MBAM isn't being allowed to start, browser redirects to malicious website.

[Frostiiz]

Post Merged

We look for post with 0 replies, so when you reply to your own topic, we assume you were being helped.

Please be patient, someone will assist you as soon as possible.

I am trying to figure out why mbam is not being allowed to start via desktop icon as well as start menu and program list. I am running windows in safemode with networking which is letting me browse the internet without problem but when in regular start up and on a internet browser I am redirected from what ever website I am on and taken to a what I am assuming to be a malicious website telling me there is a registry error. A few weeks ago I was having this problem but I used a script through command prompt to try and delete PC power speed. The program or trojan is visibly gone (as in I can't find it in my programs) but it still gives me an option to "uninstall PC Power speed". Please help >.<

*edit* uninstalled mbam and reinstalled, currently able to run in chameleon but still unable to use desktop icon. Current "killing known malicious processes, please wait"

*edit 2* after running the quick scan a second time after already deleting what mbam had found the first, it found 14 more witch I proceeded to delete and restart of course. Here is the log

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 14

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4D7B-9389-0F166788785A} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98D9753D-D73B-42D5-8C85-4469CDA897AB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9FF05104-B030-46FC-94B8-81276E4E27DF} (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearch.ThirdPartyInstaller (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKCR\MyWebSearch.ThirdPartyInstaller.1 (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Zwangi (PUP.Zwangi) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (PUP.MyWebSearch) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (PUP.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 4

C:\Users\Guest\Local Settings\My Web Search Installer(03156306).exe (PUP.MyWebSearch) -> Quarantined and deleted successfully.

C:\Users\Guest\Local Settings\My Web Search Installer(6e63031f).exe (PUP.MyWebSearch) -> Quarantined and deleted successfully.

C:\Users\Guest\Local Settings\Application Data\My Web Search Installer(03156306).exe (PUP.MyWebSearch) -> Quarantined and deleted successfully.

C:\Users\Guest\Local Settings\Application Data\My Web Search Installer(6e63031f).exe (PUP.MyWebSearch) -> Quarantined and deleted successfully.

(end)

*edit3* 3rd scan, nothing detected. Here is the log, going to scan with spybot s&d. Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.13.09

Windows Vista Service Pack 2 x64 NTFS

Internet Explorer 9.0.8112.16421

Owner :: CCITY-PC [administrator]

7/13/2012 2:54:56 PM

mbam-log-2012-07-13 (14-54-56).txt

[Maurice Naggar]

Hello Frostiiz,

When and if the "rogue" window shows up, just use CTRL+F4 keypress (press & Hold CTRL-key & press F4-function key) to close the window if in the browser. Use ALT+F4 if it is an independent window in the foreground.

Do not press or click 'any' keys on the rogue window itself.

Do as much as possible of the following:

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT by doing a Right-Click on it & select Run As Admisnistrator

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Show all files:

• Click the Start button, and then click Computer.
  
• On the Organize menu, click Folder and Search Options.
  
• Click the View tab.
  
• Locate and uncheck Hide file extensions for known file types.
  
• Locate and uncheck Hide protected operating system files (Recommended).
  
• Locate and click Show hidden files and folders.
  
• Click Apply > OK.

Step 3

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do NOT turn off the firewall

1. Close any/all open internet browsers. Save any open documents you have open & close programs you started.
   
2. Click on START>All Programs>Malwarebytes' Anti-Malware>Tools>Malwarebytes Anti-Malware Chameleon
   On Windows 7, press Windows-key, then start typing in text box

   Malwarebytes

   then select/click Malwarebytes Anti-Malware Chameleon
   

3. Once the Help file opens, click on a Chameleon button (starting with #1)
   
4. If running on Vista, Windows 7, press the Yes button when prompted at the UAC prompt to allow to run.
   
5. You should see a black Command-prompt-window that remains open and says MBAM-chameleon ver. 1.62 at the top
   
6. Press any key to continue as it says in the window {space-bar will do}
   
7. If the Chameleon button you tried does not work, try the next Chameleon button shown. (There are 12 in all).
   
8. Have infinite patience during this process
   
9. Malwarebytes Chameleon will proceed to update Malwarebytes Anti-Malware, so ensure that you are connected to the internet if possible
   
10. Once the update completes and it says your database is updated, click on OK button so that process can continue
    
11. Malwarebytes Chameleon will then terminate any threats running in memory, which may take a while, so please be patient.
    
12. After that, Malwarebytes Anti-Malware will open automatically and perform a Quick scan
    
13. A quick scan will take a few minutes, possibly 5 or so minutes. Have infinite patience.
    
14. Once the scan is complete, click on Show Results and remove any threats that are found by clicking Remove Selected
    
15. If prompted to restart your computer to complete the removal process, click Yes
    
16. If no threats are found, press OK button & press EXIT to end MBAM. Press the space-bar (or another key) to exit the command-prompt-window.
    
17. After your computer restarts, open Malwarebytes Anti-Malware and perform one last Quick scan to verify that there are no remaining threats
    

Reply with copy of the MBAM scan log for review.

• Download & SAVE to your Desktop >> Tigzy's RogueKillerfrom here << or
  >> from here <<
  
• Quit all programs that you may have started.
  
• Please disconnect any USB or external drives from the computer before you run this scan!
  
• For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
  For Windows XP, double-click to start.
  
• Wait until Prescan has finished ...
  
• Then Click on Scan button at upper right of screen.
  
• Wait until the Status box shows "Scan Finished"
  
• Click on Report and copy/paste the content of the Notepad into your next reply.
  
• The log should be found in RKreport[1].txt on your Desktop
  
• Exit/Close RogueKiller

Edited July 18, 2012 by Maurice Naggar

[Maurice Naggar]

Kindly provide status update. Are you still having issues and do you still need help ?

[Maurice Naggar]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!