Malwarebytes not working, Google Installer problems


  • This topic is locked
8 replies to this topic

#1 Pipperin (Member)

Posted 26 August 2009 - 12:46 PM

So it seems lots of people are having similar issues as me. I cannot work Malwarebytes and other programs like it even after renaming .exe files and trying it in safe mode. I also keep getting a pop-up saying Google Installer has encountered a problem and needs to close. I also have some problems with random pop-ups from IE though I don't use it, and had AV care which I got rid of. My OP is Windows XP.


I have seen other people with these issues, and someone suggested doing a Sophos root-kit scan. I've decided to try it, hopefully it can be of some help. Here's the log;

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 26/08/2009 at 12:47:46 PM
User "Marcine" on computer "MARCI"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\UAC
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmjrutfumo
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kbiwkmjrutfumo
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\UACd.sys
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\Marcine\Local Settings\Temporary Internet Files\Content.IE5\H6NC76KU\info_48[1]
Hidden: file C:\Documents and Settings\Marcine\Local Settings\Temporary Internet Files\Content.IE5\3JRGOSBS\ErrorPageTemplate[2]
Hidden: file C:\Documents and Settings\Marcine\Local Settings\Temporary Internet Files\Content.IE5\6ULXQBH1\httpErrorPagesScripts[1]
Hidden: file C:\Documents and Settings\Marcine\Local Settings\Temp\UAC7f83.tmp
Hidden: file C:\WINDOWS\system32\kbiwkmrsqiltbo.dll
Hidden: file C:\WINDOWS\system32\drivers\kbiwkmqvppjwsw.sys
Hidden: file C:\WINDOWS\system32\drivers\UACyqpbmknmyw.sys
Hidden: file C:\WINDOWS\system32\kbiwkmtnkljswk.dll
Hidden: file C:\Documents and Settings\Marcine\Local Settings\Temporary Internet Files\Content.IE5\H6NC76KU\background_gradient[2]
Hidden: file C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb
Hidden: file C:\WINDOWS\system32\UACbvvwqrovdb.dll
Hidden: file C:\WINDOWS\system32\kbiwkmtucupwgr.dat
Hidden: file C:\WINDOWS\system32\UAClennhtuxag.dll
Hidden: file C:\Documents and Settings\Marcine\Local Settings\Temporary Internet Files\Content.IE5\WI2YBFR1\httpErrorPagesScripts[1]
Hidden: file C:\Documents and Settings\Marcine\Local Settings\Temporary Internet Files\Content.IE5\3JRGOSBS\ErrorPageTemplate[1]
Hidden: file C:\WINDOWS\system32\eventlog.dll
Hidden: file C:\WINDOWS\system32\UACifhcgiallu.dll
Hidden: file C:\WINDOWS\system32\uacinit.dll
Hidden: file C:\WINDOWS\system32\UACtjlqvaygfl.dat
Hidden: file C:\WINDOWS\system32\UACkdpmiybmev.db
Hidden: file C:\WINDOWS\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\update\update.exe
Hidden: file C:\Documents and Settings\Marcine\Local Settings\Application Data\Microsoft\Messenger\marcitini@hotmail.com\SharingMetadata\penksta_s@hotmail.com\DFSR\Staging\CS{5E473623-322F-FDF6-C324-030F242DC520}\01\11-{5E473623-322F-FDF6-C324-030F242DC520}-v1-{19BEE302-094C-4422-AFE0-C79585FEE467}-v11-Downloaded.frx
Hidden: file C:\Documents and Settings\Marcine\Local Settings\Application Data\Microsoft\Messenger\marcitini@hotmail.com\SharingMetadata\penksta_s@hotmail.com\DFSR\Staging\CS{5E473623-322F-FDF6-C324-030F242DC520}\11\11-{88A6AB32-E316-46BD-954A-2F3350F59476}-v11-{88A6AB32-E316-46BD-954A-2F3350F59476}-v11-Downloaded.frx
Hidden: file C:\WINDOWS\Temp\UAC6b57.tmp
Hidden: file C:\WINDOWS\system32\UACayrtqaorjn.dll
Hidden: file C:\WINDOWS\system32\kbiwkmbapaynnx.dat
Stopped logging on 26/08/2009 at 13:22:44 PM


Please help me!



#2 Budapest (Moderator)

Posted 26 August 2009 - 05:47 PM

Have Sophos remove these two files:

C:\WINDOWS\system32\drivers\kbiwkmqvppjwsw.sys
C:\WINDOWS\system32\drivers\UACyqpbmknmyw.sys

Then reboot and scan with Malwarebytes.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
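
Added example, not part of the original thread and not a Sophos or BleepingComputer tool: one way to triage a Sophos Anti-Rootkit log like the one in post #1 so that hidden kernel drivers under system32\drivers, the kind of file singled out in post #2, are reviewed first. The bucket names and the ordering are assumptions of this example; the sample lines are an excerpt of the posted log.

```python
import re
from collections import defaultdict

# Excerpt of the Sophos Anti-Rootkit log posted in #1 (a subset of its lines).
SAMPLE_LOG = r"""
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kbiwkmjrutfumo
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UACd.sys
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\Marcine\Local Settings\Temp\UAC7f83.tmp
Hidden: file C:\WINDOWS\system32\kbiwkmrsqiltbo.dll
Hidden: file C:\WINDOWS\system32\drivers\kbiwkmqvppjwsw.sys
Hidden: file C:\WINDOWS\system32\drivers\UACyqpbmknmyw.sys
Hidden: file C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb
Hidden: file C:\WINDOWS\system32\eventlog.dll
Hidden: file C:\WINDOWS\system32\UACbvvwqrovdb.dll
"""

HIDDEN_RE = re.compile(r"^Hidden: (registry item|file) (.+)$")

def parse_hidden(log_text):
    """Return (kind, path) tuples for every 'Hidden:' line in the log."""
    items = []
    for line in log_text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            items.append((m.group(1), m.group(2)))
    return items

def triage(items):
    """Bucket hidden items so kernel-level persistence is reviewed first.
    Bucket names are hypothetical; being listed is not proof of malice."""
    buckets = defaultdict(list)
    for kind, path in items:
        low = path.lower()
        if kind == "file" and low.endswith(".sys") and "\\system32\\drivers\\" in low:
            buckets["hidden_driver"].append(path)
        elif kind == "registry item" and "\\services\\" in low:
            buckets["hidden_service_key"].append(path)
        elif "\\temp\\" in low or "\\temporary internet files\\" in low:
            buckets["temp_or_cache"].append(path)
        else:
            buckets["other_hidden"].append(path)
    return dict(buckets)

if __name__ == "__main__":
    for bucket, paths in triage(parse_hidden(SAMPLE_LOG)).items():
        print(bucket, len(paths))
        for p in paths:
            print("   ", p)
```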

#3 Pipperin (Topic Starter)

Posted 26 August 2009 - 07:17 PM

Alright, I deleted those and restarted. Upon restarting, an AVG shield alert came up with a bunch of threats. I clicked 'remove all unhealed infections' and it removed a bunch but said it couldn't delete them all. After that I started up Malwarebytes which actually started up for the first time while not in safe mode, but after telling it to do a full scan it worked for two seconds then disappeared. When I clicked on it again it said 'Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.'

All the threats found by the Resident Shield alert were along the lines of C:\WINDOWS\system32\UAC[letters here].dll

#4 Budapest (Moderator)

Posted 26 August 2009 - 07:20 PM

Rename this file:

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

to this:

iexplorer.exe

Then double-click the renamed file and see if it will run.

#5 Pipperin (Topic Starter)

Posted 26 August 2009 - 07:29 PM

When I try renaming it I get a pop-up saying;

Cannot rename mbam: access is denied

Make sure the disk is not full or write-protected and that the file is not currently in use.



#6 Budapest (Moderator)

Posted 26 August 2009 - 07:32 PM

I think it's time to head on over to the HijackThis forum for a closer look.

Preparation Guide for use before posting a HijackThis Log

Go straight to Step 6. Be sure to include a link to this thread so they can see what has already been tried. If you cannot get DSS to work just post the Sophos log.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#7 Pipperin (Topic Starter)

Posted 26 August 2009 - 07:43 PM

Will do!

What topic title and description should I use? I'm not really sure what the exact problem is.

#8 Budapest (Moderator)

Posted 26 August 2009 - 07:46 PM

As you have a Rootkit infection you could use something like this:

Rootkit Infection: Malwarebytes and other programs won't run

Good luck!

#9 Orange Blossom (Moderator)

Posted 26 August 2009 - 11:11 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/252737/rootkit-infection-malwarebytes-and-other-programs-wont-run/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript