

Security programs (Spybot and MalwareBytes) will not run


  • This topic is locked
19 replies to this topic

#1 theel13

theel13

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:22 AM

Posted 15 September 2009 - 09:56 AM

My computer has recently been infected with something that will not allow Spybot to run. I have also tried to run MalwareBytes, but that was stopped from running as well. Additionally, I tried to run a Norton scan, but that was stopped prematurely as well.

Initially, I could get both programs to start a scan, but after a few seconds they would shut down. I have recently noticed that both shortcuts seem to have disappeared or may have even been uninstalled.

I tried to re-install the programs, but the same issue (as described above) takes place - programs run for a few seconds, stop running, then the programs mysteriously disappear from my desktop and Start Menu.

Any assistance would be appreciated.



#2 binten

binten

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 15 September 2009 - 10:45 AM

Well, I'm no expert with malware.. though one doesn't need to be for this tip.. there's an obvious thing to do,

And by the way, sometimes they won't even install either.

-TRY- running them from Safe Mode.

I did this for a friend, it solved it no problem. Used MBAM (malware bytes...)

If you google like Windows XP safe mode. I don't know Vista, but if you google Windows Vista safe mode.. you should find lots of websites telling you how to get into safe mode.
Then it's just like Windows but with fewer things loaded. And the malware can have less power, so you may be able to get them installed/running.

Edited by binten, 15 September 2009 - 10:47 AM.


#3 theel13

theel13
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:22 AM

Posted 15 September 2009 - 10:54 AM

Thanks for the suggestion. After attempts to run these programs (and later re-install) in normal XP mode failed, I attempted to run them in safe mode. The same problem occurred. I've also noticed that I do not have access to the internet now that the computer seems to be infected.

#4 binten

binten

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:22 AM

Posted 15 September 2009 - 11:08 AM

I don't know if you did this, but I meant you should save the installation file and run the installation file from safe mode. You may get it installed and running. Other than that, I'm out of good ideas..

Other helpers?

#5 theel13

theel13
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:22 AM

Posted 15 September 2009 - 11:52 AM

I tried this as well thinking that the original programs may have already been infected. After downloading new versions, and attempting a re-install the same problem persists. This didn't work in either safe or normal mode.

I did use a flash drive to accomplish this as my internet browsers seem to have been infected as well, and it seems to have copied infections onto the flash drive. Luckily, my security software on my other computer stopped the infections from spreading off of my flash drive.

So far I'm still unable to run any security programs or access the internet. I'm also hesitant to extract or open any files off of the infected computer seeing as my flash drive was affected as well.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:22 AM

Posted 15 September 2009 - 12:28 PM

Hello, you should run this first on your USB and any PC's it's contacted.
Download and Run FlashDisinfector

You have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.



Running On a clean Comp
You would need to run sUBs' Flash_Disinfector on the clean computer first and hold down the shift key before connecting the external drive.


Then try running RSIT off the USB on the infected PC.
Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
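
An added example, not part of the post above and not code from Flash_Disinfector: a read-only check of what sits at the name autorun.inf on a drive root, distinguishing the placeholder folder the post describes from a file whose [autorun] section names a program to run. The function names and the status strings are hypothetical, and the drive roots to check are supplied by the caller.

```python
import sys
from pathlib import Path

def launch_commands(raw: bytes):
    """Return (key, value) pairs in [autorun] that start a program."""
    utf16 = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = raw.decode("utf-16" if utf16 else "latin-1", errors="replace")
    in_autorun, found = False, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun]")
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue  # junk, comments and other sections are ignored
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open=, shellexecute= and shell\<verb>\command= all name a program to run
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value))
    return found

def classify_root(root):
    """Classify the autorun.inf entry at a drive root (hypothetical helper)."""
    entry = Path(root) / "autorun.inf"  # Windows matches the name case-insensitively
    if entry.is_dir():
        return "folder", []          # placeholder folder, as the post describes
    if not entry.is_file():
        return "absent", []
    cmds = launch_commands(entry.read_bytes())
    return ("file-launches-program" if cmds else "file-no-launch"), cmds

if __name__ == "__main__":
    # Usage: python check_autorun.py E:\ F:\   (drive roots are the caller's choice)
    for root in sys.argv[1:]:
        status, cmds = classify_root(root)
        print(f"{root}: {status}")
        for key, value in cmds:
            print(f"    {key} = {value}")
```

The script only reads; a drive reported as "file-launches-program" is one to leave unopened on a clean machine until it has been cleaned.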

#7 theel13

theel13
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:22 AM

Posted 15 September 2009 - 01:04 PM

So, I attempted to download the Flash_Disinfector on the clean computer, but could not do so. I received an error message stating that it is not a valid Win32 application.

On the infected computer, I ran the Flash_Disinfector program and it worked as stated at first. I was asked to insert the flash drive, which I did. A warning prompt then popped up stating that Flash_Disinfector may cause my screen to go blank for a few seconds. The screen flashed, then all of my desktop icons were cleared. I've tried re-downloading the program again, but it only repeats the same sequence described above.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:22 AM

Posted 15 September 2009 - 03:08 PM

Did you hold down the shift key before connecting?
Do you now have a desktop with no icons?

#9 theel13

theel13
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:22 AM

Posted 15 September 2009 - 03:31 PM

I was unable to get Flash_Disinfector to even download on one computer, but was able to get it to work on another computer we own and had the flash drive cleaned as instructed.

I then downloaded RSIT as directed on a clean computer and put it onto the flash drive. After inserting the flash drive onto the infected computer, I ran RSIT from the USB drive. The scan would not complete. It got about 75% of the way done before disappearing.

The infected computer is in safe mode, and has networking enabled. I also re-tried running Spybot and MalwareBytes, but with no luck.

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:22 AM

Posted 15 September 2009 - 07:46 PM

Ok I would like to try these as they are both best in Safe Mode.
Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


If it goes, post the log. To save you some time waiting on me, if it fails... then you will need to do this...
You will need to run HJT/DDS.
Please follow this guide. Go and do steps 6 thru 8: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#11 theel13

theel13
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:22 AM

Posted 16 September 2009 - 08:55 AM

Alright, I downloaded both SUPERAntiSpyware and ATF Cleaner to my desktop. I did both in Safe Mode with networking as the computer seems to hang up while trying to load Windows in normal mode.

SUPERAntiSpyware will not run as it says that, "The Administrator has set policies to prevent this installation." ATF Cleaner did pull up, and I followed your instructions through 'Select All' and 'Empty Selected.' However, the program just closed out after selecting 'Empty Selected.'

It seems the Administrator policies to prevent installation is causing a lot of havoc on the installation and running of these security programs, as well as obtaining any logs as to what is happening.

Is there any other way around this?

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:22 AM

Posted 16 September 2009 - 09:54 AM

Hello, this malware is brutal.
Right click on your installer file and select "run as" option.
Then select Run as administrator from there.

#13 Boudin Brad

Boudin Brad

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:22 AM

Posted 16 September 2009 - 10:23 AM

Sorry if this is a breach in protocol, but I have the same infection.

After clicking run as administrator, the following prompt comes up:

"F:\Desktop\SuperVV.exe (renamed)

This service cannot be started in Safe Mode."

Edited by Boudin Brad, 16 September 2009 - 10:23 AM.


#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:22 AM

Posted 16 September 2009 - 10:44 AM

OK Boudin Brad, yes that is the malware file renaming the file so it can prevent you from running what you want, so you will pay for their fraud tool to fix this.
Try renaming that .exe to .bat and start over. You also should start your own topic so we all don't get confused telling different posters what to do. But no harm done.

#15 theel13

theel13
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:05:22 AM

Posted 16 September 2009 - 02:05 PM

I ran into the same error messages as Boudin Brad, but was able to work around it by renaming the .exe to .bat. I was not able to run the ATF Cleaner completely as directed. The Netscape menu worked as instructed, but I'm not sure the Main menu did not. After clicking on 'Select All', then hitting the 'Empty Selected' button, the program shut down.

Next, I tried the SUPERAntiSpyware. After completing the instructions for downloading, updating, and selecting the indicated options in normal mode, I restarted the computer in Safe mode. I was able to open SUPERAntiSpyware and begin a scan. However, about 7 1/2 minutes into the scan the program completely shut down. I can't say this for sure, but it appears to be after it has completed the registry scan.

After the program shut down, I tried to re-run the program, but cannot as it says that I no longer have permission to access the file. If I go to the SUPERAntiSpyware folder, the file is still present, but the SUPERAntiSpyware icon has been replaced with a blank window icon.

I've re-tried downloading in normal mode, and running in safe mode two more times (after performing an uninstall of SUPERAntiSpyware first), but to no avail. ATF Cleaner never runs cleanly from the Main menu, and SUPERAntiSpyware seems to always fail after 7 minutes.

Thank you for all of the help, but this seems to be quite a pain. Are there any other suggestions or ways around the malware's ability to stop all antispyware/antimalware scans?



