Dymium (November 22, 2014, ID:911437):

My previous topic is here. Whenever I try to run a scan, MBAM will ask to install database updates. Whether or not I let it install database updates, it will fail with either "SDKDatabaseLoadDefaults failed with code: 1812" or "SDKDatabaseLoadDefaults failed with code: 2". This same issue happens in both Chameleon mode and in Windows Safe Mode. I'm currently running Windows 7. (Ignore the Windows 8 theme.) I have no idea what is causing this error, or whether it is malware or not, and I was told that I can get better support here.

Some things to note:
- My disk is not encrypted with TrueCrypt
- I have no other installed AVs besides MBAM
- A scan I did with Comodo Internet Security turned up clean
- Clean uninstalling and then reinstalling MBAM doesn't fix this error
- This error happens in Chameleon mode and Safe Mode

Attached are the FRST and MBAM logs: Addition.txt, CheckResults.txt, FRST.txt
kevinf80 (November 22, 2014, ID:911457):

Hello and P2P/Piracy Warning: If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Next, please download Malwarebytes Anti-Rootkit from the following link: https://malwarebytes.app.box.com/s/xiaxsbl4cjdyyqx5wp8q
- Unzip the contents to a folder in a convenient location.
- Open the folder where the contents were unzipped and run mbar.exe
- Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
- Click on the Cleanup button to remove any threats and reboot if prompted to do so.
- Wait while the system shuts down and the cleanup process is performed.
- Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
- When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

Kevin....
Dymium (Author, November 22, 2014, ID:911489):

(quoting kevinf80) Hello and P2P/Piracy Warning: Next, please download Malwarebytes Anti-Rootkit from the following link: https://malwarebytes.app.box.com/s/xiaxsbl4cjdyyqx5wp8q Unzip the contents to a folder in a convenient location. Open the folder where the contents were unzipped and run mbar.exe. Follow the instructions in the wizard to update and allow the program to scan your computer for threats. Click on the Cleanup button to remove any threats and reboot if prompted to do so. Wait while the system shuts down and the cleanup process is performed. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process. When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt. Kevin....

The link (https://malwarebytes.app.box.com/s/xiaxsbl4cjdyyqx5wp8q) leads to a removed file, and I can't download MBAM Anti-Rootkit from it.
Dymium (Author, November 22, 2014, ID:911494):

Okay, instead of using that link, I went ahead and downloaded MBAM Anti-Rootkit from http://www.malwarebytes.org/downloads/ . Updating the database goes fine, but when MBAR tries to scan, I get this error: I have tried restarting and then running the scan, and I get the same error. It only left one log, not two. I have attached it to this post: system-log.txt
kevinf80 (November 22, 2014, ID:911505):

See if you can run FRST from the recovery environment as follows:

Please download Farbar Recovery Scan Tool from here: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ and save it to a USB flash drive. Ensure you get the correct version for your system, 32 bit or 64 bit.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

- Plug the flash drive into the infected PC.
- If you are using Windows 8, consult How to use the Windows 8 System Recovery Environment Command Prompt here: http://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/ to enter the System Recovery Command Prompt.
- If you are using Vista or Windows 7, enter System Recovery Options.

Enter System Recovery Options. I give two methods; use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer. As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Select your country as the keyboard language setting, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

To enter System Recovery Options by using a Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Select your country as the keyboard language setting, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

On the System Recovery Options menu you may get the following options:
- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt

Select Command Prompt. In the command window type in notepad and press Enter. Notepad opens. Under the File menu select Open. Select "Computer", find your flash drive letter, and close Notepad.

In the command window type e:\frst64 or e:\frst depending on your version, and press Enter.
Note: Replace the letter e with the drive letter of your flash drive.

The tool will start to run. When the tool opens, click Yes to the disclaimer. Type the following in the edit box after "Search:":
explorer.exe
Click the Search button and post the log (Search.txt) it makes in your reply.

Kevin...
Dymium (Author, November 22, 2014, ID:911534):

Okay, did that. Search.txt
kevinf80 (November 22, 2014, ID:911547):

explorer.exe is patched; we need to replace it with FRST. Do the following:
- Save the attached file fixlist.txt to your flash drive, same place as FRST.
- Now please enter System Recovery Options as you did to get the log.
- Run FRST and press the Fix button just once and wait.
- The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot your PC to normal mode and see what happens when you give Malwarebytes a run... Fixlist.txt
Dymium (Author, November 22, 2014, ID:911560):

Did that; it just reverted my custom start button. MBAM still won't scan, I get "SDKDatabaseLoadDefaults failed with code: 2" like before.
kevinf80 (November 22, 2014, ID:911571):

Run this please:

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/
- Quit all running programs.
- For Windows XP, double-click to start.
- For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start, and when prompted allow it to run.
- Read and accept the EULA (End User License Agreement).
- Click Scan to scan the system.
- When the scan completes select "Report"; the log will open. Close the program. Don't Fix anything!
- Post back the report, which should also be located here:
  C:\Programdata\RogueKiller\Logs <-------- W7/8
  C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <------ XP

Kevin...
Dymium (Author, November 22, 2014, ID:911573):

Done. RKreport_SCN_11222014_175540.log
kevinf80 (November 22, 2014, ID:911574):

Go here: https://forums.malwarebytes.org/index.php?/topic/146017-mbam-clean-removal-process-2x/ and follow those instructions for a clean install of Malwarebytes. When reinstalling the program please try the latest version from here: http://www.malwarebytes.org/mwb-download/
- Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware, and from the Dashboard please Check for Updates by clicking the Update Now... link.
- Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit, and under Non Malware Protection set both PUP and PUM to Treat detections as malware.
- Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
- Once completed please click on History > Application Logs, find your scan log and open it, then click on the "copy to clipboard" button and post back the results in your next reply.
Dymium (Author, November 22, 2014, ID:911578):

Scan still won't run, same error as before.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/22/2014
Scan Time: 6:30:11 PM
Logfile:
Administrator: Yes

Version: 0.00.0.0000
Malware Database: v2014.11.22.15
Rootkit Database: v2014.11.22.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Administrator

Scan Type:
Result: Failed
Objects Scanned: 0
(No malicious items detected)
Time Elapsed: 0 min, 0 sec

Memory: Disabled
Startup: Disabled
Filesystem: Disabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Disabled
PUP: Disabled
PUM: Disabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)
kevinf80 (November 22, 2014, ID:911583):

All settings are disabled. Open Malwarebytes, select "Settings", then select "General settings", then select "Restore default settings"; then select "Detection and Protection", then select "Recommended Settings". Will Malwarebytes now run a threat scan?
Dymium (Author, November 23, 2014, ID:911587):

(quoting kevinf80) All settings are disabled. Open Malwarebytes, select "Settings", then select "General settings", then select "Restore default settings"; then select "Detection and Protection", then select "Recommended Settings". Will Malwarebytes now run a threat scan?

No, I still get the same error that I have been getting.
kevinf80 (November 23, 2014, ID:911591):

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/
There are three buttons to choose from with different names on; select the first one and save it to your desktop. Double-click on the Rkill desktop icon to run the tool. If using Vista or Windows 7/8, right-click on it and Run As Administrator. A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully. A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply. If you do not see the black box flash on the screen, delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again; continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names; try them one at a time. If the tool does not run from any of the links provided, please let me know.

Next, read the following link before we continue and run Combofix: ComboFix usage, Questions, Help? - Look here

Next, delete any versions of Combofix that you may have on your Desktop and download a fresh copy from either of the following links:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.infospyware.net/antimalware/combofix/

Ensure that Combofix is saved directly to the Desktop <--- Very important

Disable all security programs as they will have a negative effect on Combofix; instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed; if you need more help please ask.

Close any open browsers and any other programs you might have running. Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator"). Instructions for running Combofix are available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.

If you are using Windows XP it might display a pop up saying "Recovery console is not installed, do you want to install?" Please select yes and let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.

When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.

****Note: Do not mouseclick Combofix's window while it's running. That may cause it to stall or freeze ****
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*
- If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
- If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
- If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in next reply please...
Kevin
Dymium (Author, November 23, 2014, ID:911658):

Sorry for the long wait for my reply. There was no C:\rkill.log, but Rkill left a log in the folder I ran it from. I've attached it to this post. I've also attached the ComboFix log. Rkill.txt ComboFix.txt
kevinf80 (November 23, 2014, ID:911663):

Thanks for the logs, continue please.....

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the Codebox below into it:
ClearJavaCache::
Save this as CFScript.txt, and as Type: All Files (*.*), in the same location as ComboFix.exe. Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next, run Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Windows 7/8 right click on the IE shortcut and run as admin. (To run ESET Online Scanner in a browser other than Internet Explorer, you'll need to download ESET SMART Installer during the process.)

- Go to the Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.
- Turn off the real time scanner of any existing antivirus program while performing the online scan.
- Click on the Run ESET Online Scanner button.
- Tick the box next to YES, I accept the Terms of Use. Click Start.
- When asked, allow the add-on to be installed. Click Start.
- Make sure that the option "Remove found threats" is UNticked.
- Click on Advanced Settings, ensure the following options are checked:
  Scan for potentially unsafe applications
  Enable Anti-Stealth Technology
- Click Scan; wait for the virus definitions to be downloaded.
- Wait for the scan to finish.

When the scan is complete:
- If no threats were found, put a checkmark in "Uninstall application on close", close the program, and report to me that nothing was found.
- If threats were found, click on "list of threats found", click on "export to text file" and save it as ESET SCAN to the desktop. Click on back, put a checkmark in "Uninstall application on close", click on finish, close the program.

Copy and paste the report in next reply.

Kevin...
Dymium (Author, November 24, 2014, ID:911914):

Nothing was found in the scan. ComboFix.txt
kevinf80 (November 24, 2014, ID:911980):

Thanks for those logs, continue as follows and run a clean install of Malwarebytes:

Download and save mbam-clean.exe to your desktop from the following: http://www.malwarebytes.org/mbam-clean.exe
Now do the following:
- Click on Start and select Control Panel
- Open Uninstall a Program (for XP use Add/Remove Programs)
- Uninstall Malwarebytes' Anti-Malware
- Restart your computer, very important to do that!!
- Run mbam-clean.exe
- It will ask to restart your computer; please allow it to do so, very important!!

Next, download and install Malwarebytes again and update as follows:
- Download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to the following: Launch Malwarebytes Anti-Malware
- A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
- Click Finish.
- On the Dashboard, click the 'Update Now >>' link
- After the update completes select Settings > Detection and Protection > Enable Scan for rootkit, and under Non Malware Protection set both PUP and PUM to Treat detections as malware.
- Now select Scan > Threat scan > Scan now
- When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected. In most cases, a restart will be required. Wait for the prompt to restart the computer to appear, then click on Yes.
- After the restart (if applicable), once you are back at your desktop, open MBAM once more.
- Click on the History tab > Application Logs.
- Double click on the scan log which shows the date and time of the scan just performed.
- Click 'Copy to Clipboard'
- Paste the contents of the clipboard into your reply.

Kevin
Dymium (Author, November 25, 2014, ID:912368):

I followed your instructions exactly, and the scan will still not run. It produces the same error that's in my original post.
kevinf80 (November 25, 2014, ID:912389):

We must have missed deep rooted malware/infection, continue please:

Re-run FRST; make sure all boxes are checkmarked under "Whitelist" and also make sure only "Addition.txt" is checkmarked under "Optional scan". Post both logs, FRST.txt and Addition.txt

Next, please download Gmer from Here by clicking on the "Download EXE" button.
- Double click on the randomly named GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
- If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
- In the right panel, you will see several boxes that have been checked. Uncheck the following:
  Sections
  IAT/EAT
  Show All (should be unchecked by default)
- Leave everything else as it is.
- Close all other running programs as well as your browsers.
- Click the Scan button and wait for it to finish.
- Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop.
- Please post the content of the ark.txt here.

**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
**If GMER crashes** Follow the instructions here and disable your security temporarily…

Next, please download aswMBR from here: http://files.avast.com/files/rootkit-scanner/aswmbr.exe and save it to your desktop.
- Double click the aswMBR.exe icon, and click Run.
- There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
- When asked if you'd like to "download the latest Avast! virus definitions", click Yes. Typically this is about a 100MB download, so depending on your connection speed it can take a short while to download and become ready.
- Click the Scan button to start the scan once the update has finished downloading.
- On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat; do not delete this for now. It is an actual backup of the MBR (master boot record).

Thanks,
Kevin...
Dymium (Author, November 26, 2014, ID:912933):

GMER runs, but it gets this error partway through the scan:

------------------------------------------------------
C:\Users\Administrator\ntuser.dat: The process cannot access the file because it is being used by another process.
---------------------------
OK
---------------------------

It then says it has completed scanning, and the log it produces is empty. All the other scans ran OK; I posted the logs. Addition.txt aswMBR.txt FRST.txt
kevinf80 (November 26, 2014, ID:912952):

GMER should not show that error. Was GMER running from an account with Administrator status?

Run this please... Please read carefully and follow these steps.
- Download TDSSKiller from here http://support.kaspersky.com/downloads/utils/tdsskiller.exe and save it to your Desktop.
- Double-click on it to run the application.
- The "Ready to scan" window will open. Click on "Change parameters".
- Place a checkmark next to Verify Driver Digital Signature and Detect TDLFS file system (leave "Services & Drivers" and "Boot Sectors" ticked). Click OK.
- Select "Start Scan".
- If an infected file is detected, the default action will be Cure; click on Continue.
- If a suspicious file is detected, the default action will be Skip; click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Thanks,
Kevin..
Dymium (Author, November 27, 2014, ID:913189):

GMER was running with full administrator status. TDSSKiller found no infections. TDSS log.txt
kevinf80 (November 27, 2014, ID:913197):

Select the Windows key and R key together. Into the run box type regedit and tap Enter; Registry Editor will open.....

Expand the following key:
HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows > safer > codeidentifiers > 0

Do not expand the folder 0. Right click on that folder and choose "Export". A new window will open; make sure to change "Save in" to Desktop. From the desktop right click on the reg file > select > Send to > Compressed (zipped) folder.... Attach to next reply.

Kevin...
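The key Kevin asks to export holds Software Restriction Policy rules; its level subkeys (0 = Disallowed, 0x40000 = Unrestricted) contain the path rules that decide which programs may run. As an added example that is not part of this thread, the PowerShell below reads that key in place and lists each path rule by level, flagging any Disallowed rule that would cover the Malwarebytes install folder. The install path and the script name are assumptions; the script is read-only and complements the requested export rather than replacing it.

```powershell
# Added example, not from the thread. Read-only; run from an elevated PowerShell prompt.
# Lists SRP path rules under the CodeIdentifiers key and flags Disallowed rules that
# would cover the Malwarebytes folder. Hash/certificate rules are not inspected here.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels are the decimal names of the subkeys directly under CodeIdentifiers.
$LevelNames = @{
    0       = 'Disallowed'
    0x1000  = 'Basic User'
    0x20000 = 'Normal User'
    0x40000 = 'Unrestricted'
}

# Assumed default install folder; adjust if Malwarebytes was installed elsewhere.
$WatchFolder = 'C:\Program Files\Malwarebytes Anti-Malware'

function Get-SrpPathRules {
    if (-not (Test-Path $Base)) {
        Write-Warning "No SRP policy key at $Base (no path rules defined on this machine)"
        return
    }
    $props = Get-ItemProperty -Path $Base -ErrorAction SilentlyContinue
    if ($null -ne $props.DefaultLevel) {
        $lvl = [int]$props.DefaultLevel
        Write-Host ("Default level: 0x{0:X} ({1})" -f $lvl, $LevelNames[$lvl])
    }
    foreach ($levelKey in Get-ChildItem -Path $Base) {
        $level = 0
        # Skip any subkey whose name is not a numeric security level.
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$level)) { continue }
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $r = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level       = if ($LevelNames.ContainsKey($level)) { $LevelNames[$level] }
                              else { '0x{0:X}' -f $level }
                # ItemData is the rule's path (REG_EXPAND_SZ); expand any %VAR% it contains.
                Path        = [Environment]::ExpandEnvironmentVariables([string]$r.ItemData)
                Description = $r.Description
                RuleId      = $rule.PSChildName
            }
        }
    }
}

$rules = @(Get-SrpPathRules)
$rules | Format-Table -AutoSize

# A Disallowed rule on "*" or on a parent of the install folder would block the scanner.
$suspect = $rules | Where-Object {
    $_.Level -eq 'Disallowed' -and
    ($_.Path -eq '*' -or $WatchFolder -like ($_.Path.TrimEnd('\') + '*'))
}
if ($suspect) {
    Write-Host "Disallowed rules covering $WatchFolder :"
    $suspect | Format-Table Path, Description, RuleId -AutoSize
} else {
    Write-Host "No Disallowed path rule covers $WatchFolder"
}
```

Export the key as Kevin asks before changing anything, so the original rules are preserved as evidence.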