
It all started with Antivirus System Pro (Grrrrrr)

3 replies to this topic

#1 slobbermom


Posted 23 June 2009 - 12:47 AM

Hello,

In searching for a cure I came across your removal guide, but I cannot get MBAM to run. I'm not exactly sure what I have or where it came from, but it seems to be more than just one thing. I am running Windows XP Home SP3 on a wireless home network. It started with a popup for Antivirus System Pro. I immediately shut it down with Task Manager, disabled the internet and started a Trend Micro scan (paid version). Soon after starting the scan my computer crashed. I made several attempts (over the past few days) to log back on, and IF I managed to get past the Windows screen, it was frozen. Occasionally there is just a black screen.

I am able to boot into Safe Mode with Networking. I tried running Trend Micro from there but it would not start. Searching online, my browser gets hijacked to windowsclick and various other sites. I can copy and paste the link to get around this though. All of my restore points are gone, so I turned off System Restore for now. Ad-Aware would not run. HouseCall crashed my computer with a blue screen, something about a kernel dump, and now there is a kernelfaultcheck program in startup that I don't know if should be there. The BitDefender scanner would not run. I installed Spybot but it will not run. MBAM will not run and would only install after changing the name of the setup. I am afraid of SUPERAntiSpyware so I did not go there.

The F-Secure online scanner cleaned many things that I can't remember. After that I was able to start the computer normally, but only temporarily before it crashed again; however, during the uptime I discovered that it had disabled my Trend Micro and also turned off the Windows Firewall. After turning these back on I was able to run my Trend Micro and also Ad-Aware and the Microsoft Malicious Software Removal Tool. These found more Trojans. There are so many Trojans involved I can't keep track. There are also at least 2 and sometimes up to 4 instances of iexplore.exe in my process list.

Some of the names I can remember are trojan_tdss, bkdr_tidies.xs, isadisk.sys, Alureon and sudet I think, but there have been others. I have been trying to get rid of this for several days; I have been scanning over and over and over (from Safe Mode). Every time I get rid of one thing I get something else. I have not been able to figure this out; I am going craaaazy!

I downloaded HijackThis, which installed and ran perfectly, and I have saved a log file if you need it. I downloaded DDS, but it will not run. It opens to the instructions, then I get a Microsoft error that sort.exe needs to close.

Can anyone help me? Thanks in advance!!


#2 quietman7


Posted 23 June 2009 - 07:03 AM

Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not install, try renaming it first.
  • Right-click on the mbam-setup.exe file and rename it to mysetup.exe.
  • Double-click on mysetup.exe to start the installation.
  • If that did not work, then try renaming and changing the file extension (see the guide on showing file extensions if you do not see the extension).
  • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on mysetup.scr (or whatever extension you renamed it to) to begin installation.
If after installation MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe and rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and changing the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it to) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

Be sure to update MBAM through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Then perform a Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into Safe Mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the report in your next reply.

Note: MBAM uses Inno Setup instead of the Windows Installer Service to install the program. If installation fails in normal mode, try installing in safe mode. Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Therefore, after completing a scan it is recommended to uninstall MBAM, then reinstall it in normal mode and perform another Quick Scan.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
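A check to go with the renaming workaround above, added here as an example and not part of quietman7's post or of Malwarebytes' tooling: it copies an installer under a new name and extension, confirms the copy is still a PE executable and byte-identical to the original before it is run, and uses a constructed MZ/PE stub standing in for mbam-setup.exe so it runs offline. The function names and temporary paths are assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Extensions from the post that Windows launches as a native PE image
# (.bat is left out here because it is run as a batch script, not a PE).
PE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def is_pe_image(path: Path) -> bool:
    """True if the file has an MZ stub whose e_lfanew field points at 'PE\\0\\0'."""
    with path.open("rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        f.seek(int.from_bytes(head[0x3C:0x40], "little"))
        return f.read(4) == b"PE\x00\x00"

def make_renamed_copy(src: Path, new_stem: str, ext: str) -> Path:
    """Copy src to <new_stem><ext> beside it and verify the copy before it is run."""
    if ext.lower() not in PE_EXTENSIONS:
        raise ValueError(f"{ext}: Windows does not run this extension as a PE image")
    if not is_pe_image(src):
        raise ValueError(f"{src.name} is not a PE executable; refusing to rename it")
    dst = src.with_name(new_stem + ext)
    shutil.copy2(src, dst)  # copy rather than rename so the original download stays intact
    if sha256_file(dst) != sha256_file(src):
        dst.unlink()
        raise RuntimeError("renamed copy does not match the original's SHA-256")
    return dst

def demo() -> tuple:
    """Constructed sample: a minimal MZ/PE stub (hypothetical) in place of mbam-setup.exe."""
    stub = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16
    work = Path(tempfile.mkdtemp())
    src = work / "mbam-setup.exe"
    src.write_bytes(stub)
    dst = make_renamed_copy(src, "mysetup", ".scr")
    return dst.name, sha256_file(dst) == sha256_file(src)
```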

#3 slobbermom


Posted 24 June 2009 - 08:49 PM

Thanks...changing the name did work and I was able to run MBAM!

It removed all except 2 files. I've restarted and tried again, but it won't remove them. Sometimes it will restart normally, but sometimes I will get a black screen and have to push the button to turn it off. The two files it will not remove are c:\windows\system32\uacinit.dll and hkey_local_machine\software\uac. I've searched for these files and cannot even find them. I suspect they are responsible for the windowsclick redirects, because my browser still gets taken there.

My Trend Micro still will not work and the taskbar icon is gone. Spybot still will not work. Who knows what other problems it has caused. This is the worst thing I have ever had. I wish I knew where it came from! I usually love a challenge, but this is ridiculous and I am aggravated. I am giving up. I am just going to move aaaaaall my files and F-12 it to start fresh.

Anyway, just wanted to say thank you!!

#4 quietman7


Posted 25 June 2009 - 07:54 AM

"I am just going to move aaaaaall my files and F-12 it to start fresh."

By that I take it that you're using a recovery partition that will allow you to restore the computer to the state it was in when you first purchased it. If so, sometimes that's the best solution.

"I wish I knew where it came from"

Antivirus System Pro is a rogue security program which infects machines by using social engineering and scams to trick a user into spending money to buy an application which claims to remove malware, and it is often seen with a Vundo infection. Vundo is a Trojan that infects a system with malicious Browser Helper Objects and .dll (Dynamic Link Library) modules attached to system files like Winlogon and Explorer.exe. The infection is responsible for launching unwanted pop-ups, advertising for rogue antispyware programs, and downloading more malicious files, which hampers system performance. Newer variants of Vundo typically use bogus warning messages and alerts to indicate that your computer is infected with spyware or has critical errors as a scare tactic to goad you into downloading a malicious security application to fix it. The messages can mimic system messages so they appear as if they are generated by the Windows Operating System. The problem with these types of infections is that they can download other malicious files, so the extent of the infection can vary to include backdoor Trojans and rootkit components which make it more difficult to remove. For more specific information on how these types of rogue programs and infections install themselves, read:

Vundo infections are contracted and spread via Internet Relay Chat, by visiting gaming sites, porn sites, using pirated software, cracking tools, and keygens. Infections also spread by using peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware.
Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The infection also spreads through emails containing links to websites that exploit your web browser's security holes and by exploiting a vulnerability in older versions of Sun Java. When you click on an infected email link or spam, Internet Explorer launches a site that stealthily installs a Trojan so that it can run every time you start up Windows and download more malicious files.

When a backdoor Trojan or rootkit is involved, the PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS.