Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

MS Antivirus 2009 has blocked internet access, regedit, installation of MBAM


  • Please log in to reply
7 replies to this topic

#1 gamagetf

gamagetf

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:33 PM

Posted 04 February 2009 - 07:01 PM

Okay, I so got this MS Antivirus 2009 a day ago while surfing and it has turned my computer into a mess. I managed to disable the systray from starting at boot through msconfig but when I restarted I got a BSOD and when I rebooted my login screen was black. I logged in and got my background but explorer did not load. I CTRL+ALT+DEL'd and manually started explorer and got into my system. I've received a few messaged of illegal operations but the computer is running with no popups or systray icon for MS Antivirus.

Problem is it redirects all of my google searchs to http://go.google.com?u= then a bunch of crazy characters which redirects me to bogus spyware sites no matter what I click. Norton Protection Center is unable to update its virus information, and my internet access is just restricted in general. I've tried installed MBAM but I double click the file and nothing happens. It has also blocked me from running regedit.

I'm really in a pickle because I'm on a tablet PC I use for school that doesn't have an optical drive (I opted not to pay for the docking station and am now regretting it) so I can't reinstall windows at this time but desperately need my computer's functionality for school.

Thank you in advance for any and all help!

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:33 PM

Posted 04 February 2009 - 07:05 PM

Hello let's see if this gets you in.
Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the

.exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above.

Then double-click on it to run..


***
Another work around is by not using the mouse to install it, Just use the arrow keys, tab, and enter keys.



If you cannot use the Internet,you will need access to another computer that has a connection.
From there save mbam-setup.exe to a flash,usb,jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.

Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can

update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application

Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.

Edited by boopme, 04 February 2009 - 07:07 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 gamagetf

gamagetf
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:33 PM

Posted 04 February 2009 - 07:15 PM

It appears to have hidden my extensions and the option in windows explorer to change folder options isn't there. Managed to rename it thru cmd but still won't run, no matter the extension.

#4 gamagetf

gamagetf
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:33 PM

Posted 05 February 2009 - 09:25 AM

Ok, got MBAM to work. Here's the logfile:

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

2/5/2009 9:10:13 AM
mbam-log-2009-02-05 (09-09-51).txt

Scan type: Quick Scan
Objects scanned: 52514
Time elapsed: 5 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 14
Registry Values Infected: 15
Registry Data Items Infected: 7
Folders Infected: 6
Files Infected: 46

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fccbbAqr.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fccbbaqr (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.Zlob.H) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\protect (Trojan.NtRootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\protect (Trojan.NtRootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Trojan.NtRootkit.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ms antispyware 2009 5.7 (Rogue.MSAntiSpyware) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\passthru (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\passthru (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.Zlob.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\services (Backdoor.ProRat) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Backdoor.ProRat) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\services (Backdoor.ProRat) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tezrtsjhfr84iusjfo84f (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.Multiple) -> No action taken.

Files Infected:
C:\WINDOWS\system32\fccbbAqr.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\hgdfeeeh4fdg.dll (Trojan.Zlob.H) -> No action taken.
C:\WINDOWS\services.exe (Trojan.FakeAlert.H) -> No action taken.
C:\WINDOWS\system32\TDSSakwi.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSbvan.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSurta.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\TDSSyyvb.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\drivers\protect.sys (Trojan.NtRootkit.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\TDSSijso.sys (Trojan.TDSS) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\TDSS43e4.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Temp\TDSS720e.tmp (Trojan.TDSS) -> No action taken.
C:\WINDOWS\Temp\TDSS8095.tmp (Trojan.TDSS) -> No action taken.
C:\WINDOWS\Temp\TDSS82d7.tmp (Trojan.TDSS) -> No action taken.
C:\WINDOWS\Temp\TDSS86bf.tmp (Trojan.TDSS) -> No action taken.
C:\WINDOWS\Temp\TDSS898e.tmp (Trojan.TDSS) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090203135820078.log (Rogue.Multiple) -> No action taken.
C:\WINDOWS\system32\rs32net.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\kernel32.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\winlognn.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\TDSS4357.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\ndisio.sys (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\khfDuSij.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Temp\TDSS6e93.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Temp\mousehook.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\TDSSnpvw.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\TDSSuikd.log (Trojan.TDSS) -> No action taken.



At the end before restart it said it could not delete a few files and it would delete them on reboot. Norton Protection Center keeps popping up saying these emails are being blocked constantly so I think something is still on my machine being used to send spam or something.

#5 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:33 PM

Posted 05 February 2009 - 10:04 AM

If MBAM won't update to a newer definition please download this one and transfer to the infected computer

Rerun MBAM and let it remove all infections

http://malwarebytes.gt500.org/mbam-rules.exe

Trojan.TDSS is a very nasty infection, you seem to have others also
Chewy

No. Try not. Do... or do not. There is no try.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,759 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:07:33 PM

Posted 05 February 2009 - 10:29 AM

After rerunning MBam and posting the log, reboot to normal mode. Then carefully follow these instructions to run SDFix:

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to renable you anti-virus and and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 gamagetf

gamagetf
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:33 PM

Posted 06 February 2009 - 11:32 AM

Now I can't log into Windows. Every time I log in it automatically logs me out within a few second and returns me to the login screen. Safe mode does the same thing.

#8 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:07:33 PM

Posted 06 February 2009 - 03:53 PM

Can you get to a command prompt in safe mode?

Edited by DaChew, 06 February 2009 - 03:54 PM.

Chewy

No. Try not. Do... or do not. There is no try.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users