Infected with stuff, which doesn't allow to run firewall, MBAM, avast etc.



#1 buczubuczu

Posted 10 September 2014 - 09:08 PM

Good evening people!

As the title says - today I've encountered a serious problem. For a few years now, I've been using avast! free (yearly, extendable licence) together with Agnitum Outpost Firewall Pro (lifetime licence). Both of them were regularly updated (daily, basically) and were able to catch most of the crap which could come and infect my PC. If I had any doubts, then MBAM helped me to decide whether it was malware (or other unwanted stuff) or not. But, since a few days ago, something different is happening. Avast!, as well as op_mon.exe, are now gone - both from task manager and autostart entries (not to mention that they were there before). I also cannot run MBAM, the Chameleon plugin or even the default Windows Defender anymore. Every time I try to do so, I get the error message, which says "This program is blocked by group policy". Funny thing is - I wasn't doing ANYTHING with AppLocker before that message. I also didn't mess things up by installing other defence software.

I've started looking already on the Internet, and I've also bumped into this thread (http://www.bleepingcomputer.com/forums/t/531202/this-program-is-blocked-by-group-policy/) over here. Most of the time it looked like the solution to my problem, but I'm not having ANY folder like these four in the corresponding folder (mentioned somewhere on page 2 of that thread, I believe), so I decided to give up there. I don't want any other injuries to my registry. I've also tried using MBAM (of course - doesn't start), Chameleon (doesn't start as well, even when launched via the help file using Firefox - none of the 13 options gives any CMD window, error - nothing), avastUI (as well, nothing). TDSS killer with its scan (excluding loading disk sectors) shows nothing, rkill also doesn't seem to be alerted by this abnormal activity.

Also - I can't even uninstall, upgrade or run (fairly enough) either Outpost Firewall Pro or Avast. The same prompt appears every single time. I'm sure that it's some kind of unwanted trash, because every time I try to launch "prohibited" software, there's something going on in the background. Nothing much - just a "thinking" pointer, but it's gone as soon as I click "OK" in the error message.

Few more things that might become handy for help - I'm using Win7 Enterprise, I've never messed with my registry (only activity includes deleting old entries which are left behind after uninstalling software - CCleaner worked there just fine, for more than a few years), I'm using this pack (avast! combined with Outpost Firewall Pro; licenced btw) also for a few years (3 or 4) - I've got only one attack on my PC so far (massive launch of processes, multiple tries at driver loading and direct disk access - all of it found and stopped by the firewall). I've also tried to find help at both Agnitum and Malwarebytes - typed down two different mails a few hours ago. Hope they will be able to do something. My oldest available system restore point is dated on the 5th of September, with the annotation "critical Windows update". I wasn't doing any prompted updates for a while - could that be some trace of unwanted guests?
About any crappy software - I don't remember such a thing for at least a couple of months. The last unwanted thing was connected with the last (and only, so far) attack on my PC. But, after running a full MBAM scan, manually (somehow it works only with admin rights and task manager killing!) removing the contaminated folders and looking more carefully for a couple of days - the threat was gone. Since then, I've had nothing to do with pirate stuff, porn and other weird places on the Web, where you can easily catch something. It might be connected though with watching the Volleyball World Championship on non-legal Internet sites now. But - all plugins were disabled, all security - enabled. It might be it, although - getting infected simply by activating a video stream, without having to install some "plugin"?

Hope that I've put everything nicely and you will be able to get through it. The rest of my PC functions work as per usual, but it stinks way too strongly to ignore that. Also - I do apologize for any misspelled words or sentences - English isn't my first language, and it's 4 AM already here! :D




#2 boopme

Posted 10 September 2014 - 09:20 PM

Hello, can you run RKill?


Please download Rkill by Grinler and save it to your desktop.
  • Link 1
  • Link 2
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista, right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.
Also could you post the infected MBAM log?

Edited by boopme, 10 September 2014 - 09:22 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 buczubuczu

Posted 11 September 2014 - 05:34 AM

All right. For some reason rkill keeps closing foobar2000 1.18 (has not been updated for more than a year, no plugins and no other stuff). It also tries to run Windows Defender, which somehow works. It's able to open itself, but doesn't seem to do anything else. I'm trying now to run a full scan, we will see what this will do.
About the infected MBAM log - what specifically do you mean? I cannot run this file, so no log will ever appear. Also - I haven't found any older logs from older scans in the main folder (C:\Program Files\MBAM\). Perhaps it's located somewhere else?

Should I try to download and run rkill from another source, if the one from link one doesn't seem to do anything? The log only shows one missing digital signature
 * C:\Windows\System32\user32.dll : 811 520 : 07/14/2009 03:16 AM : 8626f0c30d4e3564ffdd25c90f4426f1 [NoSig]
 +-> C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll : 811 520 : 07/14/2009 03:16 AM : 34b7e222e81fafa885f0c5f2cfa56861 [Pos Repl]
and 3 HOSTS file entries (I don't have an idea what this is) -   127.0.0.1 genuine.microsoft.com 127.0.0.1 mpa.one.microsoft.com 127.0.0.1 sls.microsoft.com.
Nothing else appears to be there. I'll do an extended scan with Win Defender, hope that will do something.


Edited by buczubuczu, 11 September 2014 - 09:52 AM.
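The three HOSTS lines rkill reported above pin Microsoft activation hosts to the loopback address, which is a classic way malware blocks validation, updates and security downloads. As an added example (not from the thread, not rkill's code), this parses a Windows-style hosts file and flags watched domains that resolve to loopback or 0.0.0.0; the sample file and watch list are constructed here.

```python
from ipaddress import ip_address

# Constructed sample hosts file modelled on the three entries in the rkill
# log above, plus the comment and localhost lines Windows ships by default.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost
127.0.0.1 genuine.microsoft.com
127.0.0.1 mpa.one.microsoft.com
127.0.0.1 sls.microsoft.com
"""

# Hypothetical watch list: domains a legitimate hosts file has no reason to
# sinkhole (activation/update hosts and the vendors named in this thread).
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "avast.com",
                    "malwarebytes.org", "agnitum.com")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ip_address(fields[0])
        except ValueError:
            continue                           # malformed line, ignore it
        for name in fields[1:]:                # one IP may map several names
            yield ip, name.lower()


def in_watch_list(name):
    """True if name is a watched domain or a subdomain of one (label-aligned)."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_hosts_entries(text):
    """Return [(ip, hostname)] for watched names mapped to loopback or 0.0.0.0."""
    hits = []
    for ip, name in parse_hosts(text):
        if name == "localhost":               # legitimate default entries
            continue
        if (ip.is_loopback or ip.is_unspecified) and in_watch_list(name):
            hits.append((str(ip), name))
    return hits


if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"suspicious: {name} -> {ip}")
```

Point it at C:\Windows\System32\drivers\etc\hosts on a live machine to see the same three names the log reported.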


#4 buczubuczu

Posted 11 September 2014 - 11:29 AM

Almost six hours of scanning for unwanted stuff gave...ONE result. BrowseToSave, located in C:\Program Files\BRowse2Save\settings.ini. Got rid of this file already (a couple of minutes spent on "thinking"), what should I do next? Is putting the PC into safe mode a good option? The error which keeps me unhappy is still active and still prevents any serious action.

What's next? OTL? Some scripts? Live CD?


Edited by buczubuczu, 11 September 2014 - 11:32 AM.


#5 boopme

Posted 11 September 2014 - 12:46 PM

Yeah there are still many issues and the system is not stable.. We need to repost and get a deeper look. Use same title.

Please follow this Preparation Guide, do steps 6,7 and 8 and post in a new topic.
Let me know if all went well.

#6 buczubuczu

Posted 11 September 2014 - 02:47 PM

I would love to inform you that everything went nice 'n' smooth, but it didn't. Whether I choose the option with scanning the MBR or without it, DDS opens its window (the normal one, not DOS-like style). The last known message from it is connected with making the attach.txt file. But after a few seconds, the window disappears, and nothing else wants to happen. I can hear some read/write operations on my HDD drive, but the whole OS, windows and other stuff remain still. Even waiting a couple of minutes (as typed in the guide) doesn't change a single thing. Also Windows's task manager shows absolutely NOTHING. I'm starting to worry about it. Of course - I could always type format c:\ and go with my friends for a beer or two, but I'll do whatever I can to avoid it. I don't have super precious files there, but installing all the stuff once again, configuring it once again - a few days partially (or fully) cut off.
What should (or can) I do now, if this method fails?

I'm also trying to do what I can with Agnitum. Sent them logs from the Firewall and my configuration file. Maybe they will be able to extract some useful data out of it.


Edited by buczubuczu, 11 September 2014 - 02:50 PM.


#7 boopme

Posted 11 September 2014 - 07:45 PM

OK, start a new topic here
http://www.brightfort.com/spywareblaster.html

State you cannot get DDS to run..

Include this link back to here so they can see what's going on... we can fix this.

http://www.bleepingcomputer.com/forums/t/547693/infected-with-stuff-which-doesnt-allow-to-run-firewall-mbam-avast-etc/#entry3475148

#8 buczubuczu

Posted 12 September 2014 - 06:52 AM

All right, new thread posted, with the same title in the official BrightLight forum, SpywareBlaster & other forum subsection. Here's the link, if anyone is interested
http://www.wilderssecurity.com/threads/infected-with-stuff-which-doesnt-allow-to-run-firewall-mbam-avast-etc.368129/



#9 buczubuczu

Posted 16 September 2014 - 07:19 PM

It's me again. I've posted that stuff on the related forum and the only thing that I've got from them was "nuke your system and install a new one". Wasn't too good to hear that. Is this the only way to get rid of the problem?
Is this crappy malware capable of attacking my other files - music, videos, some stuff on other partitions? Or is it stuck with OS files and doesn't do anything else? Should I be worried about keeping all my personal stuff?



#10 boopme

Posted 16 September 2014 - 07:34 PM

Post what I asked here

http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/