Used rkill to help install malwarebytes


3 replies to this topic

#1 cat33

Posted 19 September 2010 - 07:16 AM

I don't know where to post this. We have been having problems with our windows xp service pack 3 computer for more than a month now. Sluggish internet connection and freezing up. I installed malwarebytes and it found 2 infections. After the infections were removed, we were able to connect to the internet again. Since then I have scanned with different scanners, found different things and tried different things and it's a long story so I can't post all of it. The battle against something hogging my computer continues!

I removed malwarebytes because I would click to use the scanner and I would be told that a version of malwarebytes was already running which seemed odd to me because I set it to be an on demand type scanner not constantly running in the background. I checked the settings several times and it was not set to startup when I turned the computer on but it kept showing up in my startup. I went in the master account and used rkill and then I changed the name of malwarebytes before downloading it. Then I started a malwarebytes scan in the master account. For about 30 minutes the scan went ok and was finding nothing wrong.

Then I guess I made the mistake of using McAfee to scan a file. The file was only about 5 mb so I didn't think it would be that big a deal. I guess I can't use 2 scanners at the same time. The McAfee scan was not going normal and I didn't know what to do so I used rkill and rkill terminated C:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe. My computer then made a loud grinding noise and I turned it off at the power switch. I waited a half an hour and turned it back on. I have not heard the grinding noise since.

I have heard the grinding noise before. We were watching an internet newscast a few months ago and the computer started going at 100% and that is when we first heard the grinding noise. It sounded like a saw or something. Turned the computer off at the power switch and then waited a while and turned it back on and now have task manager monitoring internet radio and video. If a program is going past 80% we leave the broadcast.

We have been having problems with the computer for more than a month now. We used McAfee for more than 3 years with no problems. In April, after I read about the mistake they made which harmed a lot of computers, I then installed Avast. Then in the end of August installed Avira but didn't feel comfortable with Avira so went back to McAfee.

More than a month ago I installed Cyberlion Startup Optimizer and from the beginning it has been saying I have the RAIDY'S trojan infecting as ctfmon.exe but nothing I have scanned with shows an infection. However, after using Rkill yesterday, ctfmon.exe has been using a lot less memory. Before using Rkill, ctfmon.exe was using as much as 4572k. Now ctfmon.exe is down to only 460k.

Now back to malwarebytes. Before I changed its name, it kept appearing in the Cyberlion Startup Optimizer as something in my startup. No matter what I did to the malwarebytes settings, it wanted to startup when I turned the computer on. The only way I could stop it was use the Cyberlion Startup Optimizer. I think there is some type of malware pretending to be malwarebytes. Also, interesting to note is that my renamed malwarebytes is not showing up in Cyberlion Startup Optimizer as a startup program. Before renaming it, it would show up in there as a startup item after reinstalling it.


 


#2 quietman7


Posted 19 September 2010 - 03:11 PM

"I installed Cyberlion Startup Optimizer and from the beginning it has been saying I have the RAIDY'S trojan infecting as ctfmon.exe but nothing I have scanned with shows an infection."

That's probably because it's a false detection (false positive).

"The rating system is not to be trusted: Kaspersky, the notorious antivirus, has been stamped with the harmful color code, just like Windows Sidebar...Also, the 12000+ softwares in the database are clearly not enough to cover the needs of the user (the pictures clearly reveal that Startup Optimizer recognized three out of eleven valid processes running on the testing computer and from these three two innocent applications were declared harmful)."

Cyberlion Startup Optimizer Review

An example of this false detection is shown here.

I recommend you replace it with a more trusted alternative.

When installing Malwarebytes, it will create an icon in the system tray near the clock. If you right-click on the icon, a menu will open with several options including the ability to disable it from running at startup by unchecking Start with Windows. However, Malwarebytes' service (mbamservice.exe) will still show in Task Manager which is normal.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 cat33


Posted 21 September 2010 - 04:25 PM

Thanks Quietman7,
I haven't had a chance to investigate all those programs.

I downloaded the System Explorer Portable version and it seems to be what I have been looking for. I don't know how to interpret all the information it gives. I find the system connections interesting. There is a lot I don't know about computers. I am going to research how to have some idea what is normal connections.

rkill seems to have helped a lot. ctfmon.exe was using more than 4000k of memory and now it is less than 2164k and often it is only something like 468k. I think some type of malware was pretending to be ctfmon.exe and somehow adding itself to it?

I also figured out that I could use ccleaner to clean my java. I remember a few weeks ago one of my scans (I can't remember which) had found infections in my java. So far I have only used ccleaner to clean my applications, internet and multimedia. It found more than 200mb of files. WARNING: I have heard that you should never clean the registry MUI cache.

I went back into my master account today and there is now a file on my desktop. I don't know where it came from and didn't notice it the last time I was in the master account. It is data.fdb
I right clicked on it to look at the properties and it says it opens with an unknown application
Size 1.63kb (1,677bytes)
Size on disk: 4.00kb (4096bytes)
says it was created yesterday
also I notice a config which was also created yesterday and opens with notepad. It is 8.45kb. I have not looked at the notepad. I have only right clicked on it to see what the properties are.

I hope it's ok to right click on files and check properties. I have read it's not a good idea to open unknown files. I don't want to throw away a file that might be needed.

The mysteries of using a computer continue. More for me to learn.

I also installed winpatrol but haven't had a chance to look at it. I looked at the website; it seems like a good program.

#4 quietman7


Posted 21 September 2010 - 06:30 PM

Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. Another technique is for the process to alter the registry and add itself as a Startup program or service so that it can run automatically each time the computer is booted. Keep in mind that a legitimate file can also be infected by some types of malware such as Virut which is a dangerous polymorphic file infector. A file's properties may give a clue to identifying it. Right-click on the file, choose Properties and examine the General and Version tabs.

Anytime you come across a suspicious file or one that you do not recognize, search the name using Google <- click here for an example.

Or search the following databases:

If you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
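
The location check described in post #4, as an added example that is not part of the original posts: it takes process and startup (Run key) command lines, extracts the executable path, and compares the folder against where a system file of that name normally lives. The expected-folder table assumes a 32-bit Windows XP layout under C:\WINDOWS; the function names and the sample entries are constructed for illustration.

```python
import ntpath
import re

# Assumption: 32-bit Windows XP with Windows installed in C:\WINDOWS.
SYSTEM_ROOT = r"C:\WINDOWS"
EXPECTED_DIR = {
    "svchost.exe": SYSTEM_ROOT + r"\system32",
    "ctfmon.exe": SYSTEM_ROOT + r"\system32",
    "lsass.exe": SYSTEM_ROOT + r"\system32",
    "services.exe": SYSTEM_ROOT + r"\system32",
    "winlogon.exe": SYSTEM_ROOT + r"\system32",
    "explorer.exe": SYSTEM_ROOT,
}

def image_path(command):
    """Extract the executable path from a process or Run-key command line."""
    command = command.strip()
    if command.startswith('"'):                      # "C:\dir with spaces\x.exe" /arg
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]

def verdict(command):
    """'expected' = known name in its usual folder, 'mismatch' = known name
    running from somewhere else, 'unknown' = name not in the table."""
    path = ntpath.normpath(image_path(command))
    name = ntpath.basename(path).lower()
    if name not in EXPECTED_DIR:
        return "unknown"
    same = ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(EXPECTED_DIR[name])
    return "expected" if same else "mismatch"

# Constructed sample entries (source, command line); not taken from the thread.
SNAPSHOT = [
    ("process", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    ("process", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("process", r"C:\Documents and Settings\Owner\Application Data\svchost.exe"),
    ("run-key", r'"C:\WINDOWS\Temp\ctfmon.exe" /start'),
    ("run-key", r'"C:\Program Files\Example\tool.exe" -tray'),
]

def review(snapshot):
    return [(src, cmd, verdict(cmd)) for src, cmd in snapshot]

if __name__ == "__main__":
    for src, cmd, v in review(SNAPSHOT):
        print(f"{v:9} {src:8} {cmd}")
```

A "mismatch" is the case worth submitting to a scanner; "expected" only confirms the location, so a file altered in place by a file infector still needs a scan, and "unknown" means the name is simply not in the table.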




