Problem - Please Help

[SCHC]

I went to run MBAM last night for a routine scan and it won't work.  I've tried downloading it again and reinstalling (even renaming it) and still nothing.  I read the instructions about what to do before making requests and followed them all, except, for obvious reasons,  the step that requires running MBAM, and the step involving Hijack This (I didn't run it b/c the instructions said not to do it until all other steps had been completed).

If anyone could help me, I'd greatly appreciate it.

Thanks.

[Dr Jay]

Hello. We need to do some diagnostics to get started.

1. Please download Rooter and Save it to your desktop

• Double click it to start the tool.
• Click Scan.
• Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.

2. Download LockSearch to your desktop

• A window will pop up, Press 2 and then Enter. A scan will start, let it run uninterrupted. It should only take a few minutes.
• A log will appear when it is finished, it will also be saved in the same location as LockSearch, which should be on your desktop. Post the contents of the log in your reply
  

3. Please download CKScanner by askey127 from here
Save it to your desktop.

• Doubleclick CKScanner.exe and click Search For Files.
  
• After a very short time, when the cursor hourglass disappears, click Save List To File.
  
• A message box will verify that the file is saved.
• Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

4. Please download <a href="http://www.helpmyos.com/Cheetah-php-h15.htm?cheetah.zip" target="_blank">Cheetah-Anti-Rogue[/url], and save to your Desktop.

• Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
• Double-click on Cheetah-Anti-Rogue.cmd to start.
• It will finish quickly and launch a log.
• Post the contents of it in your next reply.

5. I request the following logs to be posted in your next reply, please:
-Rooter
-LockSearch
-CKScanner
-Cheetah

Thanks. :)

[SCHC]

Here goes.



Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 15 Stepping 13, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Disabled !
.
Internet Explorer 7.0.5730.13
.
C:\  [Fixed-NTFS] .. ( Total:109 Go - Free:80 Go )
D:\  [CD_Rom]
.
Scan : 00:35.26
Path : C:\Documents and Settings\Me\Desktop\Rooter.exe
User : Me ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (464)
______ \??\C:\WINDOWS\system32\csrss.exe (520)
______ \??\C:\WINDOWS\system32\winlogon.exe (552)
______ C:\WINDOWS\system32\services.exe (596)
______ C:\WINDOWS\system32\lsass.exe (608)
______ C:\WINDOWS\system32\svchost.exe (816)
______ C:\WINDOWS\system32\svchost.exe (868)
______ C:\Program Files\Windows Defender\MsMpEng.exe (908)
______ C:\WINDOWS\System32\svchost.exe (968)
______ C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (1040)
______ C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (1104)
______ C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe (1148)
______ C:\WINDOWS\system32\svchost.exe (1244)
______ C:\WINDOWS\system32\svchost.exe (1312)
______ C:\Program Files\Tall Emu\Online Armor\OAcat.exe (1472)
______ C:\Program Files\Tall Emu\Online Armor\oasrv.exe (1584)
______ C:\WINDOWS\explorer.exe (1948)
______ C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (360)
______ C:\WINDOWS\system32\spoolsv.exe (508)
______ C:\Program Files\Avira\AntiVir Desktop\sched.exe (740)
______ C:\Program Files\Avira\AntiVir Desktop\avguard.exe (612)
______ C:\WINDOWS\system32\svchost.exe (1632)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (1796)
______ C:\Program Files\Bonjour\mDNSResponder.exe (1816)
______ C:\WINDOWS\system32\nvsvc32.exe (2244)
______ C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (2324)
______ C:\WINDOWS\system32\svchost.exe (2444)
______ C:\WINDOWS\System32\alg.exe (3692)
______ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (1092)
______ C:\WINDOWS\system32\rundll32.exe (3840)
______ C:\WINDOWS\system32\RunDLL32.exe (1552)
______ C:\WINDOWS\OEM02Mon.exe (2120)
______ C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (2472)
______ C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (2564)
______ C:\WINDOWS\stsystra.exe (3432)
______ C:\WINDOWS\system32\KADxMain.exe (3540)
______ C:\Program Files\Dell\MediaDirect\PCMService.exe (3684)
______ C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (3948)
______ C:\Program Files\iTunes\iTunesHelper.exe (1520)
______ C:\WINDOWS\system32\rundll32.exe (1672)
______ C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (2088)
______ C:\Program Files\Tall Emu\Online Armor\oaui.exe (2540)
______ C:\WINDOWS\system32\ctfmon.exe (2572)
______ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (2840)
______ C:\Program Files\Digital Line Detect\DLG.exe (3016)
______ C:\Program Files\Tall Emu\Online Armor\OAhlp.exe (2424)
______ C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe (2920)
______ C:\Program Files\iPod\bin\iPodService.exe (2408)
______ C:\Program Files\Java\jre6\bin\jqs.exe (1352)
______ C:\Program Files\Mozilla Firefox\firefox.exe (2940)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (336)
______ C:\Documents and Settings\Me\Desktop\Rooter.exe (3648)
______ C:\WINDOWS\system32\wscntfy.exe (3772)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:106896384)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:106928640 | Length:117234915840)
\Device\Harddisk0\Partition0 (Start_Offset:117350069760 | Length:2681441280)
\Device\Harddisk0\Partition3 (Start_Offset:117350102016 | Length:2681409024)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\Tasks\MP Scheduled Scan.job
C:\WINDOWS\Tasks\Norton Security Scan.job
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 00:36.01
.
C:\Rooter$\Rooter_1.txt - (05/03/2010 | 00:36.01)

