
Infected - can't run MBAM or SAS


  • Please log in to reply
17 replies to this topic

#1 Bako-Dan

Posted 02 May 2010 - 11:12 PM

I'm running Windows XP SP3. The computer is infested with pop-ups and I can't get to the internet. I couldn't get MBAM to run. I rebooted in safe mode. I could run MBAM, but I couldn't update it (was not able to connect to the internet). Here's the MBAM log:

Malwarebytes' Anti-Malware 1.44
Database version: 3884
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

5/2/2010 8:11:07 PM
mbam-log-2010-05-02 (20-11-07).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 232126
Time elapsed: 1 hour(s), 16 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I'm currently running an SAS scan, but I was not able to update the SAS version before the scan.

What do I do now?

Thanks!


#2 quietman7 (Global Moderator)

Posted 03 May 2010 - 06:17 AM

Your Malwarebytes Anti-Malware log indicates you are using an older version (1.44) of MBAM with an outdated database. Please download and install the most current version (v1.46) from here.
You may have to reboot after updating in order to overwrite any "in use" protection module files.

The database shows 3884. Last I checked it was 4060.

If you cannot use the Internet or download any required programs to the infected machine, you are going to need access to another computer (family member, friend, library etc) with an Internet connection. Save mbam-setup.exe to a flash (usb, pen, thumb, jump) drive or CD, transfer it to the infected machine, then install and run the program. If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive. If you cannot copy files to your usb drive, make sure it is not "Write Protected". Some flash drives have a switch on the side which could have accidentally been moved to write protect.

You will also need to manually download the definition database from another computer, save and transfer them to the infected machine. After installing MBAM, just double-click on mbam-rules.exe to apply the update. Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Note: Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware
-- Some types of malware will target Malwarebytes Anti-Malware and other security tools to keep them from running properly. Other types of malware may delete the main mbam.exe executable file during installation or when attempting to perform a scan which results in various errors. If that's the case, please refer to the suggestions provided in For those having trouble running Malwarebytes Anti-Malware for using Rkill or downloading a renamed version of mbam.exe. Do not reboot after running Rkill. Immediately after running this tool, you need to perform your scan with Malwarebytes Anti-Malware.

Note: You may have to make repeated attempts to use Rkill several times before it will run as some malware variants try to block it.

If you get an alert that Rkill is infected, ignore it. The alert is a fake warning given by the rogue software which attempts to terminate tools that try to remove it. If you see such a warning, leave the warning on the screen and then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself so that Rkill can perform its routine.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Bako-Dan (Topic Starter)

Posted 03 May 2010 - 12:30 PM

I downloaded Dr. Web CureIt and ran it in Safe Mode last night. The Express scan quickly went through approximately 5,000 objects within 20 minutes, but then the scan became extremely slow. When I left for work this morning, about 6 hours after starting the scan, only 5,126 objects had been scanned. According to the progress bar, the scan was only about halfway done. I let the scan continue. I'll check it when I get home to see if it finished.

I'll work on getting MBAM v1.46 installed and updated when I get home. Hopefully I can get it installed and running.

Thanks for the help! I'll reply back with a progress update later tonight.

#4 quietman7

Posted 03 May 2010 - 12:35 PM

Ok.

Just so you know.

The speed and ability to complete an anti-virus or anti-malware scan depends on a variety of factors.
  • The program itself and how its scanning engine is designed to scan: using a signature database vs heuristic scanning or a combination of both.
  • Options to scan for spyware, adware, riskware and potentially unwanted programs (PUPS).
  • Options to scan memory, boot sectors, registry and alternate data streams (ADS).
  • Type of scan performed: Deep, Quick or Custom scanning.
  • What action has to be performed when malware is detected.
  • A computer's hard drive size.
  • Disk used capacity (number of files, including temporary files) that has to be scanned.
  • Types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, email, etc) that are scanned.
  • Whether external drives are included in the scan.
  • Competition for and utilization of system resources by the scanner.
  • Other running processes and programs in the background.
  • Interference from malware.
  • Interference from the user.
To speed up your scans, uninstall unnecessary programs, clean out the temporary files or use ATF Cleaner first, temporarily disable any other real-time protection tools, close all open programs and do not use the computer during the scan.

Using two security scanning engines at the same time can cause each to interfere with the other, cause system hangs, false detections, unreliable results and other unpredictable behavior.

Note: It is not unusual for an anti-virus or anti-malware scanner to be suspicious of some compressed, archived, .cab and packed files because they have difficulty reading what is inside them. These kinds of files often trigger alerts by security software using heuristic detection because they are resistant to scanning (difficult to read). This resistance may also cause some scanners to stall (hang) on these particular types of files. Certain files in the System Volume Information Folder like the Tracking.log (created by the Distributed Link Tracking Service to store maintenance information) have also been reported as a source causing some scanners to hang.

#5 Bako-Dan

Posted 04 May 2010 - 01:44 AM

Got home from work (and my kid's baseball game) and got ready to re-install MBAM onto the computer as per your instructions - had mbam-setup.v1.46.exe, mbam-rules.exe, and rules.ref all loaded onto a flash drive as well as rkill.com, rkill.scr, & rkill.exe (Link 3 gave me a "webpage cannot be found" error).

The Dr. Web CureIt search was still ongoing when I sat down at the computer (over 22 hours on the "quick" scan and still not finished - no infected files were indicated as being identified). When I tried to exit the scan, the computer locked up. I had to perform a hard boot on the machine; however, the computer would not boot. As soon as the power button was pushed, the computer goes into a "hibernate" state (power indicator light flashes yellow). I unplugged the machine, plugged it back in, and tried to reboot - same results.

Where do I go now? Try to boot off the Windows XP disk? I doubt that will work as the machine doesn't even try to look at any drives - it just instantly goes into hibernation.

#6 quietman7

Posted 04 May 2010 - 06:18 AM

Have you tried using Last Known Good Configuration or System Restore from a command prompt in Safe Mode to return to a previous state before the problems began?

#7 Bako-Dan

Posted 04 May 2010 - 11:06 AM

I can't get the computer to start - it immediately goes into hibernation once I push the power button.

#8 quietman7

Posted 04 May 2010 - 11:46 AM

When doing a Google search for this particular problem, there appear to be various possible causes, including the ACPI setting in BIOS, video/graphics card, drivers, etc. What works for one person may not work for another, so you will need to do some troubleshooting or check the computer manufacturer's website for additional resources/suggestions.

I did not find anything attributing the issue to the Dr.Web scan.

#9 Bako-Dan

Posted 06 May 2010 - 03:51 PM

I believe the computer wasn't starting because the fan wasn't getting up to speed fast enough. After taking the cover off the computer case, I noticed that the fan would barely spin when I hit the start button. I spun the fan with my finger, then hit the start button, and the computer booted normally.

I was able to install MBAM v.1.46 from a flash drive. After installing it, I couldn't get it to run. I used rkill and got MBAM to run. I'm currently running a complete scan. MBAM immediately found 4 infections, but the complete scan will take a while.

Interestingly, after running rkill, the rkill notepad log popped up, MBAM opened, and the annoying pop-ups saying I needed to "click here to stop infection" disappeared. Also, the virus is not trying to connect with the internet as it was previously.

#10 Bako-Dan

Posted 06 May 2010 - 05:59 PM

MBAM finished the scan. Here's the log file:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4063

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/6/2010 3:47:44 PM
mbam-log-2010-05-06 (15-47-44).txt

Scan type: Full scan (C:\|F:\|)
Objects scanned: 219953
Time elapsed: 1 hour(s), 8 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdnnyqub (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdnnyqub (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Connie\Local Settings\Application Data\kqpaqjonp\lpwfcantssd.exe (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.
C:\Documents and Settings\Connie\Local Settings\Temp\jIli.exe (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.
C:\Documents and Settings\Connie\Local Settings\Temporary Internet Files\Content.IE5\YH6V8DQW\n002106201304r0409J11000601Re85bb3ebWec569f27X7e09cbdbY35d582e6Z0100f0700[1] (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.
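Logs in this layout are easy to read by eye but tedious to triage in bulk, so here is a small parser for the MBAM 1.x text log format, added as an example and not part of the thread or of Malwarebytes' own tooling. It pulls out the database number, the summary counts and every listed item, then answers the questions a helper actually asks of such a log: which items were autostart (Run key) persistence, whether anything was left unresolved, whether the counts match the listed items, and whether the definitions were stale against a "latest" number the caller supplies (4073, the figure quoted later in the thread, is used below). The sample log is a constructed, trimmed copy of the entries posted above.

```python
import re

# Constructed sample in the MBAM 1.x log layout, trimmed from the log posted above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46

Database version: 4063

Scan type: Full scan (C:\|F:\|)
Objects scanned: 219953

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdnnyqub (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdnnyqub (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Connie\Local Settings\Application Data\kqpaqjonp\lpwfcantssd.exe (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.
C:\Documents and Settings\Connie\Local Settings\Temp\jIli.exe (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")   # summary line
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")             # section header
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def parse_mbam_log(text):
    """Return header fields, the per-category summary counts and every listed item."""
    report = {"database": None, "scan_type": None, "objects_scanned": None,
              "counts": {}, "sections": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line closes the current item list
        elif line.startswith("Database version:"):
            report["database"] = int(line.split(":", 1)[1])
        elif line.startswith("Scan type:"):
            report["scan_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Objects scanned:"):
            report["objects_scanned"] = int(line.split(":", 1)[1])
        elif m := COUNT_RE.match(line):
            report["counts"][m["name"]] = int(m["n"])
        elif m := HEADER_RE.match(line):
            section = m["name"]
            report["sections"][section] = []
        elif section and (m := ENTRY_RE.match(line)):  # "(No malicious items...)" never matches
            report["sections"][section].append(
                {"item": m["item"], "threat": m["threat"], "action": m["action"]})
    return report


def persistence_entries(report):
    """Items under a Run/RunOnce key: these relaunch the malware at every logon."""
    return [e["item"] for items in report["sections"].values()
            for e in items if RUN_KEY_RE.search(e["item"])]


def unresolved_entries(report):
    """Items whose action was anything other than a successful quarantine/delete."""
    return [e["item"] for items in report["sections"].values() for e in items
            if not e["action"].startswith("Quarantined and deleted successfully")]


def counts_consistent(report):
    """True when each summary count equals the number of items listed under it."""
    return all(len(report["sections"].get(name, [])) == n
               for name, n in report["counts"].items())


def database_is_stale(report, current_version):
    """current_version is the latest definitions number, supplied by the caller."""
    return report["database"] is not None and report["database"] < current_version


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(f"database {rep['database']} stale={database_is_stale(rep, 4073)}")
    print("persistence entries:", persistence_entries(rep))
    print("unresolved:", unresolved_entries(rep), "counts ok:", counts_consistent(rep))
```

The two Run values are the part of this log worth a second look: they are what brought the rogue back at each logon, which is why the reply above insists on a reboot in normal mode before trusting the result. A mismatch from counts_consistent() or a non-empty unresolved_entries() would mean the log was truncated when pasted or that MBAM could not delete something, and either case calls for a rescan rather than declaring the machine clean.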

#11 Bako-Dan

Posted 06 May 2010 - 07:10 PM

The viral pop-ups haven't returned, however I can't get IE to view the internet or SAS or my AV to update. I'm connected to the network (IP address assigned), but when I open IE it says it can't display my homepage (yahoo.com). Interestingly, I was able to update MBAM through the network connection.

Any ideas?

#12 quietman7

Posted 07 May 2010 - 06:04 AM

Check your Proxy settings in Internet Explorer to make sure malware did not alter them. If so, that can affect your ability to browse or download tools required for disinfection:
  • Open Internet Explorer > click Tools > Internet Options > Connections tab.
  • Click the LAN Settings... button and uncheck Use a proxy server for your LAN
    or change the settings to the proxy you normally use if you previously reconfigured it.
  • Remove any unknown addresses from the Address box. 80 is the default Port so it does not have to be changed.
  • Click Ok and then click Ok again.
  • Close Internet Explorer and restart the computer.
  • An example of how to do this with screenshots can be found in steps 3-7 under the section Automated Removal Instructions... in this guide.
Check your Proxy settings in Firefox to make sure malware did not alter them:
  • Open Firefox, click Tools > Options > Advanced and click the Network Tab.
  • Under the Connection section click on the Settings... button.
  • Under Configure Proxies to Access the Internet, check No proxy. This is the default option if you don't use a proxy.
  • Click Ok and then click OK again.
  • Close Firefox and restart the computer.
For other browsers, please refer to How to configure browser proxy settings.

Rescan again with Malwarebytes Anti-Malware (Quick Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

The database in your previous log shows 4063. Last I checked it was 4073.

If you cannot update through the program's interface and have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, be aware that mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating, is to install MBAM on a clean computer, launch the program, update through MBAM's interface, copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware

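The Internet Explorer steps above amount to inspecting two values in the per-user WinINET registry key and clearing the "Use a proxy server" flag. The script below, added here as an example and not taken from the thread or from any vendor, does the same check programmatically: assess_proxy() classifies a (ProxyEnable, ProxyServer) pair, read_ie_proxy_settings() reads the live values on Windows, and disable_lan_proxy() is the equivalent of unchecking the box. Other Windows programs that fetch updates through WinINET read this same per-user setting, so a hijacked proxy stops them too, not just the browser. The "expected proxies" argument, the "--fix" flag and the sample values used off-Windows are assumptions of this example.

```python
import sys

# Per-user WinINET settings that Internet Explorer's "LAN Settings" dialog writes to.
INET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}


def assess_proxy(proxy_enable, proxy_server, expected_proxies=()):
    """Classify the WinINET proxy configuration.

    proxy_enable     -- value of the ProxyEnable DWORD (0 means the box is unchecked)
    proxy_server     -- value of the ProxyServer string, e.g. 'host:port' or
                        'http=host:port;https=host:port'; None if the value is absent
    expected_proxies -- proxy strings the user knowingly configured (assumed input)
    Returns (status, detail); status is 'ok', 'localhost' or 'unexpected'.
    """
    if not proxy_enable:
        return "ok", "no proxy in use (the default)"
    server = (proxy_server or "").strip()
    if server in expected_proxies:
        return "ok", f"using the expected proxy {server}"
    for part in server.split(";"):  # one entry per protocol when several are listed
        host = part.split("=")[-1].rsplit(":", 1)[0].strip("[]").lower()
        if host in LOCAL_HOSTS:
            # A proxy on the machine itself means some local program sits between
            # the browser and the network; that is worth checking before anything else.
            return "localhost", f"proxy {server!r} points back at this machine"
    return "unexpected", f"proxy {server!r} is enabled but was not configured by you"


def read_ie_proxy_settings():
    """Read the live values on Windows; returns (ProxyEnable, ProxyServer)."""
    import winreg  # Windows-only module, imported lazily on purpose
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INET_SETTINGS) as key:
        try:
            enable, _ = winreg.QueryValueEx(key, "ProxyEnable")
        except FileNotFoundError:
            enable = 0
        try:
            server, _ = winreg.QueryValueEx(key, "ProxyServer")
        except FileNotFoundError:
            server = None
    return enable, server


def disable_lan_proxy():
    """Same effect as unchecking 'Use a proxy server for your LAN' in IE."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INET_SETTINGS, 0,
                        winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "ProxyEnable", 0, winreg.REG_DWORD, 0)


if __name__ == "__main__":
    if sys.platform == "win32":
        enable, server = read_ie_proxy_settings()
    else:  # constructed values standing in for a tampered machine, for offline runs
        enable, server = 1, "127.0.0.1:8080"
    status, detail = assess_proxy(enable, server)
    print(status, "-", detail)
    if status != "ok" and sys.platform == "win32" and "--fix" in sys.argv:
        disable_lan_proxy()
        print("ProxyEnable set to 0; restart the browser, then reboot as the post says")
```

Run it without arguments first and read the verdict; only pass --fix once you are sure you do not normally use a proxy, since on a corporate machine the "unexpected" result may simply be a proxy you did not know about. The GUI route in the post and this script change the same value, so either is fine, but keep the log of what the value was before clearing it.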

#13 Bako-Dan

Posted 07 May 2010 - 11:29 AM

The proxy settings in IE had gotten changed. Once I unchecked "Use a proxy server for your LAN", IE was able to connect to the internet. I was then able to update SAS and my AV software (Avira).

Why would the proxy settings in IE affect the ability of SAS and Avira to update?

I ran another MBAM scan after updating to database 4075. Here's the log file:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4075

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/7/2010 8:34:12 AM
mbam-log-2010-05-07 (08-34-12).txt

Scan type: Quick scan
Objects scanned: 123496
Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I also updated SAS and I'm currently running a scan.

#14 Bako-Dan

Posted 07 May 2010 - 02:40 PM

Here's the log for the SAS scan:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/07/2010 at 09:59 AM

Application Version : 4.33.1000

Core Rules Database Version : 4902
Trace Rules Database Version: 2714

Scan type : Complete Scan
Total Scan Time : 01:00:30

Memory items scanned : 560
Memory threats detected : 0
Registry items scanned : 5484
Registry threats detected : 0
File items scanned : 78136
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Connie\Cookies\connie@ad.wsod[2].txt
C:\Documents and Settings\Connie\Cookies\connie@ad.yieldmanager[2].txt
C:\Documents and Settings\Connie\Cookies\connie@doubleclick[1].txt


I'm now running an ESET scan. I can't remember if I'll get a log file after that scan. If I do, I'll put it in the next post.

Any other suggestions at this point? Would you recommend running a Dr. Web CureIt scan?

Thanks for all the help!

#15 Bako-Dan

Posted 07 May 2010 - 06:15 PM

The ESET scan didn't find any problems. Any other scans or adjustments I should make?



