
Malwarebytes Anti-Malware keeps disappearing


18 replies to this topic

#1 Fumunda

Fumunda

  • Members
  • 32 posts

Posted 03 March 2009 - 02:08 AM

Hi all,
Kind of a bad way to start my first post, but Hi just the same.

I got the A360 malware on my computer.
I have AVG Free 8.0 and ran it, it has placed these two files into the "Virus Vault":
_____________________________________________________________________________________________
"Infection";"Trojan horse FakeAlert.HF";"C:\System Volume Information\_restore{D563D1C0-0E7D-4A38-A001-60CDA029983F}\RP61\A0006995.dll";"";"3/2/2009, 8:28:42 PM"
_____________________________________________________________________________________________
"Infection";"Trojan horse FakeAlert.HF";"C:\WINDOWS\system32\winconfig.dll";"";"3/2/2009, 6:15:53 PM"
_____________________________________________________________________________________________

However, I see I still have the A360 icon on my desktop.
When I went to C:\Program Files\A360\av360.exe, I tried to delete this program, but it would not let me, so I did some searching and came here.

I did as the instructions stated and downloaded the Malwarebytes Anti Malware program to my desktop.
Unfortunately, when I try to click on it, sometimes it doesn't open and other times it opens for a few seconds.
The times I have been able to click "run", it runs for about 4-5 seconds and closes the window again.
I have looked at the "Task Bar" and nothing is running, so I am stumped.
I have also re-booted the computer once with no changes noted to the downloaded program.

Have not done anything in Safemode (F8)

Looking for any new advice on getting the anti malware program to run.
Thanks,
Fumunda

Edited by Fumunda, 03 March 2009 - 02:16 AM.




#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 03 March 2009 - 08:23 AM

Moved from HJT forum to more appropriate.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 March 2009 - 08:59 AM

:thumbsup: Fumunda


Show Hidden Folders/Files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
  • Close My Computer.

Now let's rename the MBAM installer to Fumu.com

See if it will install; if so, we might need to rename the executable in its program folder in a similar manner.

mbam.exe

Good Luck
Chewy

No. Try not. Do... or do not. There is no try.

#4 Fumunda

Fumunda
  • Topic Starter


Posted 03 March 2009 - 02:05 PM

Thanks, I'll try that when I get home from work tonight and let you know what happened. :thumbsup:

Hi Koan,
can you tell this newbie where the HJT forum is?
I just am doing a search on my name right now to find this post.
Thought I posted it in the most appropriate place.????

BTW, I loaded the MBAM installer on my computer (desktop) and there is also an Icon
there too. Should these be gotten rid of somehow or uninstalled and re-installed or should I just re-name the installer that is there and re-install?
Should I just delete the old icon from the first install?

Thanks
Fumunda

Edited by Fumunda, 03 March 2009 - 02:36 PM.


#5 DaChew


Posted 03 March 2009 - 04:02 PM

try renaming mbam.exe in C:\Program Files\Malwarebytes' Anti-Malware

you have to click on the renamed file then to run MBAM
Chewy


#6 Fumunda


Posted 04 March 2009 - 12:02 AM

Yay!!!!! It worked!!! Thanks so much Chewy.
I ran the short version first and it came up with:

__________________________________________________________________________________________________________________

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

3/3/2009 8:23:44 PM
mbam-log-2009-03-03 (20-23-44).txt

Scan type: Quick Scan
Objects scanned: 63766
Time elapsed: 2 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e124ef7439f6e96017339ca3c8cfec5a (Rogue.A360Antivirus) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\A360 (Rogue.A360Antivirus) -> Delete on reboot.
C:\Documents and Settings\User\Start Menu\A360 (Rogue.A360Antivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\A360\av360.exe (Rogue.A360Antivirus) -> Delete on reboot.
C:\Documents and Settings\User\Start Menu\A360\A360.lnk (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\A360\Help.lnk (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch\A360.lnk (Rogue.Antivirus360) -> Quarantined and deleted successfully.
____________________________________________________________________________________________________________________________

I told the program to remove this stuff and reboot.
Then I ran the "full" scan and it came up with all zeros.

Is there anything else I should be aware of?

Thanks so much for such a great place to research things!!
I am hooked!
Now I can look around the whole site.

I really appreciate your help.

Fumunda
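
Added example, not part of the original thread: a small Python parser for the Malwarebytes' Anti-Malware text log format posted above. It lists the items marked "Delete on reboot" (still on disk until the restart) and the Run-key autostart value. The function names are hypothetical and the sample is an excerpt of the posted log.

```python
import re

# Excerpt of the Quick Scan log posted above (header, section headers and item lines only).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1749
Scan type: Quick Scan

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e124ef7439f6e96017339ca3c8cfec5a (Rogue.A360Antivirus) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\A360 (Rogue.A360Antivirus) -> Delete on reboot.

Files Infected:
C:\Program Files\A360\av360.exe (Rogue.A360Antivirus) -> Delete on reboot.
C:\Documents and Settings\User\Start Menu\A360\A360.lnk (Rogue.A360Antivirus) -> Quarantined and deleted successfully.
"""

SECTION = re.compile(r"^(.+) Infected:\s*$")  # detail header, e.g. "Files Infected:"
ITEM = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?\s*$")

def parse_mbam_log(text):
    """Return (header dict, list of detection dicts) from an MBAM text log."""
    header, items, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
        elif section is None and ": " in line:
            key, value = line.split(": ", 1)  # "Database version: 1749" and similar
            header[key] = value
    return header, items

def triage(items):
    """Return (paths still present until restart, Run-key autostart values detected)."""
    pending = [i["path"] for i in items if i["action"].lower() == "delete on reboot"]
    autostart = [i["path"] for i in items
                 if i["section"] == "Registry Values" and r"\CurrentVersion\Run" in i["path"]]
    return pending, autostart

if __name__ == "__main__":
    header, items = parse_mbam_log(SAMPLE_LOG)
    pending, autostart = triage(items)
    print(header.get("Database version"), len(items), pending, autostart)
```

The paths returned as pending are the ones to re-check after the restart; a follow-up scan with no detections, as reported in the post, confirms they were removed.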

#7 DaChew


Posted 04 March 2009 - 12:34 AM

Quote (Fumunda): "Is there anything else I should be aware of?"


MBAM is up to 1815 now

Your scan was Database version: 1749
Chewy


#8 Fumunda


Posted 04 March 2009 - 11:24 AM

Does that mean I should run an update?
I'm not sure what you are saying.

I'm not too happy as this rogue thing charged my credit card $88 after I cancelled it.
I put in a dispute with my bank and will see where that goes.
Seems like extortion to me. First they load on the malware and then they extort your credit card # and info out of you to get payment for their lousy program.

The only reason I loaded any of this in the first place is because I had AVG and I thought AV360 was part of AVG (same colored icon, etc).

#9 DaChew


Posted 04 March 2009 - 11:27 AM

Open MBAM and use the update tab, assuming we are fixed enough for you to connect to the internet
Chewy


#10 Fumunda


Posted 05 March 2009 - 01:43 AM

Updated and ran full scan again. Surprise! It found more.
This thing sucks. Hopefully it's gone. Thanks for your help.
Fumunda

Malwarebytes' Anti-Malware 1.34
Database version: 1818
Windows 5.1.2600 Service Pack 2

3/4/2009 10:40:02 PM
mbam-log-2009-03-04 (22-40-02).txt

Scan type: Full Scan (C:\|H:\|)
Objects scanned: 134010
Time elapsed: 23 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\System\Uninstall\Uninstall A360.lnk (Rogue.av360) -> Quarantined and deleted successfully.

#11 DaChew


Posted 05 March 2009 - 07:18 AM

Let's dig a little more

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".



Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Chewy


#12 MartyRD

MartyRD

  • Members
  • 2 posts
  • Location:eastern PA

Posted 05 March 2009 - 10:31 AM

I have tried renaming the mbam.exe and setup and that does nothing. I can't get it to run. In fact, I had to download it from another computer because my computer will only let me into my email.

I have taken a360 off of my program files, start menu and regedit that I could find and was listed on every website I could get to from my other computer, including HKEYS. I can't update malware because it a) won't run, b) can't get onto its website.

I could download the a360 removal tool via email, but would rather not pay for that. I don't know whether it works and $40 is a bit of change to plunk on this one time event.

I did download Spybot search and destroy, but that won't run either.

Any ideas?

Edited by MartyRD, 05 March 2009 - 10:37 AM.


#13 MartyRD


Posted 05 March 2009 - 10:51 AM

Okay. I renamed the setup file and anti-malware is now on my desktop. However, when I click on it, nothing happens. How can I get it to run?

#14 Fumunda


Posted 05 March 2009 - 04:43 PM

Chewy,
Are you talking to MartyRD or me with the instructions?
I think Marty hijacked this thread while you were helping me.

I am running XP with IE as the browser.
How does that pertain to the above instructions?

#15 DaChew


Posted 05 March 2009 - 05:27 PM

Quote (Fumunda):
"Chewy,
Are you talking to MartyRD or me with the instructions?
I think Marty hijacked this thread while you were helping me.

I am running XP with IE as the browser.
How does that pertain to the above instructions?"


I just wanted you to run the atfclean and SAS from safe mode
Chewy




