
Infected, tried rkill,mbam, need next steps



#1 redhiker


Posted 22 April 2010 - 09:00 AM

Help! Here is what has happened since yesterday. Running Windows XP on Dell Inspiron. I am a malware novice but I searched this forum and followed the steps I thought would help but am at a dead-end. I apologize in advance if there are other things I should have tried before posting. I'm not an expert but can follow any detailed instructions you give me.........

Downloaded OpenOffice to read a file sent to me yesterday. (Not sure if this is the culprit but it did try to do something with Java which made me suspicious)

After rebooting I got a strange message 'NT AUTHORITY SYSTEM' when attempting to log in. Then these windows popped up:

Wireless Configuration: Notification dll has not been registered, program will not work correctly
C:\Program Files\Dell Support Center\gs_agent\dsc.exe: Unable to launch application. Please restart your computer and try again. Error code:-2147023174
BTTray: Error: Unable to start the Bluetooth Stack Services

Noticed two bad processes on my desktop. I will divulge their names if it will help but think I saw somewhere we don't want to publicize.

Downloaded rkill to flash drive and ran it on my laptop - killed the bad processes. (rkill seems to run clean now)

Attempted to run Malwarebytes Anti Malware already installed on my desktop. Got the dreaded message: Runtime Error '372' vbalGrid from vbalsgrid6.ocx. Your version of vbalsgrid6.ocx may be outdated. I also got this message when running the setup.

Tried the following:
Renamed mbam.exe and mbam setup files and reran; same error.
Grabbed and renamed a new mbam setup file, attempted to run it from flash drive; same error
Grabbed a different version of the ocx file and copied it to C:\Program Files\Malwarebytes, reran mbam; same error
Grabbed a randomly generated named mbam.exe..... maybe I'm going crazy but now cannot seem to copy from my flash drive to C:\. Cannot run from flash drive because it needs the language folder which is not in the path.

Should I install the entire mbam folder on the other computer and try to run the entire thing from flash or try something else? Thanks for advice you can give me!!


 


#2 boopme


Posted 22 April 2010 - 11:04 AM

Yes, uninstall, run Visual Basic, reinstall and try it again.



Download MSFT Visual Basic from here
http://www.microsoft.com/downloads/details...;displaylang=en

Instructions


Before starting the download, create a download directory on your computer. If your internet connection is less than 300K, it is recommended that you run the multi-part download by following the "More Information" link at the upper right, then clicking "Download Now."

Click "Download" to begin downloading the single download. When prompted by the download software, choose the option "Save this program to disk" and click OK. Then select the directory you created on your computer.

Run the file from the download directory. When prompted, select the same directory you created on your computer. You will be expanding the contents of the EXE into this directory.

Run SetupSP6.exe from the download directory. When you accept the terms of the electronic End User License Agreement (EULA) the setup software will replace the appropriate files in your Visual Basic 6.0 installation.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 redhiker


Posted 22 April 2010 - 11:30 AM

Thanks boopme.... for the record, in the meantime I copied a good version of that ocx file to the malwarebytes directory and registered it successfully. Still got the error when I went to run a renamed version of mbam.

I have no internet connection on the infected computer so will have to do the visual basic install as well as reinstall of malwarebytes via flash drive. Will let you know how it goes.

#4 boopme


Posted 22 April 2010 - 12:43 PM

If you cannot use the Internet, you will need access to another computer that has a connection.
From there save mbam-setup.exe to a flash, USB, jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.
***
Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.


Note: Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware


#5 redhiker


Posted 22 April 2010 - 01:06 PM

Unfortunately, I have not gotten past installing the Visual Basic service pack. It says it has found Visual Studio, Visual C++, Visual Basic components but then says the update has been unsuccessful. I ran it on the 'healthy' computer too but got the same result (running XP Prof sp 3). When I look at the list of programs on the healthy computer I see Microsoft Visual C++ but not Microsoft Visual Basic.... So I assume I have to install VB too? Not a VB expert so unsure which of the many (hopefully free) downloads to use (runtime? studio?)

In the meantime I did uninstall mbam completely from the infected machine and try to run the new version from my flashdrive with same error. Wondering if there is an alternative to malwarebytes I can try? Feels like I'm running out of options with malwarebytes...... Thanks!

Edited by redhiker, 22 April 2010 - 02:18 PM.


#6 boopme


Posted 22 April 2010 - 11:11 PM

Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

See if MBAM will run now.

#7 redhiker


Posted 27 April 2010 - 09:00 PM

Boopme - thanks so much for your help.... to follow up I downloaded the programs (portable version of SAS) onto the healthy computer (infected one has no internet) and tried to run them from USB flash drive. ATF cleaner did not seem to run. At this point I gave up and had my laptop wiped and reinstalled. Yes, I know that is the coward's way out but thought it was time to cut my losses. Thanks so much for your help; I learned a lot!



