Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

mcsysmon.exe is infected


  • Please log in to reply
26 replies to this topic

#1 skryber64

skryber64

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bleepin' Hoosier
  • Local time:03:56 AM

Posted 01 December 2009 - 12:16 PM

Hi all! My boss is having a problem with his laptop. When he starts in normal mode, he get's this error (and any time he runs an app):

Security Warning

Application cannot be executed. The file mcsysmon.exe is infected.



I asked him to start in safe mode and he gets BSD. I was going to have him run Malwarebytes AntiMalware in Safe mode. He tried to run it in normal, but he gets that error. The virus won't let him run anything. Maybe I should start out with RKill? Any help is very much appreciated! :thumbsup:

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:56 AM

Posted 01 December 2009 - 02:32 PM

I was going to have him run Malwarebytes AntiMalware in Safe mode. He tried to run it in normal,

Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, MBAM loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. Additionally, there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails or you cannot boot up normally.

-- Some types of malware will disable Malwarebytes Anti-Malware and other security tools to keep them from running properly. If MBAM will not install, try renaming it first.
  • Right-click on the mbam-setup.exe file file and rename it to mysetup.exe. If that did not work, rename it explorer.exe.
  • Double-click on the renamed file to start the installation.
  • If that still did not work, then try changing the file extension. <- click this link if you do not see the file extension
    If using Windows Vista, refer to these instructions.
  • Right-click on explorer.exe and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on explorer.com (or whatever extension you renamed it) to begin installation.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe and rename it to wuauclt.exe.
  • Double-click on wuauclt.exe to launch the program.
  • If that did not work, then change the .exe extension in the same way as noted above.
  • Double-click on wuauclt.com (or whatever extension you renamed it) to launch the program.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 skryber64

skryber64
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bleepin' Hoosier
  • Local time:03:56 AM

Posted 01 December 2009 - 03:28 PM

Thanks for the quick response. None of this works. It's blocking him from opening any of it after reinstalling with the new names. Same error. I'm doing this over the phone with him and he doesn't see the mbam.exe file in the program files - Malwarebytes AntiMalware. (????) So we weren't able to rename it.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:56 AM

Posted 01 December 2009 - 03:48 PM

Some types of malware will delete the main mbam.exe executable file during installation or when attempting to perform a scan which results in various errors.

One way to resolve this is to download and install Malwarebytes Anti-Malware on a non-infected computer.
  • After installation, open Windows Explorer and navigate to the C:\Program Files\Malwarebytes' Anti-Malware\ folder where mbam.exe is located.
  • Copy the mbam.exe file to the Desktop and rename it to wuauclt.exe or explorer.exe.
  • Save the renamed file to a usb flash drive or CD, then transfer to the infected computer.
    • Another option is to upload the file somewhere so you can download it later to the infected computer.
    • If you do not have access to another computer, ask a friend to email or upload a renamed mbam.exe for you and provide a link to download it.
  • Place the renamed mbam.exe in the C:\Program Files\Malwarebytes' Anti-Malware folder on the infected computer, then double-click on it to launch the program.
  • Check for database definition updates through the program's interface.
  • Then perform a Quick Scan, check all items found for removal and reboot afterwards.
  • Failure to reboot will prevent MBAM from removing all the malware.
  • When done, click the Logs tab and copy/paste the contents of the report in your next reply.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 skryber64

skryber64
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bleepin' Hoosier
  • Local time:03:56 AM

Posted 01 December 2009 - 04:43 PM

Okay, I walked him through this and when he runs the file that we renamed "wuauclt.exe" we get the error:

Application cannot be executed. The file wuauclt.exe is infected.


I think this error comes up with anything he tries to run. A nasty one indeed.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:56 AM

Posted 01 December 2009 - 05:13 PM

Its a bogus alert by the malware to make you think the file is infected.

Please download Rkill by Grinler and save it to your desktop.Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Now try performing a Quick Scan in normal mode with Malwarebytes Anti-Malware and check all items found for removal. Don't forgot to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 skryber64

skryber64
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bleepin' Hoosier
  • Local time:03:56 AM

Posted 01 December 2009 - 05:30 PM

I am going to do this tomorrow morning bc bossman is out and about right now. Thanks! :thumbsup:

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:56 AM

Posted 01 December 2009 - 05:31 PM

Ok.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 skryber64

skryber64
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bleepin' Hoosier
  • Local time:03:56 AM

Posted 02 December 2009 - 11:28 AM

No love. At least I can do all this myself now. I have the laptop here with me. I get the same error with all 4 links. I tried to run CMD and same thing. :thumbsup:

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:56 AM

Posted 02 December 2009 - 11:37 AM

Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is hidden piece of malware (i.e. rootkit) which has not been detected by your security tools that protects malicious files and registry keys so they cannot be permanently deleted. Other types of malware can even terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need you to create and post a DDS/HijackThis log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 skryber64

skryber64
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bleepin' Hoosier
  • Local time:03:56 AM

Posted 02 December 2009 - 11:57 AM

I started to do all this and I keep getting the error and I can't run anything. I know Rkill said not to restart but I did hoping to be able to run Rkill before any virus could take over. I was able to do this and right now I'm running a MBAM scan. Should I still post a DDS log in a new thread when it's over?

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:56 AM

Posted 02 December 2009 - 12:00 PM

If you were able to get the scan working, then hold off on posting a log and lets see how it goes.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#13 skryber64

skryber64
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bleepin' Hoosier
  • Local time:03:56 AM

Posted 02 December 2009 - 01:49 PM

It found 8 infections. Here is the log. I restarted. I can get online now but everytime I hit a link, I couple new windows pop up. Should I run another one? Or maybe SuperAntiSpyware? I haven't seen that annoying app error so far. :thumbsup:

Malwarebytes' Anti-Malware 1.41
Database version: 3278
Windows 5.1.2600 Service Pack 3

12/2/2009 1:40:18 PM
mbam-log-2009-12-02 (13-40-18).txt

Scan type: Full Scan (C:\|)
Objects scanned: 268918
Time elapsed: 1 hour(s), 34 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\omnmpfvd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\omnmpfvd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Douglas Williams\Local Settings\Application Data\xmkilv\vnkfsysguard.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Douglas Williams\Local Settings\Temporary Internet Files\Content.IE5\813GXDX4\op[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Douglas Williams\Desktop\explorer.com (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Douglas Williams\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:56 AM

Posted 02 December 2009 - 02:18 PM

Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you cannot boot into safe mode or complete a scan, then perform your scan in normal mode.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#15 skryber64

skryber64
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bleepin' Hoosier
  • Local time:03:56 AM

Posted 02 December 2009 - 02:54 PM

I ran TFC and restarted. I still get BSD when starting in Safe Mode so I didn't run SAS. I opened ie and windows kept opening, like 50 or so and they kept going so I turned it off. Can I run SAS in normal mode?

edit: Oh, I'm sorry, it says at the bottom to run in Normal....I'm doing that right now.

Edited by skryber64, 02 December 2009 - 02:54 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users