[SCHC]

LockSearch by jpshortstuff (05.11.09.1)
Log created at 00:37 on 05/03/2010 (Me)
Scanning C:\


C:\hiberfil.sys
-------------------------


C:\pagefile.sys
-------------------------

-=E.O.F=-

[SCHC]

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\me\my documents\media\my music\itunes\itunes music\hootie & the blowfish\cracked rear view\02 hold my hand.m4a
c:\documents and settings\me\my documents\media\my music\itunes\itunes music\hootie & the blowfish\cracked rear view\03 let her cry.m4a
c:\documents and settings\me\my documents\media\my music\itunes\itunes music\hootie & the blowfish\cracked rear view\04 only wanna be with you.m4a
c:\documents and settings\me\my documents\media\my music\itunes\itunes music\hootie & the blowfish\cracked rear view\08 time.m4a
scanner sequence 3.CA.11
 ----- EOF -----

[SCHC]

Cheetah-Anti-Rogue v1.3.23
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Date: 03/05/2010 - Time:  0:42:16 - Arch.: x86
 
 
-- Malware removal tools check --
CCleaner
Malwarebytes' Anti-Malware
SUPERAntiSpyware
 
 
-- Known infection --
 
 
 
Extra message: Detection only.
 
 
EOF

[SCHC]

Thanks.

[Dr Jay]

[list=1]

• Download Win32kDiag from any of the following locations and save it to your Desktop.
  
  • Download Win32kDiag (Win32kDiag.exe) - #1
    
  • Download Win32kDiag (Win32kDiag.exe) - #2
    
  • Download Win32kDiag (Win32kDiag.exe) - #3
    
• Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  
• When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  
• Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
  

[SCHC]

Running from: C:\Documents and Settings\Me\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Me\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

[Dr Jay]

Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop.

• Double-click mbr.exe to start the program.
  
• When done scanning, it will save a log on the Desktop called mbr.log.
  
• Please post the contents of that log in your next reply.

=========

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

[SCHC]

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

[SCHC]

Malwarebytes still won't open.  I tried downloading it again and still nothing.

[Dr Jay]

[list=1]

• We will need to download a new copy of it and put it in the C:\program files\Malwarebytes' Anti-Malware\ folder. To download the file please click on the following link: Malwarebytes' RANDOM - EXE Download
  
  When your browser prompts you where to save it to, please save it to the C:\program files\Malwarebytes' Anti-Malware\ folder. When downloading the file, it will have a random filename. Please leave the filename the way it is as it is important that it is not changed. You may want to write down the name of the file as you will need to know the name in the next step.
  
• Once the file has been downloaded, open the C:\program files\Malwarebytes' Anti-Malware\ folder and double-click on the file you downloaded in step 8. MBAM should now start and you will be at the main program screen.

Let me know if this helps.

[SCHC]

Yes, it opened.  I'm assuming I need to run a scan now, but won't do anything until you say so.  If so, should I do a quick scan or a full one?

[Dr Jay]

Do a quick scan, please.