Anti-Virus/Malware programs disabled


30 replies to this topic

#1 TheConnexion

TheConnexion

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:06:55 AM

Posted 03 August 2009 - 04:58 PM

Hello all,

I have encountered a rather stressing issue with my computer. I believe I was infected by some malicious program, upon which I attempted to use SUPERAntiSpyware, MalwareByte's AM, etc., to find that they do not execute whatsoever. On boot, not only does the computer start up awkwardly and slowly, I receive an error message saying SuperAntiSpyware has encountered a problem and must close. MBAM does not initiate after double-clicking.

I have seen a related thread in the forums, in which the other person had no desktop/icons and a bad explorer.exe. I feel I am in a similar boat, seeing as my computer now runs very slowly, and my explorer only seems to function for a few seconds before freezing the entire computer.

Here are the problems laid out clearly:

1) Anti-virus/malware programs do not function
2) Explorer does not function for long
3) Computer runs extremely slowly
4) Safe mode has made no difference

I have not yet tried renaming MBAM.exe to winlogon.exe, mostly because my explorer.exe freezes the computer before I can even open the Program Files. The other user was able to use Task Manager to initiate a program (ComboFix I believe), however I have not tried anything of that sort because I do not know how, nor would I run ComboFix without express recommendation.

If there is any advice to get me started on the path to cleaning, please let me know.


Very much appreciated,
Brett


***EDIT*** : I was able to rename MBAM.exe to winlogon.exe and am currently performing a scan right now.

Edited by TheConnexion, 03 August 2009 - 05:03 PM.



#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:55 PM

Posted 03 August 2009 - 05:26 PM

Post the log when the scan is finished.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 TheConnexion

Posted 03 August 2009 - 05:41 PM

Malwarebytes' Anti-Malware 1.30
Database version: 1427
Windows 5.1.2600 Service Pack 3

8/3/2009 3:15:09 PM
mbam-log-2009-08-03 (15-15-09).txt

Scan type: Quick Scan
Objects scanned: 69692
Time elapsed: 6 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Brett\Local Settings\Temp\rasesnet.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brett\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

After realizing it, I think that my MBAM is not up to date. Let me know if there's anything more I should do for now.

#4 Budapest

Posted 03 August 2009 - 05:43 PM

Are you able to update Malwarebytes?

If so, run another quick-scan and post the new log.

#5 TheConnexion

Posted 03 August 2009 - 05:48 PM

I renamed MBAM.exe to winlogon.exe, should that be a problem for the updating process?

Because when I click update (which would update it to 1.40), it prepares the update (takes about 10 seconds) and then prompts me that it will begin applying the update and MBAM will close. After I click "Ok", the program closes and nothing happens thereafter. I waited for a few minutes and then started the program again to find that it was still at its current state - 1.30.

#6 Budapest

Posted 03 August 2009 - 05:52 PM

Download this file then double-click it to update the definitions (you may need to do the renaming trick):

http://malwarebytes.gt500.org/mbam-rules.exe

#7 TheConnexion

Posted 03 August 2009 - 06:04 PM

When I attempt to click on the link, I am given a page with an error on it, stating that the connection timed out / is taking too long to respond.

I do not believe this to be any fault in my internet connection, as it is running smoothly. I am not using the infected computer to relay these messages - instead I would be transporting the files with a USB stick over to the infected computer.

#8 Budapest

Posted 03 August 2009 - 06:13 PM

Let's try a different scan. You can copy it over from another computer if you need to.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#9 TheConnexion

Posted 04 August 2009 - 03:23 AM

After a long scan, here is the DrWeb Report. This is how the .csv file opened in Notepad, sorry it is so cluttered... maybe that's normal.


tbsetup.exe\data004;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\tbsetup.exe;Trojan.PWS.GoldSpy.origin;;
tbsetup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131;Archive contains infected objects;Moved.;
tbsetup.exe\data004;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4220\tbsetup.exe;Trojan.PWS.GoldSpy.origin;;
tbsetup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4220;Archive contains infected objects;Moved.;
tbsetup.exe\data004;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4268\tbsetup.exe;Trojan.PWS.GoldSpy.origin;;
tbsetup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4268;Archive contains infected objects;Moved.;
tbsetup.exe\data004;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\tbsetup.exe;Trojan.PWS.GoldSpy.origin;;
tbsetup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2;Archive contains infected objects;Moved.;
tbsetup.exe\data004;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\tbsetup.exe;Trojan.PWS.GoldSpy.origin;;
tbsetup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Archive contains infected objects;Moved.;
tbsetup.exe\data004;C:\Documents and Settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4391.1.4\tbsetup.exe;Trojan.PWS.GoldSpy.origin;;
tbsetup.exe;C:\Documents and Settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4391.1.4;Archive contains infected objects;Moved.;
daemon4123-lite.exe/data007\data001;C:\Documents and Settings\Brett\Desktop\2008 Misc Icons!\daemon4123-lite.exe/data007;Adware.Shopper;;
daemon4123-lite.exe/data007\data002;C:\Documents and Settings\Brett\Desktop\2008 Misc Icons!\daemon4123-lite.exe/data007;Adware.SaveNow.128;;
data007;C:\Documents and Settings\Brett\Desktop\2008 Misc Icons!;Container contains infected objects;;
daemon4123-lite.exe;C:\Documents and Settings\Brett\Desktop\2008 Misc Icons!;Archive contains infected objects;Moved.;
crack.exe;C:\Documents and Settings\Brett\Desktop\2008 Misc Icons!\Alcohol 120% 1.9.2 1705 + crack\Crack\Alcohol_120%_v1.9.2(Build 1705)_;Tool.ASEye.2;Incurable.Moved.;
crack.exe;C:\Documents and Settings\Brett\Local Settings\Application Data\Microsoft\Messenger\strelok@live.com\Sharing Folders\nickphilli;Tool.ASEye.2;Incurable.Moved.;
b.exe;C:\Documents and Settings\Brett\Local Settings\Temp;Trojan.DownLoad.40867;Deleted.;
UACb813.tmp;C:\Documents and Settings\Brett\Local Settings\Temp;Trojan.Corruptor.56;Deleted.;
mirc621.exe\data009;C:\Documents and Settings\Mom.BRETTSCOMP\Desktop\mirc621.exe;Program.mIRC.621;;
mirc621.exe;C:\Documents and Settings\Mom.BRETTSCOMP\Desktop;Archive contains infected objects;Moved.;
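
The DrWeb.csv report above is a plain semicolon-separated list with one entry per line (object; location; detection name; action), where members found inside an archive are listed with an empty action and the enclosing archive gets its own "Moved." line. The following Python script is an added example, not part of this thread and not Dr.Web's own tooling: it parses lines in that shape (five copied from the report above plus one constructed entry), tallies the actions taken, separates real detection names from the "Archive contains infected objects" bookkeeping lines, and flags nested detections whose enclosing archive has no removal record, which is the case a helper would want to look at before declaring the machine clean. The field names and the "unresolved" prefix check are my assumptions about the format, not documented Dr.Web behaviour.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed sample in the same shape as the DrWeb.csv report posted above:
# object;location;detection;action;  (trailing ';' on every line).
# The first five lines are copied from the report; the last one is made up
# to show a nested detection whose containing archive was never moved.
SAMPLE_REPORT = r"""
tbsetup.exe\data004;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\tbsetup.exe;Trojan.PWS.GoldSpy.origin;;
tbsetup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131;Archive contains infected objects;Moved.;
b.exe;C:\Documents and Settings\Brett\Local Settings\Temp;Trojan.DownLoad.40867;Deleted.;
UACb813.tmp;C:\Documents and Settings\Brett\Local Settings\Temp;Trojan.Corruptor.56;Deleted.;
crack.exe;C:\Documents and Settings\Brett\Desktop\2008 Misc Icons!\Alcohol 120% 1.9.2 1705 + crack\Crack\Alcohol_120%_v1.9.2(Build 1705)_;Tool.ASEye.2;Incurable.Moved.;
stale.zip\data001;C:\Documents and Settings\Brett\Desktop\stale.zip;Trojan.Constructed.Example;;
""".strip()

# Detection names Dr.Web uses for a container rather than for the payload itself
# (assumed set, taken from the strings visible in the report).
CONTAINER_NOTES = {"Archive contains infected objects", "Container contains infected objects"}


@dataclass(frozen=True)
class Detection:
    obj: str        # object name; "archive\member" or "archive/member" for nested objects
    location: str   # directory holding the object, or the archive path for nested members
    threat: str     # Dr.Web detection name, or a container note
    action: str     # "Moved.", "Deleted.", "Incurable.Moved." or "" when no direct action

    @property
    def is_nested(self) -> bool:
        # A separator inside the object name means it lives inside an archive.
        return re.search(r"[\\/]", self.obj) is not None

    @property
    def full_path(self) -> str:
        return self.location + "\\" + self.obj


def parse_report(text: str) -> List[Detection]:
    """Split a DrWeb.csv report into Detection records, one per non-empty line."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"malformed report line: {line!r}")
        obj, location, threat, action = (f.strip() for f in fields[:4])
        rows.append(Detection(obj, location, threat, action))
    return rows


def action_counts(rows: List[Detection]) -> Counter:
    """How many entries ended up moved, deleted, or left without a direct action."""
    return Counter(r.action or "(no direct action)" for r in rows)


def threat_counts(rows: List[Detection]) -> Counter:
    """Real detection names only; container notes are bookkeeping, not threats."""
    return Counter(r.threat for r in rows if r.threat not in CONTAINER_NOTES)


def unresolved(rows: List[Detection]) -> List[Detection]:
    """Nested members with no action whose enclosing archive was not moved/deleted.

    Assumption (mine, not documented Dr.Web behaviour): a nested member is
    covered when the full path of some acted-on entry is a prefix of the
    member's location, e.g. the moved SUD4131 tbsetup.exe covers its data004.
    """
    handled = [r.full_path for r in rows if r.action]
    return [
        r for r in rows
        if not r.action and r.is_nested
        and not any(r.location.startswith(h) for h in handled)
    ]


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print("actions:", dict(action_counts(rows)))
    print("threats:", dict(threat_counts(rows)))
    for r in unresolved(rows):
        print("no removal record for container of:", r.full_path, r.threat)
```

Run it on a saved DrWeb.csv by replacing SAMPLE_REPORT with the file's contents; on the sample, the only entry reported as unresolved is the constructed stale.zip member, while the real tbsetup.exe member is recognised as covered by the "Moved." line for its archive.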

#10 TheConnexion

Posted 04 August 2009 - 12:54 PM

I'd like to also let it be known that when my computer starts, in addition to being very slow and disabling antivirus programs (which I get an error for), there is one continuous error saying,

"ViewMgr.exe has encountered a problem and needs to close"

Isn't ViewMgr.exe a Spyware executable? I thought I read how it infects your Control Panel (which makes sense because mine is very slow and acts similar to explorer.exe, in how it sometimes freezes the computer). But then again, how can that happen if the program is consistently being closed every time I boot? Also, it has become more common for my computer to not boot fully - the computer boots up but then is hung up at the XP login screen right before the profiles show up (blue XP background with the windows logo, etc., but no profiles)

Nonetheless, my computer has not yet improved (it is truly difficult to get to anything on it), so I do hope the CureIt scan can lead us to the next step.

Thank you.

Edited by TheConnexion, 04 August 2009 - 12:58 PM.


#11 Budapest

Posted 04 August 2009 - 04:20 PM

Can you now update and scan with Malwarebytes?

#12 TheConnexion

Posted 04 August 2009 - 04:42 PM

My computer is constantly freezing up (in normal mode), should I try to update MBAM through Safe Mode w/ Networking?

#13 Budapest

Posted 04 August 2009 - 04:52 PM

Try updating and running a scan with SUPERAntiSpyware in Safe Mode with Networking.

#14 TheConnexion

Posted 04 August 2009 - 05:08 PM

Updated and scanning with SUPERAntiSpyware in Safe Mode w/ Networking, log soon to follow.

Was not able to update MBAM in either Safe/Normal mode.


EDIT: After running SAS and finding 194 infected items, I went through the removal process and finished by rebooting my computer. However, my computer does not complete its boot cycle, meaning that when I rebooted it, the computer began its normal process, only to reboot on its own right before it brings up the XP login screen.

I was prompted with either starting the computer in Safe Mode or Normal Mode, of which I have tried both - Normal Mode keeps rebooting the computer before bringing up the XP screen, and Safe Mode gets hung up at the screen with all of the multi(disk) loading things. This is consistent for 3 attempts so far.

Any thoughts?

ANOTHER EDIT: I was repeating the reboot process, just trying to make sure that both Normal Mode and Safe Mode were no longer completing their boot cycles, and when I was prompted to choose Safe Mode, Safe Mode w/ Networking, Normal Mode, etc. etc., I was scrolling down to Normal Mode to give it one more try - to see if I was batting a thousand - and tapped enter when it highlighted "Last Known Good Configuration" on accident.

This is now performing the ChkDsk function on my computer (sometimes takes a bit of time) and I feel that I may have messed up our process. Just wanted to let it be known right away. Also, every now and then, when a program was no longer functioning, I would receive an error popup on the bottom right of the screen saying that "so and so is infected or corrupted. Run the ChkDsk function..." (At that time I didn't remember what ChkDsk was).

So, now my computer is running it and hopefully it boots fully and I am able to assess what has changed if at all. Please let me know what your thoughts are. SUPERAntiSpyware had found a good amount of malicious stuff, like RootKit.Agents, Trojans, etc. This has happened to me before when I've run a malicious program scan & removal, and wasn't able to reboot the computer properly, but it only malfunctioned once... By the next reboot attempt I was in the clear.

Edited by TheConnexion, 04 August 2009 - 06:09 PM.


#15 TheConnexion

Posted 04 August 2009 - 06:49 PM

I'm now able to log into Safe Mode, I'll keep trying Normal Mode as well.

Edited by TheConnexion, 04 August 2009 - 06:52 PM.
