MBAM not running; Trojan.Agent/Gen-ClickDownload

17 replies to this topic

#1 MissM

Posted 02 July 2014 - 01:19 PM

Hello there,

I am finding it impossible to run MBAM on our desktop computer (an HP with Windows 8), and I fear it is indicative of a serious problem.

Background information:

On June 27 I attempted to visit a soap opera website I used to run via tripod.com. It was something I had done in high school almost 10 years ago, and I was feeling nostalgic and decided to check it out again, and I was instantly greeted with notifications that the website was malicious (I can't remember the exact wording, sorry).

I installed MBAM on my machine and ran it as well as SuperAntiSpyware the next day and got rid of some cookies, but that was it.

It was also at that time that we noticed that when we opened Google Chrome, a second tab opened for a Yahoo search, containing the word 'spigot' in the URL. That didn't seem to be legit, so I did some research about it and in the process downloaded CCleaner, AdwCleaner, and Junkware Removal Tool from this site. With these tools, I was able to eradicate the Spigot problem, and everything seemed fine.

Flash forward to late last night; I signed into my Hotmail and had just started reading an email from work (no attachments or anything) and suddenly the screen went a dark grayish colour, and then black. I forced shutdown and then turned it back on. I ran SAS and it found Trojan.Agent/Gen-ClickDownload in two Temporary Internet Files folders, the files both being named setup-bthelper[1].exe. I tried navigating to the folders listed to see if I could tell when they were downloaded, but those folders were not visible. I clicked on View and then Hidden Items, but they still did not show up.

I don't know where this virus could have come from, as we were away for the weekend, and didn't use the computer much Monday or Tuesday. The only things I can think of that we downloaded during that time were my grocery list (sent from my clean laptop via email to my desktop computer so I could print it) and the manual for our dishwasher from the Whirlpool website.

So, after this last night, I tried running MBAM, but after I double-clicked the desktop icon, nothing happened. It was late so I went to bed, and tried again a few times today. Still nothing. I tried un-installing and re-installing several times, but it still wouldn't work, and multiple times during set-up I got the following message:

Internal Error: Expression Error  'Runtime error (at 79:177): External exception E06D7363

From there, I tried running Chameleon a couple of times, but this was unsuccessful. Then I downloaded RKill from this site and ran it a few times. It did not find anything malicious to report, but MBAM is still not operational. Entering mbam in the Run box did not work either. I also booted in Safe Mode but it still did not work there. Also of note, I chose the Network option in SafeBoot but was unable to connect to the Internet using either Internet Explorer or Google Chrome.

Finally, I renamed the mbam.exe file to something else, copied it from the folder in ProgramFiles86 onto the desktop and tried running that. When I did, I got a System Error box that said "The program can't start because mbam.dll is missing from your computer. Try reinstalling the program to fix this problem."

Scans from Windows Defender, SAS, and ESET are coming up clean, but MBAM's loss of functionality and the disappearance/hiding of certain folders make me think there is still a problem.

Sorry for the very long post; I just wanted to be thorough!

I appreciate the help so very much. Unfortunately I have to head to work in about an hour, but if I can't get on today, I will be on tomorrow for sure.

Thanks so much in advance!


Edited by MissM, 02 July 2014 - 02:24 PM.




#2 kaz20

Posted 02 July 2014 - 01:35 PM

Have you tried running the scans in Safe Mode? If not, try Safe Mode, and reinstalling MBAM if it doesn't work.



#3 MissM

Posted 02 July 2014 - 01:48 PM

No, it will not run in Safe Mode either, and I can't seem to connect to the Internet in Safe Mode.



#4 kaz20

Posted 02 July 2014 - 02:00 PM

Are you selecting Safe Mode with Networking?



#5 MissM

Posted 02 July 2014 - 02:07 PM

Using msconfig, I did SafeBoot and clicked the 'Network' tick box, but it didn't seem to work.

I am really not used to Windows 8. It was so much easier to do Safe Mode with previous versions.



#6 kaz20

Posted 02 July 2014 - 02:23 PM

You can also try going to the power button on the screen and holding the Control button down when you press Restart. It will bring you to a menu; click on Advanced Options, then after that I believe you choose Troubleshoot. Then hit the Restart button on the screen on the right-hand side and it will restart and give you all the options for Safe Mode.



#7 MissM

Posted 02 July 2014 - 02:25 PM

Thank you! I have to leave for work now, but I will try that next chance I get. Much appreciated!



#8 MalwareAbort

Posted 02 July 2014 - 10:04 PM

Hi MissM,

When running Chameleon, did you extract the downloaded archive?


Edited by MalwareAbort, 02 July 2014 - 10:06 PM.

"Imagine a world without malware"


#9 MissM

Posted 03 July 2014 - 08:54 AM

kaz20, I tried the control button method when restarting, but unfortunately, it did not work, and just restarted in normal mode. Thanks anyway for your suggestion!

MalwareAbort, I'm not sure about the extracting... I did extract something, but I'm not sure if it was the downloaded archive. Sorry, I am not well-versed in this program! I may need some very specific instructions. Thanks so much for your reply!



