
Can't run MBAM, freddy56.exe., weird internet searches


8 replies to this topic

#1 l_njohn

  • Members
  • 4 posts

Posted 07 August 2009 - 12:35 AM

Alright, so I have a freddy56.exe virus that I have hopefully deleted with Dr. Web CureIt. However, my MBAM will not run. I do have Symantec AntiVirus, which of course has not found any viruses. I typically use Malwarebytes as well, but now after about ten seconds of searching it automatically exits, and then every time I try to open it I get an error saying "Windows cannot access the specified device, path or file..." I have tried renaming mbam.exe to winlogin.exe... I've tried reinstalling and running the renamed version in safe mode... no luck...

I did install two other anti-malware programs through Dell Support, which will not even run after downloading. I downloaded Dr. Web CureIt and ran an express scan in safe mode. That is where I found my freddy56 virus (Facebook, of course). However, I cannot complete it; it exits automatically.

My searches on IE are also going to random websites, and my Facebook will not open in IE. I tried opening IE with no add-ons; it still didn't work. I do not have any of these problems with the Opera browser, though.

All of these issues started at the same time. Originally my Symantec kept popping up with TrojanDownloader viruses and was clearing out different trojans every few minutes. However, in the last two days my Symantec has not found anything.

Any help would be appreciated!



#2 master131

  • Members
  • 366 posts
  • Gender:Male
  • Location:Melbourne, Australia

Posted 07 August 2009 - 01:00 AM

Try renaming it to explorer.exe instead.

If that doesn't work, download Sophos Anti-Rootkit from a clean computer. Burn sar_15_sfx.exe to a disk or put it on a flash drive (USB).

After that is complete, print these instructions out and follow these steps:
NOTE: Close all programs when you follow these steps
1. Run sar_15_sfx.exe from the disk or the USB
2. Accept the license agreement
3. Follow the prompts to install Sophos Anti-Rootkit. If it asks to start Sophos Anti-Rootkit, click No
4. Run sargui.exe from C:\SOPHTEMP
5. Make sure 'Running processes', 'Windows registry' and 'Local hard drives' are ticked
6. Click Start Scan
7. Wait for the scan to complete. When it finishes, a window will pop up with the results.
8. Click OK to continue
9. Click 'Cleanup check items'
10. A window will pop up saying to restart. Click 'Restart Now' to continue.
11. After you have restarted your computer, a window will pop up. Just click 'Empty list' and close the window.
12. Re-run Malwarebytes Anti-Malware and update the database
13. Run a quick-scan and remove all of the detected results

Edited by master131, 07 August 2009 - 03:15 AM.


#3 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 07 August 2009 - 11:09 AM

Please navigate to the MBAM folder located in the Program Files directory.

Locate MBAM.exe and rename it to winlogon.exe

Once renamed double click on the file to open MBAM and select Quick Scan

At the end of the scan click Remove Selected and then reboot.


Post the scan log. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 l_njohn
  • Topic Starter

  • Members
  • 4 posts

Posted 07 August 2009 - 01:33 PM

Alright, I tried renaming it as explorer.exe... wouldn't work. However, I was able to run the Sophos Anti-Rootkit without a problem, and on reboot was finally able to use MBAM :-D

Here is my log:

Malwarebytes' Anti-Malware 1.40
Database version: 2575
Windows 5.1.2600 Service Pack 3

8/7/2009 2:23:50 PM
mbam-log-2009-08-07 (14-23-50).txt

Scan type: Quick Scan
Objects scanned: 106542
Time elapsed: 14 minute(s), 34 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
C:\WINDOWS\ld12.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\WINDOWS\freddy57.exe (Worm.KoobFace) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a072ec12-a40b-41dd-9a1a-cdb848b70f3c} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bd4f7a6d-0107-4bdf-b72b-021b717b06ce} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dll schannel.dll digest.dll msnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ld12.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\rcvbm.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\umoikchf.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wbem\proquota.exe (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lauren\Local Settings\Temp\odins_1249592801.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lauren\Local Settings\Temp\9D.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lauren\Local Settings\Temp\~TMA4.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\WINDOWS\freddy55.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146120114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101464849.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101465353.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101465453.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101465553.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\freddy57.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\prxid93ps.dat (Malware.Trace) -> Quarantined and deleted successfully.
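
As an added example (not code from this thread, from Malwarebytes, or from any of the posters), here is a small Python triage helper for the MBAM 1.x log format posted above. It splits the log into its "... Infected:" sections, counts detections per family, pulls out the registry values under the Run keys (the entries that relaunch the malware at logon), and checks a SecurityProviders line by comparing the DLL names in its "Bad" and "Good" lists. The embedded sample log is a constructed, shortened copy of the log above; the function names and the output layout are my own choices, not anything MBAM provides.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs (added example)."""
import re
from collections import Counter, namedtuple

# Constructed sample input: a shortened copy of the log posted earlier in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2575
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 106542

Memory Processes Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\ld12.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\WINDOWS\freddy57.exe (Worm.KoobFace) -> Unloaded process successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dll schannel.dll digest.dll msnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ld12.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\freddy55.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lauren\Local Settings\Temp\odins_1249592801.exe (Worm.Koobface) -> Quarantined and deleted successfully.
"""

Detection = namedtuple("Detection", "section item family action")

# One detection line: "<path or registry key> (<family>) -> <action>"
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# Values under these keys run at logon; they are the persistence worth a second look.
AUTOSTART_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def parse_mbam_log(text):
    """Return {'meta': {...}, 'detections': [Detection, ...], 'sections': {name: [...]}}."""
    meta, detections, sections = {}, [], {}
    section = "Unsectioned"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if m:
            d = Detection(section, m["item"], m["family"], m["action"])
            detections.append(d)
            sections.setdefault(section, []).append(d)
        elif line.endswith(":"):            # "Files Infected:" opens a section
            section = line[:-1]
            sections.setdefault(section, [])
        elif ": " in line:                  # "Database version: 2575" and the count summary
            key, value = line.split(": ", 1)
            meta[key] = value
    return {"meta": meta, "detections": detections, "sections": sections}


def family_counts(parsed):
    """Detections per family. The log spells Worm.KoobFace/Worm.Koobface both ways, so fold case."""
    return Counter(d.family.lower() for d in parsed["detections"])


def autostart_entries(parsed):
    """Registry values under Run/RunOnce: the entries that relaunch the malware at logon."""
    return [d for d in parsed["detections"] if AUTOSTART_RE.search(d.item)]


def security_providers_diff(action):
    """Compare DLL names in the 'Bad: (...) Good: (...)' part of a SecurityProviders line.

    Returns (extra, missing): DLLs only in the bad value, and DLLs only in the good one,
    or None if the action text carries no Bad/Good pair. Both sets empty means no foreign
    DLL was added; the value was only malformed (in the log above, the commas are gone).
    """
    m = re.search(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)", action)
    if not m:
        return None

    def names(s):
        return {t.lower() for t in re.split(r"[,\s]+", s) if t}

    bad, good = names(m["bad"]), names(m["good"])
    return bad - good, good - bad


def triage(parsed):
    """One-screen summary of what the scan found and which entries deserve a follow-up."""
    lines = [f"{k}: {v}" for k, v in parsed["meta"].items() if k in ("Database version", "Scan type")]
    lines.append(f"total detections: {len(parsed['detections'])}")
    for family, n in family_counts(parsed).most_common():
        lines.append(f"  {family}: {n}")
    for d in autostart_entries(parsed):
        lines.append(f"autostart: {d.item} ({d.family})")
    for d in parsed["sections"].get("Registry Data Items Infected", []):
        diff = security_providers_diff(d.action)
        if diff is not None:
            extra, missing = diff
            lines.append(f"SecurityProviders extra={sorted(extra)} missing={sorted(missing)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage(parse_mbam_log(SAMPLE_LOG)))
```

Run it as a script to see the summary for the embedded sample, or call `parse_mbam_log()` on the text of a saved mbam-log file. On the log posted above the SecurityProviders check reports no extra or missing DLL, which tells you the provider list itself was intact and only its formatting had been changed; the two Run values are the entries to confirm are gone after the reboot.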

#5 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 07 August 2009 - 01:45 PM

OK excellent!
Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop..
DO NOT run yet.
Open SUPER from icon and install and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates. When done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Please ask any needed questions, post logs and let us know how the PC is running now.

#6 l_njohn
  • Topic Starter

  • Members
  • 4 posts

Posted 08 August 2009 - 01:55 PM

OK, here is my SUPER log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/08/2009 at 02:26 PM

Application Version : 4.27.1002

Core Rules Database Version : 4045
Trace Rules Database Version: 1980

Scan type : Complete Scan
Total Scan Time : 01:56:53

Memory items scanned : 228
Memory threats detected : 0
Registry items scanned : 6491
Registry threats detected : 7
File items scanned : 23517
File threats detected : 1

Adware.RX Toolbar
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461C-A1CC-4EC4DE4CA483}
HKU\S-1-5-21-3709583099-1739544015-350458157-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}
HKU\S-1-5-21-3709583099-1739544015-350458157-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461C-A1CC-4EC4DE4CA483}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461C-A1CC-4EC4DE4CA483}

Unclassified.Unknown Origin
HKCR\PROTOCOLS\Filter\text/html
HKCR\PROTOCOLS\Filter\text/html#CLSID

Trojan.Media-Codec
HKU\S-1-5-21-3709583099-1739544015-350458157-1006\Software\Internet Security
C:\Program Files\strCodec


And here is my MBAM log:

Malwarebytes' Anti-Malware 1.40
Database version: 2581
Windows 5.1.2600 Service Pack 3

8/8/2009 2:53:44 PM
mbam-log-2009-08-08 (14-53-44).txt

Scan type: Quick Scan
Objects scanned: 95427
Time elapsed: 9 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 08 August 2009 - 07:36 PM

Looks good now. If there are no further indications of the infection then....
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

#8 l_njohn
  • Topic Starter

  • Members
  • 4 posts

Posted 10 August 2009 - 03:00 PM

Alright great thank you so much!

#9 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 10 August 2009 - 03:39 PM

You're most welcome, please take a moment to read quietman7's excellent prevention tips in post 17 here
Click>>Tips to protect yourself against malware and reduce the potential for re-infection:



