Melanie

CreateProcess failed; code 2


The HijackThis log is below. I could not include the Malwarebytes log because the program will not run. I get an error: CreateProcess failed; code 2; cannot find mbam.exe. Please help! Thank you.

- Melanie

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:56:24 AM, on 11/3/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DVDRAMSV.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Intuit\Entitlement Client\v5\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\WINDOWS\system32\mfevtps.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Panasonic\pcinfo\PCInfoPi.exe

C:\Program Files\Panasonic\pcinfo\PCInfoSV.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Panasonic\WSwitch\WSwitch.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Panasonic\Hotkey Appendix\HKEYAPP.EXE

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdater.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\RAMAsst.exe

C:\Program Files\Verizon Wireless\VZAccess Manager Panasonic\VZAccess Manager.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\WINDOWS\system32\drwtsn32.exe

C:\WINDOWS\system32\drwtsn32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = file://c:\windows\system32\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = file://c:\windows\system32\blank.htm

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [PRunOnce] "C:\util\prunonce\PRunOnce.exe"

O4 - HKLM\..\Run: [WSwitch] "C:\Program Files\Panasonic\WSwitch\WSwitch.exe"

O4 - HKLM\..\Run: [soundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [Panasonic Hotkey Manager] "C:\Program Files\Panasonic\Hotkey Appendix\HKEYAPP.EXE"

O4 - HKLM\..\Run: [PCinfo] "C:\Program Files\Panasonic\pcinfo\PcInfoUt.exe"

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"

O4 - HKLM\..\Run: [Persistence] "C:\WINDOWS\system32\igfxpers.exe"

O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [intuitUpdater] "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdater.exe" /command startup

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [sufehomop] Rundll32.exe "c:\windows\system32\mozulavo.dll",a

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - S-1-5-21-614275979-3058800555-1659933913-1007 Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager Panasonic\VZAccess Manager.exe (User 'QBPOSDBSrvUser')

O4 - S-1-5-21-614275979-3058800555-1659933913-1007 User Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager Panasonic\VZAccess Manager.exe (User 'QBPOSDBSrvUser')

O4 - .DEFAULT User Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager Panasonic\VZAccess Manager.exe (User 'Default user')

O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager Panasonic\VZAccess Manager.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMAsst.exe

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1256870246265

O17 - HKLM\System\CCS\Services\Tcpip\..\{8E91FBB3-D294-4981-A015-F118AF332645}: NameServer = 66.174.95.44 69.78.96.14

O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\system32\QBPOSProtocol.dll

O20 - AppInit_DLLs: c:\windows\system32\rewuvafu.dll nuduzude.dll c:\windows\system32\mozulavo.dll

O21 - SSODL: pijulobak - {0c403a82-1b5f-4be8-9e09-e43365cc37d5} - c:\windows\system32\rewuvafu.dll (file missing)

O21 - SSODL: tijorozin - {90487793-fdd2-4c3b-8588-816b20404a40} - (no file)

O21 - SSODL: nosaderut - {897dc824-2c7f-4406-8b64-0ce7b1a190be} - c:\windows\system32\mozulavo.dll

O22 - SharedTaskScheduler: gahurihor - {0c403a82-1b5f-4be8-9e09-e43365cc37d5} - c:\windows\system32\rewuvafu.dll (file missing)

O22 - SharedTaskScheduler: gahurihor - {90487793-fdd2-4c3b-8588-816b20404a40} - (no file)

O22 - SharedTaskScheduler: jugezatag - {897dc824-2c7f-4406-8b64-0ce7b1a190be} - c:\windows\system32\mozulavo.dll

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\derek\LOCALS~1\Temp\5Ua02484\~ic30\INSTAL~1.EXE (file missing)

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intuit Entitlement Service v5 - Intuit, Inc. - C:\Program Files\Common Files\Intuit\Entitlement Client\v5\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe

O23 - Service: Panasonic PC Information Viewer Service 2 (PcInfoPi) - Matsushita Electric Industrial Co., Ltd. - C:\Program Files\Panasonic\pcinfo\PCInfoPi.exe

O23 - Service: Panasonic PC Information Viewer (PcInfoSV) - Matsushita Electric Industrial Co., Ltd. - C:\Program Files\Panasonic\pcinfo\PCInfoSV.exe

O23 - Service: QBPOS Database Manager v7 (QBPOSDBServiceV7) - Intuit Inc. - C:\Program Files\Intuit\QuickBooks Point of Sale 7.0\DatabaseServer\QBPOSDBServiceV7.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--

End of file - 13410 bytes


Hi,

To run malwarebytes when you get the error code 2 during install, or mbam.exe gets deleted, please see here:

http://www.malwarebytes.org/forums/index.php?showtopic=29028

Once malwarebytes opens, click the "Update" tab, click "Check for Updates" in order to download the updates.

Then run the scan, let mbam quarantine/delete what it found and reboot afterwards.

After reboot, post the malwarebytes log together with a new HijackThis log.

When I try to run mbam.exe renamed to explorer.exe, I get error code 707 (3,0). What now? I'm trying to kill vundo.gen.ab. I'm running Windows XP in Safe mode. Thanks.


Hi,

The error you get appears to be related to the enumeration of the languages. Not sure what's up there... unless you didn't put it in the correct folder.

Please delete the renamed file again from your C:\Program Files\Malwarebytes Antimalware folder first.

Then try this renamed version:

http://users.telenet.be/bluepatchy/miekiem...mp/explorer.exe

Please make sure you put the renamed mbam.exe (explorer.exe) in the C:\Program Files\Malwarebytes Antimalware folder again and launch it from there.

Do you still get an error then?

Also, it's really important that the version of malwarebytes you have installed is the latest version. So it may be a good idea to redownload and reinstall it again.

Here.

I know you'll get an error again at the end of the installation, but that's because the malware deleted the mbam.exe while the installer extracted it, so that's why you have to put a renamed mbam.exe manually in that C:\program Files\Malwarebytes Antimalware folder.

Thanks. I was trying to launch it from a flash drive, not from the program folder. It's now running a quick scan and finding infected objects. All but one were removed. When prompted to restart, do I start in Safe mode or normal Start? I restarted in normal mode and got an error message Specified module (hovufuka.dll) could not be found. I clicked OK. System now appears to be running normally. Should I update and rerun a full scan before doing anything else, or is there something else I should do first?

I was trying to launch it from a flash drive, not from the program folder.
That explains it.

Yes, run in normal mode. The error you get is normal. That was also in the instructions of the link I posted.

Can you post the log from malwarebytes please?

Also post a NEW HijackThis log (rescan) so we can deal with these registry leftovers causing these errors.
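Added example, not part of the original post: a Python sketch of how the "registry leftovers" mentioned above can be picked out of a HijackThis log, by listing entries the tool marked as pointing at a missing file and DLLs referenced from more than one autostart section. The sample lines are copied from the log in the first post; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log in the first post of this thread.
SAMPLE_LOG = r"""
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [sufehomop] Rundll32.exe "c:\windows\system32\mozulavo.dll",a
O20 - AppInit_DLLs: c:\windows\system32\rewuvafu.dll nuduzude.dll c:\windows\system32\mozulavo.dll
O21 - SSODL: pijulobak - {0c403a82-1b5f-4be8-9e09-e43365cc37d5} - c:\windows\system32\rewuvafu.dll (file missing)
O21 - SSODL: nosaderut - {897dc824-2c7f-4406-8b64-0ce7b1a190be} - c:\windows\system32\mozulavo.dll
O22 - SharedTaskScheduler: gahurihor - {90487793-fdd2-4c3b-8588-816b20404a40} - (no file)
O22 - SharedTaskScheduler: jugezatag - {897dc824-2c7f-4406-8b64-0ce7b1a190be} - c:\windows\system32\mozulavo.dll
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")      # e.g. "O4 - HKLM\..\Run: ..."
DLL = re.compile(r"[^\s\"]+\.dll", re.IGNORECASE)   # full path or bare name ending in .dll
LEFTOVER = ("(file missing)", "(no file)")          # markers HijackThis appends itself


def parse(log):
    """Yield (section, body) for each 'Xn - ...' entry; other lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def leftovers(log):
    """Entries whose registry data still exists but whose target file is gone."""
    return [(s, b) for s, b in parse(log) if b.rstrip().endswith(LEFTOVER)]


def dll_load_points(log, sections=("O4", "O20", "O21", "O22")):
    """Map each DLL basename to the autostart sections that reference it."""
    seen = defaultdict(set)
    for section, body in parse(log):
        if section not in sections:
            continue
        for path in DLL.findall(body):
            seen[path.lower().rsplit("\\", 1)[-1]].add(section)
    return dict(seen)


def multi_registered(log):
    """DLLs wired into more than one load point, sorted by name."""
    return sorted(n for n, s in dll_load_points(log).items() if len(s) > 1)


if __name__ == "__main__":
    for section, body in leftovers(SAMPLE_LOG):
        print("leftover:", section, "-", body)
    for name in multi_registered(SAMPLE_LOG):
        print("multiple load points:", name, sorted(dll_load_points(SAMPLE_LOG)[name]))
```

Run it against a fresh log after the cleanup scan; a DLL that the scanner removed but that is still listed under a Run key or AppInit_DLLs is the kind of entry that produces the "module could not be found" message at startup.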


I updated and started a new quick scan. It is running extremely slowly (as is the entire system) and has found at least 2 more infections. Previous scan in Safe mode took about 5 minutes; this one is at 20 minutes and still going. I'll post a log when this scan finishes, if it ever does.

-----------------------------------------

Can you post the log from malwarebytes please?

Also post a NEW HijackThis log (rescan) so we can deal with these registry leftovers causing these errors.

Yes, a scan in normal mode always takes longer. But we recommend scanning in normal mode anyway, because it's not that powerful in safe mode.

The very long scan finally picked up kiligefu.dll and eliminated it. After restart a large number of .exe files were also eliminated during startup. I hope we have solved it. Thanks for your help. I will add logs when I have a bit more time.

-----------------------------------

Yes, a scan in normal mode always takes longer. But we recommend scanning in normal mode anyway, because it's not that powerful in safe mode.

azsunking.... Someone just notified me about the fact that you are not the original topic starter here, but Melanie is. This is extremely confusing if people start to post in each other's threads.

I'm sorry Melanie, I have not noticed this before. If you still need help, please read my instructions in my first post and post the logs in your next reply here... then I'll proceed with the help.

@azsunking, for your logs, it's better that you start your own thread with it. Thanks.


My apologies. As a new member I didn't understand the protocol. I will post the logs in a new thread. Again sorry.

------------------------------

azsunking.... Someone just notified me about the fact that you are not the original topic starter here, but Melanie is. This is extremely confusing if people start to post in each other's threads.

I'm sorry Melanie, I have not noticed this before. If you still need help, please read my instructions in my first post and post the logs in your next reply here... then I'll proceed with the help.

@azsunking, for your logs, it's better that you start your own thread with it. Thanks.

The very long scan finally picked up kiligefu.dll and eliminated it. After restart a large number of .exe files were also eliminated during startup. I hope we have solved it. Thanks for your help. I will add logs when I have a bit more time.

-----------------------------------

Yes, a scan in normal mode always takes longer. But we recommend scanning in normal mode anyway, because it's not that powerful in safe mode.

Thank you for your reply. With help of a friend I found the problem was that the downloading of the malwarebytes executable file was being blocked, so he found a place (I'm not sure where) to download the executable separately, and now it works. Also it seems to have REALLY helped all the problems we were having. I'm very glad to have learned of the program from the Windows users group where it was suggested to me.

Melanie


Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
