smart virus - won't let me run malwarebytes

I don't have good specifics... sorry.
My problem sounds just like sugarcane64 posted recently, however I can not get malwarebytes to run after installing from a flash drive. I renamed it to get the computer to install it. Still won't open/run it.

It started with a rogue malware application 2 days ago that I think I removed with Adaware. My other spwyare programs won't run, or reinstall after I deleted them. The computer was opening in safe mode with the black screen and 4 corners, but no icons. Did some reading and thot I had "incompatible motherboard chipset video driver". Was trying to follow those instructions with no luck because I could not start from a CD and don't seem to have my computer instructions about how to do something microsoft wanted me to do with my BIOS.

So i think I restarted with last known good... that had icons that did not work. Then I restarted in VGA mode. Then I restarted normally and it worked. But google redirected to a variety of pages. Now it won't connect to any website so it seems to be getting worse.

I have been reading your website for months, and appreciate all the help you provide. Thanks, Cheryl

{Mod Edit:Moved from XP to AII~~boopme}

Hi Cheryl.
Because of the wide variety of computer manufacturers and BIOS manufacturers over the evolution of computers, there have been numerous different ways to enter the BIOS or CMOS Setup. Below is a listing of the majority of these methods as well as other recommendations for entering the BIOS setup.

How to enter the BIOS or CMOS setup

Hopefully you can run it from the CD

Thanks for the answer, however I was not quite clear. I am now able to start windows regularly. I have an infection of something that I need help getting rid of. I have not been able to go to or run malware/spyware. The browser redirects. I have also tried downloading to my other computer and installing from flashdrive. It will install if I change the program name.
It will not run once it is on the computer. Thanks, Cheryl

OK, so we need to do it this way.You may have already tried the first one.

Once downloaded, rename the program installer "mbam-setup.exe" file to something else like "chryl.exe", then copy the installer file and the update file to a CD or flash drive.
Transfer the file to the problem machine, then install the "cheryl.exe" file, then run the update to get the program current.. After that, run a full system scan and delete anything it finds.
Malwarebytes Manual Updater link
http://www.malwarebytes.org/mbam/dat...mbam-rules.exe
Post back the log.

If the program installs correctly but then won't run, please access the "C:\Program Files\ Malwarebytes Antimalware folder and rename the "mbam.exe" file to something else,as above.. Make sure it has a .exe(dot exe) file extension and then double click on the newly named file. Malwarebytes should run correctly now..

Maybe, I am doing something wrong. It still won't open.

I downloaded malwarebytes and renamed it cheryl.exe. I tried the manual updater link u gave, but it did not work on my "good" computer. I googled and found on c-net a "corrected" malwarebytes manual updater link at http://www.malwarebytes.org/mbam/database/mbam-rules.exe, I don't know if that is really right, but it downloaded and I renamed it cherylupdate.exe. I copied both to my flash drive. Installed the first one. Doubleclicked on the 2nd one and it behaved just like the first one did only faster.

When I double click on cheryl.exe on my problem computer it will not open. What am I doing wrong?

Thanks, Cheryl

Ok, I guess I didn't fully read your #2 suggestion, but I think I need more details on how to do that. What do you mean by "please access", and do I do that on my good computer or my bad one. Sorry for my lack of knowledge.

Sometimes I try to make things to difficult. On my infected computer, I went to program files..malwarebytes etc. There was no file called mbam.exe. The folder was created this am, when I tried to install it earlier so I thot something might be mixed up. I deleted the malwarebytes program from the add/delete place, it restarted and now it won't open up any users.
I shut it off... will try again in the am, maybe it needs a rest.

here are my logs:

1)


Malwarebytes' Anti-Malware 1.31
Database version: 1498
Windows 5.1.2600 Service Pack 2

12/13/2008 9:45:25 PM
mbam-log-2008-12-13 (21-45-25).txt

Scan type: Quick Scan
Objects scanned: 127601
Time elapsed: 36 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\TDSSarxx.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSnvuo.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSvoql.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Drivers\TDSSmxjt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS5ca2.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS630a.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS69f0.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS73d3.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS7a8a.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\CHERYL\Local Settings\Temp\TDSS36c6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winscenter.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\CHERYL\Local Settings\Temp\TDSS36a7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS56b6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSdxcp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkkai.log (Trojan.TDSS) -> Quarantined and deleted successfully.



2)

Malwarebytes' Anti-Malware 1.31
Database version: 1498
Windows 5.1.2600 Service Pack 2

12/14/2008 1:31:54 AM
mbam-log-2008-12-14 (01-31-54).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 251275
Time elapsed: 1 hour(s), 36 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP83\A0008470.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP83\A0008510.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP83\A0008512.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP83\A0008513.sys (Trojan.TDSS) -> Quarantined and deleted successfully.


