Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malwarebytes' Anti-Malware


  • Please log in to reply
10 replies to this topic

#1 helhelhel

helhelhel

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:England
  • Local time:07:14 PM

Posted 01 March 2009 - 09:27 AM

I'm following this guide http://www.bleepingcomputer.com/malware-re...e-antivirus-360 to get rid antivirus 360. I've downloaded the Malwarebytes' Anti-Malware but when I open it and click scan it closes after a few seconds. I've done this several times and restarted my computer but it keeps happening, does anyone know why and what I can do. Please help.

BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:14 PM

Posted 01 March 2009 - 09:36 AM

Hello.

I'm letting a MOD know, to move you to the AII forum. It seems there might be a rootkit infection involved here. I'm not exactly sure but it could be. We will verify this in that forum, as this forum is for protection methods and questions related to that. Not malware removal.

Thanks for understanding :thumbsup:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 helhelhel

helhelhel
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:England
  • Local time:07:14 PM

Posted 01 March 2009 - 09:43 AM

Okay, thankyou.

#4 Pandy

Pandy

    Bleepin'


  • Members
  • 9,559 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:03:14 PM

Posted 01 March 2009 - 10:33 AM

Moved to Am I Infected from AntiVirus, Firewall and Privacy Products and Protection Methods.

Do not anticipate trouble, or worry about what may never happen. Keep in the sunlight.

Hide not your talents. They for use were made. What's a sundial in the shade?

~ Benjamin Franklin

I am a Bleeping Computer fan! Are you?

Facebook

Follow us on Twitter


#5 Swordie

Swordie

  • Members
  • 792 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Miami, Florida
  • Local time:02:14 PM

Posted 01 March 2009 - 10:45 AM

Rootkit.. Well, besides MBAM, what other security precautions do you have? I'd suggest downloading Avira or Avast anti-virus, since both of them have trojan and rootkit removals.
Who said I couldn't have everything?

#6 helhelhel

helhelhel
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:England
  • Local time:07:14 PM

Posted 01 March 2009 - 02:02 PM

Thanks for your help, I downloaded Avast anti-virus. It found just 1 trojan and I still have the same problem with Malwarebytes' Anti-Malware, I click scan and it disappears after a few seconds so I still have antivirus 360.

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:14 PM

Posted 01 March 2009 - 02:30 PM

Hello.

Please run GMER scan for me.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.[list]
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important!:Please do not select the Show all checkbox during the scan..

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 helhelhel

helhelhel
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:England
  • Local time:07:14 PM

Posted 01 March 2009 - 03:13 PM

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-01 20:08:52
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAAD336B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAAD33574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAAD33A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAAD3314C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAAD3364E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAAD3308C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAAD330F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAAD3376E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAAD3372E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAAD338AE]

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[2352] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[928] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[928] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 65536 bytes

---- EOF - GMER 1.0.14 ----

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:14 PM

Posted 01 March 2009 - 04:05 PM

Hello.

Seems no rootkit infection going on here right now :thumbsup:

Try running MBAM in Safe Mode and see if it works or not.

How to Boot into Safe Mode

I suggest you read over the instructions on how to boot into Safe Mode and then print these instructions out or save them in Notepad because you won't have access to this page while in Safe Mode.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use your arrow keys to navigate and highlight Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP.
  • Hit Enter.
Your computer will proceed to booting into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot like usually, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.


Additional instructions on booting into Safe Mode can be found here

Let me know how it goes. Alternatively you can try SAS as it can remove most of the rogue these days as well. :flowers:

Download and Run SUPERAntiSpyware
We will run a scan with SuperAntiSpyware.
  • Download SUPERAntiSpyware to your desktop.
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation. Delete the installer after use.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates".
    If you encounter any problems while downloading the updates, manually download and unzip them from here.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under Scan for Harmful Software, click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive (or whatever drive your system is installed on).
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
  • Make sure everything has a checkmark next to it and click Next.
  • A notification will appear saying that "Quarantine and Removal is Complete". Click OK and then click the Finish button to return to the main menu.
  • If asked if you want to reboot, click Yes.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Let me know how it goes and post one of the logs if it works.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 helhelhel

helhelhel
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:England
  • Local time:07:14 PM

Posted 01 March 2009 - 05:10 PM

Thank you SO much!! :flowers: :thumbsup: I ran MBAM in safe mode. Here is the log;

Malwarebytes' Anti-Malware 1.34
Database version: 1813
Windows 5.1.2600 Service Pack 3

01/03/2009 22:04:43
mbam-log-2009-03-01 (22-04-43).txt

Scan type: Quick Scan
Objects scanned: 61057
Time elapsed: 7 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d263fa6d-84cc-48a8-9af6-c664362b7a5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d263fa6d-84cc-48a8-9af6-c664362b7a5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d263fa6d-84cc-48a8-9af6-c664362b7a5b} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8bf14519e15241df3393cc223986a0f2 (Rogue.A360Antivirus) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\A360 (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dell\Start Menu\A360 (Rogue.A360Antivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\winconfig.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Program Files\A360\av360.exe (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dell\Start Menu\A360\A360.lnk (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dell\Start Menu\A360\Help.lnk (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dell\Start Menu\A360\Registration.lnk (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dell\Application Data\Microsoft\Internet Explorer\Quick Launch\A360.lnk (Rogue.Antivirus360) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\System\Uninstall\Uninstall A360.lnk (Rogue.av360) -> Quarantined and deleted successfully.


Thanks again! :trumpet:

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:14 PM

Posted 01 March 2009 - 07:21 PM

Hello.

Your welcome :thumbsup:

It seems MBAM took out the AV 360 rogue program :flowers: I suggest you run MBAM again. Update it first and run a Full Scan this time and see what else it detects.

Let me know how your computer is running afterwards and if the AV 360 program is still there.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users