I can get Malwarebytes to start from a fresh install by renaming the .exe file. When the program is installed I select to update and run MWB. The scan will run for about 2 seconds, then close.
If I try to run MWB from the application once it has been installed, I get the following error.
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.
This computer has the Windows Police Pro malware on it. I have killed the processes, deleted the folder in Program Files, and deleted files in Windows and in the registry. I am still not able to finish an MWB scan. I ran ComboFix, and it appeared to find many instances of this malware and removed them, but I still cannot run Malwarebytes or any other app without getting "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
I also can't get into safe mode anymore; I get a blue screen of death, stop error 0x7B, which I'm sure is because of this malware. I have just never seen malware cause a stop error before. Stop 0x7B says it could be a virus, so that is another reason I'm pretty confident it is this malware.
Anyway, here is my ComboFix log; I hope someone can help:
ComboFix 09-10-19.04 - Owner 10/20/2009 12:47.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.321 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Repair\ComboFix.exe
AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\LocalService\ntuser.dll
c:\documents and settings\NetworkService\ntuser.dll
c:\documents and settings\Owner\ntuser.dll
c:\documents and settings\Owner\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Owner\Start Menu\Programs\Startup\scandisk.lnk
c:\windows\Installer\15304.msi
c:\windows\ocoyizajova.dll
c:\windows\system32\bincd32.dat
c:\windows\system32\calc.dll
c:\windows\system32\config\systemprofile\Desktop\Windows Police Pro.lnk
c:\windows\system32\config\systemprofile\ntuser.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\windows\system32\drivers\hjgruijxvitkip.sys
c:\windows\system32\hjgruiebtexrao.dll
c:\windows\system32\hjgruikpwqwtli.dll
c:\windows\system32\hjgruillnsdkkp.dat
c:\windows\system32\hjgruilog.dat
c:\windows\system32\hjgruiqrnspfrw.dll
c:\windows\system32\hjgruivxjhxlhq.dat
c:\windows\system32\schtml
c:\windows\system32\schtml\dbsinit.exe
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_hjgruixbqjomuf
-------\Legacy_hjgruixbqjomuf
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
((((((((((((((((((((((((( Files Created from 2009-09-20 to 2009-10-20 )))))))))))))))))))))))))))))))
.
2009-10-20 15:46 . 2009-10-20 15:59 -------- d-----w- C:\test
2009-10-20 14:27 . 2009-10-20 16:59 -------- d--h--w- c:\windows\PIF
2009-10-20 14:23 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 14:23 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 14:23 . 2009-10-20 14:23 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-20 13:28 . 2009-10-20 13:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-10-20 12:58 . 2009-10-20 16:25 0 ----a-r- c:\windows\win32k.sys
2009-10-20 12:56 . 2009-10-20 12:56 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-20 12:44 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-20 12:44 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-10-20 12:44 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-10-20 12:44 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-10-20 12:44 . 2009-10-20 12:44 -------- d-----w- c:\program files\Avira
2009-10-20 12:44 . 2009-10-20 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-20 14:44 . 2004-09-07 22:48 120 ----a-w- c:\windows\Qbatopepacup.dat
2009-10-20 14:23 . 2004-09-07 22:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-20 12:40 . 2004-09-07 22:48 0 ----a-r- c:\windows\Vmidumerujom.bin
2009-10-20 12:39 . 2004-09-07 22:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-26 19:42 . 2009-05-12 03:50 94208 ----a-w- c:\windows\DUMP4faf.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mb.exe" [2009-09-10 1312080]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^..]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\..
backup=c:\windows\pss\..Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=2 (0x2)
"InCDsrv"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/20/2009 8:44 AM 108289]
.
Contents of the 'Scheduled Tasks' folder
2009-05-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2009-10-20 c:\windows\Tasks\User_Feed_Synchronization-{D0A37153-00D7-4B1E-8A4D-A5F2C8568839}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Dgitigejopevogan - c:\windows\ocoyizajova.dll
HKU-Default-Run-calc - c:\docume~1\LOCALS~1\ntuser.dll
AddRemove-HijackThis - c:\documents and settings\Owner\Desktop\Repair\HijackThis.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-20 13:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\bcmwltrytmp.reg
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
- - - - - - - > 'explorer.exe'(3276)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\HPZipm12.exe
c:\combofix\CF25270.exe
c:\windows\system32\wscntfy.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-20 13:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-20 17:04
Pre-Run: 29,988,347,904 bytes free
Post-Run: 31,584,215,040 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 1B383EFB58A0F548E3FC30F0EDBFD7B1