Access Manager\PwdBank.exe" [2007-06-15 3147776]

"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2007-01-26 136816]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]

"Creative KSRun Persistence Module"="KSRun.dll" [2009-12-07 24064]

"VolPanel"="c:\program files\Creative\Volume Panel\VolPanlu.exe" [2009-07-07 241789]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]

"W888gTTZqhYw8234A"="c:\windows\system32\U22oonF44mH5sJd.exe" [2011-09-27 2463744]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]

2007-05-31 16:34 176128 ----a-w- c:\windows\system32\FpWinlogonNp.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Owner1\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Documents and Settings\\Justin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"21853:TCP"= 21853:TCP:BitComet 21853 TCP

"21853:UDP"= 21853:UDP:BitComet 21853 UDP

"50000:UDP"= 50000:UDP:IHA_MessageCenter

.

R0 AlfaFF;AlfaFF mini-filter driver;c:\windows\system32\drivers\AlfaFF.sys [6/21/2007 3:21 PM 29440]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/1/2009 2:34 AM 721904]

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [4/27/2007 1:19 PM 21120]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 6:23 PM 6528]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [6/7/2007 6:13 PM 36608]

S1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [6/7/2007 6:23 PM 5888]

S2 Authentec memory manager;Authentec memory manager service;c:\windows\system32\TAMSvr.exe [6/21/2007 3:21 PM 9216]

S2 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [6/21/2007 3:21 PM 106496]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/18/2010 12:42 AM 135664]

S2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [7/1/2011 3:01 PM 151552]

S2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 3:22 PM 105856]

S2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [6/7/2007 6:23 PM 126976]

S2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 3:15 PM 134016]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [5/14/2010 3:14 PM 79360]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/18/2010 12:42 AM 135664]

S3 ksaud;Creative USB Audio Driver;c:\windows\system32\drivers\ksaud.sys [12/15/2009 10:25 AM 857472]

S3 ksaudfl;ksaudfl;c:\windows\system32\drivers\ksaudfl.sys [10/24/2008 6:27 PM 1830912]

S3 QCEmerald;Logitech QuickCam Web(PID_0850);c:\windows\system32\drivers\lvce.sys [10/1/2009 7:29 PM 44544]

S3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [6/7/2007 6:23 PM 435072]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]

.

2011-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-18 04:42]

.

2011-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-18 04:42]

.

2011-09-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2034601438-1622992482-3957849795-1008Core.job

- c:\documents and settings\Owner1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-03 01:59]

.

2011-09-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2034601438-1622992482-3957849795-1008UA.job

- c:\documents and settings\Owner1\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-03 01:59]

.

2011-09-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2034601438-1622992482-3957849795-1009Core.job

- c:\documents and settings\Justin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-23 04:56]

.

2011-09-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2034601438-1622992482-3957849795-1009UA.job

- c:\documents and settings\Justin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-23 04:56]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.toshibadirect.com/dpdstart

uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart

TCP: DhcpNameServer = 192.168.1.1

DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB

FF - ProfilePath -

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-27 18:37

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(864)

c:\windows\system32\FpWinLogonNp.dll

.

- - - - - - - > 'explorer.exe'(1964)

c:\program files\TrueSuite Access Manager\IconOvrly.dll

c:\windows\system32\msi.dll

.

Completion time: 2011-09-27 18:40:00 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-27 22:39

.

Pre-Run: 115,773,489,152 bytes free

Post-Run: 119,647,711,232 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - C3428F8E9699780E7C747F29381328F8


Hello, and welcome to Malwarebytes, whytee:

Sorry to hear that your computer may be infected.

Alas, we cannot review scan logs or work on malware detection/removal in this part of the General MBAM forum.

Please read the following to get started on the cleaning process:

  • Excellent, self-help troubleshooting info for getting MBAM to run on an infected machine can be found here.
  • And there are specific, self-help malware removal instructions here.

If you would like expert assistance with cleaning your system, there are 3 support options from which to choose:

  • Option 1 -- Free, Expert advice in the Malware Removal Forum
  • Option 2 -- Free support for paying customers using MBAM PRO -- Contact MBAM Support via email
  • Option 3 -- Premium, Fee-Based Support

OPTION 1

As we don't deal with malware removal in this General MBAM Forum, you need to start a topic in the Malware Removal forum so that a qualified helper can help you fix any malware related problems/infections you may have.

  • First, please print out, read and follow the directions here, skipping any steps you are unable to complete.
  • If the infection has so crippled the computer that you cannot follow most/all of the requested steps, then please just proceed as advised below:
  • Then please post a NEW topic in the Malware Removal forum.
  • When posting your new thread, please make sure that, under "options", you select Track this topic and choose Immediate Email Notification, so that you're alerted when someone has replied to your post.
  • One of the expert helpers there will give you free, one-on-one assistance when one becomes available.

IMPORTANT NOTE: Please do NOT make any further changes to your computer such as (Install/Uninstall programs; use special fix tools; delete files; edit the registry; OR use temp file cleaners, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.

IMPORTANT NOTE: Please DO NOT post back to your topic or "bump" it within the first 48 hours.

Replying to your own posts changes the post count from zero. Helpers are looking for topics with zero replies. If you reply to your own post, helpers may think that you're already being helped and thus may overlook your post. This will only delay your obtaining assistance.


  • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.
    Or
  • You may send a Private Message to a Moderator asking for assistance.

OPTION 2

Alternatively, as a paying customer using MBAM PRO, you can contact the help desk at support@malwarebytes.org or here.

OPTION 3

If you would like to use the Malwarebytes Premium Services (Comprehensive solutions to all your computer support needs -- from installation and set-up to troubleshooting and tune-ups), please go to the Malwarebytes Premium Services support site.

Please be patient -- someone will assist you as soon as it is possible.

Thanks very much!

daledoc1

PS: Please use the [image] button instead of other ones when you reply here and at the other forums, so that it will be easier to read. :)