#10 MalwareAbort

Posted 03 July 2014 - 10:21 AM

No worries!

When you use Chameleon (downloaded from: http://downloads.malwarebytes.org/file/chameleon/), you should save the .zip archive to an easy-to-access location.

Usage

  • Extract the file and its contents (Right click -> Extract All...)
  • In the newly created folder you should see two sub-folders (Chameleon -> Windows)
  • In the Windows folder you should see a help file called chameleon.
  • Open the file (double-click)
  • Follow the on-screen instructions from Malwarebytes

If the help file will not open, you may run each of the other files in the Windows folder to see if they work. (Only try one at a time.)




#11 MissM

Posted 03 July 2014 - 10:28 AM

Thank you! I followed those steps, but when I opened the Chameleon help file, all that came up was an empty white box.

I will try the other ones and report back with the results.



#12 MissM

Posted 03 July 2014 - 10:37 AM

Tried the first of the other files in the folder: firefox.com. Here is what the box said:

Trying to start Malwarebytes Anti-Malware, please wait...

A reboot is recommended to remove temporary directory C:\Users\Jesse\Desktop\mbam-chameleon-3.1.4.0\Chameleon/Windows\rljyey
Failed to start Malware Bytes Ant-Malware
Killing known malicious processes, please wait...
Mbam-killer Timeout set to 1800 seconds.

Mbam-killer is scanning - Press C to cancel...

Mbam-killer scan is complete.

Mbam-killer is exiting.

Malwarebytes Antimalware has terminated - unable to start the scan.

Removing protection driver...

...Done!
Press any key to continue.

And after this, MBAM will still not run.

This is the typical result I have had when trying to run Chameleon with other files thus far, just with a different file name after Windows\ in that "A reboot is recommended" message.

Sadly I don't think it is going to work.

All SAS has found is some tracking cookies when run in both normal and safe mode. I was able to get into Safe Mode with Networking using the tutorial on this website, but I was still unable to use the Internet, by the way.

AdwCleaner consistently only finds and removes one thing each time I run it, which is something to do with Google Chrome/preferences.

Are there any other programs I could try as recommended by BC Administrators or Moderators?

Thanks again!


Edited by MissM, 03 July 2014 - 10:47 AM.


#13 MalwareAbort

Posted 03 July 2014 - 11:26 AM

While you wait for an ADMIN/MOD:

The last thing I suggest to run would be Malwarebytes' built-in fixdamage tool.

  • Open the Malwarebytes Anti-Malware program folder (usually C:\Program Files\Malwarebytes Anti-Malware or C:\Program Files (x86)\Malwarebytes Anti-Malware) and open the Plugins folder
  • Double-click on the file fixdamage.exe to run the tool
  • Follow the on-screen instructions and restart your computer when the tool completes



#14 MissM

Posted 03 July 2014 - 11:34 AM

I was finally able to get into the Chameleon help file! I tried all 13 chameleons, and unfortunately, none of them worked.

This may be of note... I found how to get into Folder Options and I set it to show all hidden files and folders, including protected operating system files. This allowed me to see the folders for Temporary Internet Files, Documents and Settings, Local Settings, etc. However, the folders each have a little arrow-like picture on them, and when I tried opening them it said it was "not accessible" and "Access Denied".

I just now clicked on the fixdamage, and a box came up saying "Warning!!! This utility will try to repair possible damages made by rootkit infections to the system by restoring some critical system services (firewall, security center, Windows update, etc.) and resetting them to their original default state. Some user settings may be lost after applying this procedure."

I have to admit, this makes me a little nervous! What does it mean by restoring these things to their original default state? Would some of our stuff be lost?

Thanks again! I truly do appreciate it.



#15 MalwareAbort

Posted 03 July 2014 - 12:05 PM

MissM, on 03 July 2014 - 11:34 AM, said:

> I was finally able to get into the Chameleon help file! I tried all 13 chameleons, and unfortunately, none of them worked.
>
> This may be of note... I found how to get into Folder Options and I set it to show all hidden files and folders, including protected operating system files. This allowed me to see the folders for Temporary Internet Files, Documents and Settings, Local Settings, etc. However, the folders each have a little arrow-like picture on them, and when I tried opening them it said it was "not accessible" and "Access Denied".
>
> I just now clicked on the fixdamage, and a box came up saying "Warning!!! This utility will try to repair possible damages made by rootkit infections to the system by restoring some critical system services (firewall, security center, Windows update, etc.) and resetting them to their original default state. Some user settings may be lost after applying this procedure."
>
> I have to admit, this makes me a little nervous! What does it mean by restoring these things to their original default state? Would some of our stuff be lost?
>
> Thanks again! I truly do appreciate it.

The reset is done on Windows programs (essential to run Windows); they will be reset. This will not alter your personal documents.

Edit:

I will be gone for the rest of the day, I hope everything works out!

One last thing after fixdamage:

  • Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

An expert will eventually come and read the reports to further assist you :)


Edited by MalwareAbort, 03 July 2014 - 12:24 PM.