3)

Malwarebytes' Anti-Malware 1.31
Database version: 1499
Windows 5.1.2600 Service Pack 2

12/14/2008 2:54:12 PM
mbam-log-2008-12-14 (14-54-12).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 251554
Time elapsed: 1 hour(s), 42 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\svhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.


4)

Malwarebytes' Anti-Malware 1.31
Database version: 1499
Windows 5.1.2600 Service Pack 2

12/14/2008 5:30:36 PM
mbam-log-2008-12-14 (17-30-36).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 251559
Time elapsed: 1 hour(s), 41 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Looks good to me. What is/are the best programs to keep these horrid things away?

thanks, cheryl

Good Job !! cheryl !!

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Then use Disk Cleanup to remove all but the most recently created Restore Point.
• Go to Start > Run and type: Cleanmgr
• Click "Ok"
• Disk Cleanup will scan your files for several minutes, then open.
• Click the "More Options" Tab.
• Click the "Clean up" button under System Restore.
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
• Click Yes, then click Ok.
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
• Disk Cleanup will remove the files and close automatically.

Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection, be sure to read:
• Simple and easy ways to keep your computer safe
• "How did I get infected?, With steps so it does not happen again!".
• "Best Practices - Internet Safety for 2008"..
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".

I did make a new restore point, but did NOT erase my old restore points.

Something made me run a malwarebytes scan on a different desk. It found 3 objects. Call this one desk 2.
Desk 3 found 7 objects. Desk 4 found 10 objects. Desk 5 found 0 objects.


1) Am I missing a setting on the malwarebytes program. Shouldn't it scan the whole computer including everyone's desks at once? Or do I have to run scans on each desk consecutively before I am "clear"?

2) Task manager is malfunctioning only on desk 4. It will not open or close properly, and appears to me to be unusable.




Thanks, Cheryl

Hello again. Yes you should Run it on all accounts. Sometimes thats needed.
You can post logs if you like, or Update and rescan till clean. Either way is ok by me.

Task Manager..

This step involves making changes in the registry. Always back up your registry before making any changes.

Go to Start » Run and type: regedit
Click OK.
On the left side, click to highlight My Computer at the top.
Go up to File » Export
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put RegBackup.
Choose to save it to C:\
Click save and then go to File » Exit.
Or you can download and use ERUNT which is an excellent free tool that allows you to to take a snapshot (backup) of your registry before making changes and restore it when needed.

Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #275 and click "Lift Restrictions - TM, Regedit and CMD" in the left column. Go to File, choose "Save page as" All Files and save regtmcmdrestore.vbs to your desktop. Double-click on that file to allow the script to run and reboot when done. Since the script modifies certain registry settings your anti-virus package may warn you about it. Ignore the warning and allow it to run.

I have the same problem on my sister's computer. I have to run the install in safe mode because the computer just freezes up upon bootup..I renamed the file on my computer, used my network to transfer over the file...the install finally booted up from changing the name...at the end of the install it just stops at finishing files or something like that..I look in her processes and there are one or multiple mbam.exe's and one or two of the renamed install file...if I end one of the processes [random, if i get the right one]..you can install it in safe mode can't you? If I get it installed, i changed the .exe in the malewarebyte folder, i even renamed the folder and put it on the desktop when I installed it..can't seem to get mbyte to launch...I downloaded the rules and renamed it also, right now I'm going to try to manually install it if I can get malbyte to install correctly without becoming inactive at the end of the install. I'm trying to see if I can install it without being in safe mode, but everything just lags, is non clickable..and she gets BSOD somewhat frequently..

Alright, computer seems totally unresponsive to any loading or clicking when not in safe mode...
I'm about to restart in safe mode, see what's turned on in her msconfig..disable all the startup things...
reboot again, and hope I can get it to install correctly without 'freezing' at the end..

Thanks, kcalb.

sorry, bump..

I'm on administrator in safe mode w/ networking
the Install finished..
I renamed the mbam.exe file, double clicked..
and nothing opens up. any ideas how to get it launching?

Did you try step 2 in Post 4?

got it to launch, made a copy of the .exe and it loaded up.
thanks anyway

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Then use Disk Cleanup to remove all but the most recently created Restore Point.
• Go to Start > Run and type: Cleanmgr
• Click "Ok"
• Disk Cleanup will scan your files for several minutes, then open.
• Click the "More Options" Tab.
• Click the "Clean up" button under System Restore.
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
• Click Yes, then click Ok.
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
• Disk Cleanup will remove the files and close automatically.

Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.


I am closing this topic. If anyone needs help with this please start a new topic.