
problems running malwarebytes Anti-Malware


6 replies to this topic

#1 sappertime


  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:06 PM

Posted 17 August 2010 - 02:58 PM

My family desktop computer has been infected with a virus.

I am posting this thread using my laptop.

The infected machine uses XP.

I know that I have a virus because none of the executable files work....I've looked at some of the previous threads in this forum and it has the same error messages, such as "wltuser.exe is infected. Do you want to activate your antivirus software now?" Other files, such as cvtres.exe, appear in the same warning box. There is a bogus Windows security alert box which appears asking if I want to activate my antivirus software now. I know it's bogus because it has not got the correct Windows shield logo. Anyway, it runs an antivirus scan, highlights some viruses and then wants me to pay for an antivirus software download. I have no intention of pursuing that path. I would not feel comfortable providing my card details to whoever runs that site!

So, I've followed photo6six's advice per the posting on Oct 27 2009, and downloaded superantispyware. I downloaded this on my laptop. Saved the file to a cd. Loaded the cd into the infected machine, tried to run it and was informed that the file superantispyware.exe is infected. "Do you want to activate your antivirus software now?" And back to their website etc.

So, I then have patiently and diligently followed all the stages outlined in quietman7's post of Oct 29 2009. None of the executable files can be opened. I am informed the files are infected. I have tried running the three versions of Rkill. The black MS-DOS screen does flash. But I cannot run Malwarebytes Anti-Malware. I've tried re-naming the files and adding different file extensions. I've downloaded the file WiNIOgOn.exe. Nothing works.

Has the virus mutated since these posts were made?

Can anyone help me make some inroads into this virus?

I have also tried to run the computer in SAFE mode. Fn-8 on load etc. I can see the ability to run in SAFE mode. The keyboard does not move the cursor though. I cannot get the cursor to go up and cover the SAFE mode instruction.

Also, when I try to run msconfig from the start button, again I'm told the file msconfig.exe is infected.

Has anyone else faced and beaten this virus? If so, any tips and tricks gratefully received.

I really hope someone can help, because I've no idea what to do next.


#2 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,440 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:06 PM

Posted 17 August 2010 - 11:31 PM

Hi, a couple of things to try. The malware probably won't block this.
Let us see if we can get Safe mode to run.

Please download and run SafeBootKeyRepair.exe.

Once it has completed, please try booting into Safe Mode.

OR

Click on Start, Then Control Panel
Click on Users
Create a new user account with Administrative Rights
Login as that user
Now run MBAM (Malwarebytes). Run a FULL scan; this will search all user accounts on your machine.
Reboot your machine.
When your machine is at the login, don't log in to the infected account; log into the new account you made.
Logout of the new account once the machine finishes booting up.
Log into your original account that was infected. Post the MBAM log.
Hopefully we are good.

OR
AVIRA RESCUE CD
Try creating this disk and boot off of it. You will need another computer to make this.
Avira AntiVir Rescue System
Tutorial for Avira Rescue CD
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 sappertime

  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:06 PM

Posted 18 August 2010 - 10:52 AM

Hi Boopme,

Really excellent advice. Fantastic.

Not only did you respond massively quickly...overnight in fact, but the information you gave me was spot on. Thanks.

I tried to set up a new user account on my desktop as you suggested. I was unable to do this. Stopped from doing it by the virus not allowing me to run exe files.

So I went and downloaded the AVIRA rescue disk using my laptop, burned the cd and booted up using it in my desktop. I followed the clear instructions that were provided by Avira and it loaded, ran an anti-virus scan, found 17 infected files which are quarantined and then I re-booted using windows.

Absolutely no problems. The machine operates pretty much flawlessly. What a giant relief.

I've also run an additional three anti-malware scans since then: Avira's own anti-malware (AntiVir Personal), Malwarebytes Anti-Malware and AVG's anti-trojan Ewido programme. Each caught some trojan marketing files, but nothing major.

I just have two small issues to resolve. First when I boot up I get an error message stating there is an "error loading ffxp.dll. The specific module could not be found." As this is one of the files AVIRA rescue quarantined I don't want to make a mistake and unleash the virus again. If you have any suggestions how to stop this error message coming up I'd be really grateful. It doesn't seem to compromise the operation of the desktop, however.

The second minor problem is that I cannot access the internet through my wireless network. For some reason my desktop can't acquire the network address. The network key doesn't seem to work any more. But I access the wireless fine using my laptop. I'm sure the reason will come to me in time.

Once again. I can't thank you enough. I was at a complete loss about what to do next. This forum has wildly exceeded my expectations.

Cheers for now.

Sappertime

P.s. great picture of the beach.....looks like a better place to be than here!

#4 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,440 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:06 PM

Posted 18 August 2010 - 12:22 PM

Very glad to hear it..

Ok, you did update MBAM prior to running?
Avira is the AV I use. I like it.
Ewido, isn't that quite an old application??


It's not unusual to receive such an error after using specialized fix tools.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.

Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message. -->>ffxp.dll
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.



For the Connection ...Try this--open control, internet options, connections tab, lan settings, uncheck the box next to "use proxy...."
OR
Go to Start ... Run and type in cmd
A DOS window will appear.
Type in the DOS window: netsh winsock reset
Press the Enter key.

Reboot your system to complete the process.



P.S. It is where I go to empty my brain LOL.. and it is better than here :thumbsup:
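The "specified module could not be found" error boopme explains above comes from a registry value that still points at a file a scanner removed. The following PowerShell script is an added example for this thread, not code from BleepingComputer or from Autoruns: it lists the values in the standard Run and RunOnce keys and flags those whose target no longer exists on disk, so you can confirm which entry is orphaned before deleting it in Autoruns. It assumes a Windows host with PowerShell 2.0 or later and is read-only; the key paths, the rundll32 handling and the lookup order for bare file names are my choices, not something stated in the thread.

```powershell
# Added example, not from the thread: report autostart entries in the standard
# Run/RunOnce keys whose target file no longer exists on disk. This is the class
# of orphaned entry that produces "error loading X.dll ... module could not be found"
# at logon after a scanner deletes the file but leaves the registry value behind.
# Assumes Windows with PowerShell 2.0 or later. Read-only: it changes nothing;
# removal is still done by hand (for example in Autoruns) after you confirm each hit.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandTarget {
    # Pull the file path out of a Run value. Handles "C:\quoted path\x.exe" /args,
    # rundll32.exe C:\path\x.dll,Entry (the DLL is what actually gets loaded),
    # and bare "C:\path\x.exe /args" commands.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    if ($cmd -match '^(?:.*\\)?rundll32(?:\.exe)?\s+"?([^",]+)') {
        return $matches[1].Trim()
    }
    return ($cmd -split '\s+')[0]
}

function Test-TargetExists {
    # Bare names such as ffxp.dll are probed where the loader would look first:
    # System32, then the Windows directory (assumption: a simplified search order).
    param([string]$Path)
    if ([System.IO.Path]::IsPathRooted($Path)) { return (Test-Path -LiteralPath $Path) }
    foreach ($dir in @((Join-Path $env:SystemRoot 'System32'), $env:SystemRoot)) {
        if (Test-Path -LiteralPath (Join-Path $dir $Path)) { return $true }
    }
    return $false
}

function Find-OrphanedRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Skip the PSPath/PSParentPath bookkeeping properties and empty values
            if ($prop.Name -like 'PS*' -or -not $prop.Value) { continue }
            $target = Get-CommandTarget -Command ([string]$prop.Value)
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $prop.Name
                Command = [string]$prop.Value
                Target  = $target
                Exists  = (Test-TargetExists -Path $target)
            }
        }
    }
}

# Usage: show only the entries whose target file is missing.
Find-OrphanedRunEntries | Where-Object { -not $_.Exists } |
    Format-Table Name, Target, Key -AutoSize
```

This covers only the four Run/RunOnce keys. Startup entries also live in the Winlogon Notify and Userinit values, AppInit_DLLs, services and scheduled tasks, which is why Autoruns, which enumerates all of those and marks missing files as "File not found", remains the tool to use for the actual removal.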

#5 sappertime

  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:06 PM

Posted 19 August 2010 - 02:31 PM

Hi,

Once again thanks for posting valuable suggestions.

I've been trying to fix my access to the internet through my wireless router today. When I get that sorted I can try and download the tools you recommend for removing the orphaned registry entry. I should also be able to get updates for the malware programme and re-run it.

Basically I cannot seem to complete the handshake with the router. It hangs, stating it's "Acquiring network address!".

I have completed both suggested tasks of yours posted below, namely unticked the proxy server check box and run the DOS command "netsh winsock reset", exited DOS and re-booted.

I have also tried to connect to the router via an ethernet cable; this does not work. I have also reinstalled the wireless adaptor driver.

The wireless network is recognised, and is shown as a network available to me when I search for available wireless networks. I just can't connect. I've re-entered the network key.

Nothing seems to work.

What I have noticed is that when I highlight the wireless network connection (and the LAN connection when using the ethernet cable), there is no IP address assigned by the router DHCP.

I've been in to the router and checked the settings. All seem to be ok. I have 4 other machines happily going on to and off the wireless network. I've rebooted the router and all other machines have IP addresses assigned np.

Although it's not hard, I admit, I'm stumped again!

Any suggestions?

Thanks

#6 sappertime

  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:06 PM

Posted 23 August 2010 - 09:22 AM

As I use these forums to help with my own computer problems, I thought I would post the last few steps I needed to take to enable the family desktop to re-connect to the wireless router.

After I had run the antivirus software, as mentioned in my earlier posting, I could not access the wireless router.

The problem was that the machine could not acquire the network address. The machine had no IP address nor a subnet mask showing (all zeroes).

When I tried to start the DHCP Client Service manually, I got the following error message:

"Error: Could not start the DHCP Client Service on local computer. Error 1068: The dependency service or group failed to start."

I found the solution at http://windowsxp.mvps.org/dhcp.htm. I thoroughly recommend you look at this site, as it contains a lot of useful information on DHCP connection problems, certainly more than I outline below.

The advice I got from this website relevant to me was:

To start the DHCP Client Service, three services (AFD, NetBios over Tcpip and TCP/IP Protocol Driver) need to be operating.

To find if these were operating on my machine I opened Windows Explorer and navigated to %Windir%\System32\Drivers folder.

I looked for:
afd.sys
tcpip.sys
netbt.sys

In my case, the antivirus software I think had quarantined netbt.sys. (The file was in the folder, but had been renamed netbt.sys.xxx).

So, I went to the folder ServicePackFiles\i386, found the file netbt.sys and copied it into the %Windir%\System32\Drivers folder. I then re-booted the machine.

Not only was I then able to automatically log on to the wireless network, the error message "error loading ffxp.dll" has also been solved.

I have now re-installed MBAM updated it, and completed a full scan. As it found a further 32 infected files, this was a useful step to take.

Everything now seems back to normal, I'm pleased to report. I hope it stays that way.

Once again thanks for your help, and I hope this thread can help others quickly sort out problems they experience if they are unlucky enough to pick up a similar virus.
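Sappertime's fix above boils down to two checks: which service in the DHCP Client's dependency chain is not running (the cause of Error 1068), and whether the driver file behind it has been deleted or renamed by a quarantine tool. The PowerShell script below is an added example written for this thread, not code from the thread or from the windowsxp.mvps.org page; it walks the dependency chain from the registry and the Service Control Manager and reports, per service, whether the on-disk file exists and whether a renamed leftover such as netbt.sys.xxx sits beside where it should be. It assumes Windows with PowerShell 2.0 or later run as an administrator; the ImagePath normalisation rules and the "look for a renamed sibling" heuristic are my assumptions, and the script makes no changes.

```powershell
# Added example, not from the thread: walk the DHCP Client service's dependency
# chain and check that each dependency's driver or executable still exists on disk.
# This is the check sappertime did by hand in %Windir%\System32\Drivers, plus a look
# for a renamed sibling (netbt.sys.xxx) that a quarantine tool may have left behind.
# Assumes Windows with PowerShell 2.0 or later, run as Administrator. Read-only.

function Resolve-ImagePath {
    # Normalise the ImagePath forms found under HKLM\SYSTEM\CurrentControlSet\Services
    # (assumption: these four shapes cover the services in the Dhcp chain):
    #   \SystemRoot\System32\drivers\afd.sys, system32\DRIVERS\netbt.sys,
    #   \??\C:\WINDOWS\..., "%SystemRoot%\system32\svchost.exe -k netsvcs"
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim().Trim('"'))
    if ($p -match '^\\SystemRoot\\(.+)$')  { $p = Join-Path $env:SystemRoot $matches[1] }
    elseif ($p -match '^\\\?\?\\(.+)$')    { $p = $matches[1] }
    if ($p -match '^(.+?\.(?:exe|sys|dll))(\s.*)?$') { $p = $matches[1] }   # drop "-k netsvcs" style args
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-ServiceDependencies {
    # Emits one record per service in the chain: the service itself, then everything
    # it depends on (for Dhcp on XP: Tcpip, Afd, NetBT). Error 1068 means one of
    # these failed to start; a missing or renamed file is the usual reason after a cleanup.
    param([string]$ServiceName = 'Dhcp')
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    foreach ($dep in @($svc) + @($svc.ServicesDependedOn)) {
        $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($dep.Name)"
        $image  = (Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue).ImagePath
        $file = $null; $exists = $false; $renamed = @()
        if ($image) {
            $file   = Resolve-ImagePath -ImagePath $image
            $exists = Test-Path -LiteralPath $file
            if (-not $exists) {
                # Look for netbt.sys.xxx-style leftovers next to where the file should be
                $dir  = Split-Path -Parent $file
                $leaf = Split-Path -Leaf $file
                $renamed = @(Get-ChildItem -Path $dir -Filter "$leaf.*" -ErrorAction SilentlyContinue |
                             ForEach-Object { $_.Name })
            }
        }
        New-Object PSObject -Property @{
            Service       = $dep.Name
            Status        = $dep.Status
            File          = $file
            FileExists    = $exists
            RenamedCopies = ($renamed -join ', ')
        }
    }
}

# Usage: any row with FileExists = False, or a non-empty RenamedCopies column,
# is the dependency to restore (on XP, from ServicePackFiles\i386 as in the post
# above) before the DHCP Client service will start.
Test-ServiceDependencies -ServiceName 'Dhcp' |
    Format-Table Service, Status, FileExists, RenamedCopies, File -AutoSize
```

Get-Service itself only lists Win32 services, but the ServicesDependedOn property of the returned ServiceController object does include kernel drivers such as Afd, NetBT and Tcpip, which is why the script reads each dependency from that property rather than calling Get-Service on the driver names. A quarantined-then-renamed driver shows up as FileExists False with the renamed copy listed beside it, which matches what sappertime found for netbt.sys.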

#7 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,440 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:06 PM

Posted 23 August 2010 - 10:07 AM

Thanks for posting back your excellent solution. Well done!! I am sure it will benefit other members.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection: Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read: